A few years ago, Microsoft quietly released a security tool called EMET–the Enhanced Mitigation Experience Toolkit. EMET is now in version 4.0, and it’s probably the best security tool you’ve never heard of. And that’s a real shame.
Modern versions of Windows and modern CPUs include several security-enhancing technologies that aren’t necessarily switched on by default. EMET is a wrapper that forces software to use these technologies, even if they weren’t designed from the get-go to use them. The idea, then, is that if a badly behaving data file tries to exploit a traditional vulnerability in one of these programs, EMET steps in and shuts it down. A real-world example would be if you visit a web page that’s playing a malicious Flash video, or that contains a malicious Acrobat PDF. The malicious data loads, starts to execute, and the minute it misbehaves, EMET slams the browser tab shut. You won’t know right away what happened, but your computer didn’t get infected, either.
Brian Krebs wrote about EMET this month, and a myriad of commenters came out of the woodwork with excuses not to run it. My coworker, Chris, was dismissive.
“Load the template with the most popular applications, set it to log, and forget about it,” Chris said. “Microsoft tested that list pretty thoroughly, so they know it works. Your weird app that might break under EMET isn’t a problem, because an attacker won’t be targeting that anyway, so just don’t bother trying to run it under EMET. And when a program stops suddenly, look in the event log under EMET, and you’ll see why EMET shut it down.”
I asked if he’d be comfortable putting it on his mother’s computer. He didn’t hesitate.
“My mother needs this program.”
Chris has a two-page writeup that he’ll show anyone who’ll listen, showing how to set it up. Most of the document is screenshots. I won’t bother with screenshots. If you made it through Optimizing Windows with me, you can make it through this.
Download EMET 4.0 and install it. Just accept all the defaults and go. It runs on Windows XP and newer. Not all the features are available in XP, and you really need 64-bit Windows 7, 8, or 8.1 with a relatively recent CPU to get all the features, but a subset is better than none. And let’s face it. Some of you are going to be running XP after April 2014. I don’t recommend it, but that’s not going to stop people from doing it. If you have to do it, run it with EMET. It will protect you against some of the never-to-be-patched vulnerabilities in XP. Some of them.
It’s not perfect protection, but it’s the best protection you’re going to get once Microsoft washes its hands of XP.
Once you’ve installed EMET, launch it. You’ll probably find it in Start -> Programs -> Enhanced Mitigation Experience Toolkit -> EMET GUI. If you get a warning, click OK.
In the top-left corner of the screen, click “Import.” Double-click “Recommended Software.xml.” In the top-center of the screen, you’ll find a dropdown labeled “Quick Profile Name.” Select “Recommended Security Settings,” or, if you’re feeling adventurous,select “Maximum Security Settings.” I stick with recommended. In the section labeled “Reporting,” make sure “Windows Event Log” is checked. It’s checked by default, so you’re probably fine there.
That’s all there is to it. Close all your other programs, then launch Firefox, or Acrobat Reader, or Wordpad, or Microsoft Word. In the EMET window, you’ll see a checkmark next to its task. That tells you it’s protected.
Now you can close EMET and you can pretty much forget that it’s there.
What if something goes wrong?
Well, if a program stops suddenly, there’s a pretty good chance it misbehaved and EMET zapped it. Start the Event Viewer (the fastest way is to hit Windows-R, then type “eventvwr” and hit <Enter>). Open the Application log and look for a recent event marked with EMET as a source. The event will tell you why EMET stopped the process.
Chris says the drag on performance is negligible–a small amount of memory, and little or no additional CPU overhead. He runs it on his gaming computer and doesn’t notice a difference. I can vouch for that. I installed it on a netbook with 2 GB of RAM and a first-generation single-core Atom CPU, and didn’t notice a difference. If my little HP Mini 110 can run it, then pretty much anything else still out there can too.
You can use it in commercial environments too, and you can control it via Group Policy. I very much recommend that you do.
At a job interview a few months ago, someone asked me if they should get rid of Java, Flash, and Acrobat. I said I wished he and everyone else could do that, but it’s not realistic. You might be able to get rid of Java on desktops at this point, but you can’t on servers. There’s too much expensive enterprise software written in Java out there. Don’t install if if you don’t need it, of course, but you’ll never eradicate it 100% from an enterprise of any significant size and age. Getting rid of Flash and Acrobat is harder. There are alternatives to Acrobat Professional and Acrobat Reader too, but you may face resistance trying to deploy those. Boxing in Flash and Acrobat with EMET is more realistic. It lets people keep the software they’re used to using, while stopping bad things from happening when people click on things they shouldn’t. Probably not 100% of the time, but often enough to more than pay for the effort.
How it works
Your antivirus software protects you against threats it knows about, but some threats can get past antivirus by using a variety of subversive tricks. EMET forces applications to use modern protections against these. For example, on a 64-bit operating system, EMET can force 64-bit address randomization. That way, rather than an application storing things at predictable places in memory, where they can be attacked, EMET and Windows will force the application to spread its code and data across random stretches of memory, so that an attacker can’t access the memory directly and steal the data.
When a bad piece of code is discovered, antivirus and antimalware software get signatures to help them detect it. But EMET’s approach is proactive. Go ahead and bury your exploit in a Flash applet and make me run it–as soon as the exploit makes its move, EMET will intervene and shut it down. Since EMET looks for the behavior, rather than for specific code, it will block undiscovered exploits.
Chris went out of his way to say it isn’t foolproof, but that it escalates the cost of attack to the point that people are going to move on elsewhere. Imagine a burglar looking for a house to rob. If I have three Grade 1 (commercial grade) deadbolts on my door and a couple of surly dogs inside, the burglar isn’t going to pick my house. He’ll rob the house down the street that doesn’t have any dogs and has a $10 lock on the front door.
Antivirus is a $10 lock. You can run more than one of them, but you need more than that. EMET gives you an industrial-grade supplement to traditional antivirus protection.