EMET - A new Windows security mitigation toolkit

Or the same as using UAC in admin approval mode?

 

Seriously? Comparing driving a car to using a damn computer? I don't know if you have a driver's license, but I'm pretty sure you took the lessons, etc... because it was demanded (and, it is), by law, to have the license's driver? Otherwise, if you knew or someone taught you how to drive, wouldn't you just drive without one... if there was no need for one?

What's misusing a computer? Plugging it the wrong way? Unplugging it when it's still turned on? People do not misuse computers. The problem are not computers; the problem is what one is able to do with them and with the Internet. The computer is one thing; then we have the Operating System, the apps, and the Internet. Computers are not the problem.

Will you take away Administrator rights... or the right to install whatever a person wants, if the computer belongs to this person? With what right?

Right... I guess what helps me is not what I learnt over the years (and still am learning)... It's the setup I have... Oh, wait... How did I achieve my setup? Some divine/magical touch? Some guardian angel looking over my back?

I just hope this divine help or whatever it is called enlightens and helps my relatives and shows the good way.

-Edit-

Sorry for this little off-topic, but I'm just trying to create some analogy here. You mention driver's license. Even a lot people who take the lessons do not end up getting the driver's license... Why not? Some people are not cut out to be a driver... The same way not everyone is cut out to create music... direct/produce great movies (even those with all those effects... it takes skills... yes, skills)... or create art out of hood. Or, create those amazing and great (in size and specularity) sand creations some people can do....

We're not all cut out for the same things... It's a reality... and why should computers (and all they represent/make possible to work with) be any different?

 

OK. So, they put you on charge of their system security/management (as a way of putting things... or maybe I'm misinterpreting).

But, aren't they aware that restrictions are in place, and that if they try to install something, they simply can't? And, if they wan't, they must come to you first? Whether they're aware of facing with restrictions... or they do know they need to come to you... I'm pretty sure they're OK with it, specially if the computers are their property. They just want to be able to use what they want, which you installed, and anything new needs your better judgment.

I wish I could do that. Not everyone is willing to do that... or simply cannot come to me every time they would need to install something.
I cannot forbid someone who owns his/her computer from installing one of those apps that install emoticons (I think the name is something like that. ) for Windows Live Messenger. It's his/her right to install, and even install it without me knowing it. I don't see any of my relatives sending me an e-mail asking about some app every time they wish to install something. I'm not always there for them.
I set up some boundaries to prevent exploits, etc., but if they willingly install something, then they must know whether or not to trust that application. If they want to install it, then it's something they want to make use of.

It would be nice to have the control you got there... but not every person is willing to accept to lose the control of what belongs to them.

 

That's pretty much it and, as you say, not everybody would tolerate this. A far harder challenge would be to provide a similar level of security if they wanted to install software. That's where the fun would begin! And when I say fun, I mean headache.

 

@moonblood

I'm sorry to chip in but the way I see it is you're not reading between the lines and on the other hand, misinterpreting what Mrkvonic's message is. You shouldn't jump down so fast and pick upon others words, breaking the sentence and only focusing on specific words/phrases without fully understanding them as a whole in the 1st place...

Taking the analogy:

Anyone can possibly drive a car without qualifications but that might just lead them to trouble, be it with accidents on the road itself or with the law. Same goes for computers - for e.g the "accident" is the malware infection and the 'law' is well, let's say the law of your country itself that prohibits online content piracy/sharing.

But would you still drive if didn't have the 'qualifications' - some wouldn't and would seek the relevant knowledge by the officials, others learn through unofficial means (friends teaching) while others just jump head on and take the risk.

Unfortunately, for PC users, most simply 'jumped in' (it's not their fault) seeing that there's no specific law forbidding them to do so...which is why they are the 'easy target' for malware authors. This is why Mrkvonic states what he stated. The 'pattern' has to change and imitate the "would you do something without proper qualifications?" concept. The driving part is just an analogy to ease understanding...not an exact replica of the situation at hand. You can't make a fair one-to-one comparison of a lamp to a sun directly although you can make an analogy out of them. There's similarities but differences too.

People need to equip themselves with at least a bit of 'knowledge' (or 'qualification') so that chances of them 'misusing' the computer is reduced. And when one uses the word "misuse", the object (computer in this case) is not the problem as you stated (iow, you're right) but the person who 'uses' it, be it for whatever purposes and through whatever means. And that's what Mrkvonic is trying to say.

