New version of EMET is now available - Security Research & Defense - Site Home - TechNet Blogs
EMET is an officially-supported product through online forums
Bottom-up Rand: a new mitigation that randomizes (8 bits of entropy) the base address of bottom-up allocations (including heaps, stacks, and other memory allocations) once EMET has enabled this mitigation.
Export Address Filtering is now available for 64-bit processes. EAF filters all accesses to the Export Address Table, which blocks most existing shellcode.
Improved command line support for enterprise deployment and configuration
Ability to export/import EMET settings
Improved SEHOP (structured exception handler overwrite protection) mitigation
Minor bug fixes
-
-
Nice, very nice.
The 'export/import settings' option is most welcome.
Thanks for posting. -
Yes, this doesn't seem like a minor update, but I guess M$ felt it was. A new form of mitigation -- BUM, EAF now applies to 64-bit, and a few other things... not quite a major release but not really a tiny one either =p
-
what is this? and what does it do? and how do u use it? thx.
-
EMET is a run-once program that forces programs to adhere to security standards/protocols. It is (virtually) resource-free, but it has a slight chance of causing instability in certain programs.
It works in two ways:
1) On a system-wide scale it will change whether programs get to opt out of security features or not.
2) It can force programs that do not normally support security features to implement them. It does this by injecting a .dll into the service.
It's essentially a system hardening tool aimed at protecting you from certain types of attack methods. -
If it's a run-once program, why isn't it completely resource free?
-
It's basically resource free. Your programs will have to load an extra tiny .dll when they run, it's really nothing.
You run it once but it has to stay installed. The idea is that you don't have to keep it up or anything. -
AHhh i c. And can you uninstall it? If you do, does the .dll go away? thx man... +rep..
-
You can uninstall it very easily. I suggest that before you do you revert all settings back to normal, it's very easy to do this.
If you uninstall it your programs will stop loading the .dll on startup. -
Gandalf_The_Grey Notebook Evangelist
An interesting article how to configure and use EMET: Protecting your Windows PC with Microsoft EMET 2.1 - rationallyPARANOID.com
-
I've never even heard of EMET; it sounds really interesting. I just installed it and added as many of my programs (the executable files) as I could find. No issues so far and no performance hit that I can see.
-
should i also add comodo & mse to the EMET list? what about windows files like explorer.exe,svchost.exe,... ?
-
so it basically protects all running processes?
-
Nope, you'll have to add/configure processes you want to be protected manually.
EMET doesn't add all running processes automatically to its list.
When configured, future EMET versions can be installed over the old one and your config settings will be re-applied. -
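Since the thread says EMET only protects processes you add by hand, and that protection takes the form of a DLL injected into each configured program, the check a defender usually wants is "which of my running processes actually have that DLL loaded right now?". The PowerShell below is an added example, not part of the thread or of EMET itself; it assumes the injected module is named EMET.dll (the posts only say ".dll"), which you should confirm against your own installation.

```powershell
# Added example (not from the thread): report, for every running process,
# whether EMET's in-process DLL is loaded. The module name is an assumption.
$emetModule = 'EMET.dll'

Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        # Reading .Modules needs matching bitness and enough rights;
        # processes we cannot inspect are reported as 'unknown' rather than
        # silently counted as unprotected.
        $loaded = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq $emetModule })
        $status = if ($loaded) { 'protected' } else { 'not protected' }
    } catch {
        $status = 'unknown (access denied or bitness mismatch)'
    }
    [pscustomobject]@{ Name = $proc.ProcessName; PID = $proc.Id; EMET = $status }
} | Sort-Object EMET, Name | Format-Table -AutoSize
```

Run it from an elevated prompt whose bitness matches the processes you care about (a 32-bit PowerShell cannot read the module list of 64-bit processes). Anything internet-facing that shows up as "not protected" is a candidate to add to EMET's list, which is exactly the manual step the post above describes.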
EMET's system-wide settings are just stricter; it's harder for a program to NOT run with certain protocols when EMET is set to "maximum security." You can also force programs to run with the protocols.
-
To baserk and hungry man: are you both using this on your systems right now?
is it rock solid stable?
does it affect performance even if its set on max? -
also i would like to know which programs you protect with emet.. or actually which files (also system files?)
-
I've been using it on a Vista notebook since EMET came out and it's been rock stable. No performance loss at all.
Gandalf already posted a useful webpage link which is very suitable; link. It lists programs and files. -
yep i did already what was explained in that link.. but there was nothing about system files (except lsass & spoolsv.exe so i wonder about other system files like explorer,svchost...).
-
EMET will never give you a performance hit unless it's caused by a stability/incompatibility issue.
I'm using it right now. I've heard from others it can cause issues with Steam, what you can do is leave the system wide settings at default and then simply force applications to use EMET.
Haven't had a single stability issue that could be traced to it.
edit: As for what to protect... I basically have everything on it. I would suggest, if you're worried about stability, that you only force programs to use it if they are "internet facing" or make any calls at all to a server somewhere. That means your browser, instant messaging client, any download accelerators, anything you have auto-update. All of those should be using EMET. -
Hi folks,
@ Hungry Man ...
Q1: I did not see a specific Answer to "Zakazak" Q? But I am assuming Comodo and MSE or any other AntiVirus (i.e. Avira) to go on EMET!?!?
Q2: So Downloaders & what not ... like Orbit and uTorrent would not take a hit? You know get slowed down or not work period?
Q3: Would DVD Apps Freeware or others work!?!? Like Shrink and what not?
Q4: Since I am crunched for time ... can I install it in either Default or Max Security mode and then add to it as I find the time?
Thanks ... oh & NBR system won't let me +Rep u yet!
G!
-
1) Those can go in EMET, yes.
2) Yes those will work just the same.
3) I can't say for sure. You can try. If they don't work simply undo it.
4) Yes. -
i guess i will also add svchost.exe and explorer.exe.. not sure if that will work out or is useful at all.
-
I surely don't know all the intricacies of EMET, but do remember that Microsoft has made it so that users can primarily force third-party applications to use Microsoft OS functionalities.
As the EMET support forum shows, sometimes explorer.exe can bork under certain circumstances due to a 3rd party plugin. link
If you've forgotten about EMET being activated, you might search high and low on if, why and where the 3rd party plugin makes your computer go 'plonk'.
As the linked example shows, you might suspect the plugin and then uninstall the suspect while it's actually EMET causing the issue.
-----
OT; Funny description of the most recent addition to EMET;
' Bottom-Up Rand (BUR), new with EMET 2.1, adds a random offset to the base of stacks and heaps, making it harder than heck for hacks to hop in a heap. Ahem.' link -
okay i will not use it on microsoft system files then
so only comodo & mse
-
I would assume Microsoft's own products follow these security features already. IE was the first browser to fully support most of these protocols.
EMET 2.1 Released
Discussion in 'Security and Anti-Virus Software' started by Hungry Man, May 18, 2011.