Geeks in Phoenix

Geek Blog


Toughen your computer security with EMET 5.1

Keeping your computer secure has always been tough. It seems like every week there is another exploit making the rounds. Nobody can predict what kind of attack hackers will use next. But you can protect your computer from the most common actions and techniques used with the Enhanced Mitigation Experience Toolkit 5.1 (EMET).

The main screen inside of EMET 5.1
The main screen inside of EMET 5.1

What is EMET? It monitors selected programs (Internet Explorer, Microsoft Office programs, etc.) for known attack actions and techniques. When one of the several pseudo mitigation technologies is triggered, EMET can block or even terminate the program in question. It will also validate digitally signed SSL certificates inside of Internet Explorer. Here's is the current list of mitigations EMET currently looks for.

  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Data Execution Prevention (DEP)
  • Heapspray allocation
  • Null page allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Export Address Table Access Filtering Plus (EAF+)
  • Bottom-up randomization
  • Return Oriented Programming (ROP)
  • Attack Surface Reduction (ASR)

The about screen inside of EMET 5.1
The about screen inside of EMET 5.1

EMET 5.1 includes the following improvements:

  • Attack Surface Reduction (ASR) has been updated to limit the attack surface of applications and reduce attacks.
  • Export Address Table Filtering Plus (EAF+) has been updated to improve and extend the current EAF mitigation.
  • 64-bit ROP mitigations have been improved to anticipate future exploitation techniques.
  • Several security, compatibility and performance improvements.

EMET can also be customized via the registry (see EMET manual for instructions). Here are a few of the items that can be modified:

  • Enable unsafe configurations.
  • Configuring custom message for user reporting.
  • Configuring certificate trust feature for third party browsers.
  • Configuring local telemetry for troubleshooting
  • Configuring EMET Agent icon visibility.

Here's a quote from Microsoft's website:

The Enhanced Mitigation Experience Toolkit (EMET) helps raise the bar against attackers gaining access to computer systems. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.

EMET should never monitor anti-malware and intrusion prevention or detection software, debuggers, software that handles digital rights management (DRM) technologies or software that uses anti-debugging, obfuscation, or hooking technologies. Click here for the EMET 5.1 application compatibility list.

For more information on EMET, just follow the links below,

Enhanced Mitigation Experience Toolkit
Enhanced Mitigation Experience Toolkit download

Strengthen your computer security with EMET 5

It seems like every day a new software exploit or vulnerability is found. Software vendors' work hard at keeping their software secure, but it can take time to test and deploy patches. So what can you do to protect your computer? The Enhanced Mitigation Experience Toolkit (EMET) from Microsoft does just that.

The main window inside of EMET 5
The main window inside of EMET 5

EMET is designed to prevent attackers from taking control of your system. It works as 'shim' in-between your programs and the operating system. EMET looks for the most common attack techniques and will block and/or terminate any program it is monitoring. EMET works alongside your favorite anti-virus and anti-malware programs for layered security.

I have been using EMET as part of my layered security for years and have written a few blogs on it. With each version, Microsoft keeps improving it. Some of the improvements in EMET 5 include Attack Surface Reduction (ASR), Export Address Table Filtering Plus (EAF+) and 64-bit ROP mitigations. Here's is the current list of mitigations EMET currently looks for.

  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Data Execution Prevention (DEP)
  • Heapspray allocation
  • Null page allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Export Address Table Access Filtering Plus (EAF+)
  • Bottom-up randomization
  • Return Oriented Programming (ROP)
  • Attack Surface Reduction (ASR)

There are two (2) different ways to configure EMET, a Graphic User Interface (GUI) and a command line tool. It is best to configure EMET through the GUI, since the command line tool doesn't allow access to all of EMET's features. The built-in configuration wizard allows you use either the recommenced settings, keep previous settings (upgrade install) or to manually configure EMET (new install).

Easily configure programs to monitor in EMET 5
Easily configure programs to monitor in EMET 5

Once you have EMET installed, it's pretty easy to add programs to monitor. Just open the program you want EMET to monitor and then open EMET. On the lower part of the main window you will see Running Processes. Just find the program you want to monitor in the list, right-click on it and select Configure Process. You will have to restart any program you have just configured inside of EMET.

For more information on Microsoft EMET 5, just follow the links below.