With proper and reasonable 'knowledge' to serve as the 'qualification' factor, one can then put up a reasonable 'correct setup' even if one doesn't have much 'skill'. To 'know' and to be 'skilled' in something can be compared to 2 different 'temperature levels' of a thermometer as an example (and you don't have to nitpick me on this)

As for the Admin rights issue, again you're not fully grasping the message. Mtkvonic stated "If you give admin rights to someone who's not qualified to use the computer, they will eventually cause damage. As simple as that." In other words, this is in the context of your own PC that you have the right to administer and not of others. Why should you give others using your PC Admin rights when you know they don't need/deserve it? There's a risk of them 'causing damage' which is something that you do not wish for on your own PC. (or a library/school PC where you're the IT guy in-charge)

As for another person's PC, there's no need to argue the fact that you can never take the Admin rights without his/her explicit permission as you stated. There's simply no doubts about that at all. That's under a different context altogether. "Give" and "take" are again 2 different things.

Hope I clear that up for you. I don't know if MrkVonic fully agrees with me but that's how I understood it to be. I'm sorry if I'm just adding further confusion.

 

@ safeguy

Sorry for not quoting such a big comment, but I'll try to resume my view of it. I do understand what Mrkvonic said, but the analogy he picked is wrong, in my opinion.

I would never drive a car, etc., without proper qualification; but, this is a completely different situation, and that because there would be one other variant in it: Other people's lives.
Without a proper education on how to drive and be prepared to drive in a defensive way (there are driving schools for that), most likely and maybe with 99,99% of certainty, I'd eventually end up killing either myself or some other person/people. Maybe a mix of both sides, actually.


Don't get me wrong, I'm from the opinion that, if people want to use the Internet, they should be educated to use such "tool". But, for people to be educated, there is a need for someone to educate them, for special schools to exist, or aside classes in school so that the future people will be more aware of what dangers are out in there in the virtual world. I am not in favor of these people not being able to use the Internet if they don't understand about security, though. I'm in favor that they should be taught, as right that should be theirs, IMO.

I just see such analogy wrong, simply because just as what happens with a driver's license or driving an automobile... not everyone is able to do it so.
Now, let's imagine X working person. A car would be nice to be able to get to his/her work place. But, hey... she/he simply isn't able to drive as one should, so that won't be a reliability to other people. They can still get the bus to the work place.

But, for those people who have computers and Internet, and who actually need the Internet to work with, who apply for jobs, etc... Why would these people be forbidden to use computers and the Internet, just because they aren't security aware (Remember, there are no computer security classes in this context.), nor do governments actually care about it; hence forcing people into caring about it.
Still, ultimately, would computer security schools exist and if some of these people couldn't get to understand all of it... should these people be forbidden to use the Internet, and not being able to apply for jobs, etc., just because they would get the risk of infecting their systems, when sending and receiving e-mail, searching for jobs on some search engine? Or, even when looking for music (not necessarily piracy)? Or, even for "today" news?

The Internet is also a mean to access information, and information is a right and not the privilege of some people. *

This is not to make people stupid either. We all have difference learning capacities, and learn by different means. Some feel compelled to learn, others do not. Some are able to assimilate the information and others are not. It has always been like that.

It's just the reality of what things are like.

And, obviously, when I mentioned the administrative rights... in my computer(s) I dictate the laws. But... why would Mrkvonic make mention to such? I really believe it was meant for a more general scenario... otherwise I wouldn't have argued about it.

Again, maybe what I interpreted was wrong...

-edit-

* And, taking the example of the bus to the work place... Unless such people needing the Internet for such situations would have a public library near around, and one with computers and Internet... What other way would exist for them, if them and all they know "aren't" considered fit to use the Internet, due to lack of security knowledge?

Does this person have not the right to have an Internet connection, if she/she can afford to have it? IMO, yes. Why? I don't make a comparison with driving... And, were I to make such comparison, these people would need to have the "bus" to get where is their right to get at.

 

-edit-

Consider this one more example. I need the Internet as of way to make a living. I'm a designer and I expose my work in a portfolio, so that others may contract my work.
I'm not security aware... Must I be forbidden from making a living?

