EMET v3 - More of the best


Updated: July 7, 2012

While the security world is busy spreading meaningless fear and drama around the birth of Flamer and similar things, Microsoft has released an update to the best security software ever created, their Enhanced Mitigation Experience Kit (EMET). You would expect the websites to be busy writing about it, but no. Maybe one or two sources.

Why, you ask? Well, because money is all about selling inferior blacklisting products rather than resolving user issues. When it comes to security, EMET takes a fraction of bandwidth to download and install, it requires no reboot, it's fully supported by Microsoft, it can be deployed and managed in a centralized manner using GUI or command line or even group policies, and it imposes no performance penalty on the user. It's a whitelist product, it requires no interaction, and it's virtually foolproof. The perfect security product. And the security industry hates it and tries to keep it under the radar. So please, follow me, proudly presenting Microsoft EMET v3.

Installation

EMET 3.0 can be installed over the existing version. The only thing you will have to do is close programs running through EMET to allow the replacement of DLLs. And that's it. Afterwards, EMET will start with all your settings and apps preserved. On top of that, you get a handful of other goodies and gradual improvements. Let's review them briefly.

Install

Files in use

Installing

New features and capabilities

Microsoft EMET 3.0 comes with improved administration. At home, you will probably not care much for the ability to deploy the rules to 1,000 machines across your organization, but businesses will love this.

Profiles

Profiles, or Protection Profiles, are preconfigured EMET rules in XML syntax, which cover the most common Microsoft applications. The rules are stored in the EMET installation folder, under Deployment\Protection Profiles. Three rules are included by default: Internet Explorer, covering only browser mitigations; Office Software, which also includes Adobe products; and All, which targets many common applications. You can add your own rules there, for easier deployment.

Profiles

Example

A sample profile looks like this:

<Product Name="Windows Media player">
  <Version Path="*\Windows Media Player\wmplayer.exe">
   <Mitigation Enabled="false" Name="MandatoryASLR"/>
  </Version>
</Product>

The language is very simple to understand, and you soon begin to appreciate the simplicity and granularity of the XML format, as it lets you fine-tune your software very easily, without having to waste time using the GUI.

EMET grammar rules

Quoting from the official blog, EMET can now use wildcards to create inclusive rules without depending on the installation path or the architecture. I predict the next step will be the use of full regular expressions. Anyhow, the quote:

Notice the "*" in the Path attribute above? In EMET 3.0, we also expanded the EMET grammar rules. Existing rules that you might have continue to work as-is and it is possible now to also use wildcards in EMET rules. This means that you no longer have to use the full path of an application in EMET rules. You can use the "*" character or simply use the image name, such as "iexplore.exe" in your rules. EMET will protect them regardless of where these applications may be installed. This has been one of the most requested features.
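As an added example (not from the post or from Microsoft), here is a small Python parser that loads a profile in the XML shape shown above and resolves which mitigations apply to a given executable. The <EMET> root element, the second product, the default of Enabled="true" when the attribute is missing, and the exact wildcard matching semantics (case-insensitive, "*" matches anything, a bare image name matches the file name only) are assumptions for this example.

```python
import fnmatch
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample profile in the EMET 3.0 XML style shown above; the <EMET>
# root element and the Internet Explorer product are assumptions for this example.
SAMPLE_PROFILE = r"""<EMET>
  <Product Name="Windows Media player">
    <Version Path="*\Windows Media Player\wmplayer.exe">
      <Mitigation Enabled="false" Name="MandatoryASLR"/>
    </Version>
  </Product>
  <Product Name="Internet Explorer">
    <Version Path="iexplore.exe">
      <Mitigation Enabled="true" Name="DEP"/>
      <Mitigation Enabled="false" Name="SEHOP"/>
    </Version>
  </Product>
</EMET>"""


def load_rules(profile_xml):
    """Return a list of (product, path_pattern, {mitigation: enabled}) tuples."""
    rules = []
    root = ET.fromstring(profile_xml)
    for product in root.iter("Product"):
        for version in product.findall("Version"):
            # Assumption: a Mitigation without an Enabled attribute is enabled.
            mitigations = {
                m.get("Name"): m.get("Enabled", "true").lower() == "true"
                for m in version.findall("Mitigation")
            }
            rules.append((product.get("Name"), version.get("Path"), mitigations))
    return rules


def path_matches(pattern, exe_path):
    """Assumed matching semantics: case-insensitive, '*' is a wildcard, and a
    pattern with no directory part is compared against the image name alone."""
    pattern, exe_path = pattern.lower(), exe_path.lower()
    if "\\" not in pattern:
        return fnmatch.fnmatchcase(ntpath.basename(exe_path), pattern)
    return fnmatch.fnmatchcase(exe_path, pattern)


def mitigations_for(exe_path, profile_xml=SAMPLE_PROFILE):
    """Merge the mitigation settings of every rule whose Path matches exe_path."""
    result = {}
    for _product, pattern, mitigations in load_rules(profile_xml):
        if path_matches(pattern, exe_path):
            result.update(mitigations)
    return result
```

Running mitigations_for() against a real profile from Deployment\Protection Profiles is a quick way to check which rule a given installed executable would actually fall under before rolling the profile out.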

Group policy management

EMET is geared toward use in enterprises, which is why you've always had the command line functionality. Now, though, you also get tighter integration with Group Policy as well as SCCM. This new version includes an ADMX file that contains the three default profiles, which can then be turned on or off through the Group Policy Editor. You also get a template policy that can be used to create new rules. And let's not forget, your application configuration is preserved:

Apps preserved

Conclusion

EMET v3.0 is an excellent product. It is a refinement of a superb concept and solution that should put all your security worries to rest. There's more than what I just wrote, like the reporting facility, so you should take the time to read the Microsoft blog entry. And still more stuff is in the oven, so we should expect useful and practical development of additional features in the coming months.

Really, there's little else to say. EMET is probably the best thing Microsoft ever produced, and yet it keeps slipping under the radar while the security scene is boiling with crybaby nonsense. The only thing I can do is try to raise awareness and warmly recommend that you take EMET for a spin and start enjoying a new level of smart security computing. Well, that would be all this time, fellas.

Cheers.
