EMET - a dummy's guide

Susan Bradley writing in Windows Secrets e-magazine gives a good guide to EMET that even a dummy like me could probably follow it.

http://windowssecrets.com/top-story/protecting-pcs-from-the-next-zero-day-threat/

- may help others.

-have a good day,

feandur

 

Thank you for this.
Not sure if im brave enough to try EMET.But it certainly looks interesting.

 

Thanks, I didn't know MS had updated it.

 

The new versions runs a process and sits in the system tray. Better of with the previous version.

 

A nice explanation why EMET is a good add-on

http://www.utdallas.edu/~zhiqiang.lin/spring2012/public/lec21.pdf

http://www.utdallas.edu/~zhiqiang.lin/spring2012/public/lec22.pdf

Just change lec21 to lec20 or lec23 when you want to graduate

EMET is definitely a keeper in my Lazy admin setup

 

With the 3.0 version there were lots of reports of the new gui/systray process using a lot of resources, did they fix it in 3.5?

 

12000kb's in v3.5 in resources it takes up, not much if you ask me. Problem I see is if every man and his dog is installing it, it will be targeted and pulled apart.

 

About EMET: what is exactly the meaning of "Application Opt-In" (or “Application Opt-Out")?

 

"Opt-In" means the feature is NOT enabled for all applications, only those apps you manually turn it ON for.

"Opt-Out" means the opposite, ie the feature is enabled for all applications except for those you manually turn it OFF for. Hope that's clear.

 

Robin A.

Opt In is the weakest. An application must 'Opt In' to use teh protection.

Opt Out is stronger. An application will use the protection unless it explicitly 'opts out'.

Always On is the strongest. All applications are forced to use it.

@Victek, I believe that's incorrect.

 

So with the "Opt Out" setting apps with the necessary smarts can choose to not enable specific protections, and "always On" would mean the protections are forced On - is that correct?

 

Yes, that's correct.

An application has to 'tell' the operating system it doesn't want to use the protection. But if it's ambiguous/ the program doesn't say what it wants it will be forced to use the feature (in opt out mode).

Always on doesn't care if it tries to opt out - it forces it.

 

Ah thanks, and I see what you mean, I think MS should redesign EMET's implementation to make it less vulnerable to targeted attacks.

 

Still running 3.0 on netbooks on maximum security setting with no problems at all.

 

It´s more clear now, thanks.

 

why is there no 'opt out' option for ASLR?

 

There is on Windows 8 I think. But it doesn't really make sense because no application opts out - it would basically be Always On. Whereas DEP has always had an Opt Out.

They'd have to introduce the Opt Out more slowly and considering that the default policy for DEP is still Opt In I don't exepct it to happen to fast.

 

thanks for clarifying HM

 

Does EMET need to connect out through the firewall? It has tried to and I have blocked it but am wondering if this affects its performance in any respect.

 

just noticed that if you double click the tray icon then it shows a text box for a few seconds. does this mean that EMET will notify us when it detects/blocks suspicious activity?

screenshot here http://i.imgur.com/IVkML.png

 

It may have checked for updates or something. But no, it shouldn't need to otherwise.

 

Good deal. Thanks HM.

 

Thanks for confirming. By the way, the new ROP options in 3.5 are unchecked by default. I wonder if there's a new database that configures these options for well known apps?

 

I created one.

https://insanitybit.wordpress.com/2012/07/26/setting-up-emet-3-5-tech-preview-9-2/

Should work. I can review it later.

 

Yes it suppose to notify through a popup when it blocks something.