Microsoft EMET 5.5 Stable Review - 2016

  • Thread starter Deleted Member 333v73x

What do you think of Microsoft EMET 5.5 Stable?

  • 5 - Outstanding: 3 votes (13.6%)
  • 4 - Very Good: 8 votes (36.4%)
  • 3 - Good: 8 votes (36.4%)
  • 2 - Average: 2 votes (9.1%)
  • 1 - Poor (Please Specify Why): 1 vote (4.5%)
  • Total voters: 22
  • Poll closed.
Product name
Microsoft EMET 5.5 Stable
Pros
  • Free program with no limitations
  • Compatible with other security
  • Works with hardware and prevents execution of data
  • Blocks untrusted fonts and other useful features
  • Once set-up correctly, it can offer good protection
Cons
  • Some security knowledge needed to set it up
  • Can be found complicated
  • Causes some issues with other programs
  • Can be bypassed more easily than you think
Bottom line
Not a bad program but needs improvement.

Cch123

emet is free but it is not for the user with basic / average computer knowledge.

if emet can be compromised it is pointless.

It's not pointless; anything can be bypassed. EMET's purpose is to raise the cost of developing exploits to infect EMET-protected targets, and not to completely stop all exploits. Almost all of the in-the-wild exploits are unable to bypass EMET, and those few that do are usually used by Advanced Persistent Threat actors, meaning that home users are unlikely to face them.
 

Dirk41

just installed. as usual it doesn't open its gui. i use a standard account but i type the correct pw, no error messages, simply the window doesn't open. i set recommended option

does someone know if it conflicts with sandboxie?

Edit: Problem solved
 

Dirk41

may i ask a question instead? since i am not an expert and i couldn't do personal settings, is it worth it anyway to leave emet installed with recommended settings? thank you
 

jamescv7

@Dirk41: Well, there is no issue with leaving EMET on the recommended settings, as the tool is designed to be simplified; to see its overall effectiveness, you would have to analyze the target program closely, like other security labs do, to ensure its security holes will not be leaked.
 

_CyberGhosT_

Well said Cch123.
After reading the links Tornado posted I will stick with Malwarebytes version of Anti-Exploit for a little longer :)
 

Dirk41

@Dirk41: Well, there is no issue with leaving EMET on the recommended settings, as the tool is designed to be simplified; to see its overall effectiveness, you would have to analyze the target program closely, like other security labs do, to ensure its security holes will not be leaked.

thank you. but how does it work? if something goes wrong, does it alert you with a popup?
 

Dirk41

@Dirk41: Well, there is no issue with leaving EMET on the recommended settings, as the tool is designed to be simplified; to see its overall effectiveness, you would have to analyze the target program closely, like other security labs do, to ensure its security holes will not be leaked.

i did it. but i don't get if there should be green circle under "running emet" column (as i saw in some picture found in the internet) or emet is working even without them. thank you
 


Dirk41

i did it. but i don't get if there should be green circle under "running emet" column (as i saw in some picture found in the internet) or emet is working even without them. thank you

got it.
it's a little easier than i expected: green circles are only for the apps you run. and it sets only preinstalled ones like IE and adobe. but since i don't use them, i didn't see them running in emet. so just add what you use, like ff: simply: add apps -> and you search them
nice
 

Dirk41

Hi. Could someone tell me how I can make metro apps run under EMET control?
I can't find the ".exe" of the metro apps to add it. For example Twitter. Where is Twitter.exe in w10?
Thank you
 

LabZero

Thread author
Hi. Could someone tell me how I can make metro apps run under EMET control?
I can't find the ".exe" of the metro apps to add it. For example Twitter. Where is Twitter.exe in w10?
Thank you
Not sure but you can try:

the Metro app files are in the hidden WindowsApps folder in C:\Program Files.

In EMET, click the Add Application button, locate and click the application you want to add, then click the Open button.
 

Dirk41

couldn't find in your folders. thanks anyway. maybe the italian version is different
i'll try to ask on italian forum
 

Dirk41

Not sure but you can try:

the Metro app files are in the hidden WindowsApps folder in C:\Program Files.

In EMET, click the Add Application button, locate and click the application you want to add, then click the Open button.


WELL actually i found the folder windows app but it's protected. it doesn't ask admin password. i simply can't access it

BUT anyway it says the folder has 0 files


EDIT: an MVP on MS COMMUNITY told me that now Universal Windows Apps don't have an .exe. Still trying to understand how to add metro apps
 

Dirk41

guys, do you think it makes sense to run SBIE under emet control?
thank you
 

jamescv7

Well, if no issues occur then it's fine; however, you don't need it, since Sandboxie has a strong concept that can hardly be cracked.
 

Dirk41

guys, thanks to another user from bleeping computer i found this information regarding emet 5.5 and w10, and i'd like to have your opinion (since of course every producer, MS in this case, says its products are the best).

from technet:
With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Control Flow Guard (CFG) protection for 3rd party software that may not yet be recompiled using CFG. Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:
Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.
Control Flow Guard (CFG): As developers compile new apps, CFG analyzes and discovers every location that any indirect-call instruction can reach. It builds that knowledge into the binaries (in extra data structures – the ones mentioned in a dumpbin/loadconfig display). It also injects a check, before every indirect-call in your code, that ensures the target is one of those expected, safe locations. If that check fails at runtime, the operating system closes the program.
AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.

from Windows Store Apps live in the Sandbox - SogetiLabs:

All Windows Store apps are tightly sandboxed. This means Windows Store apps run in their own virtual space (the sandbox) and whatever happens to it does not affect any other app running or the OS itself. It should be practically impossible for a Windows Store App to crash the entire computer, it may still crash itself but it won’t be able to hurt anything else. Being in the Sandbox also means the app has no direct access to any other app or service running outside of the app’s sandbox. Access to other apps or services is facilitated by Windows itself with a defined set of APIs within the runtime environment. While this does place limits on what a Windows Store app can do the tradeoff is worth it because it should never be possible for a Windows Store app to be a Virus, Trojan or Rootkit

so is emet really useless on w10? i feel safer with emet
thank you
 
