EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is true I guess, but on other sites I also often read negative things. Don't get me wrong, it's clear that HMPA provides powerful protection, and it also depends on what other tools you are using, some people might never encounter big compatibility problems with HMPA. But in general, anti-exploit tools can be quite intrusive because of the "aggressive" techniques that are being used. I would love to see a HMPA version with only the anti-ransomware and safe banking feature.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well I for one am loving it on all my machines.
     
  3. Dirk41

    Dirk41 Registered Member

    Joined:
    Mar 22, 2016
    Posts:
    26
    Hi guys, I downloaded EMET 5.5 maybe in February. I read in this thread there were some updates in the last months;
    could you tell me if EMET autoupdates? I read I have version 5.5.5871.31892

    thank you
     
  4. guest

    guest Guest

    As with any anti-exploit, it does, if the user enables things he shouldn't. But on my side, it didn't create much.

    As @erikloman said, the HMPA thread is mostly a beta thread so it is obvious that issues appear. After all, a public beta's purpose is to fix issues that common users will face.

    You pinpointed the main reason, we can't expect everything to run flawlessly all the time when a soft injects its own code into another.

    It wouldn't be an Anti-Exploit anymore. ;)
     
  5. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    I install it on all machines - it is very easy to set up & while in the past it took some trial & error to find out what mitigations you could enable with each App, the latest few versions work with default settings. No compatibility issues here.
     
  6. guest

    guest Guest

    Same here.
     
  7. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I have had issues with EMET in the past when I used to use it for DEP, ROP etc. and false positives, I won't lie, but when comparing to HMPA it is nowhere near on the same level. The main difference in that regard between EMET and HMPA is that EMET only hooks against programs that are added in the config, whilst HMPA works differently.

    Of course EMET does slow down programs more (especially with EAF+) and the protection is not as robust.
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I see you are listed as a closed beta tester (how do you get on all these closed betas?), maybe this is the problem, the existing closed beta testers are not testing a wide enough range of software. HMPA needs beta testers who don't just install the software on blank VMs and what not but on in-use systems with a high range of software for different tasks, like gaming, office work, multimedia, encoding and so forth. I would do that if I was an official beta tester but not when I am paying for my license.

    For HMPA to solve their issues they really need to do 1 of 2 things.

    Stop hooking onto everything (which I suspect has security implications of course) or allow a user to avoid the crash by approving the behaviour. This won't solve everything of course, as there are issues reported with browsers which will be hooked onto, and I had the silent uplay issue where HMPA did not even generate an alert.

    Ultimately I think a core problem is they are prioritising development time into closing down holes that malware/ransomware can exploit rather than making sure it runs smoothly. Presumably because the former has a bigger effect on marketing, reputation of product etc. E.g. if you look at YouTube videos from people like cruelsister they tend to just concentrate on the detection rate and put no focus on false positives; this only encourages developers to concentrate on detection rate as a priority. False positives however can be disastrous for detection as it can lead end users to routinely ignore alerts as they get used to them from false positives.
     
  10. guest

    guest Guest

    I started by using public beta builds of the soft for a long time (months, years) without doing absurd combo-stockpiling setups, gave frequent reports on issues/bugs encountered and gave feedback to the devs after a fix/task was proposed/asked of me; after a while, in some cases, the devs would trust me and proposed me to be a closed tester.
    Some companies are more open than others for getting/selecting closed-beta testers.
    In all cases a good understanding of the OS and how to do basic diagnostics is required.
    I didn't mention all the vendors I am a closed tester for because I don't have time anymore for them or felt less love for their apps or I just don't have enough machines :D

    Closed beta testers' purpose is to test system compatibility, GUI and security issues. However, because we use some software like anybody else, we can report them.
    We are not bound to test all softs that Average Joe is using, those are for the Public Betas.
    In my case I don't use VMs, all is done on a real system.

    Closed-Beta = ensure the soft work the best way possible on a classic system.
    Public Betas = Report issues with software compatibility

    An anti-exploit by definition is bound to sometimes break things because of the way it works. If an anti-exploit stops injecting DLLs into all processes, how do you expect it to protect you from exploits? In that case, a sandbox is a better option for you.
    Using an analogy, you inject a vaccine into a person to reduce infections, sometimes that person gets unwanted side effects or even gets really sick.

    It is why I don't use AVs. Remember it is a business, if you can't protect a system from attacks, you will drop in reputation, then lose customers, then money, then you will close your business.
    FPs can be managed by users themselves or by the support team.
     
    Last edited by a moderator: Dec 5, 2016
  11. I can understand why M$ says EMET is redundant on Windows 10. With Return Guard enabled, CFG+RFG prevented the HMPA test tool from launching calculator (when letting the HMPA test tool attack explorer) for all exploits.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, that may be the reason why EMET and MBAE cause less problems. But like I said, I've chosen to use sandboxing + anti-exe to tackle exploits. I would still like to use HMPA for the safe-banking and anti-ransom feature, and I know you can disable anti-exploit, but that often isn't enough to solve problems.
     
  13. guest

    guest Guest

    EMET and MBAE also inject DLLs, however maybe because they do a less strict job than HMPA, they may have less compatibility issues out of the box.
     
  14. guest

    guest Guest

    MBAE injects the DLL only into programs which MBAE is protecting.
    HMP.A is injecting into nearly all processes and this may lead to more problems, which can be seen in the corresponding thread.
    EMET:
     
  15. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    The reason why Microsoft is moving beyond EMET is because they would rather focus on developing and integrating security features and mitigation into the operating system itself.

    Windows 10, as of now, may not have all the mitigation that EMET offers but one has to look at the bigger picture here. Windows 10 is a constantly updated and developing OS which would eventually include those features and new innovations within the OS itself. It is a moving target.
     
  16. guest

    guest Guest

    In the future Windows won't need 3rd party security features, at least for the Average Joe user.
     
  17. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    EMET doesn't inject for anything not added in the apps section.
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    You forgot that Windows 10 is not their only OS, what about the protections on 7 and 8.1? You cannot say tough luck, they're irrelevant, as these are supported operating systems with very large userbases of 100s of millions of installs.

    It is unlikely that Windows 10 will in an OOTB config have parity with EMET as it is too difficult to implement, they may possibly add a built-in UI or registry config to apply these extra protections, but given Microsoft are dumbing down the OS, this seems unlikely.
     
  19. guest

    guest Guest

    I didn't say the opposite.
     
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Simply because it is a pure AE while A3 is a solution that also proactively covers other areas (Process Hollowing, ...)
     
  21. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I know the reason why, I was just saying it doesn't inject when guest said it did.
     
  22. guest

    guest Guest

    Choose which version please :rolleyes:

    I think you didn't understand what I meant...
     
  23. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
     
  24. guest

    guest Guest

    Indeed, EMET injects DLLs, you didn't know that?
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    EMET does not inject DLLs into every running process, whilst HMPA does.

    Me and one other person have said this.

    EMET will only inject its DLL into applications specifically added into its protection list.
     
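    The disagreement above (does an anti-exploit inject into every process, or only into the apps on its protection list?) is something you can check on your own machine rather than argue about. The following PowerShell snippet is an added example, not code from any post in this thread or from Microsoft or Sophos: it lists every running process that currently has a module loaded whose name matches a pattern, and compares that count with the total number of processes. The default pattern 'EMET' is a placeholder assumption; substitute the actual module name of whichever product you want to inspect. Run it from an elevated 64-bit session so that module enumeration succeeds for as many processes as possible.

```powershell
# Added example (not from the thread). Report which running processes have
# a loaded module matching a name pattern, e.g. an anti-exploit tool's
# injected DLL, so the "injects everywhere" vs "injects only into protected
# apps" claims can be checked directly.
function Get-ProcessesWithModule {
    param(
        # Placeholder assumption: substitute the module name your product loads.
        [string]$NamePattern = 'EMET'
    )

    foreach ($proc in Get-Process) {
        $modules = $null
        try {
            # Enumerating modules fails for protected processes and for
            # processes of a different bitness than this PowerShell session.
            # Those are skipped instead of aborting the whole scan.
            $modules = $proc.Modules
        } catch {
            continue
        }

        # -match is case-insensitive by default in PowerShell.
        $hits = @($modules | Where-Object { $_.ModuleName -match $NamePattern })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Modules     = ($hits.ModuleName | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Usage: compare the injected set against everything that is running.
$injected = @(Get-ProcessesWithModule -NamePattern 'EMET')
$total    = (Get-Process).Count
"{0} of {1} running processes have a matching module loaded" -f $injected.Count, $total
$injected | Format-Table -AutoSize
```

    If the matching set is roughly the whole process list, the product injects system-wide; if it is only the handful of applications you configured, it behaves the way EMET is described in the posts above. Processes that could not be enumerated are silently skipped, so a small gap between the two numbers does not by itself prove anything.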