
I've just found out about the Enhanced Mitigation Experience Toolkit. The science behind it is beyond me, but how much protection over an antivirus does it provide?

Should I enable its protection for every process or select the most used attack vectors and safeguard only those? I am concerned about the negative performance impact.

Anders

1 Answer


EMET implements various protection features which are lacking from Windows editions prior to Win10. It additionally adds some protection features which catch out common cut-and-paste shellcode. EMET is being deprecated because Microsoft has now rolled most of the features into Windows 10 natively, although not all of them are present.

I wrote an answer a while back which describes some of the standard EMET features.

The performance impact is negligible, even on more complex applications like Firefox, Chrome, Office, and Visual Studio. The only issue I've ever run into is false detection of the "Caller" or "Caller+" features when opening standard dialogs (e.g. load / save) from some applications. For those cases I just turn those features off.

I have enabled EMET against pretty much everything on my system which is likely to be opening lots of untrusted content. Browsers and document readers are the obvious primary choice, video and audio players (e.g. VLC, MPC-HC) too, as well as communications apps (IRC, Telegram), plus Windows Explorer, cmd.exe, PuTTY, image editing suites, and a bunch of other random applications. These all run fine, although some needed a little policy tweaking.

Keep in mind that EMET does not protect you from malware. It implements features which make it harder for someone to successfully achieve a code execution exploit against a vulnerability in the software running on your system (not including the kernel!). These features also help stop generic shellcode from executing properly, so an attacker would likely have to tailor an exploit payload specifically for an EMET-protected system.

Polynomial
  • Should I use it on Windows 10? Based on your answer I'm inclined to enable every security feature on every process. – Marek Andreansky Dec 31 '16 at 13:50
  • @MarekAndreansky I would say yes, simply because it is much more likely to be beneficial than detrimental. – Polynomial Dec 31 '16 at 13:57
  • There were some strong representations recently about EMET from government-level security orgs. Basically trying to get Microsoft to change their minds about deprecating EMET because W10 still doesn't have all the protections it does. My advice would be to include it, especially if you aren't adblocking and/or your users may have limited cyber knowledge. – Julian Knight Jan 01 '17 at 15:02
  • @Polynomial, do you have a write-up somewhere of the settings you use for various apps? – Julian Knight Jan 01 '17 at 15:03
  • @JulianKnight Nope. Just install EMET and enable all features for every app. If one crashes while doing normal things (try file -> save on it as a good test) then it'll throw up the EMET warning and you can disable that protection feature for that process. – Polynomial Jan 01 '17 at 19:55
  • @Polynomial, thanks. I've generally just used the defaults in the past. I'll give that a go. – Julian Knight Jan 01 '17 at 21:39
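The "enable everything, then switch off the one mitigation that trips a false detection" workflow from the answer and comments above can be scripted instead of clicked through in the EMET GUI. The following is an added example, not code from the original thread or from Microsoft. It assumes EMET 5.x's command-line tool `EMET_Conf.exe` at its default install path, that `--set <exe>` enrols an application with every mitigation enabled, and that a mitigation name prefixed with `-` (for example `-Caller`) disables that single mitigation for that application; the exact names and prefix semantics should be confirmed against `EMET_Conf.exe --help` on the installed version. The application list and the `ExampleEditor` entry are constructed for illustration.

```powershell
# Added example: bulk-apply EMET to applications that handle untrusted content,
# with per-application exclusions for mitigations that produced false detections.
# Assumptions (verify with `EMET_Conf.exe --help`): default EMET 5.x install path,
# `--set <exe>` enables all mitigations, and "-<Mitigation>" disables one of them.
# Must run from an elevated (administrator) PowerShell session.

$EmetConf = 'C:\Program Files (x86)\EMET 5.5\EMET_Conf.exe'   # assumed install path

# Constructed list. 'Disable' holds mitigations to switch off for that app only,
# e.g. Caller after a File -> Save dialog triggered an EMET warning.
$Apps = @(
    @{ Path = 'C:\Program Files\Mozilla Firefox\firefox.exe';  Disable = @() },
    @{ Path = 'C:\Program Files\VideoLAN\VLC\vlc.exe';         Disable = @() },
    @{ Path = 'C:\Program Files\PuTTY\putty.exe';              Disable = @() },
    @{ Path = 'C:\Windows\System32\cmd.exe';                   Disable = @() },
    # Hypothetical application whose standard dialogs tripped the Caller check.
    @{ Path = 'C:\Program Files\ExampleEditor\editor.exe';     Disable = @('Caller') }
)

function Protect-App {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Disable = @(),
        [switch]   $DryRun
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping $Path (not installed on this machine)"
        return
    }
    # "--set <exe>" enables everything; each "-<Mitigation>" then opts that one out.
    $cmdArgs = @('--set', $Path) + @($Disable | ForEach-Object { "-$_" })
    if ($DryRun) {
        Write-Host "$EmetConf $($cmdArgs -join ' ')"
        return
    }
    & $EmetConf @cmdArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "EMET_Conf exited with $LASTEXITCODE for $Path"
    }
}

# First pass: print the commands only. Drop -DryRun once they look right.
foreach ($app in $Apps) {
    Protect-App -Path $app.Path -Disable $app.Disable -DryRun
}

# After applying, dump the effective per-application policy for review.
& $EmetConf --list
```

If an application later crashes during normal use and EMET reports which mitigation fired, add that mitigation name to the application's `Disable` list and re-run the script; re-running `--set` for the same executable replaces its previous configuration rather than stacking a second entry.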