Harden your computer's security with EMET v3 from Microsoft

It seems like every day a new software exploit comes out. Software vendors are good at getting patches out, but it can take some time, and until then you are vulnerable to attack. You can make your software more resilient to attacks in the meantime with the Enhanced Mitigation Experience Toolkit (EMET) v3 from Microsoft.

Figure: View of the main screen inside of EMET v3

EMET v3 is designed to make it very difficult, if not impossible, for an attacker to exploit vulnerabilities in a given piece of software. It does this by using pseudo mitigation technologies to disrupt current exploit techniques. A couple of these (SEHOP, DEP) are already built into Windows, and the mitigations are designed to be easily updated as new attack techniques are discovered.

Figure: The new EMET Notifier on the Taskbar

EMET v3 has some major improvements over older versions, mainly targeted at corporate / enterprise environments. Easier configuration, enterprise deployment via Group Policy and SCCM, and reporting via the new EMET Notifier feature are just a few of the changes in EMET v3. Here's a quote from Microsoft's website:

Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:

1. No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required for an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available and when source code is not available.

2. Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.

3. Helps harden legacy applications: It's not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.

4. Ease of use: The policy for system wide mitigations can be seen and configured with EMET's graphical user interface. There is no need to locate and decipher registry keys or run platform dependent utilities. With EMET you can adjust settings with a single consistent interface regardless of the underlying platform.

5. Ease of deployment: EMET comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment.

6. Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

What security exploits are currently covered

  • Structured Exception Handler Overwrite Protection (SEHOP) (built-in since Windows Vista SP1)
  • Dynamic Data Execution Prevention (DEP) (built-in since Windows XP SP2)
  • Heapspray Allocations
  • Null page allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Bottom-up randomization

What programs to harden

You only want to harden / mitigate the programs that are targeted on a regular basis. Web browsers like Firefox and Internet Explorer, e-mail clients like Outlook and Windows Live Mail, and instant messaging clients are a few examples. I recommend that you harden any program that can open files from the internet.

For more information on EMET v3, just follow the links below:

Introducing EMET v3
Download EMET v3

Security made easier with Microsoft Security Essentials 2

In a previous article, I discussed Microsoft Security Essentials (MSE). I like the ease of use, the integration with Windows Update and the small footprint it has, especially on my netbook. Recently, Microsoft released Microsoft Security Essentials Version 2 with some new features, including a new and improved protection engine, Windows Firewall integration and a Network Inspection System.

Figure: A new look for MSE V2

As you can see, the user interface changed slightly, with a new color palette and mesh graphics. There are a few more options for the user to configure, but it is still one of the easiest anti-virus applications to set up. For more on the major improvements, here is a quote from the MSE web site:

Windows Firewall integration
Windows Firewall can help prevent attackers or malicious software from gaining access to your computer through the Internet or a network. Now when you install Security Essentials, the installation wizard verifies that Windows Firewall is turned on. If you have intentionally turned off Windows Firewall, you can avoid turning it on by clearing a check box. You can change your Windows Firewall settings at any time via the System and Security settings in Control Panel.

Network Inspection System
Attackers are increasingly carrying out network-based attacks against exposed vulnerabilities before software vendors can develop and distribute security updates. Studies of vulnerabilities show that it can take a month or longer from the time of an initial attack report before a suitable security update is developed, tested, and released. This gap in protection leaves many computers vulnerable to attacks and exploitation for a substantial period of time. Network Inspection System works with real-time protection to better protect you against network-based attacks by greatly reducing the timespan between vulnerability disclosures and update deployment from weeks to a few hours.

Award-winning protection engine
Under the hood of Security Essentials is its award-winning protection engine that is updated regularly. The engine is backed by a team of antimalware researchers from the Microsoft Malware Protection Center, providing responses to the latest malware threats 24 hours a day.

Now, in going through the program, I did find two options quite interesting...

Figure: Enable behavior monitoring and Enable Network Inspection System options in MSE V2

I did a little digging in the MSE V2 Help file and found this description of these features:

Enable behavior monitoring
This option monitors collections of behavior for suspicious patterns that might not be detected by traditional antivirus detection methods.

Enable Network Inspection System
This option helps protect your computer against “zero day” exploits of known vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered and an update is applied.

Here are a few of the other changes inside of MSE V2:

  • Microsoft Security Essentials also supports Windows XP Mode in Windows 7
  • The ability to limit CPU usage during scanning
  • Automatic removal of quarantined files after a set amount of time
  • You can now select between monitoring all files, incoming or outgoing

Microsoft Security Essentials Version 2 is available for Windows XP (SP 2 or SP 3)(x86), Windows Vista (x86, x64) and Windows 7 (x86, x64) and can be downloaded here.

Note:
The only issue I came across was that the update function inside Version 1 would not update the program to Version 2. I tried it on a couple of systems without success. I had to uninstall Version 1 first, then install Version 2.

Harden / Mitigate the security of your Windows programs with Microsoft EMET

*** Update 5/22/2011 ***
Microsoft released EMET 2.1 on 5/20/2011. EMET 2.1 includes minor program revisions, and it is now a Microsoft supported product through an online forum. All information and links in this article have been revised to reflect these changes.

Let's face it, some of the software we use on a daily basis has become subject to security vulnerabilities and exploits. Software manufacturers do their best to develop and test fixes / patches as fast as possible, but this can take time, and a lot of users just cannot keep up with all of the updates and hotfixes. Microsoft recently released version 2.1 of the Enhanced Mitigation Experience Toolkit (EMET) to deal with just this issue.

EMET expands on the technologies that Microsoft implemented with Data Execution Prevention (DEP), which has been included in the Windows operating system since Windows XP SP2. EMET is designed to disrupt current exploit techniques by using pseudo mitigation technologies. The EMET mitigations can prevent your system from being compromised by current exploit techniques, and they can be easily updated when a new exploit technique is discovered.

Before continuing, I must warn you that this program is intended for advanced users. But used with caution, a novice user can use it to reduce the chance of hackers gaining control of their system. EMET can be used to configure both system mitigations and program mitigations.

What security exploits are currently covered

  • Dynamic Data Execution Prevention (DEP) (built-in since Windows XP SP2)
  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Heapspray Allocations
  • Null page allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Bottom-up Randomization (BR)

For more information on the specific mitigation techniques, please see the user manual included.

What programs to harden / mitigate

You only want to harden / mitigate the programs that are targeted on a regular basis. Web browsers like Firefox and Internet Explorer, e-mail clients like Outlook and Windows Live Mail, and instant messaging clients are a few examples. I recommend that you mitigate any program that can open files from the internet.
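Both EMET write-ups on this page recommend hardening the programs that open internet content, and the v3 quote points out that DEP originally had to be opted into at build time and compiled in. The Python script below is an added example, not code from the post, from Microsoft or from EMET: it reads the DllCharacteristics field of a PE image's optional header to report whether a binary opted in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) itself, which is how you find the legacy candidates that EMET can opt in without a recompile. The sample images and their file names are constructed in the script, not real binaries.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE optional header.
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (opts in to ASLR)
NX_COMPAT = 0x0100     # image is compatible with DEP
NO_SEH = 0x0400        # image uses no structured exception handlers

def build_pe(dll_characteristics, pe32plus=False):
    """Construct a minimal, non-runnable PE image as test data (constructed, not a real binary):
    DOS header, PE signature, COFF header and an optional header holding DllCharacteristics."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96  # optional header size without data directories
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic: PE32+ or PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)          # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

def pe_mitigations(data):
    """Parse the headers and report which mitigations the image opted in to at link time."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_size = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]  # SizeOfOptionalHeader
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt_off = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    flags = struct.unpack_from("<H", data, opt_off + 70)[0]
    return {
        "arch": "x64" if magic == 0x20B else "x86",
        "dep": bool(flags & NX_COMPAT),
        "aslr": bool(flags & DYNAMIC_BASE),
        "no_seh": bool(flags & NO_SEH),
    }

def emet_candidates(images):
    """Names of images lacking DEP or ASLR opt-in: the ones EMET can opt in without recompiling."""
    return sorted(name for name, data in images.items()
                  if not (pe_mitigations(data)["dep"] and pe_mitigations(data)["aslr"]))

# Constructed sample set standing in for a scan of a program directory.
SAMPLES = {
    "modern_browser.exe": build_pe(NX_COMPAT | DYNAMIC_BASE | NO_SEH, pe32plus=True),
    "legacy_viewer.exe": build_pe(0),
    "old_mailer.exe": build_pe(NX_COMPAT),
}
```

To check real files, read each .exe or .dll with open(path, "rb").read() and pass the bytes to pe_mitigations; a binary reporting dep or aslr as False is exactly the kind EMET's per-process opt-in is meant for.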

Figure: EMET's Main screen

Figure: EMET's Add / Remove Program screen

EMET supports both 32-bit and 64-bit applications and can be downloaded here.

Notes:

  1. EMET runs on Windows XP SP3 or higher, Windows Vista SP1 or higher, Windows 7, Windows Server SP1 and higher, Windows Server 2008 and Windows Server 2008 R2.
  2. The EMET GUI requires the .NET Framework 2.0 to be installed.
  3. Some security mitigation technologies may break applications.

Simple security with Microsoft Security Essentials

In this article, I am going to spotlight Microsoft Security Essentials (MSE). This is not Microsoft's first venture into the anti-virus market, but it is probably the best. Having used some of the better-known anti-virus software (Norton / Symantec, McAfee, etc.) for over a decade, I decided to give MSE a try.

Figure: Microsoft Security Essentials

All of the articles I had read on Microsoft Security Essentials were quite positive, so I installed it on my netbook running Windows 7 in June. Since then, I have taken the netbook on several on-site service calls and on vacation. I am happy to report that the netbook remains virus free. What I really like is the small footprint the software has. It does not take five minutes to start up Windows, as can happen on systems with limited resources (such as netbooks).

MSE works quite well with the Windows 7 built-in firewall. The interface is clean and easy to use, unlike some of the anti-virus software out there, and it's easy enough for a novice user to navigate. It also integrates into Windows Update. Here's a quote from Microsoft's website:

Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.

Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.

Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.

I encourage you to take a look at Microsoft Security Essentials. It's simple and free.
Scott

Free Internet Security Software

Here is a list of four free Internet security programs I recommend for those who are on a budget. Keep in mind that free software often comes with limitations, but these programs are fully functional. Some of them require manual updating, but that is a small price to pay for great software that is free. Let us start with an anti-virus program:

(***Disclaimer: Never install and/or run two anti-virus programs on the same system.***)

AVG Free Click here for latest version

Upside: Here is a fully functional Anti-Virus program that has Anti-Virus, Anti-Spyware, E-mail and link scanners. The program is fully automatic in updating itself. It can be updated from a file too (USB drive), when you have to quarantine a system by disconnecting it from the internet/intranet.
Downside: There is no free technical support. Support for this product is sold at blocks of 15 minutes.

Next is a Firewall program:

(***Disclaimer: Before installing a firewall in Windows XP / Vista, disable the Windows Firewall in the Control Panel first. Moreover, never install and/or run two software firewalls on the same system.***)

ZoneAlarm http://www.zonealarm.com/

Upside: The program is fully automatic in updating itself.
Downside: It only provides inbound and outbound protection, but does it in full stealth mode. It also requires internet access to install.

Let us now look at two free spyware / malware programs. My first choice is Malwarebytes' Anti-Malware. Note: I ranked Malwarebytes first only because it can be installed and run without the need for internet access (I use USB drives for installing software on quarantined systems).

Malwarebytes' Anti-Malware http://www.malwarebytes.org/

Upside: It is a great malware program. It can be installed and run without the need for internet access (always download the latest version first).
Downside: You have to open the program and manually update it.

Spybot http://www.spybot.com/

Upside: It is a great spyware scanner with a ton of features, including an 'Immunization' feature for your internet browser. It can also update itself when the program is started.
Downside: It requires internet access to install. Not a good thing if you have to quarantine a system by disconnecting it from the internet/intranet.

Posted on: 2/6/2009 at 4:11 PM
Categories: Geek Tips | The Community