EMET 4.0 ,and its sidekick .NET Framework

Discussion in 'other anti-malware software' started by Uitlander, Sep 28, 2014.

  1. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    Been researching this topic here (and on other forums) for about a month now, and I keep seeing conflicting info, so guess I will just ask outright:
    For an XP Pro user, is the benefit of installing EMET 4.0 greater than the detriment (privacy & security issues) of .NET Framework?
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
    Moved Thread to this Forum for More Exposure.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I can't answer your question, but I'll post these alternatives in case you don't know about them:
    OpenEMET
    NEMET
     
  4. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    IMO, no... not even close in fact. Adding a ton of bloat to XP (it's lighter on Win7/8, but then again forced too so you have no choice in the matter), but also attack surface that has been proven to be highly vulnerable several times in the past... just to stop an exploit you'll probably never really come across in a real world situation anyway. Not to mention that XP can't even take advantage of 2 of the 3 system wide mitigations offered by EMET anyway (ASLR & SEHOP). And DEP can be turned on in the OS settings and set to Always On with a tweak.

    If I were you I'd look into Malwarebytes Anti Exploit (MBAE) instead. It doesn't require .NET FW and uses different methods to prevent exploits that XP can actually utilize, unlike EMET.

    Also, I can tell you from personal experience that NEMET is junk. It just doesn't work the way it's supposed to.

    I'm also looking forward to OpenEMET, but it's been so long now I've been waiting that I'm hardly holding my breath anymore. And while it doesn't require .NET FW, the same limitations mentioned above apply (no ASLR or SEHOP).

    So to sum up... I'd recommend MBAE in your situation. I'm waiting for it to mature a bit more personally. Especially until compatibility with Sandboxie is implemented.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    EMET is a great tool but for it to do its job well, the OS has to support the mitigation techniques needed.

    This is where things are not that good-looking for XP users. EMET effectiveness is limited on XP thanks to the lack of ASLR. Given the choice between nothing and adding in EMET, it's wiser to pick the latter even if it means the benefit is only by a slight margin. Not security through design but security through oddball chance. If you are going to be in the low hanging fruits group, you would still want to be slightly above the rest.

    As for .NET Framework, let's get real. Even if it's a threat to privacy/security, it is a drop in the ocean if you compare it to the fact that you are running XP - an OS which cannot keep up with current threat landscape only to be made worse with no more official updates (discounting the XPe hack).

    Truth be told, you are far better off upgrading the OS (even to a supported Linux distro is a better choice). If that is not an option, your best bet is to disconnect your XP from the network.

    P.S. Just in case my post offends anyone using XP, I'm not interested in any stupid debate about how XP can be 'secured'.
     
    Last edited: Sep 29, 2014
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    I agree with the two posters above on XP EMET is not worth the extra bloat and security holes of .net

    Using xp on the internet i also use malwarebytes anti exploit which will cover more than emet on xp.
     
  7. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    Thanks for the assist, and sorry for the trouble, but I seldom seem to guess right when it comes to deciding where to place a post.
     
  8. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    Thanks for the advice. Although I am not a big fan of the liberal attitude of Malewarebytes Anti-Malware towards PUPs (I will be going with their competitor), I see no reason to let that color my judgement against Malewarebytes Anti Exploit, so I will add the paid version to my tryout-list, and I will drop the EMET 4.0 from the list. From what has been said here, plus learning about the underhanded way Microsoft used .NET Framework to muck up Firefox via that stealth-install, I think I can live without anything that requires .NET to work.
     
  9. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    Well I have been forced to learn Vista and Win7 by the public computer purveyors, and I have watched my productivity decline and my joy of using the internet turn into not so joyful. This is the major reason for me to get a home PC. My opinion would be that a stripped-down custom install of XP Pro is no better nor worse than Vista or Win7 or Win8, but even if I am wrong, its simple comonsense to assume that if XP Pro is as bad as you believe, adding .NET can only make it worse, and since it seems the benefit of EMET cannot outweigh the detriment of .NET, its not a hard decision.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    What are the privacy and security implications of .NET? It is not a running program, it is a framework that allows other programs to run. There is no attack surface unless you run a .NET service/ program, and it's *that program* that is the issue.
     
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    Update to the latest .NET and you'll be fine.
     
  12. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    Jeez there is a lot of "privacy and security implications". Just do a Google search of: .NET Framework security exploits, or similar search. Here's one of many:

    http://www.cvedetails.com/vulnerabi...product_id-2002/Microsoft-.net-Framework.html

    Most recent incident that comes to mind is Microsoft using .NET to do a secret install of some junk that screwed up Firefox...all the rage on the Mozilla forum!
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Right, but EMET is a local application. So those vulnerabilities would all be local. And EMET offers little to local attackers.
     
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Uhmmm...just to be clear, I was saying the entire opposite of that. I would rather throw in .NET and use EMET on XP than without.. But then again, I wouldn't use XP on a production machine that's connected.
     
