To help protect Windows and installed software against known and unknown attacks, Microsoft has released a really cool and fairly easy-to-use tool named EMET - Enhanced Mitigation Experience Toolkit. It uses several protection and detection techniques with cryptic names (such as ASLR, EAF+, ASR, SEHOP) to provide mitigation against known hacks and even zero-day flaws.
Older and current versions (the current stable version is 5.2) of EMET have successfully protected against several unpatched security flaws in Microsoft, Adobe and Oracle software without any additional configuration.
While EMET has a set-and-forget style configuration, there is no reason to ditch patching Windows and other software or using anti-virus and anti-malware programs. Microsoft's Enhanced Mitigation Experience Toolkit is just an additional (and effective) security layer for Windows PCs.
EMET version 5.2 works in Windows XP (Service Pack 3 required; not officially supported, but it works well), Vista (Service Pack 2 required), 7 (Service Pack 1 required), 8 and 8.1; and Windows Server 2003 and 2003 R2 (Service Pack 1 required), 2008, 2008 R2, 2012 and 2012 R2. Both 32-bit and 64-bit editions are supported.
EMET notifies users when a mitigation event occurs (via an application in the Taskbar Notification Area, aka System Tray) and events are recorded in the Application log of Event Viewer.
Since version 4, you can also use the icon to open EMET.
If you feel that Microsoft EMET provides too many configuration options, try free Malwarebytes Anti-Exploit instead. It requires no expertise and protects well-known web browsers and Java.
You must have Microsoft .NET Framework 4 installed to satisfy EMET version 5 requirements. If your computer does not have it installed, EMET Setup Wizard offers to download and install it automatically. Please note that you must launch EMET setup again after installing .NET Framework.
Windows 8 users must have compatibility update KB 2790907 installed to use EMET with Internet Explorer 10.
If you have an older or beta version of EMET installed, it is strongly recommended to uninstall it first. This will avoid configuration problems that might cause protected programs to crash at startup.
Those who have created a complicated custom configuration for an older version of EMET can export it: open EMET, click Export and save the file to the Documents folder before upgrading to the latest version.
Open EMET 5.2 download page and click the Download button. Choose only EMET Setup.msi in the next dialog. Please note that most of the screenshots in this guide were taken with EMET 5.0, but version 5.2 looks exactly the same.
After downloading and launching the setup file, EMET Setup Wizard opens. Click Next.
The default installation folder is fine; click Next.
License Agreement opens, click to select I Agree and then click Next. Microsoft seems to have too many next-buttons in stock, apparently.
Now Microsoft asks whether you are really sure you want to install EMET. Dooh, of course - click the next Next button!
In case of an upgrade, you might see a list of open programs that must be closed. These programs are protected by an earlier version of EMET.
You can close the listed programs, wait a few seconds and click Try Again; or if you're happy to restart your computer, click Continue.
After setup completes copying new files, EMET Configuration Wizard appears.
If this is the first ever installation of EMET on this PC, you have Use Recommended Settings and Configure Manually Later options available. I recommend using the first one to get the default, fail-safe configuration and start protecting Microsoft Office applications, Internet Explorer, Adobe Reader and Oracle Java automatically. Click Finish.
Those upgrading have the Keep Existing Settings option instead of manual configuration option. This should be selected only if you have added really many programs to the mitigation list and you do not want to go through the configuration again - but please be sure to tick the Add Certificate Trust rules for Microsoft online services check box, too!
The Early Warning Program is an addition to Windows Error Reporting Services that uploads anonymous data about detections to Microsoft's servers to help create better mitigations in the future. Those very concerned about their privacy can clear this check box. You can disable or enable the feature later, too.
Please note that you can also relaunch this wizard any time later from EMET's GUI - just click the Wizard button.
After completing the Setup Wizard, click Close. EMET is now installed and it is time to configure it.
The easiest way to launch EMET is to right-click its icon in Taskbar Notification Area and click Open EMET.
To run EMET in Windows XP, open Start menu, click All Programs, Enhanced Mitigation Experience Toolkit and then click EMET GUI.
Users of Windows Vista and 7 can type "emet" into Start menu Search Box and click EMET GUI.
In Windows 8 and 8.1, open Start screen by pressing Windows Key, type "emet" and click EMET GUI.
FYI: GUI stands for Graphical User Interface.
This is what the EMET 5 program window looks like. At the top there is an Office 2013-themed toolbar (aka Ribbon) with common options and command buttons.
Import and Export buttons (keyboard shortcuts Ctrl+Shift+I and Ctrl+Shift+E respectively) allow restoring and backing up EMET settings (including the list of protected programs and their mitigations). Another use for these is deploying the same configuration on many PCs quickly.
Microsoft also provides Protection Profiles for recommended (the default list) and popular software (default list + common third-party web browsers, media players, packers, etc) in the C:\Program Files (x86)\EMET 5\Deployment\Protection Profiles folder. On 32-bit Windows, the location begins with Program Files (without the (x86) part).
Wizard button (keyboard shortcut Ctrl+Shift+W) closes EMET and runs Configuration Wizard where you can revert to recommended defaults (set system protection and replace the protected apps list with Microsoft-provided wildcards).
System Status section lists current settings that apply to all installed programs.
The Skin combo box in the System Settings section allows changing the look of EMET; the Reporting section has options to toggle logging to Windows Event Log and displaying alerts in the Tray icon (the EMET Notification program). Early Warning turns sending anonymous reports on detected mitigations to Microsoft on or off.
Running processes displays all active programs and services, and reveals whether they're protected by EMET. The list is updated every 30 seconds, but there's also the Refresh button on the bottom right for manual updating.
Please note that SEHOP and ASLR (in System Status section) are not available in Windows XP, so they are grayed out there.
All geeky protection techniques are described in more detail in EMET User Guide (PDF format) that can be accessed using keyboard shortcut Ctrl+Shift+F1, or by clicking Help button and choosing User Guide.
Those who have just finished upgrading from an older or beta version of EMET should open Quick Profile Name combo box and select Recommended Security Settings. This will enable the default system protection settings, but it will not touch applications list. Changing the System Configuration often requires restarting Windows for all the changes to take effect.
OK, let's get started! Click the Apps button in the toolbar, or use keyboard shortcut Ctrl+Shift+A.
This opens the Application Configuration window. By default, this list is populated by wildcard definitions supplied by Microsoft.
Please note that all wildcard definitions are in bold. Programs not found at the specified path are in italics - these can be safely removed.
Protected applications are sorted by name and there are Excel-like filtering capabilities available if you move mouse pointer over a column head and click the small icon that appears.
The leftmost section in Ribbon, Mitigation settings, lists additional protections that can be turned on to enhance EMET's efficiency. Deep Hooks, Anti Detours and Banned Functions apply to all applications that have been added to EMET.
The Default action section should have Stop on exploit selected at all times - this setting will provide the actual protection from exploits.
The File section has Export and Export Selected buttons (keyboard shortcuts Ctrl+Shift+E and Ctrl+Shift+E,S) - these can be used to export all or selected application definitions to an XML file. The file can be used as a settings backup or be imported on other computers to avoid repeated manual configuration. Import button is available in EMET GUI as shown before.
Internet Explorer, Microsoft Office programs, Adobe Reader and Oracle Java are protected by default. To enable EMET for another program, click the Add Application button or use keyboard shortcut Ctrl+plus sign.
A common browse dialog opens. Click My Computer or This PC on the left and open the drive that has Windows installed on it - usually named "Local Disk" and ending with "(C:)". Most programs are installed in the subfolders of Program Files and Program Files (x86) folders. Locate and click the application you want to add and click the Open button.
Now the program is on the list of protected applications and has all protections enabled, except for EAF+ and ASR: those two require more expert knowledge and a more careful approach.
In Windows XP, only SEHOP is not enabled because it is not a supported feature on the aging operating system. Also, Mandatory ASLR is not available at all.
Please note that on 64-bit Windows Vista, 7, 8 and 8.1, the Program Files folder contains the far less commonly used 64-bit version of Internet Explorer. To also add the 32-bit version of Internet Explorer (the version typically used) to EMET, navigate to the Program Files (x86)\Internet Explorer folder instead.
Here is a list of common programs requiring protection, and their location on system disk (C:) in 32-bit Windows XP, Vista, 7, 8 and 8.1:
- Adobe Flash Player - Flash Player runs inside a web browser. Just add Internet Explorer, Google Chrome, Mozilla Firefox or other web browser as described above.
- Adobe Reader - Program Files\Adobe\Reader <version number>\Reader\AcroRd32.exe
- Adobe Shockwave Player - Windows\System32\Adobe\Shockwave <version number>\Swinit.exe and SwHelper_<version number>.exe
- Apple iTunes - Program Files\iTunes\iTunes.exe
- Apple QuickTime Player - Program Files\QuickTime\QuickTimePlayer.exe
- Apple Safari - Program Files\Safari\Safari.exe
NB! Disable Mandatory ASLR, EAF and DEP if Safari crashes.
- Foxit Reader - Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
- Google Chrome - on Windows XP: Documents and Settings\<your user name>\Application Data\Google\Chrome\Application\chrome.exe;
on Windows Vista, 7, 8 or 8.1: Users\<your user name>\AppData\Local\Google\Chrome\Application\chrome.exe.
Alternative location for administrative/corporate install is Program Files\Google\Chrome\Application\chrome.exe.
NB! If Shockwave Flash (aka Flash Player/Pepper Flash) does not load in Google Chrome, disable SEHOP mitigation. Depending on installed extensions, you might also have to turn off DEP and Caller mitigations for Chrome.
Do not use wildcards for adding Google Chrome to EMET.
- Microsoft Access - Program Files\Microsoft Office\Office<version number>\MSACCESS.EXE
- Microsoft Excel - Program Files\Microsoft Office\Office<version number>\EXCEL.EXE
- Microsoft Internet Explorer - Program Files\Internet Explorer\iexplore.exe
NB! Disable Mandatory ASLR, EAF and DEP if IE crashes.
- Microsoft Outlook - Program Files\Microsoft Office\Office<version number>\OUTLOOK.EXE
- Microsoft Outlook Express - Program Files\Outlook Express\msimn.exe
- Microsoft Powerpoint - Program Files\Microsoft Office\Office<version number>\POWERPNT.EXE
- Microsoft Word - Program Files\Microsoft Office\Office<version number>\WINWORD.EXE
- Mozilla Firefox - Program Files\Mozilla Firefox\firefox.exe and plugin-container.exe
NB! Disable Mandatory ASLR, EAF and DEP if Firefox crashes.
- Mozilla Thunderbird - Program Files\Mozilla Thunderbird\thunderbird.exe and plugin-container.exe
- Opera - Program Files\Opera\opera.exe or Program Files\Opera\<version number>\opera.exe
NB! Disable Mandatory ASLR, EAF and DEP if your browser crashes.
- Oracle (Sun) Java - Program Files\Java\jre<version number>\bin\java.exe, javaw.exe and javaws.exe; plus Windows\System32\java.exe
NB! Turn off HeapSpray mitigation for Java.
- Skype - Program Files\Skype\Phone\Skype.exe and Program Files\Skype\Plugin Manager\skypePM.exe
NB! Disable EAF mitigation for Skype.
- WinAmp - Program Files\Winamp\winamp.exe
- Windows Live Mail - Program Files\Windows Live\Mail\wlmail.exe
- Windows Live Messenger - Program Files\Windows Live\Messenger\msnmsgr.exe
- Windows Media Player - Program Files\Windows Media Player\wmplayer.exe
NB! Disable Mandatory ASLR and EAF mitigations for Media Player.
- VLC Media Player - Program Files\VideoLAN\VLC\vlc.exe
For 64-bit Windows Vista, 7, 8 or 8.1, for some programs you might need to replace Program Files with Program Files (x86) and System32 with SysWOW64.
Several programs (for example, Internet Explorer, Java and Windows Media Player) can have both 32- and 64-bit versions installed; check both Program Files and Program Files (x86).
EAF+ and ASR in EMET
Export Address Table Access Filtering Plus (EAF+) is enabled by default for a few programs: Adobe Acrobat and Reader, Internet Explorer and Mozilla Firefox. This protection disables the reading of program location in RAM (Random Access Memory) via commonly used modules. To see its exact configuration, click Show All Settings (keyboard shortcut Ctrl+Shift+L) on the top of Application Configuration window and then select the program you want to check from the left side.
Attack Surface Reduction (ASR) prevents loading certain modules into program's memory and therefore reduces attacks that try to exploit some vulnerable third-party software to break out of protected program's memory space. In Microsoft Excel, PowerPoint and Word, EMET 5 disables the loading of Adobe Flash Player by default - such technique has already been used in targeted attacks. In Internet Explorer, more modules are listed by default, including the outdated MSXML version 4, and the default configuration disables the ASR mitigation in Local intranet and Trusted Sites zones.
EMET 5.2 adds VBScript (vbscript.dll) blocking to IE in order to protect the browser from the so-called "VBScript God Mode" exploits.
Using wildcards in EMET
To add a wildcard location instead of a fixed program path, click Add Wildcard in Ribbon, or use keyboard shortcut Ctrl+Asterisk.
Here's an example of how to add local installations of Google Chrome in Windows Vista and later. The asterisk (*) means anything of any length, for example any drive letter, any folder name, etc.
You can also use question marks to specify any one character - for example, "Unreal?" matches Unreal2, Unreal3, but not Unreal12; and "Unreal??" matches Unreal12, but not Unreal2 or Unreal3.
Click OK after specifying a wildcard. As said before, all wildcards are listed in bold.
Several users experience app crashes for programs that have been added to EMET using wildcards. Common examples are Office 2003 and 2007 apps (Word, Excel, Outlook, etc), Firefox and Google Chrome. If you run into such trouble, please remove the wildcard definitions and add the programs without wildcards.
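As an added example (not EMET's own matching code), here is a matcher that implements the wildcard semantics just described and checks the Unreal examples above against sample paths; the Chrome and Word patterns and the sample paths are constructed assumptions, not definitions taken from EMET's defaults.

```python
"""Wildcard matcher with the semantics described above: '*' stands for
anything of any length (a drive letter, a folder name, several folders)
and '?' stands for exactly one character.  Matching is case-insensitive,
as Windows paths are.  Added example, not EMET's own matching code."""


def wildcard_match(pattern: str, text: str) -> bool:
    """Return True when text matches pattern ('*' any length, '?' one char)."""
    p, t = pattern.lower(), text.lower()
    # dp[i][j] is True when pattern[:i] matches text[:j].
    dp = [[False] * (len(t) + 1) for _ in range(len(p) + 1)]
    dp[0][0] = True
    for i in range(1, len(p) + 1):
        # A pattern made only of '*' so far can still match the empty string.
        dp[i][0] = dp[i - 1][0] and p[i - 1] == "*"
    for i in range(1, len(p) + 1):
        for j in range(1, len(t) + 1):
            if p[i - 1] == "*":
                # '*' matches nothing more (dp[i-1][j]) or one more char (dp[i][j-1]).
                dp[i][j] = dp[i - 1][j] or dp[i][j - 1]
            elif p[i - 1] == "?" or p[i - 1] == t[j - 1]:
                dp[i][j] = dp[i - 1][j - 1]
    return dp[len(p)][len(t)]


def matching_definitions(definitions, exe_path):
    """Return the wildcard definitions that would cover exe_path."""
    return [d for d in definitions if wildcard_match(d, exe_path)]


# Constructed definitions (assumptions, not EMET defaults): a per-user Chrome
# install under any user's profile, and WINWORD.EXE in any two-digit OfficeNN folder.
CHROME_PER_USER = r"*\Users\*\AppData\Local\Google\Chrome\Application\chrome.exe"
OFFICE_WORD = r"*\Program Files*\Microsoft Office\Office??\WINWORD.EXE"

# Constructed paths as they might appear in the Running Processes list.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE",
    r"C:\Program Files\Microsoft Office\Office9\WINWORD.EXE",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        hits = matching_definitions([CHROME_PER_USER, OFFICE_WORD], path)
        print(path, "->", hits or "not covered by a wildcard definition")
```

Note that `Office??` does not cover a one-digit folder such as Office9 and the per-user Chrome pattern does not cover the administrative install under Program Files, which is exactly the kind of gap that leaves a process unprotected while it looks configured.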
Getting a bit paranoid with EMET
Those requiring extra security can also add the following important Windows files to the list.
Please note that adding the programs listed below might reduce the performance of your computer!
- Services and Controller app - Windows\system32\services.exe
- Windows Client/Server Runtime Server Subsystem - Windows\system32\csrss.exe
- Windows Local Security Authentication Server - Windows\System32\lsass.exe
- Windows Logon Application - Windows\system32\winlogon.exe
- Windows Logon User Interface Host - Windows\system32\LogonUI.exe
- Windows Print Spooler - Windows\system32\spoolsv.exe
- Windows Session Manager Subsystem - Windows\system32\smss.exe
- Windows Start-Up Application - Windows\system32\wininit.exe
NB! Print Spooler and Local Security Authentication Server are always in Windows\System32 folder, even in 64-bit Windows.
The files above are often targeted by malware and protecting these from zero-day flaws can save your computer from trouble.
Click OK after adding applications to the list.
EMET usually displays an orange exclamation mark with text "The changes you have made may require restarting one or more applications". It is usually best to restart your computer after making first changes in EMET - this will ensure that Windows processes already running, such as Print Spooler and Local Security Authentication Server, are restarted with EMET protection enabled.
After restarting your computer or programs added to EMET 5.2, you can then see the Running Processes list to check if protection techniques have taken effect. Each program that is protected by EMET has a green check mark in Running EMET column.
Please note that hovering the mouse pointer over any entry reveals the full path to the program. This makes it easier to add unprotected applications to EMET's configuration.
EMET's detection and configuration events are recorded in the Application log of Event Viewer. The event source is always EMET and the Event IDs are 0 for adding an application to the EMET configuration, 1 for removing an application, 2 for software mitigation events and 42 for certificate trust mitigation events.
By default, all protection techniques are enabled. For some programs, such as Skype, Dropbox or Office 2003 programs (Word, Excel, PowerPoint, etc) it is recommended to turn EAF off in case they crash after launching. Office XP (and older) programs do not seem to run with EMET protections enabled.
Microsoft recommends disabling EAF for all third-party anti-virus, sandboxing and firewall programs.
Using wildcards in program definitions can lead to crashes for Microsoft Office 2003 and 2007 programs and Google Chrome. Please remove these wildcard definitions and add the apps without wildcards.
If web browsers do not start at all, or they crash frequently after installing EMET, the first step is to make sure that some add-on/extension/plug-in is not the cause.
First, start the browser in so-called safe mode (with all extensions disabled) and see if this resolves the startup and stability problems. Start by opening Run dialog (keyboard shortcut Windows Key+R), then type one of the following commands:
- chrome --disable-extensions for Google Chrome;
- iexplore -extoff for Internet Explorer;
- firefox -safe-mode for Mozilla Firefox;
- opera --disable-extensions for Opera (versions 15 and up).
Click OK to run the command. If the web browser starts and runs flawlessly now, you need to turn all extensions off as instructed below and see if the browser also works properly without starting it in safe mode. If it does, start enabling extensions one by one (restart your browser after enabling an add-on) to find out which one causes the crashes.
To manage browser extensions, follow these instructions:
- In Google Chrome, open the "hamburger" (three horizontal bars) menu from top right, expand More tools and click Extensions. Use the Enabled check box to turn plug-ins on or off.
- In Internet Explorer, press Alt key once to reveal menus, open Tools menu and click Manage Add-ons. Choose All add-ons from the Show dropdown box on the center left, then right-click an item on the right and choose either Disable or Enable.
Also, open Accelerators tab from the left and disable or enable items listed there.
- In Mozilla Firefox, open the "hamburger" (three horizontal bars) menu from top right and click Add-ons. Make sure that Extensions tab is selected on the left, then use Disable and Enable buttons for each listed item.
Then open Plugins tab from the left and use the dropdown box for each item to switch between Always Activate and Never Activate.
- Opera does not allow managing extensions in safe mode, so you must start it using the opera --private command instead. Then click Opera button on top left and choose Extensions from the menu. Use Disable and Enable buttons to switch extensions off and on.
EMET support forum lists all known compatibility issues and solutions.
You can also experiment with turning other methods off and on for troubleshooting purposes. First, with the troublesome application closed, launch EMET, click Apps and turn off a method for the program. Then close EMET and try launching the application again. Repeat the process until your application works normally.
If you want to completely remove an application, click its name once and then click the Remove Selected button or use keyboard shortcut Ctrl+Minus Sign.
In case troubleshooting EMET gives no good results, try free Malwarebytes Anti-Exploit instead. It requires no expertise or configuration, and protects well-known web browsers and Java.
A completely new feature since EMET 4.0 is Certificate Trust, accessible via the Trust button (or keyboard shortcut Ctrl+Shift+T) in Ribbon's Configuration section. This is meant to detect man-in-the-middle attacks over HTTPS. The feature validates SSL/TLS and Root CA certificates against default rules by Microsoft and user-provided pinning rules.
While it all sounds great, the feature seems to be half-baked: it supports Internet Explorer only, and the user has to go through a lot of hassle to set up custom certificate pinning rules. Furthermore, the Modern UI/Metro version of IE is not supported and EMET only notifies of validation errors, but does nothing to prevent an attack from happening.
Here's an example of EMET system tray notification for failed SSL certificate trust.
If you really want to set up custom rules, open EMET User Guide in PDF format using keyboard shortcut CTRL+SHIFT+F1, or by clicking Help button and choosing User Guide.
Microsoft has pre-configured the rules for its own services (Windows Live ID, Skype, Office 365), plus Facebook, Twitter and Yahoo. You can safely leave the feature on, but I recommend using free IBM Security Trusteer Rapport/Endpoint Protection and WOT Safe Surfing Tool for overall protection against phishing, malicious sites and man-in-the-middle attacks.
EMET version 5 added the ability to block sites with fraudulent certificates: open Pinning Rules tab in Certificate Trust Configuration window and tick the Blocking Rule check boxes where needed. This means that no data is sent to malicious servers over secure connections if blocking is in effect.
And then there's Google Chrome that has certificate pinning rules built-in. Although users cannot change these hard-coded rules, it is so much simpler to rely on proper, tested rules than to start creating and verifying your own ones.