May I introduce to you... EMET


enigma#

EMET is a pretty fancy tool that covers some of the nasty issues rifling through the Internet.

Most of these issues range from poor programming to bugs that simply don't get patched in time.

Luckily, Microsoft has designed a tool (Yay?) for techies and novices alike to help mitigate some of these attacks (issues ;P).

It's called EMET, short for Enhanced Mitigation Experience Toolkit. It's free and yes, it's helpful! But a bit of setup is required.

 

EMET will help mitigate certain attacks from programs or applets downloaded from the Internet. This is not a bulletproof vest for Windows. There are many ways to exploit Windows even with this toolkit installed. However, it will help your system substantially when needed.

EMET works at two levels: per application and system-wide. You can configure certain protections per application, and only some of them for Windows globally.

First, grab the file from Microsoft:

http://www.microsoft.com/en-us/download/details.aspx?id=29851 - The stable release (get this one first!)

http://www.microsoft.com/en-us/download/details.aspx?id=30424 - This is the Tech Preview (the 'beta')

Download and install it.

After installing it, run the program by hitting Start -> All Programs (Programs). Look for "Enhanced Mitigation Experience Toolkit" and expand it.

Run the program. Note: a user's guide is included, so feel free to read through it.

[screenshot of the Start menu entry]

You will see something like this:

[screenshot of the EMET main window]

Hit Configure System:

[screenshot of the Configure System dialog]

 

If you don't know what these mean, here is a brief explanation for each of these mitigation techniques and why I have mine set this way.

DEP: short for "Data Execution Prevention"

Basically, this nifty little feature tries to keep programs at bay. When malicious programs try to access memory that they're not supposed to (let's say where a crucial system file is), DEP will intervene.

SEHOP: "structured exception handler overwrite protection"

As the name implies, this is used to prevent applications from overwriting or accessing memory addresses (e.g. system files, like in our first example) when they raise an exception. Exceptions are used when the program malfunctions, does something it doesn't anticipate, or gets results it doesn't anticipate.

tl;dr: it's worth enabling to help ensure malware doesn't bypass DEP or other protection mechanisms (like your antivirus, for example).

ASLR: "Address space layout randomization" is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space. (copied straight out of Wikipedia)

Basically, the idea of ASLR is to prevent applications from arbitrarily grabbing memory addresses and using them to inject files where only system files are supposed to be present. To do this, it randomises where each part of the program is placed in memory (as the definition says :P).

My suggestion is to follow what I have set up. However, there are two profiles you can use instead: "Maximum Security Settings" and "Recommended Security Settings". Recommended Security Settings is preferred for home users who have a lot of old programs that may not play nicely with ASLR or SEHOP. Maximum Security is for maximum paranoia :D

Press OK once you've figured out what you want to set it to.

Moving on...

[screenshot of the EMET main window]

Before we go on: in the center you'll notice a list of all your running programs. If you see DEP with a green checkmark, you're in luck: the running application supports DEP natively.

If you see a checkmark beside "Running EMET", it means you've configured EMET to protect this application.
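As an added example (not part of the original post, and not an EMET tool), this PowerShell script reads the facts behind that green checkmark straight from each executable's PE header: whether the linker opted the binary in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE). The candidate paths are assumptions; a missing flag only means the binary did not ask for the mitigation itself, which is exactly the case where EMET's per-application opt-in (or a system-wide Opt Out DEP policy) matters.

```powershell
# Added example, not part of the original post or of EMET itself.
# Reads the PE optional header of an executable and reports the linker flags
# that say whether the binary opted in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE).
function Get-PEMitigationFlags {
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: 'MZ' magic; e_lfanew at offset 0x3C points to the PE signature
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    # Optional header = signature (4) + COFF header (20); DllCharacteristics at +70
    if ($pe -lt 0 -or ($pe + 96) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) {   # 'PE\0\0'
        throw "$Path has no valid PE header"
    }
    $opt   = $pe + 24
    $magic = [BitConverter]::ToUInt16($bytes, $opt)          # 0x10B PE32, 0x20B PE32+
    $flags = [BitConverter]::ToUInt16($bytes, $opt + 70)     # same offset for PE32 and PE32+
    [PSCustomObject]@{
        Path          = $Path
        Is64Bit       = ($magic -eq 0x20B)
        DEP_NXCompat  = [bool]($flags -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        ASLR_DynBase  = [bool]($flags -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        HighEntropyVA = [bool]($flags -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        NoSEH         = [bool]($flags -band 0x0400)   # IMAGE_DLLCHARACTERISTICS_NO_SEH
    }
}

# System-wide DEP policy, the setting behind "Configure System":
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
$os = Get-WmiObject Win32_OperatingSystem
"System DEP policy: $($os.DataExecutionPrevention_SupportPolicy)"

# Constructed candidate list following the post's suggestions; adjust to your machine
$candidates = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "$env:ProgramFiles\Mozilla Firefox\plugin-container.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
)
$candidates | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-PEMitigationFlags -Path $_ } |
    Format-Table Path, Is64Bit, DEP_NXCompat, ASLR_DynBase, HighEntropyVA, NoSEH -AutoSize
```

A binary showing DEP_NXCompat = False will still run with DEP if the system policy is AlwaysOn or OptOut, or if you add it under "Configure Apps"; the script only shows what the binary asked for on its own.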

Once back at your prompt, select "Configure Apps".

Note: to save some time, and so you don't get confused by the extra information, I'm skipping some details here. I'll be happy to answer questions about them below.

[screenshot of the Configure Apps window]

 

As you can tell, I have added multiple applications already. You will probably have a blank list.

To start adding them, hit 'Add'. You will then be able to navigate to your programs.

 

These are the programs I suggest adding to this toolkit:

a) web browsers

b) Flash and Java executables (these are notorious for being exploited, and even then there are exploits EMET cannot stop because of the way these applications handle things)

c) any network services you run, e.g. if you have an SQL server publishing info to the Internet

d) driver monitors and driver applications (not as important, but it helps!)

The last one I don't recommend as much because these binaries are usually harder to find, and they can throw unhappy exceptions at EMET if EMET is overprotective.

Once you have added these applications, make sure all the tick boxes are checked. You can play around with the middle three, but I would suggest keeping them on.

 

In my list, I have the following executables watched by EMET.

Iexplore.exe - our wonderful friend Internet Explorer xD

nusb3mon.exe - My USB 3.0 driver/host monitor

nusb3utl.exe - The configuration utility for nusb3mon.exe

plugin-container.exe - Hello Adobe Flash!

ts3client_win64.exe - As TS3 can execute Lua scripts, I have enabled this for my own testing purposes. You don't need to list TS3 if you don't want to.

waterfox.exe - Firefox's 64-bit brother. Need I say more ;)

 

Press 'Ok' once you're done and reboot your computer.

 

You are now protected against many 0-day (in the wild) attacks.

 

Questions, queries, complaints... shoot a reply below =D

Edited by enigma#