EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I find 4.0 to be rather troublesome for my Win-7 x64.
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    EMET isn't just about "keeping malware away". If you think some random 3rd party security software will be better, you're wrong.

    Then quite simply there's something wrong with your setup.
     
  3. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    Did you have the same troubles with older versions of EMET?
     
  4. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
No, 3.5 and 3.0 were OK.
     
  5. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    There must be something wrong with version 4.0 and Windows x64! :( Is it safe to use an old version of EMET? :doubt:
     
  6. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
Sure it's safe. I use 3.0 on my x64.
     
  7. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Gonna stick with 3.0 until the bugs in 4 are remedied.
     
  8. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
Moreover, as the EMET 4.0 user manual says, its 5 additional mitigations (in comparison to EMET 3.0) are not working for 64-bit Win.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
They are working on 64-bit Windows, just not on 64-bit processes.
     
  10. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Agreed. EMET 4.0 has a lot of problems in my experience--far more than the previous versions, including 3.5 Beta. I assume CIS and x64 further complicates things.

I've had a marked process (svchost) completely break and, after being removed from EMET or even after uninstalling EMET and erasing reg entries, continue to be broken.

    Or working apps (kmplayer/switcher/twofingerscroll) to then become broken after deactivation/reactivation of global rules (DEP/SEHOP/ASLR).

Or the notifier not notifying, or showing SimExecFlow, then turning that off to no avail. Same message.

    Or the tray always appearing despite the switch being off in the GUI.

    One Chrome Dev install became utterly useless the other day. Froze the entire OS. Think 4.0, again, was the culprit.

    Endless problems.

    These frustrations often need to be rolled back for the system to work properly. It must be a reg tweak because Win sys restore generally does the trick.

    I'd keep data synced, restore points, and images handy with this new EMET.

    Love the new tweaks--if they worked; thumbs down.

    Note:

    MSFT, maybe next time use the actual vetted beta/RC you received free comment on as the final instead of some random untested waste of snot. Or why are we testing?

    ...and thanks for removing the Tech Prev DL.

    /rant
     
  11. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Oh, yeah, thanks. Really.
     


  12. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    I think that's the best solution. :D
     
  13. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
Though on my office PC (Win-7 32-bit) EMET 4.0 feels OK even at max settings.
     
  14. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    EMET 3.0 worked just fine on W7 x64.

    I installed 4.0 and things have gone bad by bogging down my computer. Start up is much slower and I have a continuous busy mouse cursor.

    I receive a message showing that I don't have administrator privileges when trying to open it using the tray icon, however, I can open it directly. As stated earlier, the tray icon remains after unticking it in the GUI.

    I think I'm going to really like 4.0 when the bugs get worked out. I have gone back to 3.0.

    What is the best method to learn of a new release?
     
    Last edited: Jul 12, 2013
  15. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    500
    Location:
    italy
If you register issues with EMET, you should review your security arsenal, because the reason is almost certainly linked to third-party software, considering that EMET leverages technologies of the OS itself, with the exception of the mitigations that it provides per process (ROP, ...).
     
  16. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Test: Third party conflict may be part of the initial problem. But the ball is also in MSFT's court to test first and fix. I'm getting dirty disks and deep problems with 4.0.

    And that also leaves us with why the same techniques worked fine on 3.0/3.5 but now those same progs are crashing or the notifications being busted or GUI being generally ineffective at times.

The kicker: when the hooks are changed, why are applications still broken, even post-install and after manual reg deletion?

    Icing the cake: EMET 4.0 breaks applications running off boxes with no other third party sec gear/drivers installed.

    Which leaves me with this, EMET is adding in additional hooks/checks per mitigation versus 3.5, and the 4.0 GUI is buggy and not properly relieving said mitigations.

    Granted that this program by design may crash apps and is set up via trial and error--the inability to properly roll back and relieve mitigations makes 4.0 a powder keg of hell and otherwise unusable.
     
  17. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    I'm back to 3.0 too. :doubt: Is there a final version 3.5? :doubt:
     
  18. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    No, MS removed it from their site. So you can consider 3.5 as an early beta for 4.0.
     
  19. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    I personally am having no issues with EMET 4.0 final at all. Functions great on my laptop running Win 8 Pro 64 bit with DEP, SEHOP, and ASLR set to Always On.

    Later...

    Bob
     
  20. guest

    guest Guest

Does anybody have a list of Windows processes that can be protected by EMET? I can imagine that if MS haven't included them by default, it's because it's not needed...?
     
  21. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
Not wanting to sound like a jerk or anything, but to me EMET 4 behaves suspiciously like PUPs or even malware.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
Losing out on the anti-ROP techniques is not a huge deal if you're on a later OS like Vista/7/8. They're not nearly as important as DEP/ASLR/SEHOP/pseudo ASLR. Some of the new techniques of 4.0 will *not* play nicely with security software; this isn't the security software's fault, it's just how it is.

    So if EMET4.0 is crashing things, just roll back to 3.0 for a while rather than uninstalling completely.
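Added example for the two technical points made above (posts 8/9: EMET 4.0's five new ROP mitigations work on 64-bit Windows but only for 32-bit processes; posts 15/22: DEP, ASLR and SEHOP are OS features that EMET merely configures). This is not code from the thread or from Microsoft's EMET. It reads the two PE header fields that decide how those mitigations apply to a given image: the COFF Machine type (x86 vs x64, i.e. whether EMET 4.0's ROP mitigations can hook the process at all) and the optional-header DllCharacteristics bits the OS consults for DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) when the system policy is OptIn. SEHOP is a kernel-wide setting and is not recorded in the image. The function names and the sample headers are my own; the headers are constructed in memory, so no real binary is read and nothing here touches EMET's own settings.

```python
"""Read the PE header fields that decide how EMET 4.0 mitigations apply.

Added example, not from the thread or from EMET. Sample headers are
constructed below; no real Windows binary is parsed.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x010B      # 32-bit optional header
PE32PLUS_MAGIC = 0x020B  # 64-bit optional header

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DYNAMIC_BASE = 0x0040  # /DYNAMICBASE: image may be relocated (ASLR opt-in)
NX_COMPAT = 0x0100     # /NXCOMPAT: image is DEP-compatible (DEP opt-in)
NO_SEH = 0x0400        # image declares it uses no SEH handlers (x86 only)

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
DLLCHAR_OFFSET = 70  # identical offset in PE32 and PE32+ optional headers


def parse_pe(data: bytes) -> dict:
    """Return Machine, optional-header magic and DllCharacteristics."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    coff_len = struct.calcsize(COFF_HEADER_FMT)
    if len(data) < coff + coff_len:
        raise ValueError("truncated COFF header")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + coff_len
    if opt_size < DLLCHAR_OFFSET + 2 or len(data) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    dll_chars = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)[0]
    return {"machine": machine, "magic": magic, "dll_characteristics": dll_chars}


def emet4_view(data: bytes) -> dict:
    """Summarise what EMET 4.0 and the OS mitigations can do with this image."""
    pe = parse_pe(data)
    is_x86 = pe["machine"] == IMAGE_FILE_MACHINE_I386
    is_x64 = pe["machine"] == IMAGE_FILE_MACHINE_AMD64
    if not (is_x86 or is_x64):
        raise ValueError(f"unexpected machine type 0x{pe['machine']:04x}")
    dc = pe["dll_characteristics"]
    return {
        "arch": "x86" if is_x86 else "x64",
        # Posts 8/9: EMET 4.0's ROP mitigations hook only 32-bit processes,
        # even on a 64-bit OS. A native x64 lsass.exe gets none of them.
        "rop_mitigations_applicable": is_x86,
        # Linker opt-in bits consulted when the system policy is OptIn.
        # AlwaysOn (the setting Trespasser uses) or EMET's Mandatory ASLR
        # overrides them; native x64 processes always run with DEP anyway.
        "image_opts_into_dep": bool(dc & NX_COMPAT),
        "image_opts_into_aslr": bool(dc & DYNAMIC_BASE),
        "image_declares_no_seh": bool(dc & NO_SEH),
    }


def build_sample_pe(machine: int, dll_characteristics: int) -> bytes:
    """Constructed minimal PE header (no sections) for offline testing."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = PE32PLUS_MAGIC if machine == IMAGE_FILE_MACHINE_AMD64 else PE32_MAGIC
    opt = bytearray(112 if magic == PE32PLUS_MAGIC else 96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)  # Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    chars = 0x0002 if machine == IMAGE_FILE_MACHINE_AMD64 else 0x0102  # EXECUTABLE_IMAGE [| 32BIT_MACHINE]
    coff = struct.pack(COFF_HEADER_FMT, machine, 0, 0, 0, 0, len(opt), chars)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    # An x64 system binary built with /DYNAMICBASE /NXCOMPAT, and a
    # 32-bit third-party app built without either switch.
    samples = {
        "x64 service (constructed)": build_sample_pe(IMAGE_FILE_MACHINE_AMD64, DYNAMIC_BASE | NX_COMPAT),
        "x86 app (constructed)": build_sample_pe(IMAGE_FILE_MACHINE_I386, 0),
    }
    for name, blob in samples.items():
        print(name, emet4_view(blob))
```

Point it at a real file with open(path, "rb").read() to see why the ROP checks never show up for 64-bit processes in the notifier: the image is x64, so EMET 4.0 does not inject its 32-bit hooks, while DEP/ASLR still come from the OS settings and the opt-in bits above.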
     
  23. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    The fact that MS haven't included windows processes in its config lists implies it's not necessary.
     
  24. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    EMET reviewers over at rationallyparanoid dot com suggested including lsass.exe and spoolsv.exe.
     
  25. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
That's reassuring to know. It shows one doesn't always need the newest and shiniest software to stay reasonably safe. ;)
    I might as well skip 4.0 altogether if anti-ROP isn't _that_ crucial. The extra goodies that Microsoft added to 4.0, such as the certificate trust feature, I can live without.
     