Or, I have set an Internet service that compares prices of many products from many shops, all centered in one place... Obviously, I need to have an Internet connection.
I'm not security aware... Must I be forbidden from making a living?

Other examples could be given.

 

@moonblood

I understand where you're going and you're absolutely right. I'm not arguing against whether the analogy is right/wrong. The way I see it is you're putting too much emphasis on proving the analogy wrong rather than to take the message for what it is intended for. That's all. Calm down and read it again. If need be, ignore the analogy if it's deemed as wrong. What one sees as 'right' might be seen as 'wrong' by the other...we don't have to make a mountain of a molehill. We don't need to hijack this thread or it'll lose it's relevance. Please...I beg you I hope you can understand

 

I'm calm. I'm not sshakkingg.

I also don't think this has been off-topic. Actually, it was a comment to a comment, regarding a statement/phrase in an article by Mrkvonic, which is the article presented in this thread.

And, I did understand it properly... Mrkvonic said it clearly, and I'm only quoting what I was directed to me:

With this, he's asking me whether or not I'd be using a computer if I hadn't the "setup" I have (whatever it is I have in place to protect my system), and that this would be the same as driving a car with proper qualifications. Simple: It's not the same.

In this example, no one but me as rights to install anything. So, this leaves who? Are we leaving aside other people who own their own systems? If yes, then forget all I said behind... because in my system I'm the one messing with it.

So, who is the "not qualified" "someone"? I'm assuming that such words also include those "not qualified" "someone" who also own their systems, right?

-edit-

I do agree that what is needed is not skills... But, education... But, saying this

, having in mind most people lack of knowledge, how real is this? **

(https://www.wilderssecurity.com/showpost.php?p=1803255&postcount=41)

I do agree with the two other comments in that same comment, specially with the second one... the first one will depend on who sets what (that's another talk, though).

But, we cannot simply say that "you" (I'm assuming this "you" means people in general) don't need security software; third-party, that is.

Heck, maybe not... but... would be OK to use Microsoft Security Essentials? It's not a third-party app...

-edit-

** I mean, let's be real for 1 second (as a way of putting things)... As I already asked previously, how many people of the millions/billions using computers and the Internet, are aware of the existence of EMET? How many are aware of what AppLocker/SRP is... or that such things are present in their systems? These sort of information lacks in the "general" Windows website, AFAIK, and for a reason... It wouldn't be the sort of information such users would most likely to understand what it is and how to set it up and what could come from using such, like locking themselves out of their system.

How many of these users know what an exploit is? How to prevent them? How many of these users know what is an administrator and standard user accounts, or that such difference exists?

Most people, all they know about are antiviruses, unfortunately... and as long as this situation lasts, it's what they "need"... I just wish there was a mass campaign to advertise things like EMET, etc.. I'd love it to see it happening, but wouldn't we be living in an utopia, where everything would be just perfect? I guess we wouldn't be needing EMET either.

 

Please advise, what is the consensus on EMET in XP?

I read (here) that, "Some of the technologies will not be available on certain editions of Windows. For instance, XP does not have ASLR, which was introduced in either Vista or Windows 7. DEP, on the other hand, in an old friend",

and also (here) that, "DEP breaks exploitation techniques that attackers have traditionally relied upon, but DEP without ASLR is not robust enough to prevent arbitrary code execution in most cases."

My conclusion therefore would be, installing EMET is better than not installing it, but maybe not by very much... especially compared to the effectiveness of DEP + ASLR, in which, "their combined effectiveness is heavily dominated by the effectiveness of ASLR".

What thinks the experts?

 

I was wondering if programs like sticky password and u torrent should be added to EMET ?

 

I have added all programs which have had exploit problems in the past (incl. µtorrent, http://torrentfreak.com/utorrent-vulnerable-to-remote-exploits/ )

 

I personally see no reason to go nuts with EMET and add lots of programs, the more you add, the higher your chances you're going to encounter one that doesn't play nice.

I just added my browser and foxit reader. You could also add Office apps.

 

Don't see this as a bad reaction or anything like that, but I'd like to clarify something.

This thread "EMET - A new Windows security mitigation toolkit is about an article regarding EMET, where MrKvonic mentioned that

OK. He advises against it... naming two reasons for such: not wasting money and resources and that people will merely be reacting to threats.

