Wilders Security Forums  

  #26  
Old May 17th, 2012, 04:12 PM
MessageBoxA MessageBoxA is offline
Regular Poster
 
Join Date: Jun 2011
Posts: 52
Default Re: Introducing EMET v3

Quote:
Originally Posted by 1chaoticadult
It's using 12 MB of RAM for me. If it's really that bothersome, why not just disable it and be done with it? Just saying...

The executable EMET_notifier.exe spawns around 10 threads, and since we know that the default stack size per thread is 1MB, we can infer that the minimum amount of memory that would likely remain referenced and in the 'working set' would probably be around (1*10) Megabytes + sizeof(executable image) + heap, for a minimum of a little over 10 or 11 MB.

However if you use an application such as Process Explorer to inspect a bit further you will find that it references over 500MB in the pagefile (the Virtual Size column).

This might not be an issue for people with a recent model workstation and plenty of RAM. But there are many millions of people in the world that are still using older machines with much less resources. It would be great if they were able to use these security tools with very little performance impact. Unfortunately it seems the Microsoft internal policy of promoting the .NET framework interferes with releasing a native GUI.

Best Wishes,
-MessageBoxA
  #27  
Old May 17th, 2012, 07:03 PM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,997
Default Re: Introducing EMET v3

Quote:
Originally Posted by MessageBoxA
This might not be an issue for people with a recent model workstation and plenty of RAM. But there are many millions of people in the world that are still using older machines with much less resources. It would be great if they were able to use these security tools with very little performance impact. Unfortunately it seems the Microsoft internal policy of promoting the .NET framework interferes with releasing a native GUI.

You tested this on said machine to make sure it's not dynamically set based on available resources or are you making assumptions?
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #28  
Old May 19th, 2012, 10:00 AM
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: Introducing EMET v3

Hello Thread:

I installed EMET v3 yesterday fresh. I removed v2 first, cleaned up register then defragged for good measure.

As far as resource use on W7 64 bit 8GB notebook, here is my data.

CPU=0
WS RAM=51,348 k
Peak RAM=51,352 k
Private RAM=31,984 k
I/O writes=162,367
Threads=7

This resource usage is:

< explorer
< eset v5 an av product
< OP FW Pro 7.5.2

Your mileage may vary

I also note that the notifier has not yet asked for www access.

If it does it will be blocked as I have no FW rule allowing any access for it.

It set itself up to be able to terminate processes, so I blocked that as I don't mind being notified but I want to control if the process should terminate or not.

Comment away
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #29  
Old May 19th, 2012, 11:17 AM
soccerfan soccerfan is offline
Regular Poster
 
Join Date: Oct 2007
Posts: 157
Default Re: Introducing EMET v3

Quote:
Originally Posted by MessageBoxA
...If I have some free time this weekend I will write a native nemet_notifier.exe application and update the NEMET package.

Will the ability of the NEMET package to "install and configure EMET on ComputerA and export all of the
settings and package all of the binaries into a redistributable package ready for installation on ComputerB"
work if ComputerA is Windows XP3 Pro and ComputerB is XP2 Home? Thanks.
__________________
soccerfan

Last edited by soccerfan : May 20th, 2012 at 08:08 AM.
  #30  
Old May 19th, 2012, 11:25 AM
ronjor ronjor is offline
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,204
Default Re: Introducing EMET v3

Quote:
What are the requirements for using EMET?

On Windows XP and Windows Server 2003 operating systems, the Microsoft .NET Framework 2.0 must be installed for EMET to work. There are no other special requirements for any other supported version of Windows.
http://support.microsoft.com/kb/2458544
  #31  
Old May 19th, 2012, 01:03 PM
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: Introducing EMET v3

Quote:
Originally Posted by ronjor


Thanks Ron.

Good thing I kept Microsoft .NET Framework 2.0!!
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #32  
Old May 19th, 2012, 05:09 PM
BoerenkoolMetWorst BoerenkoolMetWorst is offline
Very Frequent Poster
 
Join Date: Dec 2009
Location: Outer space
Posts: 2,054
Default Re: Introducing EMET v3

Quote:
Originally Posted by skudo12
According to my experience, the notifier will only work for applications that are added into EMET, so it will probably not notify with the java installer unless you added it into EMET. (which is weird) lol. I'm not too sure though.
I just tested it, and EMET indeed did not notify when it crashed, Java fixed it by the way, had to download an older version for it to crash.
  #33  
Old May 19th, 2012, 07:29 PM
Tsast42 Tsast42 is offline
Regular Poster
 
Join Date: May 2012
Location: United Kingdom
Posts: 137
Default Re: Introducing EMET v3

I vote for a snappier OS and no EMET. Lower system performance and stability can be a price worth paying to prevent infection, but to suffer this cost just for the benefit of making certain trajectories more difficult is a different level of asceticism, one which for me is not worth it by a long shot.

Last edited by Tsast42 : May 19th, 2012 at 10:12 PM.
  #34  
Old May 21st, 2012, 03:52 PM
tomazyk tomazyk is offline
Frequent Poster
 
Join Date: Dec 2006
Location: Slovenia
Posts: 601
Default Re: Introducing EMET v3

Disabling Notifier through Registry trick does not prevent Emet_notifier from loading at startup for me. Even after reboot the application still loads at startup.

The only way to disable loading the app is to disable it through Autoruns or other startup managing software. But this solution is only temporary. Next time I launch the GUI it starts Windows Installer and adds the missing autorun key back to the registry (it's repairing the installation every time it is run).

So for now the only solution for me is to right-click the icon and choose Exit after each restart. I hope they will put more options in the next release.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •

  #35  
Old May 24th, 2012, 03:58 PM
prius04 prius04 is offline
Very Frequent Poster
 
Join Date: Apr 2007
Location: USA
Posts: 1,040
Default Re: Introducing EMET v3

Quote:
Originally Posted by tomazyk
Disabling Notifier through Registry trick does not prevent Emet_notifier from loading at startup for me...
Me neither and the Notifier continues to sit in my system tray (unless and until I exit out of it).

This, in itself, doesn't really bother me, though. However, I am now wondering whether the Notifier will actually "notify" me of anything after having disabled the Notifier through the registry trick outlined above.

I mean, if it's going to run regardless, should I just remove that registry entry?
  #36  
Old May 24th, 2012, 10:50 PM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 919
Default Re: Introducing EMET v3

Quote:
Originally Posted by tomazyk
Disabling Notifier through Registry trick does not prevent Emet_notifier from loading at startup for me. Even after reboot the application still loads at startup.

The only way to disable loading the app is to disable it through Autoruns or other startup managing software. But this solution is only temporary. Next time I launch the GUI it starts Windows Installer and adds the missing autorun key back to the registry (it's repairing the installation every time it is run).

So for now the only solution for me is to right-click the icon and choose Exit after each restart. I hope they will put more options in the next release.
I guess you've found a bug? lol
  #37  
Old June 20th, 2012, 11:58 AM
ronjor ronjor is offline
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,204
Default Re: Introducing EMET v3

Quote:
EMET exploit mitigation tool reports the cause of a crash


Microsoft's Enhanced Mitigation Experience Toolkit (EMET) now notifies users when a process has been stopped (crashed) because a protective mechanism was activated by the hardening tool. The new feature was introduced with the recent 3.0 release of EMET, which is also designed to be easier to use in enterprise environments.
http://www.h-online.com/security/new...h-1621983.html
  #38  
Old June 20th, 2012, 12:49 PM
Arcanez Arcanez is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 278
Default Re: Introducing EMET v3

is there any good reason to upgrade from v2.1 to v3.0?
__________________
AppGuard - Deep Freeze - EMET - Drive SnapShot - OpenDNS - NAT Router
  #39  
Old June 20th, 2012, 12:55 PM
1chaoticadult 1chaoticadult is offline
Very Frequent Poster
 
Join Date: Oct 2010
Location: Chaotic Land
Posts: 2,219
Default Re: Introducing EMET v3

Quote:
Originally Posted by Arcanez
is there any good reason to upgrade from v2.1 to v3.0?

No there isn't.
__________________
OS Hardening + Applocker + ExploitShield + EMET + HitmanPro
  #40  
Old June 20th, 2012, 04:28 PM
adrenaline7 adrenaline7 is offline
Regular Poster
 
Join Date: Apr 2011
Posts: 125
Default Re: Introducing EMET v3

The only possible benefit of v3 is using the log to see what is/isn't working in EMET or for errors. If I open EMET 2.1 it will show a green check next to what is running under EMET, so not sure if there is a benefit to the logging either really....
  #41  
Old June 24th, 2012, 12:49 AM
safeguy safeguy is offline
Frequent Poster
 
Join Date: Jun 2010
Location: Singapore
Posts: 895
Default Re: Introducing EMET v3

Quote:
Originally Posted by tomazyk
Disabling Notifier through Registry trick does not prevent Emet_notifier from loading at startup for me. Even after reboot the application still loads at startup.

The only way to disable loading the app is to disable it through Autoruns or other startup managing software. But this solution is only temporary. Next time I launch the GUI it starts Windows Installer and adds the missing autorun key back to the registry (it's repairing the installation every time it is run).

So for now the only solution for me is to right-click the icon and choose Exit after each restart. I hope they will put more options in the next release.

I'm experiencing the exact same thing. Anyone has any news on the matter??
__________________
Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security...
  #42  
Old June 24th, 2012, 08:46 AM
Function Function is offline
Regular Poster
 
Join Date: Feb 2012
Location: UK
Posts: 64
Default Re: Introducing EMET v3

I have a game that I am trying to run and it cannot run on my PC. I was wondering if EMET is the issue.

Anyway, how does one completely disable EMET for a short while?

I can set both DEP and ASLR to Disable.

SEHOP however has to be either "Opt In" or "Opt Out". Which setting should I choose to ensure that EMET is fully disabled for all applications not listed in the "Configure Apps" section?
  #43  
Old June 24th, 2012, 02:08 PM
1chaoticadult 1chaoticadult is offline
Very Frequent Poster
 
Join Date: Oct 2010
Location: Chaotic Land
Posts: 2,219
Default Re: Introducing EMET v3

Quote:
Originally Posted by Function
I have a game that I am trying to run and it cannot run on my PC. I was wondering if EMET is the issue.

Anyway, how does one completely disable EMET for a short while?

I can set both DEP and ASLR to Disable.

SEHOP however has to be either "Opt In" or "Opt Out". Which setting should I choose to ensure that EMET is fully disabled for all applications not listed in the "Configure Apps" section?

"Opt In" is what you want.
__________________
OS Hardening + Applocker + ExploitShield + EMET + HitmanPro
  #44  
Old June 25th, 2012, 01:31 AM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,431
Default Re: Introducing EMET v3

Best software MS ever released.
I'm gonna review this latest version soon.
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #45  
Old July 1st, 2012, 12:20 PM
STV0726 STV0726 is offline
Frequent Poster
 
Join Date: Jul 2010
Posts: 868
Default Re: Introducing EMET v3

Hey everyone...I'm considering getting this version.

When you install this over EMET 2.1, does it keep your app and system settings?

Thanks.
__________________
~ STV0726
OS: Windows 7|SRP|SUA|UAC|EFS|EMET|Firewall|Backup
Resident: Webroot SecureAnywhere 2013|Sandboxie
On-Demand: MBAM|SAS|HMP|Comodo CE|Secunia PSI
Browser: Firefox|Web of Trust|Adblock Plus|NoScript
Hardware/Other: Linksys Router|Norton ConnectSafe DNS
  #46  
Old July 1st, 2012, 01:37 PM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,431
Default Re: Introducing EMET v3

The answer is yes!
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #47  
Old July 1st, 2012, 01:44 PM
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: Introducing EMET v3

Quote:
Originally Posted by Mrkvonic
Best software MS ever released.
I'm gonna review this latest version soon.
Mrk


I agree! I can't believe it but I only wish they had done as well with their operating systems over the years. IMHO of course.

When you are done your review I would like to read it.

Oh, yes I have V3 installed.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #48  
Old July 1st, 2012, 02:56 PM
xxJackxx xxJackxx is offline
Very Frequent Poster
 
Join Date: Oct 2008
Location: USA
Posts: 2,535
Default Re: Introducing EMET v3

Quote:
Originally Posted by Function
I have a game that I am trying to run and it cannot run on my PC. I was wondering if EMET is the issue.

Anyway, how does one completely disable EMET for a short while?

I can set both DEP and ASLR to Disable.

SEHOP however has to be either "Opt In" or "Opt Out". Which setting should I choose to ensure that EMET is fully disabled for all applications not listed in the "Configure Apps" section?

If a game is crashing it is probably DEP. You can choose Opt Out and if needed set an exclusion for the game. Then you will not constantly have to reboot as one is required for changes to the DEP/SEHOP/ASLR settings.
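
A read-only check of the system-wide DEP, SEHOP and ASLR policy discussed in the replies above, added here as an illustration; it is not part of any poster's message or of EMET itself. It uses the WMI property and registry values Windows documents for these settings, and the helper name `Get-RegValue` is hypothetical.

```powershell
# Added example (not from the thread): read-only report of the system-wide
# DEP, SEHOP and ASLR policy. Nothing is changed on the machine.

function Get-RegValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# DEP: policy reported by Win32_OperatingSystem.
$depNames = @{ 0 = 'Always Off'; 1 = 'Always On'; 2 = 'Opt In'; 3 = 'Opt Out' }
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$dep = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

# SEHOP: DisableExceptionChainValidation, 0 = on for every process, 1 = off.
$kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$sehopRaw  = Get-RegValue -Path $kernelKey -Name 'DisableExceptionChainValidation'
if     ($null -eq $sehopRaw) { $sehop = 'Not set (OS default)' }
elseif ($sehopRaw -eq 0)     { $sehop = 'Opt Out (on unless a process is excluded)' }
else                         { $sehop = 'Opt In (off unless a process opts in)' }

# ASLR: MoveImages, 0 = never relocate, -1 (0xFFFFFFFF) = always relocate,
# absent or any other value = only images built with the dynamic-base flag.
$mmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$moveRaw = Get-RegValue -Path $mmKey -Name 'MoveImages'
if     ($null -eq $moveRaw)  { $aslr = 'Opt In (not set, OS default)' }
elseif ($moveRaw -eq 0)      { $aslr = 'Disabled' }
elseif (($moveRaw -eq -1) -or ($moveRaw -eq 4294967295)) { $aslr = 'Always On' }
else                         { $aslr = 'Opt In' }

[pscustomobject]@{
    DEP   = $dep
    SEHOP = $sehop
    ASLR  = $aslr
} | Format-List
```

As the post above notes, changes to these settings need a reboot, so run the check after restarting to confirm what is actually in force.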
  #49  
Old July 4th, 2012, 02:32 PM
Function Function is offline
Regular Poster
 
Join Date: Feb 2012
Location: UK
Posts: 64
Default Re: Introducing EMET v3

Quote:
Originally Posted by xxJackxx
If a game is crashing it is probably DEP. You can choose Opt Out and if needed set an exclusion for the game. Then you will not constantly have to reboot as one is required for changes to the DEP/SEHOP/ASLR settings.

Thanks for the information. I disabled everything and the game ran. Finally, after months of trying to figure out the problem, it was being caused by EMET.

I did what you said and chose to keep EMET running as normal and just disable the use of EMET on that game itself.

Now everything is working fine and the game runs smoothly.
  #50  
Old July 7th, 2012, 11:16 AM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,431
Default EMET v3 - More of the best

While the security world is busy spreading meaningless fear and drama around the birth of Flamer and similar things, Microsoft has released an update to the best security software ever created, their Enhanced Mitigation Experience Kit (EMET). Please enjoy an enthusiastic review of EMET v3.0, with numerous improvements and new features, including easy installation over existing versions, preservation of configured applications, protection profiles, enhanced grammar with wildcard rules, group policy and SCCM integration, reporting to Event Log, and more. It's funny how this product comes from the same oven that forged the Metro failure, go figure. But it's good, and you should use it. Read on.

http://www.dedoimedo.com/computers/windows-emet-v3.html


Cheers,
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
 
