Windows: Moving Beyond Enhanced Mitigation Experience Toolkit (EMET)

  1. Brink
    Posts : 41,478
    64-bit Windows 10 Pro build 18965

    EMET – Then and Now

    Microsoft’s Trustworthy Computing initiative was 7 years old in 2009 when we first released the Enhanced Mitigation Experience Toolkit (EMET). Despite substantial improvements in Windows OS security during that same period, it was clear that the way we shipped Windows at the time (3-4 years between major releases) was simply too slow to respond quickly to emerging threats. Our commercial customers were particularly exposed since it often took years to deploy new OS versions in large scale environments. And thus, EMET was born as a stop-gap solution to deliver tactical mitigations against certain zero-day software vulnerabilities.

    For Microsoft, EMET proved useful for a couple of reasons. First, it allowed us to interrupt and disrupt many of the common exploit kits employed by attackers at the time without waiting for the next Windows release, thus helping to protect our customers. Second, we were able to use EMET as a place to assess new features, which directly led to many security innovations in Windows 7, 8, 8.1, and 10.

    But EMET has serious limits as well – precisely because it is not an integrated part of the operating system. First, many of EMET’s features were not developed as robust security solutions. As such, while they blocked techniques that exploits used in the past, they were not designed to offer real durable protection against exploits over time. Not surprisingly, one can find well-publicized, often trivial bypasses, readily available online to circumvent EMET.

    Second, to accomplish its tasks, EMET hooks into low-level areas of the operating system in ways they weren’t originally designed. This has caused serious side-effects in both performance and reliability of the system and the applications running on it. And this presents an ongoing problem for customers since every OS or application update can trigger performance and reliability issues due to incompatibility with EMET.

    Finally, while the OS has evolved beneath it, EMET hasn’t kept pace. While EMET 5.5x was verified to run on Windows 10, its effectiveness against modern exploit kits has not been demonstrated, especially in comparison to the many security innovations built-in to Windows 10.

    Windows 10 – A New OS for a Dangerous World

    Not surprisingly, the top customer feedback on EMET has consistently been to build such protections directly into the operating system. But to do that, Microsoft first had to change how we shipped Windows so that customers won’t have to wait years for new protections to come online.

    Beginning with Windows 10, that’s exactly what we did with the move to Windows as a Service. Since its initial launch in July 2015, there have already been two major updates released and that pace is expected to continue. More importantly, each major update of Windows 10 has brought with it substantial new innovations in security. For example, the Microsoft Edge browser was built from the start with security as a top feature. Revolutionary new Windows 10 features like Device Guard, Credential Guard, and Windows Defender Application Guard (coming soon) use hardware virtualization to protect against vulnerability exploits and malware. Windows Defender Advanced Threat Protection (ATP) provides post-breach detection and response for Windows 10 enterprise users. And, of course, Windows 10 includes all of the mitigation features that EMET administrators have come to rely on such as DEP, ASLR, and Control Flow Guard (CFG) along with many new mitigations to prevent bypasses in UAC and exploits targeting the browser.

    With the types of threats enterprises face today, we are constantly reminded of this simple truth: modern defense against software vulnerabilities requires a modern platform. That platform is Windows 10 – an always up-to-date version of Windows that is continually improved to help protect against the latest threats. To help make the transition to Windows 10, we will publish a detailed guide for administrators currently using EMET.

    Updated Support End Date for EMET 5.5x

    Finally, we have listened to customers’ feedback regarding the January 27, 2017 end of life date for EMET and we are pleased to announce that the end of life date is being extended 18 months. The new end of life date is July 31, 2018. There are no plans to offer support or security patching for EMET after July 31, 2018. For improved security, our recommendation is for customers to migrate to Windows 10.

    – Jeffrey Sutherland

    Source: Moving Beyond EMET Defense

    See also: How to Change Exploit Protection Settings from Windows Defender Security Center in Windows 10
    Last edited by Brink; 06 Jul 2017 at 14:23.

  2.    #1

    I replaced it with Malwarebytes anti exploit.

  3. TairikuOkami
    Posts : 3,807
    Home 1903 x64 10.0.18362.267

    Moving from local protection to online. I can imagine many security-wise people not being very happy about it. RIP EMET.

  4. Posts : 69
    Windows 9 (aka Windows 10)

    I had been using EMET 5.5 for a long time under Win10, but today I decided to remove it. After doing so, I manually deleted all the "MitigationOptions" values under the various keys beneath "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", and the one under "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel".

    After deleting that stuff, I wondered if the EMET uninstaller had left it behind for a reason. Does anyone know if the "MitigationOptions" values are used by Win10 itself, apart from EMET? I can easily restore if needed, but I'd rather not have crap just to have crap. (Yes, it's neurosis.)

    I guess if someone has Win10 but has never installed EMET, yet still has "MitigationOptions" values, that would be telling.

    Edit: Actually, I think the values themselves under "Image File Execution Options" were all added by (and pertain only to) EMET (e.g. "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe" where "excel.exe" is a key).
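A read-only inventory of the "MitigationOptions" values named in the post above, so they can be reviewed and saved before anything is deleted. This is an added example, not part of the original thread or any Microsoft tooling; the function names and the CSV file name are assumptions, and the registry paths are the ones quoted in the post.

```powershell
# Added example: lists every MitigationOptions value under the keys named in the
# post. It only reads the registry; nothing is changed or deleted.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'

function Format-MitigationValue {
    param($Value)
    # The value may be stored as binary (byte[]) or as an integer type.
    if ($Value -is [byte[]]) {
        return ($Value | ForEach-Object { $_.ToString('X2') }) -join ' '
    }
    return ('0x{0:X}' -f $Value)
}

function Get-MitigationOptionsInventory {
    $keys = @($kernelKey)
    foreach ($root in $ifeoRoots) {
        if (Test-Path -LiteralPath $root) {
            # -Recurse so nested subkeys under an image name are included too.
            $keys += Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.PSPath }
        }
    }
    foreach ($key in $keys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        if ($item.GetValueNames() -contains 'MitigationOptions') {
            [pscustomobject]@{
                Key   = $item.Name
                Kind  = $item.GetValueKind('MitigationOptions')
                Value = Format-MitigationValue ($item.GetValue('MitigationOptions'))
            }
        }
    }
}

$inventory = @(Get-MitigationOptionsInventory)
# Hypothetical output file name; keep it as a record of the pre-cleanup state.
$inventory | Export-Csv -Path .\MitigationOptions-before.csv -NoTypeInformation
$inventory | Format-Table -AutoSize -Wrap
```

Running it on a Windows 10 machine that never had EMET installed gives the comparison the poster suggests.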

