EMET v.4.0 is Coming


  • Currently in beta release (I haven't tried it), this version includes a "Certificate Trust" feature. Should be available as a final release May 28. Only applies to MSIE.
    http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx

    I currently use EMET v.3.0 with IE8/XP Pro, without problems. I'm not exactly sure what it adds to my layered security mix, but as long as it gives me no grief I will keep it. I rather imagine ky331 will have more to say on this.

    _________________________________________

    Dell Forum Member since 2,000

    WOT Web of Trust    Use OpenDNS   MalwareBytes' Anti-Malware Free

    (Mostly) Free Security Software- A Primer

  • EMET 4.0 (full release) now available for download:

    http://www.microsoft.com/en-us/download/details.aspx?id=39273


  • I installed EMET 4 "over" EMET 3, and found that I had both versions installed!   Since EMET doesn't run as an "active" process, I have no way of knowing if both versions were trying to protect me, or if one (4?) superseded the other (3?).

    I had wanted to keep 3 around "initially", so as to be able to import the customized configurations I implemented there.   My understanding was that installing v4 would automatically remove v3 after importing its customizations --- indeed, that's explicitly stated in the instructions --- but as just noted, that didn't happen.   So to play it safe, I decided to uninstall v3 (after the fact).

    The main problem I ran into was that the TRUST button, to configure IE's "certificate pinning rules", just seemed to freeze EMET's GUI.   I had no choice but to kill the EMET GUI via Task Manager.   [Joe:  Wondering if this happens to you??]

    I'm not sure if I accidentally changed another setting somewhere [in EMET or in Reader, because I  **thought**  Reader had been working for me], but I soon discovered that Adobe Reader was shutting itself down as soon as it tried to open a document.   By UNchecking the (Emet) SEHOP option for Reader, .pdf documents then opened normally.

    UPDATE:   On a second Win7x64 SP1 system, I double-checked the EMET 3.0 settings for Adobe Reader, and it's running just fine with SEHOP enabled.   Indeed, the only mitigations UNchecked here are DEP for Office10, EAF for Skype [which I haven't ever used], and EAF & Mandatory ASLR for Windows Media Player.   I'm going to wait a while before upgrading to EMET 4 on this other system.

    Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware

    Windows 7 Pro SP1 (64-bit), avast! v2014 Free, MBAM Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, EMET+MBAE, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [set to BLOCK]; KeyScrambler for IE), CryptoPrevent, Secunia PSI.

    [I believe computer-users who sandbox (Sandboxie) are acting prudently.]

  • MBAM database v2013.06.19.04 is picking up on the following 8 registry keys changed by EMET 4:

    Registry Keys Detected: 8
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack)
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe (Security.Hijack)
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iTunes.exe (Security.Hijack)
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack)
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe (Security.Hijack)

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe (Security.Hijack)
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe (Security.Hijack)
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe (Security.Hijack)

    ---------------------

    MBAM database v2013.06.19.05 is partially fixed, picking up on only 2:   those for Opera and WMPlayer

    ---------------------

    Completely "fixed" with MBAM database v2013.06.19.06

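Two questions come up in the posts above: whether the v4-over-v3 install really left two EMET versions registered, and what MBAM was actually reacting to under Image File Execution Options (IFEO). The following PowerShell script is an added triage example, not code from the thread or from Microsoft's EMET; it only reads the registry. It assumes that EMET's Add/Remove Programs entry has "EMET" or "Enhanced Mitigation Experience" in its DisplayName, and it makes no claim about which IFEO values EMET itself writes: it simply lists every IFEO subkey with its values and separately calls out the `Debugger` value, which is the classic hijack vector (another executable launched in place of the named image) that "Security.Hijack" signatures are aimed at. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): read-only EMET/IFEO triage.
# Assumption: EMET registers itself in Add/Remove Programs with a DisplayName
# containing "EMET" or "Enhanced Mitigation Experience".

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit apps on x64
)

# Every product entry that looks like EMET; more than one result means
# two versions are still registered (the v4-over-v3 situation described above).
function Get-EmetInstalls {
    foreach ($path in $uninstallPaths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem $path | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like '*EMET*' -or
                $p.DisplayName -like '*Enhanced Mitigation Experience*') {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    InstallLocation = $p.InstallLocation
                    Key             = $_.PSChildName
                }
            }
        }
    }
}

# One row per IFEO subkey: the image name, the Debugger value if present,
# and every other value so you can judge what the scanner flagged.
function Get-IfeoEntries {
    Get-ChildItem $ifeo | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $values = ($p.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath, PSChildName, etc.
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        [pscustomobject]@{
            Image    = $_.PSChildName
            Debugger = $p.Debugger   # set => this image is redirected to another program at launch
            Values   = $values
        }
    }
}

$installs = @(Get-EmetInstalls)
"== EMET entries in Add/Remove Programs: $($installs.Count)"
$installs | Format-Table -AutoSize
if ($installs.Count -gt 1) { 'More than one EMET version is registered; uninstall the older one.' }

'== Image File Execution Options subkeys'
Get-IfeoEntries | Sort-Object Image | Format-Table -AutoSize -Wrap

'== Subkeys that redirect an image to another program (Debugger value set)'
Get-IfeoEntries | Where-Object { $_.Debugger } | Format-Table Image, Debugger -AutoSize
```

The last table is the one worth reading carefully: an IFEO subkey for chrome.exe or firefox.exe with no Debugger value is a per-image settings key, while a Debugger value pointing at an unfamiliar executable is exactly the behaviour the MBAM signature name implies. Compare the listing before and after installing or uninstalling EMET to see which subkeys it adds and removes on your own system.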

  • I'm back at the first machine, and decided it was worth trying EMET again "from scratch".

    So I UNinstalled EMET 4 (and deleted the EMET folders).   I did NOT attempt to clean the registry of any remnants that EMET may have left there.

    I reinstalled EMET 4, and had the same issues:   The TRUST button did nothing (other than freezing the GUI), and I had to UNcheck SEHOP in order for Adobe Reader to work without crashing.  

    Unless there were some lingering registry entries that survived, or I inadvertently changed some setting in Reader, I don't believe the SEHOP-based Reader crash should be happening.   And I have no idea if the TRUST button issue is local to my system, or a bug in the EMET program.   I'm hoping to read (here, or elsewhere) what's happening to other EMET users.

    Aside from these two "flaws", I haven't noticed anything else overt resulting from the upgrade to EMET 4.   Of course, one never realizes that EMET is activated unless/until it successfully intercepts an exploit attempt.   So only time will tell.   As long as it doesn't interfere with anything, I'll keep it around.


  • I've only installed EMET 4 on my XP to date, after first uninstalling EMET 3 (as I have limited experience with EMET, I was reluctant to install over the previous version), so I can only say that I currently have v4 installed. So far it has given me no grief.

     I opened the GUI, but haven't configured anything from the default settings yet. SEHOP and ASLR modules are listed as unavailable, and are grayed out.

    An updated MBAM scan (db v2013.06.19.06) detected no registry changes related to WMP or Opera, both of which I have. I don't use Adobe Reader, but Sumatra Reader works well.

    I am reluctant to install EMET (either version) on my primary Win7 systems, until I understand it better, and any bugs have been worked out.


  • Well, I decided to install EMET 4 on a second Win7 system, this time 32-bit.   I did not run into any compatibility issues with Adobe Reader (it's running fine WITH the SEHOP checked... as I believe it should)... but the EMET GUI still freezes when I click the TRUST button.

    This being the case, I'm inclined to conclude there's a bug in the TRUST button mechanism... but my Reader issue (on the first system) may just be some "fluke".


  • Looking at my XP system, I see I only have EMET 2.1 installed.  It's possible I might be able to update to 3.0... but I won't be going to 4.0 there, since I only have .NET 3.5 on XP... and don't see being burdened with installing .NET 4 (with all of its ongoing updates) which is a prerequisite for EMET 4.


  • ky331

    Looking at my XP system, I see I only have EMET 2.1 installed.  It's possible I might be able to update to 3.0... but I won't be going to 4.0 there, since I only have .NET 3.5 on XP... and don't see being burdened with installing .NET 4 (with all of its ongoing updates) which is a prerequisite for EMET 4.

    Your instincts are good, ky.

    Your remark prompted me to check out the MS Update site, and sure enough, it offered no fewer than 5 "Important updates" for .Net Framework 4 for XP, which took about 30 minutes to download/install/reboot. It went uneventfully, but ...

    Secunia PSI 3.0 scans no longer work at all.

    This exceeds my tolerance for the "grief factor". So I uninstalled EMET 4, then .Net Framework 4 Extended, and rebooted. Then I uninstalled .Net Profile 4 Client Profile, rebooted. Secunia PSI 3.0 scans still don't work. So I uninstalled/reinstalled Secunia PSI 3. It still does not work.

    So I will restore my system from a recent backed-up image from another hard drive.

    Bottom line: I don't think EMET 4, .Net Framework 4 (and its updates) play well with XP. Avoid them.

    [Edit]: Just to add, that I uninstalled EMET and Secunia PSI, then reinstalled PSI version 2. It works ok.


  • Joe,

    Given your posts (elsewhere) about issues you were having with PSI 3.x, I'm wondering if perhaps that's something independent of .NET4/EMET4 ??

    Anyway, I see you've successfully reverted to PSI-2... which I think may be the optimal PSI version:

    1) Version 1.5 [which I continue to use] has been complaining for almost 2 years about new versions of Flash, based on an advisory that dates back to 2011.   Unless I'm mistaken, version 2.x does not offer any such objections.

    2) I find the older/simpler text-based GUI of 1.x/2.x to be preferable to the graphical-based GUI of 3.x.   I just feel like it gives me better control over everything listed.


  • For anyone interested in trying EMET 4, here's a good guide (with lots of pictures) for its installation and setup:

    http://www.winhelp.us/microsoft-emet.html
