EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Interesting thing to follow up with you here... so I spoke with the developer of GFlagsX (who also happens to author the great Windows Internals books) and he created a patch based on your feedback. I also suggested that it needed some more flexibility to the UI for low screen res. Anyway, within just a few hours today he has already published an update. (https://github.com/zodiacon/GflagsX/releases/tag/0.21) However, there is a bit of a problem at the moment because he has only provided the updated source code for this build so far and no compiled binary. So we will have to keep an eye there and see if he uploads a binary or I will have to look into compiling it in case he does not.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From: https://blogs.windows.com/business/...rity-features-windows-10/#DzGOH9zeQJ8Pepd3.97

    Windows Defender Exploit Guard

     
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,361
    Older editions of Windows 10 can still benefit from AE protection by running Malwarebytes Anti-Exploit.

    But if you're are eligible to update to Creators Update this fall, EMET will become part of Windows 10.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  5. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This is comming with new upgrate this fall?
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,895
    Location:
    Italy
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Insider Build 16232
    Link: https://blogs.windows.com/windowsex...32-pc-build-15228-mobile/#LjyX4Lz2pStkaHBj.97

     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,816
    Location:
    U.S.A. (South)
    Thanks @WildByDesign

    I would also caution this if anyone isn't yet aware but the improvements should help a lot I think once the rough edges are ironed out.

     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @EASTER You're welcome.


    I just spent 30+ minutes playing with system-wide mitigations and per-process mitigations in Insider build 16232. Everything is done via easy to use modern app UI. I must admit that I am thoroughly overwhelmed with process mitigations. In a good way. But there are far too many mitigations to even take screenshots to share here. It's absolutely insane. :thumb:

    Users who love their process mitigations will certainly be looking forward to Windows 10 Fall Creators Update. By the way, I did all of my testing of this build on Pro x64. So these features are not just for Enterprise users and definitely does not require the use of Defender AV specifically. Also these mitigations still make use of IFEO MitigationOptions registry settings, however, they are using binary format instead of QWORD.

    Once this hits Slow ring I may be considering switching my main system over.

    By the way, GFlagsX already allows you to configure most of these mitigations. But it is lacking some of the best mitigations from EMET which are only available in RS3 Insider builds right now.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,816
    Location:
    U.S.A. (South)
    This is surprisingly amazing and very welcome indeed.

    Glad you were able to test some of those and bring the good news back to share with us on that.

    Things are pressing ahead at such a breakneck speed it's hard for me anyway to keep up as they keep showing up anew again :)
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,456
    Installed EMET latest stable version on Windows 10 pro I am running the old spring creators update version, not the fall version.
    EMET is at recommended settings, except that I added a few apps to the list.
    Basically, it seems to be working.
    Two main issues:
    1 Sometimes when I open the GUI, I get an error message that service is not running. But Windows task manager says it is running. If I ignore the message, the GUI opens and everything seems fine.

    2 Sometimes I see a black DOS window open for a second , and then close by itself.

    EDIT: Maybe there is a real problem here, because now, after opening and closing the GUI, I see that both emet agent and emet service are running. But before, I saw only service.
    What's going on here?
    Okay, I think I got it now. EMET takes a while to start up. And it starts one process at a time. Correct?
    Will it protect programs that launched before it?
    Yep, in services I see it is set to delayed start.
    What if set it to start normally?
     
    Last edited: Oct 19, 2017
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes by default they changed the service to Delayed in the most recent release(s). Personally, I switched it back to Automatic and everything was as per normal for me during that time. The Delayed start seemed weird and unnecessary. I would suggest to switch it to Automatic. Keep in mind that if you end up upgrading to 1709 Fall Creators Update, EMET will cease to work.

    All of the EMET mitigations are running kernel-mode, quite literally build into the kernel, and therefore mitigations such as EAF, EAF+ along with other memory protection mitigations have far less of a performance penalty on 1709 in comparison to 1703. I would way rather recommend 1709 if and when you are ready to upgrade.
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,456
    Thanks for the explanations.
    If the mitigations run in kernel, does that also make them more compatible with other security software? Just wondering if EMET integrated into Windows will produce less software conflicts.

    And what do you say about EMET on maximum security level?
     
  14. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,109
    Location:
    South Texas, USA
    So what would be the best route to convert EMET's old recommended software xml to the new standard?

    Update:
    I figured it out using the commands on Powershell reading from Notepad xml file.
     
    Last edited: Oct 20, 2017
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is something that is difficult to determine and only time will tell. However, since the mitigations are built into the kernel and now a fully supported part of the Windows operating system, that should be best for the long term. Meaning that, if any issues do show up with some security software, Microsoft should be more inclined to fix any compatibility issues or work directly with the security companies. So it is possible that there "may" be some issues early on with 1709, but those issues should get ironed out over time. Although so far I have not seen any issues specific to these mitigations, with the one exception being Chrome (chrome.exe) seems to not like having any of the ROP mitigations enabled and it causes issues with Chrome's sandbox. So that is one benefit that you have is that you can still protect Chrome with ROP mitigations with EMET.

    I had ran EMET on Max settings for several years, including the registry tweak (in the EMET manual) which allows you to enable the (possibly problematic) Mandatory ASLR system wide. Closer to the end of my time using EMET, I ended up using Max settings but would then disable the system wide Untrusted Fonts mitigation which would then switch EMET to Custom setting. The font parsing is done within AppContainer now on Windows 10 and therefore that mitigation is not really necessary anymore.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.