
Is it possible to collect metrics or generate alerts when one of EMET's suite of mitigations prevents code execution? Ideally I'd want to be able to collect and analyze data to support statements like, "deploying EMET blocked ### exploit attempts against our Windows PCs last year."

Rory McCune
Matt

2 Answers


EMET 3.0 has been announced.

With EMET 3.0, we have included an additional new reporting capability that we call "EMET Notifier". When you install EMET 3.0, this lightweight component is set to automatically start with Windows.

EMET events are logged via the event source called EMET. These logs can be found in the Application log. There are three levels: Information, Warning and Error. Information messages are used for logging usual operation such as the EMET Notifier starting. Warning messages are used when EMET settings change. Error messages are used for logging cases where EMET stopped an application with one of its mitigations, which means an active attack has been blocked.

The new version looks like it puts the needed information into the Windows Event Log.

Matt
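The answer above says EMET 3.0 writes Error-level events to the Application log under the "EMET" source whenever a mitigation stops an application. The following PowerShell is an added example (not part of the answer or of EMET itself) that collects those events from one or more PCs and summarises them for the "blocked ### exploit attempts" statement; the ComputerName parameter and the one-line message summary are assumptions, since the page does not describe the event message format.

```powershell
# Added example: count EMET "Error" events (mitigation blocked an application).
# LogName 'Application' and ProviderName 'EMET' come from the EMET 3.0 notes
# quoted in the answer; the -ComputerName list is an assumed parameter for
# collecting from several machines over the network.
function Get-EmetBlockedEvents {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddYears(-1)
    )
    foreach ($pc in $ComputerName) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'EMET'
            Level        = 2          # 2 = Error, 3 = Warning, 4 = Information
            StartTime    = $Since
        }
        try {
            Get-WinEvent -ComputerName $pc -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer    = $pc
                        TimeCreated = $_.TimeCreated
                        EventId     = $_.Id
                        # First line of the message is kept as a short summary;
                        # the exact message layout is not documented on this page.
                        Summary     = ($_.Message -split "`r?`n")[0]
                    }
                }
        } catch {
            # Get-WinEvent throws when nothing matches; that simply means zero blocks.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning ("{0}: {1}" -f $pc, $_.Exception.Message)
            }
        }
    }
}

# Yearly summary plus a breakdown by message summary (e.g. per mitigation/app).
$since  = (Get-Date).AddYears(-1)
$events = @(Get-EmetBlockedEvents -Since $since)
$pcs    = @($events.Computer | Sort-Object -Unique)
"EMET blocked {0} attempts on {1} PCs since {2:d}" -f $events.Count, $pcs.Count, $since
$events | Group-Object Summary | Sort-Object Count -Descending | Select-Object Count, Name
```

Changing `Level` to 3 picks up the Warning events the notes describe (EMET settings changed), which is what you would watch for tamper detection rather than blocked attacks.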

There does not seem to be an EventID associated with EMET, so it might not be possible to collect those metrics. There really should be a way to do that, though.

Try the Microsoft EMET forums.

schroeder