Enhanced Mitigation Experience Toolkit
Enhanced Mitigation Experience Toolkit 5.0 download

How to use layered security to protect your computer

It seems whenever I tell someone that I repair computers for a living, I almost always get asked the question "What do you recommend for anti-virus software?". I tell them that I use a layered approach to security, not relying on just one program for protection. I personally don't like to use all-in-one security suites. It's not that I don't trust any particular software; I just don't like having just one piece of software protecting my computer. Here's how to use layered security to protect your computer.

Protecting your computer with layered security
Protecting your computer with layered security

Software firewall

Windows has had a pretty good firewall built-in since Windows Vista and it's turned on by default. It comes pre-installed inside of Windows and is ready to go. There are also some great stand-alone programs like ZoneAlarm. This is also one of those additional features of all-in-one security software. It's your choice.

Anti-virus software

This one is a no brainer. There are plenty of free and retail anti-virus programs on the market, and I have used quite few different ones over the years. Some internet service providers like Cox Communications even offer free security suite software. The only thing to keep in mind when picking an anti-virus program is the performance of the system you're installing it on. I would not install a full-blown security suite like Norton or McAfee on a tablet or netbook.

Anti-malware / anti-spyware software

Anti-virus software normally looks for, you guessed it, viruses. I've cleaned out quite a few pieces of ransomware that anti-virus programs missed because it wasn't a virus. Quite a few of anti-malware programs are meant to be run side-by-side with anti-virus software. But there are a couple of exceptions to this rule: McAfee software doesn't like to work with Malwarebytes Anti-malware, but it can. And never install Microsoft Security Essentials along with SuperAnti-Spyware, as they are completely incompatible. It's a long story, but basically they are the same program.

Enhanced Mitigation Experience Toolkit (EMET)

EMET actuality works as a shim between programs and the operating system. It looks for known patterns of attack and can prevent programs from getting access to the operating system. It can prevent a hacker from using security holes in programs until the developer issues an update. Just configure EMET to monitor any program that can access the Internet. I've seen it work first hand (rouge flash inside of browser) and it does what it's meant to do.

Harden / Mitigate the security of your Windows programs with Microsoft EMET

*** Revised 19, February 2016 ***
This article has been revised for EMET v5.5

Enhanced Mitigation Experience Toolkit 5.5

Let's face it, some of the software we use on a daily basis has become subject to security vulnerabilities and exploits. Software manufacturers do their best to develop and test fixes / patches as fast as possible, but this can take time. A lot of users just cannot keep up with all of the updates and hotfixes. A few years ago Microsoft released the Enhanced Mitigation Experience Toolkit (EMET) to deal with just this issue.

View of the main screen inside EMET 5.5
View of the main screen inside EMET 5.5

So what is EMET? EMET monitors selected programs (Internet Explorer, Microsoft Office, etc.) for known attack actions and techniques. When one of the several pseudo mitigation technologies is triggered, EMET will either block the programs' access to the resouce it is trying to reach or just terminate it. EMET expands on the technologies that Microsoft implemented with Data Execution Prevention (DEP), which has been included in the Windows operating system since Windows XP SP2. It will also validate digitally signed SSL certificates inside of Internet Explorer.

View of the application configuration screen inside EMET 5.5
View of the application configuration screen inside EMET 5.5

So how does EMET work? EMET acts as a shim between the program being monitored and the operating system. The monitored program thinks it's talking directly to the operating system, but it's actually talking to it through EMET. EMET comes with predefined profiles for some of the more common programs like Microsoft Office, Internet Explorer, Adobe Acrobat and Java. You can also add to the predefined profiles or create your own. I recommend that you monitor any program that can open files on or from the Internet.

What security exploits are currently covered

Here's is the current list of mitigations EMET 5.5 currently looks for.

