Testing the ASR feature for Office documents in EMET 5.0
Had a customer recently ask me how to test the ASR feature for EMET 5.0, so I figured I would write this up to help others as well. Keep in mind there are two different sets of programs that utilize ASR: one is IE, and the other is the Office programs, or more specifically Word, Excel and PowerPoint, in our defaults or Recommended set of programs. This post will focus specifically on creating some Office documents that will get ASR to trigger.
First thing to realize is that we are only blocking flash.ocx for winword.exe/excel.exe/powerpnt.exe as seen in the photo below.
In order to test ASR for these, I need documents of these types that have embedded Flash content in them. The process for creating a document with embedded Flash content is pretty much the same for all three. The main trick is that you don’t even really need “content”; you just need to insert a blank Flash object, and that’s enough to trigger the protection.
For all three programs you will need the “Developer” tab added to your Office Ribbon (this is all in Office 2013, as an FYI). Add the Developer tab by going to File > Options > Customize Ribbon and then checking the box next to Developer in the right-hand window. Then click OK/Apply until you are back in the document.
Once in the main program, go to the Developer tab that you just added and insert an ActiveX control / More Controls.
This in turn brings up another window, where you will need to scroll down, select Shockwave Flash Object and click OK.
If you are doing this on a system with EMET 5.0 and the defaults, odds are that right when you insert it you are going to get some sort of error from Word/Excel/PowerPoint, because EMET will block it during the actual insertion. You should also see a popup from EMET saying that the ASR mitigation detected/blocked it in the application you were using. If you want to actually save the file for further testing, you should disable ASR for that application while creating this test file.
And if all of the above sounds like too much work, well, here you go: https://1drv.ms/1ALMK1t (the zip file has all 3 file types in it, with the Flash object already embedded). Enjoy.
Kurt
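Before opening a test document under EMET, it helps to confirm that the file really contains the Shockwave Flash control, so that a missing popup is not mistaken for an ASR failure. The following is an added example, not code from the original post or from EMET: it assumes the test files are saved in the OOXML formats (.docx/.xlsx/.pptx) and reads the control's CLSID from the package's ActiveX parts; the function names and the sample package are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# CLSID registered for the Shockwave Flash ActiveX control
# (the "Shockwave Flash Object" entry in the More Controls dialog).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# OOXML packages keep ActiveX controls under word/, xl/ or ppt/ in activeX/*.xml.
ACTIVEX_PART = re.compile(r"^(word|xl|ppt)/activeX/[^/]+\.xml$", re.IGNORECASE)
CLASSID_ATTR = re.compile(rb'classid\s*=\s*"\{?([0-9A-Fa-f-]{36})\}?"')

def find_activex_classids(document):
    """Return {part_name: CLSID} for each ActiveX part in an OOXML file.
    `document` is a file path or a binary file object."""
    found = {}
    with zipfile.ZipFile(document) as pkg:
        for name in pkg.namelist():
            if not ACTIVEX_PART.match(name):
                continue
            match = CLASSID_ATTR.search(pkg.read(name))
            if match:
                found[name] = match.group(1).decode("ascii").upper()
    return found

def has_flash_control(document):
    """True if any embedded ActiveX control is the Flash control."""
    return FLASH_CLSID in find_activex_classids(document).values()

def build_sample(prefix, clsid):
    """Constructed sample: a minimal in-memory package with one ActiveX part.
    It is not a valid Office document, only enough structure for the scan."""
    xml = ('<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
           'ax:classid="{%s}" ax:persistence="persistStreamInit"/>' % clsid)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr(prefix + "/activeX/activeX1.xml", xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Usage: python check_flash.py test.docx test.xlsx test.pptx
    for path in sys.argv[1:]:
        print(path, has_flash_control(path), find_activex_classids(path))
```

A file that reports `False` here will not exercise the flash.ocx block, whatever EMET's configuration is.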
Comments
- Anonymous
January 01, 2003
Sorry about that think I had it password protected for passing through email. The password is probably emet or asr I believe. I'll work on getting one up that isn't pw protected.
- Anonymous
January 01, 2003
The comment has been removed
- Anonymous
September 11, 2014
Kurt,
I have downloaded the files from the link but they have password set. Can you please share the password?
Thanks,
-Kam
- Anonymous
September 11, 2014
Kurt,
Password is asr.
Thanks,
Kam
- Anonymous
September 18, 2014
The comment has been removed
- Anonymous
November 04, 2014
ASR doesn't actually block it? If you open the excel or doc file, the pop up comes up but it still allows the application to run, is that the norm?
- Anonymous
October 16, 2015
The EMET tester program is really helpful, thanks! Just trying out EMET 5.5 Beta on Win 7 and I am not sure it's working correctly.