EMET - A new Windows security mitigation toolkit

Discussion in 'other software & services' started by Mrkvonic, Dec 17, 2010.

Thread Status:
Not open for further replies.
  1. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    To get things to show up, you need to add the process you want monitored to the Configure Apps section.
     
  2. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Not sure why you're having issues. I have it running on 3 PCs (XP Pro, Win 7 32-bit, Win 7 64-bit) and it has caused no issues. I don't have every single program listed (I have chosen only the apps I believe to be most at risk.)

    As for it being useless or dangerous, that's really at odds with all opinions I've seen. Known bugs with the first version or two, absolutely. But yours is the first such comment I've seen. Maybe something with the VM test bed?
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yep, could be.

    OK, so I set mbam.exe on demand to run under EMET then install the rogue and this is what I get:

    [Screenshots attached: 3.JPG, 1.JPG, 2.JPG]
     
    Last edited: Dec 25, 2010
  4. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    I do not think MBAM is designed to run under EMET.
     
  5. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    I'm afraid that you are not understanding the function of EMET. I would search the mitigation features (like DEP, SEHOP, ASLR) on Wikipedia. EMET prevents, for example, a 0-day exploit in software from being exploited. It does not prevent the program from getting deleted or whatever.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I think you need to read the EMET manual, it's not designed to stop malware from killing exes, it's designed to prevent vulnerabilities from being exploited. For example, opening a malicious PDF file which exploits a known vulnerability in Adobe Reader to get malware to load on the system. The goal is to protect programs like web browsers, PDF readers, office programs etc.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Looks like I was in a hurry as usual.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is there a reason why you added mbam.exe under EMET protection? AFAIK, EMET won't prevent malicious programs from terminating other programs. Its aim is to do its best at preventing vulnerability exploits, which in turn is meant to make it more difficult for infections to happen, if those dangerous apps (web browsers, PDF readers, etc.) are under its protection.

    A proper way to test EMET would be, for example, to test a web browser, say IE, under its protection and go to web sites known to host exploits against IE, and see if it would be successful at giving a hard time to the exploit attempts.

    Please, don't see this as sarcasm, etc. I'm just trying to understand what the purpose of such a test was. In my conception of what EMET aims to do, it would make no sense to conduct such a test.

    I guess the only advantage of adding antimalware apps' exes under EMET protection would be in situations where there could exist a vulnerability in such antimalware apps, which could allow attacks on the system. This would be an advantage, I think. But not to stop malware from terminating/killing other exes, like antimalware apps.
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Probably because of this statement.

     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Mrk!

    For years now I have used 3rd party security products to protect my PCs.

    Way back with W95 it was Norton when it was the king of the AVs.

    Now with 3rd party AVs, HIPS, key-scramblers, 2-way FWs on my W7 64-bit system, I'm wondering or thinking: what if I scrapped that whole set of overhead and relied on the tools that users get from MS for Windows 7?

    1) EUA
    2) EMET
    3) MSE
    4) the MS FW properly set up of course
    5) IE9 in privacy mode

    Lastly, an image backup system.


    If we could persuade AV Comparatives to test setup schemes like this rather than just 1 product versus another, that would be of great interest to me anyway.

    I'm sure there is something wrong with this notion so what do you guys think of this?

    I'm sure the 3rd party guys will pan it, but I wonder what MRK and guys like Stem think?


    Merry Christmas.
     
  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Welcome to the club, there are free cookies.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I still haven't read the article... Just wondered about your testing (Not against it... just curiosity about it. ;)).
    Interesting affirmation in the article... the one you mention. A non-aware person, regarding security, would believe, by reading such an affirmation, that there are no free and valid alternatives to paid solutions. Curious.

    I mostly enjoy this part
    Fair enough... But, I could say the same, say about rollback apps, for example. One is merely reacting by rolling the system back to a clean state. No true prevention exists; only reaction. The harm has been done... one is just undoing it.

    Now, something like Sandboxie... this is another conversation. With such apps, we do have prevention as our main target.

    Just like with EMET, for example.

    By the way, how would most people know their systems are infected in the first place, without an antimalware? Not that many, I believe. It would be great, though.

    I do believe that, case by case, different solutions are needed and welcome, and as part of such solutions an antimalware app.

    P.S: @ all, the emphasis has no intentions to bring discussions on the usefulness (or lack of it) of antimalware apps. :)
     
  13. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi


    I am using windows 7 64 bit and am having difficulty in getting the green tick circles to show when EMET is covering applications. It seems very sporadic. Also when Opera browser is Sandboxed the green tick icon does not show under EMET column.

    Anyone else experiencing this behaviour?

    Thanks

    Terry
     
  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    The browser isn't running in Windows per se. It's in the sandbox. Windows only sees the sandbox process running.
     
  15. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Han

    Thanks, BUT:

    1) How do I get windows to see Opera running?

    2) Are you saying that EMET cannot work with sandboxed applications?

    Thanks

    Terry
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Sandboxing adds a layer of complexity. What system calls do you intercept and what memory whatever pages do you restrict - the sandbox or whatever runs inside it?

    AV comparatives = money. So you won't persuade anyone. It's like news that report all is well. No. You need drama and fear to keep people under control and obedient, including spending money.

    You don't need any third-party security at all, but that's as hard as believing santa claus ain't a real person, just a quantum fluctuation.

    Cheers,
    Mrk
     
  17. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I share your feelings really. If I wasn't too lazy to set up SRP, I'd even ditch real time AV.
     
  18. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Leaving our heated debate in the other thread aside....it's not difficult Elapsed. Are you on Win 7x64 home or pro? It shouldn't be any more than a 5 minute job...unless of course you haven't got a LUA/SUA account setup already.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Seriously?

    Go tell that to a family member who very recently got her Windows XP heavily infected. (I didn't set up this environment). It came like that already.

    Right... security software is not needed... That depends on the user and on the O.S. For sure with Windows Vista and 7 you need way less, or none if you're geek enough to apply other measures.

    Who doesn't need security software? Care to explain? A statement like that anyone can make... but who doesn't need it, etc?

    Most likely, if it weren't for me... most of my relatives would be completely screwed. Why? A few points:

    * They have no idea what AppLocker/SRP/etc is, that it exists, and how to set it up;
    * They have no idea what EMET is, and wouldn't know about its existence in the first place.
    * They have no idea there are two main different accounts - Administrator and standard user. When I make mention of such... they say: Ah...

    When we have people like these closer to us, it gets a lot easier to understand the different needs each person will have.

    -Edit-

    Heck! Even yesterday a relative got upset that I had disabled autorun! 2 seconds more to open "My Computer" and go to the USB device letter assigned to the 3GB Internet connection is way too much time to waste!

    It's simply not that easy to change the way some people see computers... They just want to be able to use something as fast as they can... I still haven't enabled autorun, because I want to see how things go... But, most likely I'll have to. I'll install No Autorun, which will provide the added protection that's needed.
     
    Last edited: Dec 26, 2010
  20. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I have some practical experience of this having set up two relatives' laptops with LUA+SRP+EMET. In general it works great and they don't need any third party security apps, although they do have Prevx SOL installed due to historical reasons. They just get on with doing what they do on their laptops and have no knowledge or interest in how it is configured.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You mention something quite interesting. You do it... not them. But, I believe that you explained to them what SRP does, and maybe that they need to either - or you already did it - allow certain stuff to be executed, maybe from a "special" allowed folder?

    Or, that they need to execute something with Administrator rights, because SRP kills the rights to standard users?

    I believe they do understand that and were willing to accept it? Not everyone accepts that... for some, computers and Internet are a blessing and resources to have some fun...

    For such people, Internet is not a risky place... it's fun... Without security software most of these people would be totally screwed. Most are 50% screwed with security software... without it, they'd be 100%. :D
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mrk

    Are you saying that if I am just running EMET, say, on Firefox, and I hit a site that does a silent drive-by download and runs it, EMET will protect the system?

    Pete
     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    As far as I'm aware, drive-by downloads are done via exploits, so technically yes. But also technically no, as you'd need to secure any plugins you had in Firefox also.

    Social engineering is a different thing altogether, that's where IE's SmartScreen should kick in (1st party), or Firefox's Google filtering in your case (3rd party).

    edit: We're running under the assumption EMET can block all future exploits which is a false assumption, but that's not what Mrkvonic suggested. SRP, ASLR, etc all these things are 1st party not 3rd.
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I haven't explained it to them and haven't had a need to so far because there's been no issues with it. They get to use their laptops as normal but stay protected. However, that's all they get to do - use their laptops as they are already. Anything new that needs to be installed they can't do by themselves - they don't even know the admin password.

    Not everybody would accept this approach but in this case it works with these users.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    The emphasis is on should. But given a software condition where you can run arbitrary code outside the memory pages of the "trusted" application, which could lead to a download and installation of malicious software, EMET should provide the required protection.

    Can it guarantee 100%? Most likely not, but the whole beauty of it is that it will block any code trying to run in pages outside the allocated segments, regardless of its nature. EMET does not block malware - it blocks badly coded programs.

    It's the same as a limited account. The whole thing is, you don't allow programs to pollute the memory, touch devices or exceed their boundaries. Many programs try to do the same, via all sorts of permissions and sandboxes, so why not use a Microsoft solution. After all, they should know the architecture of their system better than anyone else.

    Peter, power your vms and test ... that's the best way.

    In general: limited account and proper permissions - 99.9999999% hassle free.

    moon, would you drive a car without proper qualifications? I don't know why people think computers are any different. You misuse them and then you wonder how come it all went wrong. What's needed is not skill, it's the correct setup. If you give admin rights to someone who's not qualified to use the computer, they will eventually cause damage. As simple as that.

    Cheers,
    Mrk
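
What posts 5, 6 and 25 describe (DEP stopping "any code trying to run in pages outside the allocated segments") is easiest to see in a few lines of C. The program below is an added example written for this page; it is neither EMET's code nor any poster's. It uses Linux/POSIX mmap() and mprotect() as a stand-in for the Windows VirtualAlloc()/VirtualProtect() page protections that DEP enforces, and it assumes an x86-64 or AArch64 CPU (the two "return 42" stubs are the only architecture-specific bytes; any other CPU reports "unsupported"). The stub is written into a read/write data page, which is where shellcode delivered through a buffer overflow lands on a stack or heap, and the program jumps into it twice: once with the page left non-executable, which the CPU refuses, and once after changing the page to read/execute, which runs.

```c
/* Added example for this page (not EMET's code, not any poster's): the DEP/NX
 * principle on Linux/POSIX.  mmap()/mprotect() stand in for the Windows
 * VirtualAlloc()/VirtualProtect() page protections that DEP enforces.
 * Assumes x86-64 or AArch64 for the "return 42" machine-code stub. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { RUN_BLOCKED = -2, RUN_UNSUPPORTED = -1 };

static sigjmp_buf fault_env;

/* Instruction fetch from a non-executable page raises SIGSEGV (SIGBUS on some
 * systems); unwind back into run_from_data() instead of letting the process die. */
static void fault_handler(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copy a tiny "return 42" routine into out; returns its length, 0 on an unknown CPU. */
static size_t write_stub(unsigned char *out, size_t cap)
{
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                          0xC3 };                        /* ret         */
#elif defined(__aarch64__)
    static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                          0xC0, 0x03, 0x5F, 0xD6 };      /* ret         */
#else
    (void)out; (void)cap;
    return 0;
#endif
    if (sizeof stub > cap) return 0;
    memcpy(out, stub, sizeof stub);
    return sizeof stub;
}

/* Place the stub in a fresh data page and jump to it.
 *   make_executable == 0: page stays RW, as DEP keeps stacks and heaps
 *   make_executable == 1: page is changed to RX first (what a JIT or loader does)
 * Returns 42 if the stub ran, RUN_BLOCKED if the CPU refused to execute from the
 * non-executable page, RUN_UNSUPPORTED if the CPU or the mapping is unavailable. */
int run_from_data(int make_executable)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *volatile code = mmap(NULL, page, PROT_READ | PROT_WRITE,
                                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) return RUN_UNSUPPORTED;

    size_t n = write_stub(code, page);
    if (n == 0) { munmap(code, page); return RUN_UNSUPPORTED; }

    if (make_executable) {
        /* W^X: drop write before granting execute, never hold both at once. */
        if (mprotect(code, page, PROT_READ | PROT_EXEC) != 0) {
            munmap(code, page);
            return RUN_UNSUPPORTED;
        }
        __builtin___clear_cache((char *)code, (char *)code + n);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)code;
        result = fn();            /* faults here when the page is not executable */
    } else {
        result = RUN_BLOCKED;     /* arrived via fault_handler() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(code, page);
    return result;
}

int main(void)
{
    int blocked = run_from_data(0);
    int allowed = run_from_data(1);
    printf("RW page (DEP-style):  %s\n",
           blocked == RUN_BLOCKED ? "execution refused by the CPU" :
           blocked == 42          ? "stub RAN: no NX enforcement here" : "unsupported");
    printf("RX page (opted out):  %s\n",
           allowed == 42 ? "stub ran and returned 42" : "unsupported");
    return 0;
}
```

Build with `cc dep_demo.c -o dep_demo` and run it. The refused attempt is what DEP turns into a crash of the exploited process instead of a running payload, which is the "it blocks badly coded programs" behaviour Mrkvonic describes: the mitigation does not care what the bytes are, only that they sit in a page that was never meant to hold code. It also shows the limit of DEP on its own: an exploit that reuses code already in executable pages (return-oriented techniques) is not stopped by this check, which is why EMET layers SEHOP and ASLR on top of it rather than relying on DEP alone.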
     