
EMET, Is anyone using it?


chattius

Recommended Posts

The number of computer magazines I buy a year is down to 2. With 5 kids and my wife a doc we have tons of magazines weekly already. I am only buying the half-yearly computer safety issues. I am too lazy to do my own Linux Live DVD to debug Windows machines, so I buy the magazine having it.

I stumbled on an article describing that Microsoft had a tool which would even protect older software from attacks in most cases. There is even an English translation online.

 

http://www.h-online.com/security/features/Damage-limitation-Mitigating-exploits-with-Microsoft-s-EMET-1102501.html

 

So this tool would be a bit different to a virus checker: it would close doors before an attack, and this might even work before a virus is put into a database for an antivirus program.

 

With all the memory sticks my daughters bring home, I was considering reading deeper into the stuff if it would be a useful tool. But since my time is limited and I am mainly on Unix machines, I decided to ask if anyone uses it already.

Link to comment

I've never heard or read about anything like this before; I do know there are some Unix users here on the board, maybe some of them will have some info for us.

 

:)

 

gogo

Link to comment

Gogo, EMET is a free tool supported by Microsoft for Windows Vista/7. The problem is that I am more into Unix/QNX than into Windows, so I would need a Windows expert ;)

 

The safety DVD in the magazine has a lot of safety tools for Windows on one side, and the other side is a Linux system which can start from DVD, no hard disk needed. So you can start a clean computer and use the Linux versions of antivirus programs to inspect the Windows partitions of your hard disk. It has repair tools and different AV programs, so you can do repairs to Windows partitions in a read-only test first; all you need is loaded into memory from the DVD.

 

So what EMET will do is: it will do a layer around a program, trying to capture any access to a program. This layer will hopefully prevent buffer overflows doing nasty stuff or prevent trojans. It will not protect the programs automatically; you will have to protect programs which may be attacked on your own using the tool. Companies writing new software use this technique already for their programs. But older software or freeware stuff may not have it built in. So you can use this to add safety to a freeware program without changing the code.

Link to comment

Well, I was very interested in your topic, Chattius, but one thing caught my eye in the English article you linked:

 

For a quick test of EMET's efficacy, we used the Metasploit exploit framework to generate a crafted demo PDF file which launched the calculator application when opened with an unpatched version of Adobe Reader. We then tested the crafted file with EMET installed.

 

The crafted PDF file was no longer able to launch the calculator and merely crashed Adobe Reader. Unfortunately, EMET does not offer us a facility for identifying which of its options prevented the Adobe Reader vulnerability from being exploited.

 

So far, so good. But regrettably, we were forced to conclude that we were still far from being properly protected from attacks originating from this PDF file. Adding the Adobe Reader binary to EMET offers zero protection against attacks on the Internet Explorer and Firefox plug-ins. And anyone who thinks that adding the plug-in files should be enough to thwart exploits is heading for disappointment. Adding the AcroPDF.dll ActiveX control and the nppdf32.dll Mozilla plug-ins to EMET does not prevent the calculator from being launched when the infected file is loaded in IE or Firefox.

 

And if I read this part of the article correctly, the program is just fine for a standalone machine (offline) but will not protect you from anything coming from the internet? More or less.

Edited by essjayehm
Link to comment

I read it as: it is better than nothing but hard to work with, because for optimal use you have to know Windows internals.

 

In my eyes a crashing Adobe Reader is better than an Adobe Reader which opens the calculator unwanted. Because in a dangerous attack it wouldn't be the calculator which would be opened by an attack. The problem seems to be that EMET blocks if you call Adobe Reader directly, but not if it is called as a plugin. So you would have to add more files to EMET than just the Reader, and the author does not know which ones.

 

That's why I was hoping for a person who knows some Windows internals. Another interest was if I could do a safety shell around old games with memory leaks so only the games but not Windows would stop.

Link to comment
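A practical check that fits two points raised above (new software already has the protections "built in" while older freeware may not, and you have to know which files to add to EMET): Windows records whether a binary opted in to DEP and ASLR in the DllCharacteristics field of its PE header, so you can scan an EXE or plugin DLL and see which ones would rely on an external tool like EMET. The script below is an added example for this thread, not code from EMET, Microsoft or the linked article; the flag values and header offsets come from the PE/COFF format, and the sample images it scans are constructed headers built inline, not real files.

```python
"""Check which PE binaries already opt in to DEP and ASLR.

Added example for this thread, not part of EMET or the article. It reads the
DllCharacteristics field of a PE optional header, which is how the Windows
loader learns whether a binary was linked with /NXCOMPAT (DEP) and
/DYNAMICBASE (ASLR). Binaries without those flags are the ones an external
mitigation tool is meant for. Sample images are constructed headers, not files.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high entropy
DYNAMIC_BASE = 0x0040      # ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100         # DEP opt-in (/NXCOMPAT)
GUARD_CF = 0x4000          # Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_mitigation_flags(data: bytes) -> dict:
    """Return the DEP/ASLR/CFG opt-in state of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dllchar & NX_COMPAT),
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "high_entropy": bool(dllchar & HIGH_ENTROPY_VA),
        "cfg": bool(dllchar & GUARD_CF),
        "raw": dllchar,
    }


def needs_external_mitigation(flags: dict) -> bool:
    """True when the binary did not opt in to both DEP and ASLR itself."""
    return not (flags["dep"] and flags["aslr"])


def scan_file(path: str) -> dict:
    """Parse a real PE file on disk; only the headers are needed."""
    with open(path, "rb") as fh:
        return parse_mitigation_flags(fh.read(65536))


def build_header(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header used as sample input; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header follows DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C      # AMD64 or i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


# Constructed sample images: names are hypothetical, headers are built above.
SAMPLES = {
    "modern.exe (linked with /NXCOMPAT /DYNAMICBASE /HIGHENTROPYVA)":
        build_header(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, pe32plus=True),
    "legacy_game.exe (no opt-in flags at all)": build_header(0),
    "oldplugin.dll (DEP only, no ASLR opt-in)": build_header(NX_COMPAT),
}


def report(samples=SAMPLES) -> dict:
    """Map each sample name to whether it needs an external mitigation layer."""
    return {name: needs_external_mitigation(parse_mitigation_flags(img))
            for name, img in samples.items()}


if __name__ == "__main__":
    for name, img in SAMPLES.items():
        f = parse_mitigation_flags(img)
        verdict = "needs external protection" if needs_external_mitigation(f) else "opts in already"
        print(f"{name}: DEP={f['dep']} ASLR={f['aslr']} CFG={f['cfg']} -> {verdict}")
```

Running the script prints one line per constructed sample; point scan_file at a real EXE or plugin DLL (for example the Reader plugin files the article names) to get the same report for binaries on a Windows machine. A "needs external protection" verdict is exactly the case where a per-program mitigation layer earns its keep; a binary that already sets both flags gets the protections from Windows itself.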
