This article covers the scenario where you want to operate PI ProcessBook in an environment that requires a higher level of protection against cyberattacks. As a legacy product, PI ProcessBook does not implement all the mitigations now available.
Users can run PI ProcessBook under Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). EMET is designed to detect and block exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.
EMET Security Mitigations usable with PI ProcessBook
- Data Execution Prevention (DEP)
- Structured Exception Handler Overwrite Protection (SEHOP)
- Null Page Protection
- Heap Spray Allocation Protection
- Export Address Table Filtering (EAF)
- Export Address Table Filtering Plus (EAF+)
- Mandatory Address Space Layout Randomization (ASLR)
- Bottom Up Address Space Layout Randomization
- Load Library Check – Return Oriented Programming (ROP)
- Memory Protection Check – Return Oriented Programming (ROP)
- Caller Checks – Return Oriented Programming (ROP)
- Simulate Execution Flow – Return Oriented Programming (ROP)
- Stack Pivot – Return Oriented Programming (ROP)
Both Procbook.exe and Pbshell.exe should be added to EMET. You can use Attack Surface Reduction (ASR) to prevent a specific add-in from being loaded.
PI ProcessBook version 2015 R2 (3.5.1) and earlier may display an EMET warning upon exit.
Prevent the EMET warning by unchecking the EMET DEP mitigation for Procbook.exe (Windows DEP will still be enforced by the operating system without a warning on exit). Process Explorer can be used to verify Windows DEP status. Below is a Process Explorer screenshot showing Procbook.exe running with EMET and EMET DEP unchecked. It shows Procbook.exe still using DEP.
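The same DEP check can be scripted instead of read from Process Explorer. The following PowerShell is an added example, not OSIsoft or Microsoft code; it queries the Windows API `GetProcessDEPPolicy` for the two processes named above. `Get-DepStatus` is a hypothetical helper name, and the script assumes the processes are 32-bit and running in the current user's session.

```powershell
# Added example (not OSIsoft code). Get-DepStatus is a hypothetical helper name.
# Assumes 32-bit PI ProcessBook processes running in the current user's session.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(
    IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
$k32 = Add-Type -MemberDefinition $sig -Name DepQuery -Namespace Win32 -PassThru

function Get-DepStatus {
    param([string[]]$Name = @('Procbook', 'Pbshell'))

    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        Write-Warning "None of these processes are running: $($Name -join ', ')"
        return
    }
    foreach ($p in $procs) {
        $flags = [uint32]0
        $permanent = $false
        $status = 'Unknown'
        try {
            # Process.Handle throws if the process cannot be opened (other user, elevated)
            if ($k32::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
                # Bit 0x1 = PROCESS_DEP_ENABLE
                $status = if ($flags -band 0x1) { 'Enabled' } else { 'Disabled' }
            } else {
                # The API supports 32-bit processes only; a 64-bit target fails here
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                $status = "Query failed (Win32 error $err)"
            }
        } catch {
            $status = "Cannot open process: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Name      = $p.ProcessName
            Id        = $p.Id
            DEP       = $status
            Permanent = $permanent
            # Bit 0x2 = PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
            AtlThunkEmulationOff = [bool]($flags -band 0x2)
        }
    }
}

Get-DepStatus | Format-Table -AutoSize
```

Run it while PI ProcessBook is open; a `DEP` value of `Enabled` for Procbook.exe after unchecking the EMET DEP mitigation confirms that the operating system is still enforcing DEP.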
EMET 5.2 was the current version at the time this KB was written. EMET is designed for frequent updates and users are encouraged to update EMET as new mitigations become available. Mitigations in EMET are optional. Any issues reported to OSIsoft about enhanced mitigations will be remedied and/or identified in this KB.
More information about EMET can be found on Microsoft’s Security TechCenter.
EMET support is being discontinued by Microsoft. The new guidance is to run Windows 10 with all the latest updates. See Microsoft's End of Support policy for EMET https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/