A customer recently asked me how to test the ASR (Attack Surface Reduction) feature in EMET 5.0, so I figured I would write this up to help others as well. Keep in mind that two different sets of programs use ASR: one is IE and the other is the Office programs, or more specifically Word, Excel and PowerPoint, in our default or Recommended set of programs. This post focuses specifically on creating Office documents that will get ASR to trigger.
The first thing to realize is that we are only blocking flash.ocx for winword.exe, excel.exe and powerpnt.exe, as seen in the photo below.
To test ASR for these programs, I need documents of each type that have embedded Flash content in them. The process for creating a document with embedded Flash content is pretty much the same for all three. The main trick is that you don't really need any "content": inserting a blank Flash object is enough to trigger the protection.
For all three programs you will need the "Developer" tab added to your Office Ribbon (this is all in Office 2013, as an FYI). Add the Developer tab by going to File > Options > Customize Ribbon and placing a check in the box next to Developer in the right-hand window. Then click OK/Apply until you are back in the document.
Once in the main program, go to the Developer tab that you just added and insert an ActiveX control, choosing More Controls.
This in turn brings up another window, where you will need to scroll down, select Shockwave Flash Object and click OK.
If you are doing this on a system with EMET 5.0 and the default settings, odds are that right when you insert the object you will get some sort of error from Word/Excel/PowerPoint, because EMET blocks it during the actual insertion. You should also see a popup from EMET saying that the ASR mitigation detected/blocked it in the application you were using. If you want to actually save the file for further testing, disable ASR for that application while creating the test file.
And if all of the above sounds like too much work, here you go: http://1drv.ms/1ALMK1t. The zip file has all 3 file types in it, with the Flash object already embedded. Enjoy.
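Before opening a test file under EMET, it helps to confirm that the Flash control was actually saved into it. The following is an added example, not part of the original post or of EMET: it assumes the files are saved in the default Office 2013 OOXML formats (.docx/.xlsx/.pptx), where each embedded control is stored as an `activeX/activeXN.xml` part, and looks for the Shockwave Flash Object CLSID. The function names and the in-memory sample files are constructed for illustration.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash Object ActiveX control (implemented by flash.ocx).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# OOXML keeps each embedded control in <app>/activeX/activeXN.xml.
ACTIVEX_PART = re.compile(r"^(word|xl|ppt)/activeX/activeX\d+\.xml$", re.I)
CLASSID_ATTR = re.compile(r'classid\s*=\s*"\{?([0-9A-Fa-f-]{36})\}?"')


def find_flash_controls(source):
    """Return the ActiveX parts in an OOXML file that reference Flash.

    `source` is a path or a binary file object for a .docx/.xlsx/.pptx.
    """
    hits = []
    with zipfile.ZipFile(source) as pkg:
        for name in pkg.namelist():
            if not ACTIVEX_PART.match(name):
                continue
            xml = pkg.read(name).decode("utf-8", errors="replace")
            for clsid in CLASSID_ATTR.findall(xml):
                if clsid.upper() == FLASH_CLSID:
                    hits.append(name)
    return hits


def build_sample(app_dir, clsid):
    """Constructed sample: a minimal zip holding only one activeX part."""
    buf = io.BytesIO()
    part = ('<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
            'ax:classid="{%s}" ax:persistence="persistStorage"/>' % clsid)
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("%s/activeX/activeX1.xml" % app_dir, part)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    flash = build_sample("word", FLASH_CLSID.lower())
    other = build_sample("xl", "00000000-0000-0000-0000-000000000000")
    print(find_flash_controls(flash))  # parts that would load flash.ocx
    print(find_flash_controls(other))  # no Flash control present
```

Pass a real file path to `find_flash_controls` to check your own test documents; an empty list means the control was not saved, which is what happens if EMET blocked the insertion.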