Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.
I don't think that v5.51 will be the last release though.
EMET Mitigation Test Kit
Seems to have been around for a few years but has recently been updated.
Anyway, my main purpose with EMET in recent times has simply just been an easy way to enable/force system-wide mitigations, as opposed to injecting the EMET DLL into processes and dealing with perf issues or stability issues. Particularly I appreciate enabling the forced system-wide ASLR for all processes. The only two processes that I still have EMET injecting are regsvr32 and rundll32, particularly for the ASR functionality to block specific modules known for application whitelisting bypasses (see https://github.com/iadgov/Secure-Ho...r32-application-whitelisting-bypass-technique). However, in the past few days I have been experimenting with ways to achieve similar functionality to EMET ASR but with Bouncer and/or MemProtect to block specific modules. I will share those rules in the appropriate threads once I've finished testing it some more.
I found this article about EMET being able to block the loading of macros in MS Office. I'm guessing MBAE and HMPA can do the same.
https://isc.sans.edu/diary/VBA Shellcode and EMET/21705
The reason for this is:
User Guide: https://www.microsoft.com/en-us/download/details.aspx?id=54265
@Rasheed187 @ropchain With regard to that ISC diary which you were mentioning, Didier Stevens has now posted a follow-up in which he further tested the initial sample but also went a step further to create his own sample for additional testing. It appears that, in conclusion, Windows 10 (without EMET) does not stand up to VBA shellcode at all on its own.
Link: https://isc.sans.edu/diary/VBA Shellcode and Windows 10/21729
I didn't understand all the details, but I don't see how this would come as a big surprise, since Win 10 on its own will not block process hollowing, but perhaps I'm missing something.
Windows 10 Cannot Protect Insecure Applications Like EMET Can
can you share the configuration you got for those 2 processes please?
Not to mention Microsoft have forgotten Windows 7 and 8 are not EOL. Do they think only Windows 10 matters?
Yeah MS wants to push Win10 on all customers in sneaky and fishy ways..
Since the Carnegie Mellon University CERT/CC blog post (https://insights.sei.cmu.edu/cert/2...tect-insecure-applications-like-emet-can.html) that @BoerenkoolMetWorst posted here a few days ago, there has been quite a bit more attention in technology news that brings more light to EMET being discontinued.
It's good to see more pressure on Microsoft here. Despite EMET development falling behind here and there, being a toolkit as such, it certainly has the potential for newer mitigations and techniques to be updated within this toolkit. My hope still is that Microsoft decides to open-source EMET as soon as possible, prior to EOL.
-Credit to Will Dormann (https://twitter.com/wdormann) of Carnegie Mellon University CERT/CC.
CERT to Microsoft: Don't Kill EMET, Windows 10 Is Not as Secure as You Think
CERT: Windows 7 with EMET is more secure than Windows 10, so don't retire EMET
CERT tells Microsoft to keep EMET alive because it's better than Win 10's own security
Report: Windows 10 is less secure than Windows 7 with EMET
Is Windows 8 the same as 7 as far as security and the entries in the table are concerned?
This is just a guess here since my experience with Windows 8.x is rather limited, but my understanding is that Windows 8.x did have some increased security as a step up from Windows 7. But as far as the particulars go, I am not 100% sure. I know that things such as AppContainer were added. But when it comes to specific mitigations, it is quite possible that there may be a difference between Windows 7 and Windows 8.x. Even the same mitigations could be slightly enhanced as well. I just don't have the particulars. Hopefully somebody with more in-depth experience with regard to the security additions to Windows 8.x can chime in here. I don't believe that Microsoft provided as many detailed documents with Windows 8.x with regard to security components in comparison to what they share now with Windows 10. Although we can certainly see what third-party security researchers have dug up as well. I apologize that my answer is not very specific.
Wow, that is super revealing. I thought there was a swath of EMET protection in native W10 - I was wrong wrong wrong. The most aggravating aspect of this, is that like with other really good stuff they come up with, they just abandon it for the most illogical reasons. Maybe they are porting EMET (and renaming it) as a paid product/service for the enterprise.
I was able to dig up some great information showing how much security has evolved with Windows 8.x since Windows 7, making it stand out quite a bit. I will place it in a spoiler since this is slightly off topic.
Spoiler: Windows 8.x Security Improvements
A quote from (https://technet.microsoft.com/en-us/library/dn283963(v=ws.11).aspx) that details how much ASLR has improved in Windows 8 over Windows 7 and also improved Windows heap:
Also some solid information:
What's Changed in Security Technologies in Windows 8
What's Changed in Security Technologies in Windows 8.1
Therefore it appears that security mitigations in general improved even more with Windows 8.1 in many ways, much the same as how Windows 10 has improved security greatly with each major upgrade. But also with Windows 8.1 came the ability to run LSA (lsass.exe) as a protected process light (see: https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx) but proceed with caution with the LSA PPL trick because it does require Secure Boot and I do believe that it is difficult to revert that change.
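The two configuration points raised in this thread (forcing system-wide mitigations such as ASLR through EMET's system settings, and running LSA as a protected process light on Windows 8.1 and later) can both be audited from a PowerShell prompt without changing anything. The script below is an added example written for this page, not code from the thread or from Microsoft; it reads the standard Windows registry locations behind those settings (`MoveImages` for forced ASLR, `DisableExceptionChainValidation` for SEHOP, `RunAsPPL` for LSA PPL) plus the `nx` entry from the boot configuration, and, if EMET is installed, the raw values EMET keeps under its `SysSettings` key. Run it elevated so `bcdedit` and the System event log are readable.

```powershell
# Added example (not from the thread): read-only audit of the system-wide mitigation
# switches that EMET's "System Settings" page flips (DEP, forced ASLR, SEHOP) and of
# the LSA protected-process-light setting. Registry paths are the standard Windows /
# EMET locations; nothing is written. Run from an elevated prompt.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, i.e. the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-MitigationAudit {
    $mm     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $kernel = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $emet   = 'HKLM:\SOFTWARE\Microsoft\EMET\SysSettings'

    # Forced ASLR: MoveImages = 0xFFFFFFFF (read back as -1) relocates every image,
    # even those not linked with /DYNAMICBASE. 1, or no value at all, is the opt-in default.
    $moveImages = Get-RegValue $mm 'MoveImages'
    $forcedAslr = ($moveImages -eq -1) -or ($moveImages -eq 0xFFFFFFFF)

    # SEHOP: DisableExceptionChainValidation = 0 means SEHOP is on system-wide.
    $decv  = Get-RegValue $kernel 'DisableExceptionChainValidation'
    $sehop = ($decv -eq 0)

    # DEP policy lives in the boot configuration: nx = OptIn | OptOut | AlwaysOn | AlwaysOff.
    $nx  = (& bcdedit.exe /enum '{current}' 2>$null) |
           Select-String -Pattern '^\s*nx\s+(\S+)' | Select-Object -First 1
    $dep = if ($nx) { $nx.Matches[0].Groups[1].Value } else { 'unknown (bcdedit needs elevation)' }

    # LSA PPL: RunAsPPL = 1 requests a protected lsass.exe at the next boot. Wininit event 12
    # ("LSASS.exe was started as a protected process ...") confirms it actually happened.
    $runAsPpl = Get-RegValue $lsa 'RunAsPPL'
    $pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 50 `
                    -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -match 'LSASS\.exe.*protected process' } |
                Select-Object -First 1

    # Secure Boot is a prerequisite the thread warns about; the cmdlet throws on legacy BIOS.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'not available (legacy BIOS or no UEFI)' }

    [pscustomobject]@{
        DEP_BootPolicy        = $dep
        MoveImages_Raw        = $(if ($null -eq $moveImages) { 'not set (opt-in)' } else { $moveImages })
        ForcedASLR            = $forcedAslr
        SEHOP_SystemWide      = $sehop
        LSA_RunAsPPL          = $(if ($null -eq $runAsPpl) { 'not set (0)' } else { $runAsPpl })
        LSA_ProtectedAtBoot   = [bool]$pplEvent
        SecureBoot            = $secureBoot
        EMET_SysSettings_Raw  = $(if (Test-Path $emet) {
                                     Get-ItemProperty $emet | Select-Object DEP, ASLR, SEHOP
                                 } else { 'EMET not installed' })
    }
}

Get-MitigationAudit | Format-List
```

The EMET values are reported raw rather than decoded because EMET's own numbering for its DEP/ASLR/SEHOP policy levels is not shown on this page; the Windows-level keys are what actually govern the kernel's behaviour, so those are the ones to trust. A `RunAsPPL` of 1 with `LSA_ProtectedAtBoot` still false usually just means the machine has not rebooted since the value was set.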
Wow! Many thanks @WildByDesign. I appreciate you going to the trouble of finding out this information for me. I'm still using 8.1 on one of my machines so this will be very useful.
Windows 10 Mitigation Improvements:
Data Driven Software Security:
http://gsec.hitb.org/materials/sg2016/COMMSEC D1 - Sweety Chauhan - Data Driven Software Security.pdf
EMET enabling secondary logon service is surely an issue (for some) because of that
Well, the death of EMET is good news for MBAE and HMPA, even on Win 10 you still need them, as shown in the report.
But at least EMET doesn't need dozens of updates a month because it breaks things,
and that is sadly HMPA's current Achilles heel.
So are you saying that EMET doesn't cause too many problems? But yes I agree, I'm a bit shocked when I see how many problems are reported in the HMPA thread. That's why I have chosen not to install it, and I'm already protected against exploits quite well with my Sandboxie + EXE Radar combo.
Keep in mind that the HMPA thread is mostly about BETA versions. So obviously there are many issues in that thread.