  • Attack Surface Reduction (ASR) Mitigation
  • Export Address Table Filtering (EAF+) Security Mitigation
  • Data Execution Prevention (DEP) Security Mitigation
  • Structured Execution Handling Overwrite Protection (SEHOP) Security Mitigation
  • NullPage Security Mitigation
  • Heapspray Allocation Security Mitigation
  • Export Address Table Filtering (EAF) Security Mitigation
  • Mandatory Address Space Layout Randomization (ASLR) Security Mitigation
  • Load Library Check - Return Oriented Programming (ROP) Security Mitigation
  • Memory Protection Check - Return Oriented Programming (ROP) Security Mitigation
  • Caller Checks - Return Oriented Programming (ROP) Security Mitigation
  • Simulate Execution Flow - Return Oriented Programming (ROP) Security Mitigation
  • Stack Pivot - Return Oriented Programming (ROP) Security Mitigation
  • Windows 10 untrusted fonts

What programs should you harden / mitigate

You only want to harden / mitigate certain programs that are targeted on a regular basis. Web browsers like Chrome, Firefox and Internet Explorer, production / office programs like Microsoft Word, Excel and PowerPoint, e-mail clients like Outlook and Windows Live Mail are some of the few. I recommend that you harden any program that can open files on or from the Internet.

What programs should you not harden / mitigate

You should never configure EMET to monitor anti-virus, anti-malware, intrusion prevention / detection software, debuggers, software that handles Digital Rights Management (DRM) technologies or software that uses anti-debugging, obfuscation, or hooking technologies.

Installation notes

New installation: Just download EMET and install

Upgrade install: Since the registry keys for EMET changed with this version, you can either export your existing EMET settings using the method in the 'What's new' section below, download the converter or reconfigure all of the program settings. With the drastic change with the EMET data format inside of the registry, I think that it would be just easier to reconfigure EMET then try the export / import method. Either way, remember to uninstall any older version of EMET and restart your computer before you install this version.

What's new in EMET 5.5?

  • Full-featured GPO management, compatible with reporting and compliance requirements
  • Command line: new syntax and options
  • Implementation of certificate pinning now based on root CA thumbprints. Exceptions logic removed.
  • Export and Import now memorize path
  • EMET registry has been refactored. To convert settings from previous versions of EMET (including EMET 5.5 Beta), registry values must be saved in a file then imported back with the use of the converter PowerShell script after EMET 5.5 is installed. Here are the steps to follow:
  1. Export settings. With elevated PowerShell, run the following command:
    .\Migrate-EmetSettings.ps1 -RegFile .\NewEmetSettings.reg -MissingCertCsv .\MissingCerts.csv PowerShell script Migrate-EmetSettings.ps1 is provided with EMET 5.5 RTM. It includes documentation about its usage.
  2. Uninstall former version of EMET.
  3. Install EMET 5.5 RTM. When asked to choose between Use recommended settings and Configure manually later, chose option Configure manually later.
  4. Import settings. With elevated PowerShell, run the following command:
    reg.exe import .\NewEmetSettings.reg

Supported Operating Systems

Windows 10 , Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, Windows Vista

  • EMET 5.5 requires .NET Framework 4.5.
  • For Internet Explorer 10 on Windows 8 you need to install KB2790907 - a mandatory Application Compatibility update that has been released on March 12th, 2013 or any other Application Compatibility updates for Windows 8 after that

For more information on EMET, just follow the links below.

Enhanced Mitigation Experience Toolkit
Download Enhanced Mitigation Experience Toolkit (EMET) 5.5
Download Enhanced Mitigation Experience Toolkit (EMET) 5.5 User Guide
Download Enhanced Mitigation Experience Toolkit (EMET) 5.5 converter

Customer service is #1

Here at Geeks in Phoenix, we take pride in providing excellent customer service. From computer repair, virus removal and data recovery, we aim to give the highest quality of service.

Bring your computer to us and save

Our in-shop computer repair service  is based on the time we work on your computer, not the time it takes your computer to work!

Contact us

Geeks in Phoenix
4722 East Monte Vista Road
Phoenix, Arizona 85008
(602) 795-1111

Like Geeks in Phoenix on Facebook

Follow Geeks in Phoenix on Twitter

Watch Geeks in Phoenix on YouTube

Geeks in Phoenix is an IT consulting company specializing in all aspects of Computer Repair / PC Repair / Laptop Repair. Since 2008, our expert computer repair technicians have been providing outstanding Computer Repair, Virus Removal, Data Recovery, Photo Manipulation and Website Support.

Geeks in Phoenix have the best computer repair technicians providing computer repair and service in Phoenix, Scottsdale and Tempe Arizona. We offer In-Shop, On-Site and Remote (with stable Internet connection) computer repair service.

Copyright © 2016 Geeks in Phoenix LLC