EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    791
    Location:
    UK
    EMET does not inject dlls into every running process, whilst HMPA does.

    One other person and I have said this.

    EMET will only inject its dll to applications specifically added into its protection list.
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,009
    Location:
    when i can counter-troll
    I never said that EMET does; read my posts better, please.
     
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    791
    Location:
    UK
    I am not the only one who interpreted the post I quoted as meaning to say that EMET and HMPA inject into the same processes. Even after I requoted the post, you still don't see the need to edit it?
     
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,009
    Location:
    when i can counter-troll
    No, because I never said "EMET injects dlls into every process"; I just said it also "injects dlls". My post was to highlight that every anti-exploit has to inject dlls, hence creating potential issues, and not to say that EMET or MBAE were doing as HMPA does, which is not the case, as everybody here knows. I practiced enough with all of them, observing which dlls they inject, not to make that mistake.

    I think you wrongly related it to my HMPA statement.

    Sorry if I wasn't clear enough, but for me it was obvious without needing to spell out that fact.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,701
    Location:
    The Netherlands
    Yes, correct, but the developers of HMPA have explained that system-wide injection is also needed for the safe banking and anti-ransom features; other competing products do not do this, so technically speaking it shouldn't be necessary. But this was the design that the developers chose.
     
  6. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,761
    Yes, the developer mentioned it in this post: #9723
    Ok, now back to topic :)
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,841
    Location:
    Toronto, Canada
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,841
    Location:
    Toronto, Canada
    So apparently with Windows 10 Creators Update, all of EMET's features will now be baked into the operating system, configured through PowerShell, and will be able to use EMET .xml configurations. According to a Microsoft security developer, this mitigation functionality will also include the hugely popular EMET ASR (attack surface reduction) feature and cert pinning.

    Mitigations plus ASR plus cert pinning plus CFG plus RFG = Significant security news for Windows 10 Creators Update

    Source: https://twitter.com/dwizzzleMSFT/status/819226684163432448

    Source: https://twitter.com/Carlos_Perez/status/819237510861717505

    Source: https://twitter.com/dwizzzleMSFT/status/819238616119422977
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,841
    Location:
    U.S.A. (South)
    Thank you, WildByDesign, for your constant vigilance to the things that matter for all of us Windows end users.
     
  10. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    835
    Location:
    UK
  11. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,007
    Location:
    Triassic
    @clubhouse1 Nice find.

    Comparisons are interesting.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,841
    Location:
    Toronto, Canada
    EMET survey regarding future integration into Windows 10

    Link: https://microsoft.qualtrics.com/jfe/form/SV_cYoqiaHAzX338AR

    EDIT: Interesting...
     
    Last edited: Mar 16, 2017
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,841
    Location:
    Toronto, Canada
    The main feature(s) of Windows 10 Creators Update (1703) that were expected to not only make EMET irrelevant, but also make EMET not function correctly at all, were the combination of Control Flow Guard (CFG) and Return Flow Guard (RFG). So now that RFG has been dropped from Windows 10 Creators Update, EMET is still very much relevant in my opinion and runs/functions flawlessly.

    So I just wanted to confirm that with build 15063 (Windows 10 Creators Update 1703 RTM) EMET installs without issue and functions as normal. Although I do not expect Microsoft to change their mind about supporting EMET on 1703.

    When Creators Update is officially released, Microsoft is expected to release a detailed blog/guide on how to replicate EMET features in Windows 10 by using PowerShell commands to enable/disable mitigations.
     
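The per-process mitigation workflow the post above anticipates, as an added example that is not part of this thread or of Microsoft's guide. It assumes the built-in ProcessMitigations module (Get-ProcessMitigation, Set-ProcessMitigation, ConvertTo-ProcessMitigationPolicy), which shipped with Windows 10 1709 rather than with 1703 as the post expected; the executable name and file paths are placeholders.

```powershell
# Added example (not from this thread): reviewing and setting per-process exploit
# mitigations with the ProcessMitigations module, the in-box replacement for
# EMET's per-application settings. Run from an elevated prompt on Windows 10
# 1709 or later (assumption: the module is present on the host).

# 1. Show the system-wide defaults (DEP, ASLR, CFG, SEHOP, ...).
Get-ProcessMitigation -System

# 2. Show what currently applies to one executable; the name is a placeholder.
Get-ProcessMitigation -Name 'notepad.exe'

# 3. Apply a conservative EMET-like profile to that executable. Each value maps
#    onto an EMET mitigation: DEP, SEHOP, bottom-up ASLR, forced relocation of
#    images that opted out of ASLR, and high-entropy 64-bit ASLR.
Set-ProcessMitigation -Name 'notepad.exe' -Enable DEP,SEHOP,BottomUp,ForceRelocateImages,HighEntropy

# 4. Convert an existing EMET XML export to the new policy format and import it.
#    Both paths are placeholders for wherever the export was saved.
ConvertTo-ProcessMitigationPolicy -EMETFilePath 'C:\path\to\EMET_Settings.xml' `
                                  -OutputFilePath 'C:\path\to\MitigationPolicy.xml'
Set-ProcessMitigation -PolicyFilePath 'C:\path\to\MitigationPolicy.xml'

# 5. Verify the result. Settings are read at process creation, so a process
#    started after this point picks them up; already-running instances keep
#    the mitigation set they were created with.
Get-ProcessMitigation -Name 'notepad.exe' | Select-Object Dep, Aslr
```

The same caveat EMET users will remember applies here: a mitigation such as ForceRelocateImages or CFG can break an application that was never built for it, so test a profile on one executable before pushing a converted policy file to a fleet.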
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,841
    Location:
    Toronto, Canada
    An update to the EMET support article (https://support.microsoft.com/en-ca/help/2458544/the-enhanced-mitigation-experience-toolkit) from Apr 11, 2017:

    That is what we all essentially had expected. However, what is interesting to me is the "EMET will not be supported or operable on Windows versions that are released after Windows Server 2016 and Windows 10 version 1703" point. That is quite interesting to state that EMET (which uses many built-in Windows mitigation methods/options) would not be "operable" on future versions of Windows 10.

    Also what is of interest to me is whether or not those core operating system security changes would also render other anti-exploit software (or potentially anti-virus software) inoperable as well. Whether third-party anti-exploit or anti-virus would even be necessary on future versions of Windows 10 is debatable. But whether or not they would be operable is quite interesting to see how this plays out. I assume this has more to do with Return Flow Guard (RFG) making a return in future versions. But there could be more to it.
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,009
    Location:
    when i can counter-troll
    The word "operable" is very interesting; I'm curious to see the implications too. :D
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,841
    Location:
    Toronto, Canada
    I've had some time to put some more thought into this. And I don't think that it will be quite as damaging as I first thought. I believe that this will be more than just CFG+RFG.

    My best guess here is that there will be major changes with regard to Application Compatibility (AppCompat), which is the Shim Engine (http://www.alex-ionescu.com/?p=39 is an old article but covers shimming well), which EMET uses to inject into processes to protect them, utilizing Application Compatibility Databases (.SDB files) similar to what Windows itself uses for many compatibility fixes and much more. I've seen some hints at changes coming to AppCompat at some point, and that is likely what is expected in the next major upgrade/milestone for Windows 10; it would make sense that EMET would no longer be "operable" if major changes occur to AppCompat. These would be important changes with regard to overall Windows security in general and therefore necessary. The hints that I have seen here and there refer to enforcing digital signing of .SDB files and verifying those signatures prior to AppCompat injections, to thwart malware utilizing AppCompat for malicious purposes. Although there is likely more to it beyond my best guesses.

    I have always been a die-hard fan of EMET, however EMET has been officially uninstalled from my machines for several weeks and I will be looking forward now as opposed to looking back. :ninja:
     
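Since the post above points at custom shim databases as the mechanism EMET (and, potentially, malware) uses to get into processes, a defender's first step is knowing which third-party .SDB files are registered on a host. The following inventory script is an added example, not part of this thread; it assumes the registry layout that sdbinst writes (the InstalledSDB and Custom keys under AppCompatFlags) and reports each registered database with its path, hash, install time and the executables it is attached to, so the list can be compared against what an administrator expects.

```powershell
# Added example (not from this thread): inventory of third-party shim databases
# registered with sdbinst, for review. Assumes the registry layout sdbinst
# writes under AppCompatFlags; Windows' own built-in databases (sysmain.sdb etc.)
# are not registered there and are therefore not listed.
function Get-InstalledShimDatabase {
    $base      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
    $installed = Join-Path $base 'InstalledSDB'
    $custom    = Join-Path $base 'Custom'
    if (-not (Test-Path $installed)) { return }   # nothing registered on this host

    # Custom\<exe name> holds one value per database GUID ("{guid}.sdb"), which
    # tells us which executables each database is applied to.
    $targets = @{}
    if (Test-Path $custom) {
        foreach ($exeKey in Get-ChildItem $custom) {
            foreach ($valueName in $exeKey.GetValueNames()) {
                $guid = [IO.Path]::GetFileNameWithoutExtension($valueName)
                if (-not $targets.ContainsKey($guid)) { $targets[$guid] = @() }
                $targets[$guid] += $exeKey.PSChildName
            }
        }
    }

    # InstalledSDB\{guid} holds the database path, description and install time.
    foreach ($key in Get-ChildItem $installed) {
        $p     = Get-ItemProperty $key.PSPath
        $path  = $p.DatabasePath
        $exists = [bool]($path -and (Test-Path $path))
        $stamp = if ($p.DatabaseInstallTimeStamp) {
            [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp)   # FILETIME
        } else { $null }

        [PSCustomObject]@{
            Guid        = $key.PSChildName
            Description = $p.DatabaseDescription
            Path        = $path
            Exists      = $exists
            Sha256      = if ($exists) { (Get-FileHash -Algorithm SHA256 $path).Hash } else { $null }
            Installed   = $stamp
            AppliesTo   = ($targets[$key.PSChildName] -join ', ')
        }
    }
}

Get-InstalledShimDatabase | Format-Table -AutoSize
```

On a workstation with EMET installed this lists EMET's own database alongside any other custom shims; on a clean host it usually returns nothing. Anything unexpected (a database whose file no longer exists, an unknown description, or a shim attached to a browser or Office process) is worth a closer look, and the hashes let you compare hosts against a known-good baseline without copying the files around.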
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,009
    Location:
    when i can counter-troll
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,841
    Location:
    Toronto, Canada
    No. No need for EMET anymore with CU since there are so many mitigations in place. Although I still do run MemProtect just in case operating system protections fail. MemProtect has been fantastic particularly with fileless malware since protected processes contain the malicious activity even if the process was compromised.
     