Introducing EMET v3

[funkydude]

Interesting, thanks for checking HM. I guess we'll know the answer if it's crashing or not in the final version.

[zakazak]

I wonder if EMET could slow down windows? My EMET.xml has ~160kb and pretty much all my apps included:

*link deleted*

@edit: WinSCP is missing in that list.

[Hungry Man]

EMET shouldn't slow anything down. It's like saying "ASLR has a hit on performance" - technically it does but it's completely negligible. Unless you're on 128mb of RAM and every bit counts you'll be fine.

[zakazak]

But still for every .exe that runs, EMET will have to scan the whole .xml file if the .exe is inside the rules. And every .exe will have to load an additional .dll (emet.dll) ?

[Hungry Man]

It doesn't have to scan anything. And the emet.dll is something like 40kb.

[test]

EMET 3.5 Tech Preview

[funkydude]

Now that is what I call a nice update! Updated and enabled the new protections on a few processes, no issues yet.

Note:

Quote:

EMET 3.5 TP requires uninstalling previous versions of EMET first. Previously configured applications and rules will be retained and will work again after installing EMET 3.5 TP.

[m00nbl00d]

Quote:

Originally Posted by funkydude

Now that is what I call a nice update! Updated and enabled the new protections on a few processes, no issues yet.

Note:

I just hope the kind of prompt mentioned in the blog post goes away when the stable version comes out; I do not wish any of my relatives to have to guess whether they should answer "Yes" or "No", because they won't have any idea.

[test]

Quote:

Originally Posted by funkydude

...enabled the new protections on a few processes, no issues yet.

+ 1

EMETized:
IE, Chrome, Foxit reader, VLC, LibreOffice (Latest versions)

Now i only need to check if Sbxie interfers in some way even if i don't think so...

*Sorry for my poor english*

[Hungry Man]

When it's finally released I think it deserves its own topic. Huge update.

I use "All" for the .xml and I just enabled all of the ROP mitigations for those. Works fine for me. If EMET was hard to bypass before it just got a lot harder. Anti-ROP is a big deal, it pairs so nicely with EAF, DEP, and ASLR.

edit: I actually wrote about these mitigation techniques when they came out and how they're not all that strong. They mention the same issues in the technet blog.

[xxJackxx]

Quote:

Originally Posted by Hungry Man

When it's finally released I think it deserves its own topic. Huge update.

Agreed.

Quote:

Originally Posted by Hungry Man

I use "All" for the .xml and I just enabled all of the ROP mitigations for those. Works fine for me. If EMET was hard to bypass before it just got a lot harder. Anti-ROP is a big deal, it pairs so nicely with EAF, DEP, and ASLR.

Good to see it is working fine for you. I was hoping to see someone else post before I actually enabled the ROP settings.

[Hungry Man]

Rebooted into Windows and I haven't had a single crash.

[jdd58]

It looks like the 3.5 Tech Preview has been pulled already.

We are sorry, the page you requested cannot be found.

[puff-m-d]

Quote:

Originally Posted by jdd58

It looks like the 3.5 Tech Preview has been pulled already.

We are sorry, the page you requested cannot be found.

I have no problem reaching the web page...

Did you go here:

http://www.microsoft.com/en-us/downl....aspx?id=30424 ?

[jdd58]

Quote:

Originally Posted by puff-m-d

I have no problem reaching the web page...

Did you go here:

http://www.microsoft.com/en-us/downl....aspx?id=30424 ?

Got it now. Thanks puff-m-d!

[xxJackxx]

2 days of testing on 2 machines. No issues. EMET is probably one of my favorite pieces of software.

[Hungry Man]

https://insanitybit.wordpress.com/20...ech-preview-9/

Wrote a guide. I provided a new XML file that enables all ROP mitigations for every program that comes in the ALL.XML.

Let me know if you get crashes and if so which program/ which mitigation caused it.

[puff-m-d]

Quote:

Originally Posted by Hungry Man

And the emet.dll is something like 40kb.

It used to be in the prior 3.5 versions, but now it has jumped up to 548 kb (or at least that is what I find here).

[STV0726]

Quote:

Originally Posted by Hungry Man

https://insanitybit.wordpress.com/20...ech-preview-9/

Wrote a guide. I provided a new XML file that enables all ROP mitigations for every program that comes in the ALL.XML.

Let me know if you get crashes and if so which program/ which mitigation caused it.

That file you tell people to download...is that basically a template/preset save you made of all things you recommend adding EMET protections for?

If so, I might just love you.

[Hungry Man]

At 548kb you'd need hundreds of application s open with it for there to be a noticeable difference in RAM usage.

@STV,
Import the file and you'll get protection for applications that are specifically configured. The ROP mitigations have not been configured and I put them on for all of the applications by default.

[puff-m-d]

I did not mean to imply that this increase would impact system resources to any great extent but just that the dll itself had increased substantially in size. It just makes me ask if all of the increase was just for the new exploits added or if the exploits already covered were improved in any ways.

[Hungry Man]

Adding the new code for the ROP mitigations is probably why it increased size.

[xxJackxx]

Quote:

Originally Posted by Hungry Man

At 548kb you'd need hundreds of application s open with it for there to be a noticeable difference in RAM usage.

Yeah, I personally could care less about a little RAM usage. I don't see any noticeable slowdown with EMET.

[STV0726]

A question about importing presets other people made:

1) What happens for apps listed that aren't actually installed on your comp? Will the entry just remain there for if you ever do install it or does it cause an error?

2) @Hungry: So importing that has all the apps you recommend using EMET and the mitigations checked on?

[Hungry Man]

@STV,

1) They'll activate when you install the application

2) all.xml is provided by Microsoft with all of *their* configurations. I took all.xml and enabled every ROP mitigation for the applications listed there.

Hence allrop.xml.