EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Who knows how to use "Certificate trust" - is it just a matter of enabling it and loading the "Cert Trust" template?
     
  2. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
    It's better to uninstall 4.1 because they create different directories.
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    After installation of 5.0 the folder EMET4.1 got deleted by EMET itself.
     
  4. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
  5. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Completely and totally useless for me on XP! (Fresh, new install.) Is it working for anyone else? Am I missing something??

    SdbHelper.dll doesn't seem to work in this version... I got an error about it on install and it also appears when trying to configure apps. Unbelievable, if it wasn't even tested? SdbHelper contains the SDB/AppCompat stuff (functions) for XP that's included with Vista and newer. I didn't try upgrading on main system, so I don't know if anything would work if the existing AppCompat database stuff is preserved (e.g. not attempted to be rewritten).

    The SdbHelper stuff is what I needed to work out and borrow/use for OpenEMET (no, not abandoned :isay:). EMET actually installs it on non-XP systems too, even though it's not needed -- not used as far as I could tell since things still worked when I deleted it on 7...
     
  6. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep. It doesn't support XP.

    Pete
     
  8. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
    That's sort of at odds with M$ recently released statement about continuing to provide anti-malware support 'til 2015. Or does EMET not fit the bill?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes and no. They are providing anti-malware support in terms of updates for the existing software. But Emet 5.0 is kind of ground up, and I don't see they would try to include XP at this point.

    Anyway, it is what it is. The system requirements leave out XP.

    Pete
     
  10. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
    I see, appreciate your clarifying.
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Same thing here with SdbHelper.dll under XP. Also says agent is not running as admin when trying to open the GUI, even though it is.

    Finally the default install doesn't seem to include firefox and chrome anymore. Are there any other apps that have been dropped from the list?
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Good news!
     
  13. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    371
    Location:
    DownUnder
    Installed 5 in Windows 7 and 8 Pro – Max Settings – only issue (so far) encountered has been with iTunes – disabled mandatory ASLR and now it appears to be working OK.
     
  14. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    (An XP update!)

    Forgot to check the system requirements, which I meant to do. I thought I'd seen XP mentioned in the announcement post about it, but I was thinking of the article I had just (re)read about bypassing EMET 4, etc.

    Anyway, I thought OK fine, if the interface part doesn't work in XP, but the actual EMET.dll protection component is XP-compatible, that means OpenEMET would allow configuration... So I just swapped in 5's EMET.dll on main system with 4 installed. But, nope! DLL initialization error (C runtime/msvcrt.dll function(s)). :( I tried playing with it a bit the other day to see if I could get it to work somehow modifying some things, but I don't know enough about it, and it probably can't work anyway. o_O

    There's no reason for SdbHelper.dll to be there if no XP support, as it just provides Vista+ compatibility...

    And yeah ZVL, I forgot to mention the bogus error about needing to run as Administrator.


    But then what do I see last night?? (I think my e-mail/forwarding is acting weird since I never got a Twitter notification.)

    Tweet from the MS security/EMET guy -- it sounds like XP will be supported: "Likely to be two different builds at RTM, one for XP/WS03 & one for other. Ran out of time for the TP tho." https://twitter.com/jness/status/439260394943557633

    Don't get why there'd need to be 2 different builds all of a sudden o_O, but hey, if there's XP support, whatever. :D :cool: I wonder if the final version will come before XP's support ends...?
     
  15. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I returned to 4.1 as with 5.0 the icons in the tray become unresponsive and some apps freeze after a while. Even Advanced Uninstaller (it doesn't work with DEP) cannot start, even though I set DEP to Opt Out.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    One thing I don't like about these findings is the potential bias they create. Let's say there are several products out there with mitigations against exploits or payloads. Yet only one of them is in the constant focus of professionals and they bypass it. The other products are circumventable as well, but the professionals just don't test them. The average user reads: "EMET bypassed!" "EMET bypassed yet again!" and so on. Same with the Sandboxie findings.

    So we got people thinking now that EMET and Sandboxie are worthless. There are no bypass headlines for other products out there so they must be better, of course... I just wish they would tear through the other products as well. Then we would probably get headlines like:

    "Complete Chromium sandbox bypass thanks to non-ASLR enabled web-av" or
    "Chromium sandbox escape thanks to third-party security app dll injection" or
    "Third-party security app actually increasing attack surface in case of advanced persistent threats in a corporate high value target scenario"

    Please, dear professionals, just pentest the living !"§$%&/ out of the other !"§$% as well and show their actual benefit and possibly the additional holes they create, which wouldn't even be there if it weren't for these products. And if you don't, just put one line at the end of your findings: "Just in case you're wondering: the other crap isn't any better and it's not even free."
     
  18. Back in XP, there was only DEP and 90% of the home users were running Admin.

    Exploit protection was based on keeping your system updated.

    Today's protection is much stronger (OS + EMET)

    95% of the malware is based on existing exploit kits

    White hat scoops versus M$ EMET improvements are great.

    They lower effectiveness of old exploit kits and reduce number of infections.

    I am as happy with EMET bypasses as Sheldon is when upgrading his favourite Linux distro: Ubuntu

    :D
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Keep in mind that not every vulnerability is going to be exploitable in these ways - having an arbitrary write will certainly bypass EMET, but a really basic heap overflow might not, for example. And it is likely that they had to use a separate vulnerability, an information leak, to get around it.

    It still has significant value, and nothing about it being 'userland' has to do with that (except the anti-ROP features, which have always been dumb).
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Yes, EMET is still a good anti-exploit tool.
    And I also think that they should try to bypass the competitors instead of just one program.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, I'm also not that worried when EMET and other anti-exploit tools are bypassed.

    On the other hand, I do think the next step is making security tools act as hypervisors, see link.

    So basically, if your HIPS is bypassed, there is still another layer that needs to get hacked. :)

    http://www.darkreading.com/attacks-breaches/researchers-create-hypervisor-based-tool/221600127
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Agreed. We've had 3 bypass reports of MBAE since its first beta and, even though those are not the type of techniques you see in exploits in the wild, each one of them has helped us to make the product better.
     
  23. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    PWN2OWN offer of 150,000 USD for IE 11 modern app with EMET was not challenged by anyone. Some experts claim that the amount is too low, but in India you can employ 14 senior software engineers for 1 year with this amount. The fact that no one even tried to attack it is a very good reason to install EMET and use modern IE.
    P.S. Chrome developers told me that EMET does not add anything to improve security of Chrome.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Sounds like a comment on EMET 1, not 5. I doubt they bother reviewing every version just to see if it adds anything valuable.

    FYI, Chrome running with EMET 5 and all protections enabled shows no issues here.
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    IMO that's because EMET is the most known and probably most used anti-exploit software. Microsoft also promotes it when there are vulnerabilities in their other software. The same can be said for Windows in comparison to Linux and others...

    hqsec
     