Strengthen your computer security with EMET 5

It seems like every day a new software exploit or vulnerability is found. Software vendors work hard at keeping their software secure, but it can take time to test and deploy patches. So what can you do to protect your computer? The Enhanced Mitigation Experience Toolkit (EMET) from Microsoft does just that.

The main window inside of EMET 5

EMET is designed to prevent attackers from taking control of your system. It works as a 'shim' between your programs and the operating system. EMET looks for the most common attack techniques and will block and/or terminate any monitored program in which it detects one. EMET works alongside your favorite anti-virus and anti-malware programs for layered security.

I have been using EMET as part of my layered security for years and have written a few blogs on it. With each version, Microsoft keeps improving it. Some of the improvements in EMET 5 include Attack Surface Reduction (ASR), Export Address Table Filtering Plus (EAF+) and 64-bit ROP mitigations. Here is the list of mitigations EMET currently looks for.

  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Data Execution Prevention (DEP)
  • Heapspray allocation
  • Null page allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Export Address Table Access Filtering Plus (EAF+)
  • Bottom-up randomization
  • Return Oriented Programming (ROP)
  • Attack Surface Reduction (ASR)

There are two (2) different ways to configure EMET: a Graphical User Interface (GUI) and a command line tool. It is best to configure EMET through the GUI, since the command line tool doesn't allow access to all of EMET's features. The built-in configuration wizard allows you to use the recommended settings, keep previous settings (upgrade install) or manually configure EMET (new install).

Easily configure programs to monitor in EMET 5

Once you have EMET installed, it's pretty easy to add programs to monitor. Just open the program you want EMET to monitor and then open EMET. On the lower part of the main window you will see Running Processes. Just find the program you want to monitor in the list, right-click on it and select Configure Process. You will have to restart any program you have just configured inside of EMET.

For more information on Microsoft EMET 5, just follow the links below.

Enhanced Mitigation Experience Toolkit
Enhanced Mitigation Experience Toolkit 5.0 download

How to use layered security to protect your computer

It seems whenever I tell someone that I repair computers for a living, I almost always get asked the question "What do you recommend for anti-virus software?". I tell them that I use a layered approach to security, not relying on just one program for protection. I personally don't like to use all-in-one security suites. It's not that I don't trust any particular software; I just don't like having just one piece of software protecting my computer. Here's how to use layered security to protect your computer.

Protecting your computer with layered security

Software firewall

Windows has had a pretty good firewall built-in since Windows Vista and it's turned on by default. It comes pre-installed inside of Windows and is ready to go. There are also some great stand-alone programs like ZoneAlarm. This is also one of those additional features of all-in-one security software. It's your choice.

Anti-virus software

This one is a no-brainer. There are plenty of free and retail anti-virus programs on the market, and I have used quite a few different ones over the years. Some internet service providers like Cox Communications even offer free security suite software. The only thing to keep in mind when picking an anti-virus program is the performance of the system you're installing it on. I would not install a full-blown security suite like Norton or McAfee on a tablet or netbook.

Anti-malware / anti-spyware software

Anti-virus software normally looks for, you guessed it, viruses. I've cleaned out quite a few pieces of ransomware that anti-virus programs missed because they weren't viruses. Quite a few anti-malware programs are meant to be run side-by-side with anti-virus software. But there are a couple of exceptions to this rule: McAfee software doesn't like to work with Malwarebytes Anti-malware, but it can. And never install Microsoft Security Essentials along with SuperAnti-Spyware, as they are completely incompatible. It's a long story, but basically they are the same program.

Enhanced Mitigation Experience Toolkit (EMET)

EMET actually works as a shim between programs and the operating system. It looks for known patterns of attack and can prevent programs from getting access to the operating system. It can prevent a hacker from using security holes in programs until the developer issues an update. Just configure EMET to monitor any program that can access the Internet. I've seen it work first hand (rogue Flash inside of a browser) and it does what it's meant to do.

Tighten your computer security with EMET 4

Seems like every day a new software exploit comes out. And of course your computer is vulnerable until a patch is released. Or maybe you have older software that doesn't have support any more. But you can still protect your computer from known exploits with the Enhanced Mitigation Experience Toolkit 4.0 (EMET) from Microsoft.

The new user interface inside of EMET 4.0

EMET monitors programs for several known types of exploits using pseudo mitigation technology and is aimed at disrupting currently known hacking techniques. It is not meant to replace anti-virus software, but to work side-by-side with it. EMET adds on to the Data Execution Prevention (DEP) and Structured Exception Handler Overwrite Protection (SEHOP) protection that is already inside of Windows. If a program that EMET is monitoring tries to execute any of these exploits, EMET can log it or terminate it.

Here's a list of the software mitigations that EMET currently monitors:

  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Data Execution Prevention (DEP)
  • Heapspray Allocations
  • Null Page Allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Bottom-up randomization
  • Return Oriented Programming (ROP) mitigations

So how does EMET work? EMET acts as a shim between the program being monitored and the operating system. The monitored program thinks it's talking directly to the operating system, but it's actually talking to it through EMET. EMET comes with predefined profiles for some of the more common programs like Microsoft Office, Internet Explorer, Adobe Acrobat and Java. You can also add to the predefined profiles or create your own. I recommend that you monitor any program that can open files on or from the internet.

EMET also includes a Certificate Trust feature that checks the validity of websites, but it currently only works with certain versions of Internet Explorer. EMET also has options that Microsoft considers unsafe to change, as they have been known to cause system instability. They are hidden by default, but can be exposed by changing a registry key. If you want to change it, the instructions can be found in the advanced options section of the EMET 4.0 User Guide.

When upgrading from EMET 3.0 to 4.0, the configuration wizard prompts you to keep your existing settings or start off new

If you have EMET 3.0 already installed, EMET 4.0 will automatically uninstall it and ask if you want to import the current settings or start off new (recommended). If you have any other version of EMET installed, you will have to manually uninstall it and remove its registry keys HKLM\Software\Microsoft\EMET and, if it exists, HKLM\Software\Policies\Microsoft\EMET.
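
The registry cleanup described above, as an added PowerShell example (not from the original article or from Microsoft). The backup folder and the `-Remove` switch are assumptions of this example; the two key paths are the ones named above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): back up, then optionally remove,
# the leftover EMET registry keys. Uninstall the old EMET version first.
param(
    # Assumed backup location; change to suit.
    [string]$BackupDir = "$env:SystemDrive\EMET-RegistryBackup",
    # Without -Remove the script only backs up and reports.
    [switch]$Remove
)

# The two keys named in the article.
$keys = @(
    'HKLM\Software\Microsoft\EMET',
    'HKLM\Software\Policies\Microsoft\EMET'
)

if (-not (Test-Path -LiteralPath $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

foreach ($key in $keys) {
    $psPath = $key -replace '^HKLM', 'HKLM:'
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Host "Not present: $key"
        continue
    }

    # Export to a .reg file so the settings can be restored if needed.
    $file = Join-Path $BackupDir (($key -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Backup failed for $key; key left in place."
        continue
    }

    if ($Remove) {
        Remove-Item -LiteralPath $psPath -Recurse -Force
        Write-Host "Removed $key (backup: $file)"
    } else {
        Write-Host "Found $key (backup: $file). Re-run with -Remove to delete."
    }
}
```

Keys under HKLM\Software\Policies are written by Group Policy, so a policy that still configures EMET can re-create that key at the next policy refresh.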

EMET 4.0 works on the following operating systems:

  • Windows XP service pack 3 and above
  • Windows Vista service pack 1 and above
  • Windows 7 all service packs
  • Windows 8
  • Windows Server 2003 service pack 1 and above
  • Windows Server 2008 all service packs
  • Windows Server 2008 R2 all service packs
  • Windows Server 2012

EMET 4 does require the .NET 4 Framework to be installed. Also, for EMET 4 to work properly on Windows 8 and Server 2013, Microsoft KB 2790907 must be installed.

For more information on EMET from Microsoft, just follow the links below.

Enhanced Mitigation Experience Toolkit
Enhanced Mitigation Experience Toolkit 4.0 download page

Harden your computer's security with EMET v3 from Microsoft

It seems like every day a new software exploit comes out. Software vendors are good at getting out software patches, but it can take some time to do it. And until then, you're vulnerable to attack. But you can make your software more resilient to attacks with the Enhanced Mitigation Experience Toolkit (EMET) v3 from Microsoft.

View of main screen inside of EMET v3

EMET v3 is designed to make it very difficult to impossible for an attacker to exploit vulnerabilities in any given piece of software. It does this by using pseudo mitigation technologies to disrupt current exploit techniques. A couple of these have been built into Windows (SEHOP, DEP) and are designed to be easily updated as new techniques are discovered.

The new EMET Notifier on the Taskbar

EMET v3 has some major improvements over older versions, mainly targeted at corporate / enterprise environments. Easier configuration, enterprise deployment via Group Policy and SCCM, and reporting capability via the new EMET Notifier feature are just a few of the changes in EMET v3. Here's a quote from Microsoft's website:

Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:

1. No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required for an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available and when source code is not available.

2. Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.

3. Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.

4. Ease of use: The policy for system wide mitigations can be seen and configured with EMET's graphical user interface. There is no need to locate and decipher registry keys or run platform dependent utilities. With EMET you can adjust settings with a single consistent interface regardless of the underlying platform.

5. Ease of deploy: EMET comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment.

6. Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

What security exploits are currently covered

  • Structured Exception Handler Overwrite Protection (SEHOP) (built-in since Windows Vista SP1)
  • Dynamic Data Execution Prevention (DEP) (built-in since Windows XP SP2)
  • Heapspray Allocations
  • Null page allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Bottom-up randomization

What programs to harden

You only want to harden / mitigate certain programs that are targeted on a regular basis. Web browsers like Firefox and Internet Explorer, e-mail clients like Outlook and Windows Live Mail, and instant messaging clients are a few examples. I recommend that you harden any program that can open files on or from the internet.
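
The "No source code needed" point in the Microsoft quote above turns on whether a program was built with the DEP and ASLR opt-in flags, and those flags can be read from the file's PE header when deciding what to harden. The following is an added PowerShell example, not code from the article or from Microsoft; the function name and the two install paths are assumptions.

```powershell
# Added example (not from the article): report whether a binary was built
# with the DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) opt-in flags.
function Get-PEMitigationOptIn {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)

    # DOS header: 'MZ' magic, with the PE header offset (e_lfanew) at 0x3C.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not a PE file (no MZ header): $full"
    }
    $pe = [System.BitConverter]::ToInt32($bytes, 0x3C)

    # Signature (4 bytes) + COFF header (20) + optional header through
    # DllCharacteristics (offset 70, 2 bytes) must fit inside the file.
    if ($pe -lt 0 -or ($pe + 24 + 72) -gt $bytes.Length) {
        throw "Truncated or invalid PE header: $full"
    }
    if ([System.BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) {
        throw "Missing PE signature: $full"
    }

    $opt   = $pe + 24
    $magic = [System.BitConverter]::ToUInt16($bytes, $opt)
    $flags = [System.BitConverter]::ToUInt16($bytes, $opt + 70)

    switch ($magic) {
        0x10B   { $format = 'PE32 (32-bit)' }
        0x20B   { $format = 'PE32+ (64-bit)' }
        default { throw "Unknown optional header magic: $full" }
    }

    [pscustomobject]@{
        File      = Split-Path -Leaf $full
        Format    = $format
        DEPOptIn  = [bool]($flags -band 0x0100)  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        ASLROptIn = [bool]($flags -band 0x0040)  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    }
}

# Assumed install paths for two of the programs the article names.
$targets = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
)
$targets | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-PEMitigationOptIn -Path $_ } |
    Format-Table -AutoSize
```

A False in either column means the binary did not opt in at build time, which is the case EMET's per-process settings address. The check covers only the named file, not the DLLs it loads, and 64-bit processes have DEP enforced regardless of the flag.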

For more information on EMET v3, just follow the links below:

Introducing EMET v3
Download EMET v3

Security made easier with Microsoft Security Essentials 2

In a previous article, I discussed Microsoft Security Essentials (MSE). I like the ease of use, the integration with Windows Update and the small footprint it has, especially on my netbook. Recently, Microsoft has released Microsoft Security Essentials Version 2 with some new features, including a new and improved protection engine, Windows Firewall integration and a Network Inspection System.

A new look for MSE V2

As you can see, the user interface changed slightly, with a new color palette and mesh graphics. There are a few more options for the user to configure, but it is still one of the easiest anti-virus applications to set up. For more on the major improvements, here is a quote from the MSE web site:

Windows Firewall integration
Windows Firewall can help prevent attackers or malicious software from gaining access to your computer through the Internet or a network. Now when you install Security Essentials, the installation wizard verifies that Windows Firewall is turned on. If you have intentionally turned off Windows Firewall, you can avoid turning it on by clearing a check box. You can change your Windows Firewall settings at any time via the System and Security settings in Control Panel.

Network Inspection System
Attackers are increasingly carrying out network-based attacks against exposed vulnerabilities before software vendors can develop and distribute security updates. Studies of vulnerabilities show that it can take a month or longer from the time of an initial attack report before a suitable security update is developed, tested, and released. This gap in protection leaves many computers vulnerable to attacks and exploitation for a substantial period of time. Network Inspection System works with real-time protection to better protect you against network-based attacks by greatly reducing the timespan between vulnerability disclosures and update deployment from weeks to a few hours.

Award-winning protection engine
Under the hood of Security Essentials is its award-winning protection engine that is updated regularly. The engine is backed by a team of antimalware researchers from the Microsoft Malware Protection Center, providing responses to the latest malware threats 24 hours a day.

Now, in going through the program, I did find two options quite interesting...

Enable behavior monitoring and Enable Network Inspection System options in MSE V2

I did a little digging in the MSE V2 Help file and found this description of these features:

Enable behavior monitoring
This option monitors collections of behavior for suspicious patterns that might not be detected by traditional antivirus detection methods.

Enable Network Inspection System
This option helps protect your computer against “zero day” exploits of known vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered and an update is applied.

Here are a few of the other changes inside of MSE V2:

  • Microsoft Security Essentials also supports Windows XP Mode in Windows 7
  • The ability to limit CPU usage during scanning
  • Automatic removal of quarantined files after a set amount of time
  • You can now select between monitoring all files, incoming or outgoing

Microsoft Security Essentials Version 2 is available for Windows XP (SP 2 or SP 3)(x86), Windows Vista (x86, x64) and Windows 7 (x86, x64) and can be downloaded here.

The only issue I came across was that the update function inside Version 1 would not update the program to Version 2. I tried it on a couple of systems without success. I had to uninstall Version 1 first, then install Version 2.
