Sunday, October 17, 2010

Use EMET On Windows Machines

"The Enhanced Mitigation Experience Toolkit v2.0 (EMET) is a utility designed to help IT Professionals protect systems from common threats. EMET works by applying security mitigation technologies to arbitrary applications to block against exploitation through common attack vectors."

Microsoft has made EMET very easy to use and free of charge. It significantly hardens Windows machines against Zero Day malware and hack attacks. You can download EMET v2.0 here:

NOTE: This site appears to be under attack, and Microsoft has repeatedly changed the link, so you made need to search Google.

After you install EMET, you will need to tell it how much protection to provide. First, click on the Configure System button:

configure sytem

Select Maximum Security Settings, and click the OK button.

maximum security

Click on the Configure Apps button:

configure apps

Click on the Add button for each application you wish to add protection for. You will then browse to the executable file in the Programs folder to choose it. You will want to add browsers, instant messaging software, FTP clients, Adobe products, HP software, anti-virus software, and any software application that Secunia's PSI reports as being "End of Life".

add applications

After you have selected the programs to be protected, reboot the computer.

Two of the security engineers who created EMET, Andrew Roths and Fermin J. Serna, have an excellent video which demonstrates using EMET:

EMET provides the following advanced protections:

Dynamic Data Execution Prevention (DEP):
DEP has been available since Windows XP. Unfortunately, most software applications have not been compiled with the required special flag. EMET allows applications compiled without that flag to be opted in to DEP.

Structure Exception Handler Overwrite Protection (SEHOP):
This protects against currently the most common technique for exploiting stack overflows in Windows. This mitigation has shipped with Windows since Windows Vista SP1. Recently with Windows 7, the ability to turn it on and off per process was added. With EMET, these Windows 7 capabilities become available on any platform back though Windows XP.

Heap Spray Allocation:
When an exploit runs, it often cannot be sure of the address where its shellcode resides and must make a case when taking control of the instruction pointer. To increase the odds of success, most exploits now use heapspray techniques to place copies of their shellcode at as many memory locations as possible. This mitigation blocks the use of addresses most common in today’s exploits.

Null Page Allocation:
This is similar technology to the heap spray allocation, but designed to prevent potential null dereference issues in usermode.

Export Address Table Access Filtering:
This mitigation is designed to break nearly all shell code in use today. Before a piece of shellcode can do anything useful, it generally has to locate windows APIs first. This mitigation blocks a common current technique shellcode uses to do this.

Mandatory Address Space Layout Randomization (ASLR):
ASLR randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data at predictable locations. The problem with this is that all modules have to use a compile time flag to opt into this. EMET forces modules to be loaded at randomized addresses for a target process regardless of the flags it was compiled with.

A helpful User Guide is available:

EMET does not require end user decision making, so you can deploy it on Windows computers throughout your organization (or on your mom's machine). With 75% of anti-virus software applications unable to recognize Zero Day malware, EMET is an application which you must have in order to secure Windows. EMET also installs and runs seamlessly on Windows servers.

- James McQuaid

Updated 12-1-2010