Don't get me wrong, I agree with this phrase, but if applied to certain people, and most likely these people do not need to be told such, because I believe that they have the enough knowledge to decide whether or not they have the need for such antiviruses or suchlike tools, in which I guess are apps like sandboxes and HIPS, behavior blockers, anti-executables...

I'm pretty sure you don't need to be told what measures you need... So, I believe that this phrase had no mentions to "target" you. Nor most of the people here at Wilders Security Forums.

So, this leaves everyone else out there, millions/billions of computer (and Internet) users, who are not security aware... Just install EMET... ditch your AV?

And, in a reply to one of my comments... if people cannot manage to be computer/Internet security aware, just alike what happens with a driver's license, if you don't manage to be able to get it, people should be forbidden from using the Internet and or using computers as well, if they misuse them?

Life, and this matter is not any different, is not black or white, there is a gray area, and a very large one.

My posts were never a bad critic to Mrkvonic article or point of view... I just didn't see/don't see how that specific phrase makes sense in the real context of what things are like.

So, these posts were not off-topic... they were comments based on a phrase on the mentioned article and to a reply to my first (I think it was my first, or second one) comment. Very on topic.

Now, considering EMET... and what is useful or not useful... I could just plainly say that EMET has no use. Now, how true is this? Is it true for the general audience? No. It is for me. Why? Because the way I have my web browser, no exploit will be able to download anything to my system, so EMET is of no use.

Am I free to say: You can still use EMET, but I'd advise against it, because there is no need for it. It's 100% useless.

This would be 100% wrong to say. Why? Others are not me. For me, it's 100% useless... but for others, like my family members, to whom I installed it, makes all the difference. Why? They cannot handle to use their Windows the same way I do, and not all of them have the same version I have, which allows me to do precisely what I did, which is what is preventing the web browser from being 100% exploited.

Just the same way, you enjoy all what Sandboxie means. (But, now this would be off-topic.)


Kind regards

 

Personally I've yet to encounter any ill effects through utilizing EMET with any application I've tried,I suspect issues are more likely with poorly coded software.However adding the 'usual suspects' should be sufficient really.

 

It's effectiveness is definitely lower without ASLR, but that doesn't mean it doesn't add some protection. But those are only the system-wide protections, I think for XP users the power of EMET is in adding applications to the protection list; While SEHOP is not available on XP in system settings, it is application settings and NULL Page, Heap Spray and EAF migitations are also available. It doesn't use any resources so unless you have your browser sandboxed or protected otherwise from running exploits it is a nice addition. It's not as effective as on 7 or Vista but it can be a nice part of a layered security setup.

 

Not sure if it's something that has been already solved - and it's something that would need to be solved by the software developer(s) -, but there was a problem with running Skype under EMET, according to Microsoft EMET team.

But, I've added e-mail client, web browser, media player, pdf reader, and a few others that you well name "usual suspects" under EMET in two relative's systems, and no problems.

 

you may need to disable EAF for Skype inside EMET for Skype to work.

mind you, Skype doesn`t play nice with Geswall either...

 

m00nbl00d, if you think about it, the most popular way to get infected is via the internet.

Now, if you remove the chances of getting infected from standard social means, by use of SmartScreen, DynDNS, and other services that don't exactly need to run in your machine in real time, the only method left is exploitation, where EMET comes in.

With use of other mothods such as AppLocker and SRP you can start to see how you can secure your PC entirely.

 

I don't think this is about Skype?

I never discussed my system protection. If you search for threads where I'm in, you'll see I'm an advocate for AppLocker, Windows own firewall (they do have glitches, though... but as any other similar app would do...), EMET, etc.

But, as I said... I never discussed "me". I discussed "mom" and "dad". "Mom" and "dad" have different needs than me. They need a nice and warm "blanket" to protect them from "Winter's nasties"... but, without restricting their "movement".

 

Oh, I don't use Skype... lol But, I remember reading about it; I believe it was in a Microsoft's blog about EMET.

Yeah, issues happen no matter what we use. lol Fun.. fun... all fun. lol

 

I didn't mention Skype once in my post, errr...

 

Thanks for posting this. Looks interesting. Your site is great.