Testing the ASR feature for Office documents in EMET 5.0


Had a customer recently ask me how to test the ASR feature in EMET 5.0, so I figured I would write this up to help others as well. Keep in mind there are two different sets of programs that use ASR: one is IE and the other is the Office programs, or more specifically Word, Excel and PowerPoint in our default or Recommended set of programs. This post will focus specifically on creating some Office documents that will get ASR to trigger.

The first thing to realize is that we are only blocking flash.ocx for winword.exe/excel.exe/powerpnt.exe, as seen in the image below.

image

In order to test ASR for these, I basically need some of these document types with embedded flash content in them. The process of creating a document with embedded flash content is pretty much the same for all three. The main trick is that you don’t even really need “content”: inserting a blank flash object is enough to trigger the protection.

For all three programs you will need the “Developer” tab added to your Office Ribbon (this is all in Office 2013, as an FYI). Add the Developer tab by going to File > Options > Customize Ribbon and then place a check next to Developer in the right-hand window. Then click OK/Apply until you are back in the document.

image

Once in the main program, go to the Developer tab that you just added and insert an ActiveX control via More Controls.

image

This in turn brings up another window where you will need to scroll down, select Shockwave Flash Object and click OK.

image

If you are doing this on a system with EMET 5.0 and the defaults, odds are that right about when you insert it you are going to get some sort of error from Word/Excel/PowerPoint, as EMET will block it during the actual insertion. You should also see a popup from EMET saying it detected/blocked an ASR mitigation in the application you were using. If you want to actually save the file for further testing, you should disable ASR for that application while creating this test file.
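If you want to confirm that a test document really carries a Shockwave Flash control before opening it in an ASR-protected process, here is an added example (not part of the original post or the EMET tooling) that scans an Office Open XML file for ActiveX parts and flags the Flash CLSID. It assumes the standard OOXML layout where each inserted control lives in a `word/xl/ppt/activeX/activeXN.xml` part with an `ax:classid` attribute, and it builds its own constructed sample .docx in memory so it runs offline.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control (flash.ocx); this is the module
# the default ASR rule blocks in winword.exe/excel.exe/powerpnt.exe.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# OOXML stores each inserted ActiveX control as a part such as
# word/activeX/activeX1.xml (xl/... for Excel, ppt/... for PowerPoint) whose
# ax:classid attribute names the control. Assumed layout; check against your files.
ACTIVEX_PART = re.compile(r"^(word|xl|ppt)/activeX/activeX\d+\.xml$", re.IGNORECASE)
CLASSID_ATTR = re.compile(r'ax:classid="\{?([0-9A-Fa-f-]{36})\}?"')

def find_activex_classids(data: bytes) -> list[tuple[str, str]]:
    """Return (part name, CLSID) for every ActiveX control part in an OOXML file."""
    found = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return found  # legacy OLE (.doc/.xls/.ppt) files are out of scope here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not ACTIVEX_PART.match(name):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for m in CLASSID_ATTR.finditer(xml):
                found.append((name, m.group(1).upper()))
    return found

def has_embedded_flash(data: bytes) -> bool:
    """True when the document embeds the Flash control, i.e. it should trip ASR."""
    return any(clsid == FLASH_CLSID for _, clsid in find_activex_classids(data))

def build_sample_docx(classid: str) -> bytes:
    """Constructed minimal .docx with one ActiveX part (sample input, not a real file)."""
    ax_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
        f'ax:classid="{{{classid}}}" ax:persistence="persistStreamInit"/>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.xml", ax_xml)
    return buf.getvalue()

if __name__ == "__main__":
    print("flash embedded:", has_embedded_flash(build_sample_docx(FLASH_CLSID)))
```

Point `has_embedded_flash` at the bytes of a real .docx/.xlsx/.pptx to check it; a True result means opening the file in a protected Office process should produce the EMET ASR popup described above.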

And if all of the above sounds like too much work, well, here you go: http://1drv.ms/1ALMK1t. The zip file has all 3 file types in it with the flash object already embedded. Enjoy.

Kurt

Comments (7)

  1. Anonymous says:

    Sorry about that, I think I had it password protected for passing through email. The password is probably emet or asr, I believe. I’ll work on getting one up that isn’t pw protected.

  2. Anonymous says:

    Just realized I didn’t respond to a comment, and I usually try to. Anyway, the answer here is that the ASR feature, unlike most of the other memory mitigations, does not crash the complete application. It just stops the module(s) that are supposed to be blocked from loading. In the case with these files it blocks flash.ocx from loading within the, say, winword.exe process. Winword.exe can keep functioning no problem without flash loading in it, thus you don’t see the application crash. If you used Process Explorer to look at loaded modules in the winword.exe process you would not be able to find flash.ocx within the process.

  3. Kam Patel says:

    Kurt,
    I have downloaded the files from the link but they have password set. Can you please share the password?

    Thanks,
    -Kam

  4. Kam Patel says:

    Kurt,
    Password is asr.
    Thanks,
    Kam

  6. John says:

    ASR doesn’t actually block it? If you open the Excel or doc file, the popup comes up but it still allows the application to run, is that the norm?

  7. Adam Piggott says:

    The EMET tester program is really helpful, thanks! Just trying out EMET 5.5 Beta on Win 7 and I am not sure it’s working correctly.