Introducing EMET v3

Discussion in 'other security issues & news' started by ronjor, May 15, 2012.

Thread Status:
Not open for further replies.
  1. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Interesting, thanks for checking HM. I guess we'll know the answer if it's crashing or not in the final version.
     
  2. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I wonder if EMET could slow down Windows? My EMET.xml has ~160kb and pretty much all my apps included:

    *link deleted*

    @edit: WinSCP is missing in that list.
     
    Last edited: Jul 21, 2012
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    EMET shouldn't slow anything down. It's like saying "ASLR has a hit on performance" - technically it does but it's completely negligible. Unless you're on 128mb of RAM and every bit counts you'll be fine.
     
  4. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    But still, for every .exe that runs, EMET will have to scan the whole .xml file if the .exe is inside the rules. And every .exe will have to load an additional .dll (emet.dll)?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It doesn't have to scan anything. And the emet.dll is something like 40kb.
     
  6. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
  7. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Now that is what I call a nice update! Updated and enabled the new protections on a few processes, no issues yet.

    Note:
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just hope the kind of prompt mentioned in the blog post goes away when the stable version comes out; I do not wish any of my relatives to have to guess whether they should answer "Yes" or "No", because they won't have any idea. :ouch:
     
  9. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    + 1

    EMETized:
    IE, Chrome, Foxit reader, VLC, LibreOffice (Latest versions)

    Now I only need to check if Sbxie interferes in some way, even if I don't think so...

    *Sorry for my poor English*
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    When it's finally released I think it deserves its own topic. Huge update.

    I use "All" for the .xml and I just enabled all of the ROP mitigations for those. Works fine for me. If EMET was hard to bypass before it just got a lot harder. Anti-ROP is a big deal, it pairs so nicely with EAF, DEP, and ASLR.

    edit: I actually wrote about these mitigation techniques when they came out and how they're not all that strong. They mention the same issues in the TechNet blog.
     
    Last edited: Jul 25, 2012
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Agreed.

    Good to see it is working fine for you. I was hoping to see someone else post before I actually enabled the ROP settings. :thumb:
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Rebooted into Windows and I haven't had a single crash.
     
  13. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    It looks like the 3.5 Tech Preview has been pulled already.

    We are sorry, the page you requested cannot be found.
     
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  15. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    2 days of testing on 2 machines. No issues. EMET is probably one of my favorite pieces of software. :thumb:
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  18. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    It used to be in the prior 3.5 versions, but now it has jumped up to 548 kb (or at least that is what I find here).
     
    Last edited: Jul 27, 2012
  19. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    That file you tell people to download...is that basically a template/preset save you made of all things you recommend adding EMET protections for?

    If so, I might just love you.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    At 548kb you'd need hundreds of applications open with it for there to be a noticeable difference in RAM usage.

    @STV,
    Import the file and you'll get protection for applications that are specifically configured. The ROP mitigations have not been configured and I put them on for all of the applications by default.
     
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    I did not mean to imply that this increase would impact system resources to any great extent but just that the dll itself had increased substantially in size. It just makes me ask if all of the increase was just for the new exploits added or if the exploits already covered were improved in any way.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Adding the new code for the ROP mitigations is probably why it increased in size.
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Yeah, I personally could care less about a little RAM usage. I don't see any noticeable slowdown with EMET.
     
  24. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    A question about importing presets other people made:

    1) What happens for apps listed that aren't actually installed on your comp? Will the entry just remain there for if you ever do install it or does it cause an error?

    2) @Hungry: So importing that has all the apps you recommend using EMET and the mitigations checked on?
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @STV,

    1) They'll activate when you install the application.

    2) all.xml is provided by Microsoft with all of *their* configurations. I took all.xml and enabled every ROP mitigation for the applications listed there.

    Hence allrop.xml.
     