Introducing EMET v3

Discussion in 'other security issues & news' started by ronjor, May 15, 2012.

Thread Status:
Not open for further replies.
  1. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    The executable EMET_notifier.exe spawns around 10 threads and since we know that the default stack size per thread is 1MB then we can infer that the minimum amount of memory that would likely remain referenced and in the 'working set' would probably be around (1*10) Megabytes + sizeof(executable image) + heap for a minimum of a little over 10 or 11 MB.

    However if you use an application such as Process Explorer to inspect a bit further you will find that it references over 500MB in the pagefile (the Virtual Size column).

    This might not be an issue for people with a recent model workstation and plenty of RAM. But there are many millions of people in the world that are still using older machines with much less resources. It would be great if they were able to use these security tools with very little performance impact. Unfortunately it seems the Microsoft internal policy of promoting the .NET framework interferes with releasing a native GUI.

    Best Wishes,
    -MessageBoxA
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You tested this on said machine to make sure it's not dynamically set based on available resources or are you making assumptions?
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Thread:

    I installed EMET v3 yesterday fresh. I removed v2 first, cleaned up register then defragged for good measure.

    As far as resource use on W7 64 bit 8GB notebook here is my data.

    CPU=0
    WS RAM=51,348 k
    Peak RAM=51,352 k
    Private RAM=31,984 k
    I/O writes=162,367
    Threads=7

    This resource usage is:

    < explorer
    < eset v5 an av product
    < OP FW Pro 7.5.2

    Your mileage may vary

    I also note that the notifier has not yet asked for www access.

    If it does it will be blocked as I have no FW rule allowing any access for it.

    It set itself up to be able to terminate processes, so I blocked that as I don't mind being notified but I want to control if the process should terminate or not.

    Comment away :D
     
  4. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    171
    Will the ability of the NEMET package to "install and configure EMET on ComputerA and export all of the
    settings and package all of the binaries into a redistributable package ready for installation on ComputerB"
    work if ComputerA is Windows XP3 Pro and ComputerB is XP2 Home? Thanks.
     
    Last edited: May 20, 2012
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    79,960
    Location:
    Texas
    http://support.microsoft.com/kb/2458544
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,257
    Location:
    Outer space
    I just tested it, and EMET indeed did not notify when it crashed, Java fixed it by the way, had to download an older version for it to crash.
     
  8. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    I vote for a snappier OS and no EMET. Lower system performance and stability can be a price worth paying to prevent infection, but to suffer this cost just for the benefit of making certain trajectories more difficult is a different level of asceticism, one which for me is not worth it by a long shot.
     
    Last edited: May 19, 2012
  9. tomazyk

    tomazyk Guest

    Disabling Notifier through Registry trick does not prevent Emet_notifier from loading at startup for me. Even after reboot the application still loads at startup.

    The only way to disable loading the app is to disable it through Autoruns or other startup managing software. But this solution is only temporary. Next time I launch the gui it starts windows installer and adds missing autorun key back to registry (it's repairing installation every time it is run).

    So for now the only solution for me is to right-click the icon and choose Exit after each restart. I hope they will put more options in next release.
     
  10. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,248
    Location:
    USA
    Me neither and the Notifier continues to sit in my system tray (unless and until I exit out of it).

    This, in itself, doesn't really bother me, though. However, I am now wondering whether the Notifier will actually "notify" me of anything after having disabled the Notifier through the registry trick outlined above. o_O

    I mean, if it's going to run regardless, should I just remove that registry entry?
     
  11. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    I guess you've found a bug? lol
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    79,960
    Location:
    Texas
    http://www.h-online.com/security/ne...ool-reports-the-cause-of-a-crash-1621983.html
     
  13. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    403
    Location:
    Event Horizon
    Is there any good reason to upgrade from v2.1 to v3.0?
     
  14. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,251
    Location:
    Chaotic Land
    No there isn't.
     
  15. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    The only possible benefit of v3 is using the log to see what is/isn't working in EMET or for errors. If I open EMET 2.1 it will show a green check next to what is running under EMET, so not sure if there is a benefit to the logging either really....
     
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,787
    I'm experiencing the exact same thing. Anyone has any news on the matter??
     
  17. Function

    Function Registered Member

    Joined:
    Feb 5, 2012
    Posts:
    76
    Location:
    UK
    I have a game that I am trying to run and it cannot run on my PC. I was wondering if EMET is the issue.

    Anyway, how does one completely disable EMET for a short while?

    I can set both DEP and ASLR to Disable.

    SEHOP however has to be either "Opt In" or "Opt Out". Which setting should I choose to ensure that EMET is fully disabled for all applications not listed in the "Configure Apps" section?
     
  18. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,251
    Location:
    Chaotic Land
    "Opt In" is what you want.
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,627
    Best software MS ever released.
    I'm gonna review this latest version soon.
    Mrk
     
  20. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Hey everyone...I'm considering getting this version.

    When you install this over EMET 2.1, does it keep your app and system settings?

    Thanks.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,627
    The answer is yes!
    Mrk
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    I agree! I can't believe it but I only wish they had done as well with their operating systems over the years. IMHO of course.

    When you are done your review I would like to read it. :cool:

    Oh, yes I have V3 installed.
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,291
    Location:
    USA
    If a game is crashing it is probably DEP. You can choose Opt Out and if needed set an exclusion for the game. Then you will not constantly have to reboot as one is required for changes to the DEP/SEHOP/ASLR settings.
     
  24. Function

    Function Registered Member

    Joined:
    Feb 5, 2012
    Posts:
    76
    Location:
    UK
    Thanks for the information. I disabled everything and the game ran. Finally after months of trying to figure out the problem it was being caused by EMET.

    I did what you said and chose to keep EMET running as normal and just disable the use of EMET on that game itself.

    Now everything is working fine and the game runs smoothly.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,627
    EMET v3 - More of the best

    While the security world is busy spreading meaningless fear and drama around the birth of Flamer and similar things, Microsoft has released an update to the best security software ever created, their Enhanced Mitigation Experience Kit (EMET). Please enjoy an enthusiastic review of EMET v3.0, with numerous improvements and new features, including easy installation over existing versions, preservation of configured applications, protection profiles, enhanced grammar with wildcard rules, group policy and SCCM integration, reporting to Event Log, and more. It's funny how this product comes from the same oven that forged the Metro failure, go figure. But it's good, and you should use it. Read on.

    http://www.dedoimedo.com/computers/windows-emet-v3.html


    Cheers,
    Mrk
     