Free Microsoft security tool Enhanced Mitigation Evaluation Toolkit locks down apps

From http://www.theregister.co.uk/2009/10/27/microsoft_security_tool/:

 

Has anyone tested it against a known buffer overflow? I tried both Acrobat and IE and can't get the damn thing to do anything.

 

FWIW, I tested the latest IE and Acrobat 0-days against EMET and it let noth through. Not good.

 

Version 2.0 is available. The tool has been renamed to Enhanced Mitigation Experience Toolkit.

 

I was waiting for this...
Hope it helps...

 

@ MrBrian

*



I'm not one for usually blowing MS's trumpet, but if i had a hat, i'd have to take it off for them with this

From the PDF

*

*

Appears to be Very configurable with various opt in/out settings

Only for Windows XP service pack 3 and above

Don't miss - 4. Mitigation caveats

The GUI requires that .NET 2.0 is installed on the system

http://blogs.technet.com/b/srd/arch...itigation-experience-toolkit-emet-v2-0-0.aspx

PDF - http://blogs.technet.com/cfs-file.a...ostAttachments/00-03-35-03-78/Users-Guide.pdf

Video - http://technet.microsoft.com/en-us/security/ff859539.aspx

I wonder how many ordinary users will take advantage of it ? Not many i would have thought = pity

 

Runs on Windows 7 x64?

 

@ ExtremeGamerBR

Yes

See the PDF for more info

 

See SAFE-ADMIN, will make a real easy to apply, plus other goodies

https://www.wilderssecurity.com/showpost.php?p=1741064&postcount=214

Give a compliment to Sul when you like it.

 

Darn, ASLR is not supported on XP?

What does it mean that SEHOP is not supported for system, but has an application opt in?

 

I had enabled DEP for all programs but EMET showed it's status as Aplication Opt Out I set it to Always On but Google Talk doesn't work now...

I had also enabled ASLR for all programs, EMET showed the status as Always On but there is no such option in drop down menu

 

Registry settings are made for each program you implement EMET for. A GUID is created, but stays local the EMET reg key only. Modifying these values does nothing unless you can also manipulate the .sdb (security database) file located in c:\apppatches\custom\{GUID}.sdb.

Attempting to open .sdb file with either security config and analysis tool from mmc.exe or with secedit /analyze /db <path> fails with an error - corrupt database. This .sdb is housing some aspect, have not yet confirmed what, but certainly each program you use EMET for.

This provides decent command line interface, and I like how it can display all EMET values. Might be a worthwhile tool if it had a better interface. A little rough right now, especially if you don't really know what you are doing. Not complex to use, just lacking in infos. The .pdf instructional help file is of use for geeks, not sure about average Joe though.

Sul.

 

Thanks MrBrian for update. I am testing it on Windows 7 x64.

 

Thanks for the update

EMET shows ASLR as Opt-in and I can only change it to disabled, not to opt-out or always on :S

And how about the other migitation techniques?(NullPage, HeapSpray, EAF) I can only manually add a a program and configure them, but if I don't do that, does that mean they are disabled for every program?

The standard DEP setting for Windows is on for all MS services and programs and Opt-in for the rest. You can enable it for everything with opt-out for programs that don't work with it. And now with EMET you can also force it on for everything with no excpetions(Always On.) So, Opt Out is good, it means On for everything except your own exceptions, for example Google Talk.

 

Firefox without SandboxIE protected is able to run under EMET ... but if we protect it with SandboxIE than it won't able to run under EMET ....

What if i put SandboxIE under EMET with DEP, SEHOP, NullPage, MandatoryASLR enabled? I guess it won't affect SandboxIE functionality..

Need confirmation

 

Thanks for the explanation, the thing is Google Talk is not in the exception list, process explorer shows it as DEP(permanent), but I guess opt out is good enough...

 

Found some info on the ASLR questions:

 

It seems like not many people are interested in this sotware?

 

Yes, a pity, it's very nice software.
I've so far put ASLR to always on without problems and EMET'ed quite some software, including some security software: Eset Smart Security, Avast! Free, Prevx, Sandboxie and Immunet Free. All without problems so far

 

I can't run this new version of EMET no matter what I do. The EMET_GUI.exe simply won't run...anyone has any ideas?

 

Are you trying to run it with Admin privileges?

Secondly, if GUI is not working for you then do try to run it with command line interface...

 

New as in Emet 2 ?
http://blogs.technet.com/b/srd/arch...itigation-experience-toolkit-emet-v2-0-0.aspx

 

Other versions are not possible as Emet 2 is the first with a GUI

 

of course but the op mentioned EMET_GUI.exe which reminded me of file names in 1.0.2 command line version. Always good to be clear

 

I feel your pain. I have exactly the same issue. Have tried running as admin and tried the command line version, doesn't work for me. I installed it in a vm with xp pro sp3 works great. Does anyone have a guess on what might be going on?