EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Interesting thing to follow up with you here... so I spoke with the developer of GFlagsX (who also happens to author the great Windows Internals books) and he created a patch based on your feedback. I also suggested that it needed some more flexibility to the UI for low screen res. Anyway, within just a few hours today he has already published an update. (https://github.com/zodiacon/GflagsX/releases/tag/0.21) However, there is a bit of a problem at the moment because he has only provided the updated source code for this build so far and no compiled binary. So we will have to keep an eye there and see if he uploads a binary or I will have to look into compiling it in case he does not.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From: https://blogs.windows.com/business/...rity-features-windows-10/#DzGOH9zeQJ8Pepd3.97

    Windows Defender Exploit Guard

     
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    Older editions of Windows 10 can still benefit from AE protection by running Malwarebytes Anti-Exploit.

    But if you're eligible to update to Creators Update this fall, EMET will become part of Windows 10.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  5. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This is coming with the new upgrade this fall?
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Insider Build 16232
    Link: https://blogs.windows.com/windowsex...32-pc-build-15228-mobile/#LjyX4Lz2pStkaHBj.97

     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks @WildByDesign

    I would also caution this if anyone isn't yet aware but the improvements should help a lot I think once the rough edges are ironed out.

     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @EASTER You're welcome.


    I just spent 30+ minutes playing with system-wide mitigations and per-process mitigations in Insider build 16232. Everything is done via easy to use modern app UI. I must admit that I am thoroughly overwhelmed with process mitigations. In a good way. But there are far too many mitigations to even take screenshots to share here. It's absolutely insane. :thumb:

    Users who love their process mitigations will certainly be looking forward to Windows 10 Fall Creators Update. By the way, I did all of my testing of this build on Pro x64. So these features are not just for Enterprise users and definitely do not require the use of Defender AV specifically. Also, these mitigations still make use of IFEO MitigationOptions registry settings; however, they are using binary format instead of QWORD.

    Once this hits Slow ring I may be considering switching my main system over.

    By the way, GFlagsX already allows you to configure most of these mitigations. But it is lacking some of the best mitigations from EMET which are only available in RS3 Insider builds right now.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    This is surprisingly amazing and very welcome indeed.

    Glad you were able to test some of those and bring the good news back to share with us on that.

    Things are pressing ahead at such a breakneck speed it's hard for me anyway to keep up as they keep showing up anew again :)
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Installed EMET latest stable version on Windows 10 Pro. I am running the old spring Creators Update version, not the fall version.
    EMET is at recommended settings, except that I added a few apps to the list.
    Basically, it seems to be working.
    Two main issues:
    1 Sometimes when I open the GUI, I get an error message that service is not running. But Windows task manager says it is running. If I ignore the message, the GUI opens and everything seems fine.

    2 Sometimes I see a black DOS window open for a second, and then close by itself.

    EDIT: Maybe there is a real problem here, because now, after opening and closing the GUI, I see that both emet agent and emet service are running. But before, I saw only service.
    What's going on here?
    Okay, I think I got it now. EMET takes a while to start up. And it starts one process at a time. Correct?
    Will it protect programs that launched before it?
    Yep, in services I see it is set to delayed start.
    What if I set it to start normally?
     
    Last edited: Oct 19, 2017
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes by default they changed the service to Delayed in the most recent release(s). Personally, I switched it back to Automatic and everything was as per normal for me during that time. The Delayed start seemed weird and unnecessary. I would suggest to switch it to Automatic. Keep in mind that if you end up upgrading to 1709 Fall Creators Update, EMET will cease to work.

    All of the EMET mitigations are running kernel-mode, quite literally built into the kernel, and therefore mitigations such as EAF, EAF+ along with other memory protection mitigations have far less of a performance penalty on 1709 in comparison to 1703. I would way rather recommend 1709 if and when you are ready to upgrade.
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks for the explanations.
    If the mitigations run in kernel, does that also make them more compatible with other security software? Just wondering if EMET integrated into Windows will produce fewer software conflicts.

    And what do you say about EMET on maximum security level?
     
  14. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    So what would be the best route to convert EMET's old recommended software xml to the new standard?

    Update:
    I figured it out using the commands in PowerShell, reading from the Notepad XML file.
     
    Last edited: Oct 20, 2017
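    As an added example that is not from any poster in this thread, the following PowerShell walks the conversion dja2k describes (EMET XML to the 1709 process-mitigation policy format) and then checks the result both through the cmdlets and through the binary IFEO MitigationOptions value WildByDesign mentions. The file paths and the notepad.exe entry are assumptions; it expects an elevated PowerShell on 1709 or later with the ProcessMitigations module.

    ```powershell
    # Added example (not the forum's or Microsoft's own script).
    # Assumptions: an EMET policy export at $EmetXml (hypothetical path),
    # elevated PowerShell on Windows 10 1709+, ProcessMitigations module present.

    $EmetXml   = 'C:\Temp\EMET_Recommended.xml'          # hypothetical input path
    $NewPolicy = 'C:\Temp\ProcessMitigation_Policy.xml'  # hypothetical output path

    # 1. Convert the EMET XML into the per-process mitigation policy format.
    ConvertTo-ProcessMitigationPolicy -EMETFilePath $EmetXml -OutputFilePath $NewPolicy

    # 2. Review the converted policy before applying it. EMET-only settings that
    #    have no 1709 equivalent will simply be absent, so check each app's list.
    [xml]$Policy = Get-Content -Path $NewPolicy
    $Policy.MitigationPolicy.AppConfig | ForEach-Object {
        '{0,-20} {1}' -f $_.Executable, ($_.ChildNodes.Name -join ', ')
    }

    # 3. Apply the converted policy. This writes the per-process settings,
    #    including IFEO MitigationOptions, as the thread notes.
    Set-ProcessMitigation -PolicyFilePath $NewPolicy

    # 4. Verify one executable from the policy (notepad.exe is an assumed entry).
    Get-ProcessMitigation -Name notepad.exe

    # 5. Inspect the raw IFEO value: on 1709 it is REG_BINARY, not QWORD.
    $Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe'
    $Raw  = (Get-ItemProperty -Path $Ifeo -ErrorAction SilentlyContinue).MitigationOptions
    if ($Raw) { ($Raw | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }
    else      { "No MitigationOptions value under $Ifeo" }
    ```

    Review step 2 before step 3: an executable such as chrome.exe that misbehaves with ROP mitigations (as noted later in the thread) can be edited out of the converted XML before it is applied.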
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is something that is difficult to determine and only time will tell. However, since the mitigations are built into the kernel and now a fully supported part of the Windows operating system, that should be best for the long term. Meaning that, if any issues do show up with some security software, Microsoft should be more inclined to fix any compatibility issues or work directly with the security companies. So it is possible that there "may" be some issues early on with 1709, but those issues should get ironed out over time. Although so far I have not seen any issues specific to these mitigations, with the one exception being Chrome (chrome.exe), which seems to not like having any of the ROP mitigations enabled, and it causes issues with Chrome's sandbox. So one benefit you have is that you can still protect Chrome with ROP mitigations with EMET.

    I had run EMET on Max settings for several years, including the registry tweak (in the EMET manual) which allows you to enable the (possibly problematic) Mandatory ASLR system wide. Closer to the end of my time using EMET, I ended up using Max settings but would then disable the system wide Untrusted Fonts mitigation, which would then switch EMET to the Custom setting. The font parsing is done within AppContainer now on Windows 10 and therefore that mitigation is not really necessary anymore.
     