  15. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    So far as I know, EMET has no exploits...its all the vulnerabilities on the .NET (which is required to install EMET), plus the fact that .NET appears to be useful to Microsoft whenever they want to do a surreptitious download.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    For an attacker to exploit .NET they would have to be able to interact with it. And you can't do that when your only .NET application is EMET, which is closed half the time.
     
  17. ciscodisco

    ciscodisco Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    18
    Location:
    World!
    In theory applications developed with .NET Framework are safer than native languages such as C++. It is virtually impossible to write malware with a language such as C# which uses the .NET framework.



    .NET runtime works as intermediate between machine level code and the application created with .NET. The runtime does have vulnerabilities but they are normally addressed in Windows Updates hence why there are updates which say .NET in the descriptions.



    How do you know that an application written in C++ does not have a similar vulnerability?
     
  18. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    A host of useful programs require .NET, so if I were to install .NET, it's likely I would want to get at least some of them (guess you could call .NET the gateway drug). On the other hand, with no .NET, those programs would be out of reach.

    If you take a look at the link (cvedetails.com) I gave, you will find 9+ pages of exploits for .NET, which affords plenty of ways and means to interact with it.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Your argument is that if you installed .NET you'd want to install more things? That makes no sense.

    As for your link, it tells me nothing of the sort. A .NET attack requires a .NET application - if the only application is EMET, you have no remote attack surface. End of story.
     
  20. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Of course you're not... because doing so would blow a pretty decent sized hole into your stance. But this thread wasn't started by you, alas, nor is it for your benefit. The person who started it could benefit from the information. And I think it's only fair that while it's pointed out ad nauseum how XP cannot take advantage of the mitigations in EMET the way MS OS's since can, that the need for them can also be rendered nearly non-existent via hardening... hardening that simply isn't possible on any OS since without turning your box into an extremely overpriced paperweight.

    So if you don't want to hear about this you just shouldn't be participating in these types of threads. I for one don't want to hear any more stupid debates about how XP is some insecure, accident waiting to happen of an OS, but of course this persons thread was turned into that anyhow, as usual.
     
    Last edited: Oct 30, 2014
  21. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    I haven't logged in here for some time so was late to see this post of yours. Anyway, here goes my late reply....

    Neither was this thread created by you nor was my post meant for your benefit. So, please learn some basic online etiquette before you go around telling people whether they should be participating in threads. I posted that remark under "P.s" because I anticipated a fruitless debate (which we already had elsewhere) and wanted to avoid it. Alas, it seems impossible. As you are entitled to your opinion, so do I.

    At this point, all I can say to others who may be reading this is that I am tired of trying to point out the obvious. XP has no form of ASLR and no more official updates (without hacks). If you are interested in security, take some time to find out the implications of what that means.
     
  22. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    Your argument is that I would want to install the overbloated .NET for no other reason that to install EMET? Nevermind that of the three mitigations EMET offers, only one will work for XP Pro. Nevermind that Microsoft has proven it can use .NET to do surreptitious installs. My argument is that if I installed .NET I would need to install other stuff to justify this much wasted space (EMET alone most certainly would not), and considering just how much software requires .NET, its more than likely I would. As I see it EMET offers little, .NET demands much, so the benefit/cost ratio is way off...unless I install .NET-dependent apps that are far more useful than EMET. But if I do that, then I expand my vulnerability map as "A .NET attack requires a .NET application", so the more apps the greater the risk. I think I can do a lot better without EMET, I can live without those apps that require .NET, so I think .NET is not needed.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Can you explain how .NET is bloated? I can't think of any way in which it is. C# is a very fast language and the .NET runtime is quite solid and well built.

    I don't understand the argument that "If I install one thing that I consider bloated I'll have to install other things to add to that bloat to justify it". Am I missing something?

    Sorry, that makes absolutely no sense to me. No one is forcing you to install any more .NET applications.

    You say .NET demands 'much' but I don't think it does at all. It won't actually consume resources itself, it's ilke saying installing Java consumes resources - it doesn't, it's just a runtime environment. Neither consumes anything on their own.
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Disk space is a resource, and then there are buggy MS updates, but those aren't the norm.
     
  25. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Not only attack gate is attack surface, if a component can deepen or aggravate damage its attack surface. It won't matter in common attack against general mass, but can be matter in targeted attack where attacker seeks to attempt local exploit to gain admin control after successful initial intrusion.
    Also I agree with J_L, disk space is valuable resouce especially for those who use only cheap SSD (not with HDD) as littele free space cause significant slowdown. I keep away all unnecessary things on my Windows.
    I actually use some other software which need .NET so for me EMET uses it is not a matter, but it is better if EMET can be made w/out .NET, and it seems actually it is.
     
Loading...
Similar Threads
  1. emmjay
    Replies:
    5
    Views:
    773
  2. Victek
    Replies:
    14
    Views:
    960
  3. lodore
    Replies:
    3
    Views:
    654