Introducing EMET v3

Discussion in 'other security issues & news' started by ronjor, May 15, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: EMET v3 - More of the best

    I think people like EMET because it doesn't rely on updates and it's very effective at preventing exploits in programs like the JVM, which account for a large portion of infections.

    In terms of 'wasted CPU cycles', DEP, ASLR, EAF and probably the others too will have a slight performance impact - who cares? It's not even noticeable, and neither is the 2% CPU usage that modern AVs use.
     
  2. Re: EMET v3 - More of the best

    Hmm? Seems to me there should always be some performance impact from CPU usage. Even IO bound tasks use CPU power, e.g. for disk IO scheduling (which IIRC Windows Vista and 7 do a lot of for desktop performance reasons). And registers being used for the AV stuff can't be used for anything else while so occupied. And when not doing stuff in the CPU registers, an on-access AV will probably be occupying space in the L1 and L2 caches... No?

    Anyway the CPU usage is not as important in my experience as disk usage. At least a few AVs are major disk IO hogs, and disk IO is pretty much a guaranteed bottleneck.

    (IMO though the major issue with on-access AVs is not the overhead, so much as that they're just a really stupid way of dealing with malware. Even with heuristics, they're not scalable - as the variety of malware increases, more and more new stuff slips right past them.)
     
  3. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    Re: EMET v3 - More of the best

    People also like the concept of OS hardening, and especially where it's Microsoft hardening their own OS. As to whether the performance impact is a problem really depends on just how recent your computer is; a lot of people don't have more than 512MB RAM and (amazingly) most computers have 5400rpm HDDs.
     
  4. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    Re: EMET v3 - More of the best

    Yes, but the performance degradation is very rarely the result of the limitation of CPU availability per se, rather than what it represents. In other situations such a discussion would be pedantic, but the point I was making was precisely that the likelihood of slowdowns being experienced by users from any such software cannot be determined by the simple measurement of CPU utilisation, and that, for this reason, the incidence of such degradations is no less frequent under testing with EMET than anti-malware software; regardless of the number of CPU cycles being used, meaningful performance impact is not a basis for preferring one over the other. That was all.
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Re: EMET v3 - More of the best

    So basically you're changing the argument you originally started because you're wrong, I see. :thumb: You cannot start an argument with the most invalid statement ever, that using CPU 'cycles' doesn't affect performance, then try to recover from it by changing it to: it doesn't affect performance based on the amount of CPU being used. No duh! :blink: If I'm rendering an image or movie which is using every core, an AV product WILL affect my performance; if it's idling it won't affect performance. This is basic math, you cannot go over 100%.
     
  6. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    Re: EMET v3 - More of the best

    This is pure timewasting now, but somewhat entertaining at least. The problem is your unwillingness to read. Were you to show more proficiency at it you would be less likely to be unaware that I have changed nothing at all. As a side point, the blanket 'using CPU 'cycles' doesn't affect performance' isn't an example of an invalid statement but an incorrect one. Your fundamental error is in failing to notice the difference between my judgement that what matters is not the quantity of CPU cycles used by a given application but the system's actual performance, and your own straw man addition that 'using CPU 'cycles' doesn't affect performance'. Unlike the above, this amalgamation of yours is invalid.

    Yes, you have cleverly noticed that in the event of complete utilisation of the CPU every extra available Hz will proportionately reduce the time taken to complete the task. Of course, had you noticed the 'Correct: the use of CPU will only drag down the system when it is the bottleneck; where it is an increase from 3% to 5% of CPU utilisation the cause of the performance reduction will lie elsewhere.' bit you could have saved yourself the effort; again, reading classes. You have just brought an example of a short-term bottleneck of CPU where performance will be increased by temporarily shutting down every non-essential process. It is not a particularly useful example as it is not remotely akin to the issue under discussion, which is the experience of the reduced system responsiveness that discourages the use of given security software.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Do you even know how scheduling in kernel works?
    Or do you just blast off with vague paragraphs on water bucket analogies?
    Mrk
     
  8. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    Re: EMET v3 - More of the best

    Exactly, nothing to remove. That is the whole point behind EMET, to prevent having to remove.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: EMET v3 - More of the best

    I'd actually say Bitlocker is MS's best work. EMET is nice and does a great job but it's not any better than paxctl, worse even when you consider that paxctl is built entirely into the kernel and imo enforces better features than EMET.

    No other FDR software really comes close to Bitlocker's ease of use.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    For information of the thread:

    Yesterday, I set up Dropbox a cloud server with 2GB free.

    That all worked.

    Then at the end of the day I added Dropbox to EMET 3.0 and the application is shut down by an EAF mitigation. It loads, the icon appears in the task bar, but as soon as I click on it the mitigation occurs.

    So now I'm wondering: is this "valid" or is it an EMET equivalent of a false positive?

    BTW where the h..l are the EMET logs?
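
    The question of where EMET's reports go is not answered in the thread, so here is an added example (not from any poster): EMET 3.0 reports blocked mitigations through a tray notification and the Windows Application event log, and the PowerShell below pulls those events out and narrows them to one executable. The provider name 'EMET', the mitigation-name pattern matched in the message text, and the Dropbox process name are assumptions made for this example.

```powershell
# Added example (not from this thread): list EMET mitigation events from the
# Windows Application log, optionally filtered to one executable.
# Assumption: EMET registers its events under the provider name 'EMET'.
param(
    [string]$ProcessName = 'Dropbox.exe',   # constructed sample value; change to suit
    [int]$Last = 50                         # how many recent EMET events to read
)

$filter = @{ LogName = 'Application'; ProviderName = 'EMET' }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $Last -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No EMET events found in the Application log (check EMET's reporting settings)."
    return
}

# Keep only events whose message mentions the process of interest.
$hits = $events | Where-Object { $_.Message -match [regex]::Escape($ProcessName) }

$hits |
    Select-Object TimeCreated, Id, @{ Name = 'Mitigation'; Expression = {
        # Pull the mitigation name out of the message text, if present
        # (assumed wording: EMET names the mitigation, e.g. EAF, in the event message).
        if ($_.Message -match '\b(DEP|SEHOP|NullPage|HeapSpray|EAF|MandatoryASLR|BottomUpASLR)\b') {
            $Matches[1]
        } else {
            'unknown'
        }
    } }, Message |
    Format-Table -AutoSize -Wrap
```

    Save it as a script and run it right after the crash described above; an EMET event for Dropbox.exe stamped at that moment tells you EMET terminated the process (as the tray notification does), whereas a crash with no EMET event at all points to the application itself rather than a mitigation, which is also how to tell the two cases in the Skype discussion apart.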
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    There are no false positives.
    This means Dropbox is badly written.
    Mrk
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Pretty much what Mrkvonic said: if you need to disable a feature for a program, it's the program's fault for not being compatible.

    This used to be an issue with Skype until MS bought it, the latest versions of Skype now work fine with all EMET protections.

    SkyDrive also works fine with them.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are you sure about that? Microsoft EMET v3 comes with a template, which does come with Skype and the EAF mitigation disabled.
    I don't use Skype, but a relative does use it, and so I re-enabled the EAF mitigation, and Skype kept crashing. From what I could tell, Skype was up-to-date.

    There was no alert from EMET, though. But once I disabled EAF again, Skype no longer crashed.
     
    Last edited: Jul 11, 2012
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Mrk.

    Is it just "bad"/"incompetent" or is it "evil" code?

    Do we care?
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Are you saying that MS has disabled certain mitigations for certain applications within EMET 3.0?

    That sounds like they are handing out free passes?
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Only for Skype, to the best of my knowledge. Skype is known to crash with EAF enabled. That's the reason why this mitigation is disabled.
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    So I'm having a problem with the vendor rationale for all this.

    MS owns Skype, right? And they granted a pass to their own bad code via a template? All violators could now create templates for themselves rather than fix their code?

    It seems to me that now I find Dropbox needs a pass as well; should I do that for them? I think not.

    I want an equivalent cloud service that doesn't use attack coding; why should I wait for Dropbox to clean up its act?
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I have Skype added with every feature enabled in EMET. Unless EMET is not applying it and not notifying me in any way, which I'd find odd.

    Keep in mind that Skype's "check for updates" feature doesn't necessarily grab the latest version, I've had to manually update in the past when it came to non-security updates.
     
  19. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    Yes, I learnt process scheduling in Windows up to Vista. No, I am not going to get myself sidetracked into writing pages about the interrelation of the various hardware components with prioritising et al. and the resultant measures on performance, when 'water bucket analogies' alone have taken up more than enough of my kinetic and mental energy, not to mention public space, on a topic that I continue to regard as a pure distraction.
     
  20. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    Re: EMET v3 - More of the best

    This is the real problem: people and even Wilders' members like yourself will give this answer to a rhetorical question with examples of malware intrusion that I specifically chose because in every one of them malware would be present and active on the user's system. EMET cannot serve as sole security installation but as a layer only.
     
  21. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    The template that comes with EMET is generic for the best compatibility. It's not about them giving themselves a free pass so they can avoid updating the code. An advanced user can configure their own settings.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: EMET v3 - More of the best

    I don't think anyone is arguing otherwise.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well, I don't want to get into a flaming post here BUT I just gave Dropbox a free pass by disabling EAF. I don't attempt to speak for the vendor; all I can tell the forum is Dropbox works with the mitigation disabled and it crashes the application when you enable it.

    Who here claims to speak for EMET or Skype? Nobody.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    There's nothing wrong with that. That is the correct (and only) approach you can take. Supporting EAF is up to the developers and until then you're taking advantage of the other protections.
     
  25. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    Re: EMET v3 - More of the best

    Never said it should. The goal is to not get infected in the first place. A goal I have successfully achieved since I touched my first PC in 1982. I must be doing something right. :)
     