EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    832
    Location:
    UK
    EMET does not inject dlls into every running process, whilst HMPA does.

    Me and one other person have said this.

    EMET will only inject its dll to applications specifically added into its protection list.
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,683
    Location:
    Europe then Asia
    I never said that EMET does; read my posts better, please.
     
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    832
    Location:
    UK
    I am not the only one who interpreted the post I quoted as meaning to say that EMET and HMPA inject into the same processes. Even after I requoted the post, you still don't see the need to edit it?
     
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,683
    Location:
    Europe then Asia
    No, because I never said "EMET injects DLLs into every process"; I just said it also "injects DLLs". My post was to highlight that every anti-exploit has to inject DLLs, hence creating potential issues, and not to say that EMET or MBAE were doing as HMPA does, which they are not, as everybody here knows. I practiced enough with all of them, observing which DLLs they inject, to not make that mistake.

    I think you wrongly related it to my HMPA statement.

    Sorry if I wasn't clear enough, but for me it was obvious, not needing to specify that fact.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,214
    Location:
    The Netherlands
    Yes correct, but the developers of HMPA have explained that system wide injection is also needed for the safe banking and anti-ransom feature, but other competing products do not do this, so technically speaking it shouldn't be necessary. But this was the design that the developers chose.
     
  6. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,284
    Yes, the developer mentioned it in this post: #9723
    Ok, now back to topic :)
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
    So apparently with Windows 10 Creators Update, all of EMET's features will now be baked into the operating system with the use of PowerShell and can utilize EMET .xml configurations. According to a Microsoft security developer, this mitigation functionality will also include the hugely popular EMET ASR (attack surface reduction) feature and cert pinning.

    Mitigations plus ASR plus cert pinning plus CFG plus RFG = Significant security news for Windows 10 Creators Update

    Source: https://twitter.com/dwizzzleMSFT/status/819226684163432448

    Source: https://twitter.com/Carlos_Perez/status/819237510861717505

    Source: https://twitter.com/dwizzzleMSFT/status/819238616119422977
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,384
    Location:
    U.S.A. (South)
    Thank You WildByDesign for your ever vigilance to the things that matter for all of us Windows end users.
     
  10. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,050
    Location:
    UK
  11. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,052
    Location:
    Triassic
    @clubhouse1 Nice find.

    Comparisons are interesting.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
    EMET survey regarding future integration into Windows 10

    Link: https://microsoft.qualtrics.com/jfe/form/SV_cYoqiaHAzX338AR

    EDIT: Interesting...
     
    Last edited: Mar 16, 2017
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
    The main feature(s) of Windows 10 Creators Update (1703) that were expected to not only make EMET irrelevant, but also make EMET not function correctly at all, were the combination of Control Flow Guard (CFG) and Return Flow Guard (RFG). So now that RFG has been dropped from Windows 10 Creators Update, EMET is still very much relevant in my opinion and runs/functions flawlessly.

    So I just wanted to confirm that with build 15063 (Windows 10 Creators Update 1703 RTM) EMET installs without issue and functions as per normal. Although I do not expect Microsoft to change their mind to support EMET on 1703.

    When Creators Update is officially released, Microsoft is expected to release a detailed blog/guide on how to replicate EMET features in Windows 10 by using PowerShell commands to enable/disable mitigations.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
    An update to the EMET support article (https://support.microsoft.com/en-ca/help/2458544/the-enhanced-mitigation-experience-toolkit) from Apr 11, 2017:

    That is what we all essentially had expected. However, what is interesting to me is the "EMET will not be supported or operable on Windows versions that are released after Windows Server 2016 and Windows 10 version 1703" point. That is quite interesting to state that EMET (which uses many built-in Windows mitigation methods/options) would not be "operable" on future versions of Windows 10.

    Also what is of interest to me is whether or not those core operating system security changes would also render other anti-exploit software (or potentially anti-virus software) inoperable as well. Whether third-party anti-exploit or anti-virus would even be necessary on future versions of Windows 10 is debatable. But whether or not they would be operable is quite interesting to see how this plays out. I assume this has more to do with Return Flow Guard (RFG) making a return in future versions. But there could be more to it.
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,683
    Location:
    Europe then Asia
    The word "operable" is very interesting; I'm curious to see the implications too. :D
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
    I've had some time to put some more thought into this. And I don't think that it will be quite as damaging as I first thought. I believe that this will be more than just CFG+RFG.

    My best guess here is that there will be major changes with regard to Application Compatibility (AppCompat), which is the Shim Engine (http://www.alex-ionescu.com/?p=39 is an old article but covers shimming well), which EMET uses to inject into processes to protect them, utilizing Application Compatibility Databases (.SDB files) similar to what Windows itself uses for many compatibility fixes and much more. I've seen some hints at changes coming to AppCompat at some point, and that is likely what is expected in the next major upgrade/milestone for Windows 10, and it would make sense that EMET would no longer be "operable" if major changes occur to AppCompat. These would be important changes with regard to overall Windows security in general and therefore necessary. The hints that I have seen here and there refer to enforcing digital signing of .SDB files and verifying those signatures prior to AppCompat injections, to thwart malware utilizing AppCompat for malicious purposes. Although there is likely more to it beyond my best guesses.

    I have always been a die-hard fan of EMET, however EMET has been officially uninstalled from my machines for several weeks and I will be looking forward now as opposed to looking back. :ninja:
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,683
    Location:
    Europe then Asia
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
    No. No need for EMET anymore with CU since there are so many mitigations in place. Although I still do run MemProtect just in case operating system protections fail. MemProtect has been fantastic particularly with fileless malware since protected processes contain the malicious activity even if the process was compromised.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
    Therefore, built into the Windows 10 RS3 (Fall Creators Update) we will have the following mitigations from EMET:
    • Export Address Table Access Filtering (EAF)
    • Export Address Table Access Filtering Plus (EAF+)
    • ROP - Caller checks
    • ROP - Simulate execution flow
    • ROP - Stack pivot
    • Import Address Table Filter (IAT)
    Keep in mind, those are the remaining EMET mitigations that had not yet made it into Windows 10. All other EMET mitigations are already in Windows 10. EMET has officially been swallowed up by Windows 10 and therefore no longer needed.
     
  21. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,405
    This is awesome news indeed. I have not been using EMET since I installed CU. Looking forward to the rest of it being implemented into the fall CU update.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,384
    Location:
    U.S.A. (South)
    Awesome. :thumb:

    The others are naturally no less important, but this one (for table jumpers) is all too familiar to me from the userland rootkits/DLL injects, if memory still serves, released on the previous platforms.

    • Import Address Table Filter (IAT)
    Happy to see it included.
     
    Last edited: Jun 18, 2017
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,023
    Location:
    Toronto, Canada
    @Trooper @EASTER Even more great news!

    Source: https://twitter.com/markwo/status/876644805249511424

    Therefore, that means that these super important (and still relevant) mitigations from EMET, plus the dozens of other mitigations already built into Windows 10, will all be able to be configured per-process via IFEO MitigationOptions regkeys (either manually or with the simple GUI of GFlagsX) or several other ways to configure via group policy, PowerShell, etc.

    This is going to be powerful and granular. Much more to it in comparison to EMET, though minus the fancy GUI which EMET had going for it. I prefer GFlagsX over EMET anyway.
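    An added example, not code from this thread or from Microsoft: applying the EMET-derived mitigations listed in post #20 to one executable with the ProcessMitigations cmdlets that Windows 10 1709 (RS3) ships, reading the result back, and converting an existing EMET .xml profile. The image name, file paths and the particular mitigation set are assumptions for illustration.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumptions: Windows 10 1709 (RS3) or later, an elevated PowerShell prompt,
# a placeholder image name; the mitigation set chosen here is illustrative.
$target = 'example-viewer.exe'   # placeholder, not a real product binary

# The EMET mitigations that post #20 says land in RS3, plus the long-standing
# OS-level ones that EMET used to switch on per application.
$enable = @(
    'DEP', 'SEHOP', 'BottomUp', 'HighEntropy',                        # base mitigations
    'EnableExportAddressFilter', 'EnableExportAddressFilterPlus',     # EAF / EAF+
    'EnableImportAddressFilter',                                      # IAT filtering
    'EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec' # ROP checks
)

# Per-image setting: stored under the image's IFEO key and applied to
# instances started after the change, not to processes already running.
Set-ProcessMitigation -Name $target -Enable $enable

# Read the setting back so the change is verified rather than assumed;
# the Payload section holds the EAF/IAF/ROP (EMET-derived) switches.
(Get-ProcessMitigation -Name $target).Payload

# Migrating an existing EMET profile instead of typing the list: convert the
# EMET XML (paths are placeholders) and apply the converted policy file.
ConvertTo-ProcessMitigationPolicy -EMETFilePath 'C:\path\to\emet-profile.xml' `
    -OutputFilePath 'C:\path\to\converted-policy.xml'
Set-ProcessMitigation -PolicyFilePath 'C:\path\to\converted-policy.xml'

# Undo for the single image if a compatibility problem shows up.
Set-ProcessMitigation -Name $target -Remove
```

    Test the set on one non-critical application first, since EAF+ and the ROP checks are the ones most likely to trip over unusual binaries, exactly as they did under EMET.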
     
  24. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,405
    This is indeed awesome news. Thanks for keeping us all up to date @WildByDesign
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,384
    Location:
    U.S.A. (South)
    Yikes! The beneficial array of added mitigations is indeed something of a game changer, but it remains to be seen what other vector coverage from 3rd parties will help round things out, or seal the deal so to speak. Excubits MemProtect, I know, is one that members really favor, and for good reason. I may be putting that one into operation soon myself but am trying to nail down the basics first.

    This takes some time and effort and some trial and error but the granularity is welcome of course.

    Are there any basic rulesets anyone else has found useful which might be shared amongst members on different Win 10 series, where they might be applied as a starting point for these current releases? I mean 1511, 1607, 1703 and the like.

    I finally got around to moving up to 1703 CU, but added EMET because GFlags GUI is in the way and is not adjustable for size differences on this end.

    Am I missing something to that?

    As for GFlags, as nice a GUI as it is, with the clear layout for user-configured mitigations, again I repeat, it won't let you adjust the window box size, so some of it is under the bottom of the taskbar on my machine, and that's a bit of an annoyance. Maybe it was overlooked? I have a set 1366x768 landscape which I need for optimum visual.
     