EMET (Enhanced Mitigation Experience Toolkit)

Perhaps because of a blocked pop-up that you didn't notice in Firefox?
(Like user "test" had with IE, yesterday.)

 

new hint from MS that now suggest to uninstall the previous EMET 5.2 before installing the new one,

 

How to know if I'm using update 1 or update 2 ? I installed EMET on mar 16, but want to verify if its the latest one.

 

latest one

 

Mine says build time march 13

 

I disabled all plugins. I never received any type of popup from Firefox either. Firefox can be strange sometimes. I run Firefox in safe mode with all plugins disabled, and can not comment on youtube videos either. It blocks the comment box every time. I disabled all my security software also.

 

Noob question here. Can EMET fully replace an antivirus? I would like to keep my Win7 installation as lean as possible and I was wondering whether to have just EMET installed and run Win without any antivirus.

 

No,
EMET is not antivirus software and will only reduce the impact of memory corruption vulnerabilities.

 

Probably mixed content blocking because MS still serves it's downloads over HTTP. You should see a blue/white shield between on the left of the URL bar if that is the case.

 

I wouldn't use EMET on it's own to replace anti-virus software. It's just intended for stopping exploits. Personally, I use EMET to prevent exploits in combination with a well defined application whitelisting setup, to control what executables can run on my system and from where they can run. No anti-virus. But that is not for everyone.

 

And to drive the point home further, EMET is designed to protect a limited number of applications; those that are Internet based in origin. Your PC can get infected from other sources than the Internet. Also EMET has no self-protection mechanism. So if malware did disable EMET, you would have zip protection.

 

ASR is really a great tool: just blocking the scripting dll's in (libre) office, evince and classic media player. Only enable the permanent protections (google for EMET explained), not the speedbumps for known exploits. Since dynamic content can't be executed those half hearted protections causing the troubles are not needed IMO. Like some forum verterans (e.g. Rich and Pete) always say: when it can't execute it can't do harm.

I use MBAE free with EMET, mutually excluding protections. MBAE has different protection for different type of programs. EMET can be configured, but the defaults are to much a 'one size fits all' approach. Because MBAE (free) is dedicated to browsers, it loads faster and has more (accurate) protection layers in place.

MBAE protects browsers and plug-ins (like PDF and Flash). Using chrome for surfing and IE11 for banking (only allowing port 443 through firewall) without add-ons. Fast, free and without problems.

Note: When you use libre office, be sure to block the dll's of python, beanshell, javascript and libre office basic through Libre Office settings and EMET's ASR.

 

EMET 5.2 Bypassed

https://twitter.com/sec_consult/status/578152623771103232/photo/1

https://pbs.twimg.com/media/CAYCv0cWoAEiWeO.png:large

It doesn't look like they have an article or blog post drafted up just yet.

Thanks for the heads up goes to Sampei Nihira over in the Other Software sub-forum here at Wilders.

 

...on Win7 that does not support CFG technology as opposed to 8.1...

CFG = main improvement over previous build and its operation depends upon it running on a “CFG-Aware” version of the WinOS (= 8.1 Update3+)

 

MBAE Disarm:
http://casual-scrutiny.blogspot.it/2014/12/mbae-malware-bytes-anti-exploit-disarm.html

Defeating EMET 5.2:
http://casual-scrutiny.blogspot.it/2015/03/defeating-emet-52.html

"EMET fights tough, more than any public exploit mitigation solution out there. A lot tougher than MBAE and enterprise exploit detection products.
But if we get to study the system, ..."

 

So if I have EMET 5.1, an upgrade isn't called for if I run Win 7?

 

I'm not a security expert nor my English allows me to deepen my thoughts.

What i meant is that you always need to upgrade though a software may perform differently depending on the OS it runs on.

 

Personally, I couldn't think of a better endorsement for using EMET than this. I encourage everyone to read all the details of the "Defeating EMET" link. Author states he has been able to bypass all enterprise to date solutions. How? He does what all hackers do. He reverse engineers the product.

Bottom line - only foolproof method to mitigate exploits is to patch the software vulnerability.

 

https://github.com/r41p41/snippets/blob/master/Emet_5.2_bypass.html

 

Oh yes? You mean that a hacker able to bypass EMET or MBAE will not ever find a non patched vulnerability in any of the other programs that you have installed on your computer?

 

Didn't write that. To elaborate the point, your best defense against exploits is keeping all your software up to date. Next best thing is using a top tiered AV/anti-malware solution. Next level is properly configuring your browser for maximum security. Next level is using EMET.

Case in point. Anyone still using WIN XP is equivalent of waving a red flag in front of a hacker bull.

I have been using PCs since they were invented in the 1980s. I have never been nailed by an exploit. What I have had in the past is a lot of crapware installed on my PC by freebie security software regardless of its source.

 

You could also use apps that are less targeted. So you could switch to another (or less popular) browser, PDF Reader and Office Suite, for example. But I'm not too worried about these bypasses, EMET/MBAE/HMPA is a nice extra layer, but if they get bypassed, the exploit still needs to load the payload, which is most of the time an executable (separate child process), and that should be stopped by anti-exe or white-listing.

 

Antivirus/Antimalware software exploitation. Kudos to Coolcfan for posting this on a thread in the Antivirus Forum.

http://www.slideshare.net/JoxeanKoret/breaking-av-software-33153490

Based on this, adding your AV service .exe to EMET is a must regardless of how difficult it might be.

 

You're right. As of 2015, still correct patching eliminates most of exploits and good AV can prevent most attack by IP/URL reputaion, IPS, browser protection, behavior-based anti-exploit, signature, heuristics, BB, CAMP, and more.
If you only care about common malware and exploit, using XP is not a problem. But if you care about sophisticated attack or targeted, then XP is pretty big risk, especially lack of ASLR is fatal. You'll be surprised if you see how many enhancements are made dureing XP to Vista, and 7 to 8 shift.

That is much discussed in other thread already.
Also some AV don't accept injection so you can't protect, even if you could, consider what this mean. When it is exploited, EMET try to kill the AV process but as any decent AV have self protection, it just cause freezing and no guarantee for exploit prevention. And protecting AV most probably will cause its mulfunction, even when you unchecked EAF (it's necessary, never enable EAF for such software!) which is one of the most important protection EMET offer.

 

AV Test last year did a study on how many AVs had at least DEP and ASLR protection: http://www.av-test.org/en/news/news-single-view/self-protection-for-antivirus-software/

What I find interesting is that the 4 AVs that Koret states are the best as far as exploits go are at the bottom of the heap in the AV Test report? The AV Test report also notes the previously posted link to the Koret study.