The Enhanced Mitigation Experience Toolkit

Support for Windows Vista Service Pack 1 (SP1) ended on July 12, 2011. To continue receiving security updates for Windows Vista, make sure that you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft webpage: Support is ending for some versions of Windows.
Notice

End of Life Statement

We have listened to customers' feedback regarding the January 27, 2017 end of life date for EMET and we are pleased to announce that the end of life date is being extended 18 months. The new end of life date is July 31, 2018. There are no plans to offer support or security patching for EMET after July 31, 2018. For improved security, we recommend that customers migrate to the latest version of Windows 10.
INTRODUCTION
This article describes the Enhanced Mitigation Experience Toolkit. A link is provided to download the toolkit.
More information

Known issues in EMET 5.5 and 5.51

The EMET User Guide isn't available in the GUI

The EMET 5.5 and 5.51 User Guides are available for download. In this way, we can update the guides as need. However, the guides not available in the EMET GUI.

To resolve this issue, follow these steps:
  1. Download the EMET User Guide from https://www.microsoft.com/en-us/download/details.aspx?id=50802.
  2. Rename the file as EMET User's Guide.pdf.
  3. Paste the file into the EMET directory (usually C:\Program Files\EMET 5.5" or "C:\Program Files (x86)\EMET 5.5).

EMET 5.5 GUI crashes at startup

In some cases, the EMET 5.5 GUI crashes when it's started. When this occurs, Windows Event Viewer shows a call stack that resembles the following:
Application: EMET_GUI.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Exception at HelperLib.Config.GetStringValue(System.String, System.String, Boolean) at GraphicalApp.MainForm..ctor() at GraphicalApp.Program.RunEmetGUI() at GraphicalApp.Program.Main(System.String[])
To resolve this issue, use either of the following methods:
  • Type the following command from an elevated command prompt:
    reg add HKCU\Software\Microsoft\EMET
  • Install EMET 5.51.

Unexpected BitLocker warning in EMET 5.5 when you change the system-wide DEP setting

EMET 5.5 displays the following BitLocker warning when you change the system-wide DEP setting on a computer that doesn't have BitLocker installed:

In order to safely change the system-wide DEP settings, BitLocker needs to be suspended. If applied, you are advised to reboot at your earliest convenience. Are you sure you want to make this change?


If you select Yes, you receive an error message that resembles the following:

BitLocker could not be suspended. You will not be able to start Windows on your next reboot without your BitLocker recovery key. Are you sure you want to make this change?


To resolve this issue, do any of the following:
  • Install BitLocker. To do this, type the following command in PowerShell:
    Install-WindowsFeature BitLocker
  • Do not use EMET UI to change the DEP system-wide setting because it won't reflect the DEP configuration state. Instead, any updates should be done by using registry settings.
  • Install EMET 5.51.

EMET ASR mitigation is logged when you open a trusted site in Internet Explorer

EMET triggers an ASR mitigation notification and an entry in the event log when you open a trusted site in Internet Explorer.

In this situation, ASR is looking for the DLL file that's being loaded into the process. For iexplore.exe, one of the DLLs it looks for is vbscript.dll. Therefore if ASR is enabled for iexplore.exe (with the default settings), when iexplore.exe loads vbscript.dll, the ASR mitigation is triggered.

To resolve this issue, make sure that the zone exclusions for Trusted Sites and Intranet Zones are configured, and that all the content that uses VBScript is associated with one of those two zones.

To resolve this issue, do any of the following:
  • Add the URL domain name that's triggering Internet Explorer to load vbscript.dll to the Internet Explorer Trusted Sites list.
  • Work with the developers of the web application that owns that URL to recode it so that vbscript.dll isn't invoked.
  • Create an exception in EMET ASR for iexplore.exe by removing vbscript.dll from the list of DLLs that are being monitored. We do not recommend this option.
If you have already added the URL domain name to the Internet Explorer Trusted Sites list, you may want to investigate and troubleshoot the issue. The webpage may have some redirect or iframe that's receiving code from a different URL domain name that's not in the Internet Explorer Trusted Sites list. This could cause the vbscript.dll to be loaded.

Office 2010 doesn't start when EMET is enabled in Windows 7 or Windows Server 2008 R2

This issue occurs when the Enhanced Mitigation Experience Toolkit (EMET) is enabled and security update 3146706 or convenience rollup update 3125574 is installed. To resolve this issue, install the June 2016 update rollup for Windows 7 and Windows Server 2008 R2.

EMET and Edge support

EMET 5.5 and 5.51 mitigations do not apply to Microsoft Edge because of the advanced technologies that are used to protect Edge. These include industry leading sandboxing, compiler, and memory management techniques.
FAQ

What is the Enhanced Mitigation Experience Toolkit?

The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.

EMET also provides a configurable SSL/TLS certificate pinning feature that is called Certificate Trust. This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).

Are there restrictions as to the software that EMET can protect?

EMET can work together with any software, regardless of when it was written or by whom it was written. This includes software that is developed by Microsoft and software that is developed by other vendors. However, you should be aware that some software may not be compatible with EMET. For more information about compatibility, see the "Are there any risks in using EMET?" section.

What are the requirements for using EMET?

EMET requires the Microsoft .NET Framework 4.0. Additionally, for EMET to work with Internet Explorer 10 on Windows Server 20121, KB2790907 or a more recent version of the Compatibility Update for Windows Server 2012 must be installed.

Where can I download EMET?

To download EMET, go to the related Microsoft TechNet page:

How do I use EMET to protect my software?

After you install EMET, you must configure EMET to provide protection for a piece of software. This requires you to provide the name and location of the executable file that you want to protect. To do this, use one of the following methods:
  • Work with the Application Configuration feature of the graphical application.
  • Use the command prompt utility.
To use the Certificate Trust feature, you have to provide the list of the websites that you want to protect and certificate pinning rules that apply to those websites. To do this, you have to work with the Certificate Trust Configuration feature of the graphical application. Or, you can use the new Configuration Wizard. This enables you to automatically configure EMET with the recommended settings.

Note Instructions for how to use EMET are in the user's guide that is installed together with the toolkit.

How can I deploy EMET across the enterprise?

The easiest way to deploy the current version of EMET across an enterprise is by using enterprise deployment and configuration technologies. The current versions have built-in support for Group Policy and System Center Configuration Manager. For more information about how EMET supports these technologies, please refer to the EMET user's guide.

You can also deploy EMET by using the command prompt utility. To do this, follow these steps:
  1. Install the .msi file on each destination computer. Or, put a copy of all the installed files on a network share.
  2. Run the command prompt utility on each destination computer to configure EMET.

Are there any risks in using EMET?

The security mitigation technologies that EMET uses have an application-compatibility risk. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem that affects a specific mitigation, you can individually enable and disable that specific mitigation. For more information, refer to the EMET user's guide.

What is the latest version of EMET?

A new version of EMET was made available on July 31, 2014. For more information about the latest version of EMET, go to the following TechNet website:

How can I get support for EMET?

Customers who have access to Microsoft Services Premier and Professional Support, can receive fee-based advisory support through these channels. Customers who do not have Premier or Professional contracts can receive support through the following official support forum:

Which EMET versions are currently supported?

The following table displays the lifecycle of all EMET versions.

EMET versionLifecycle start dateSupport end dateNotes
EMET 5.2, and earlierSee notesEMET5.2and earlier versions are not officially supported
EMET 5.5xJanuary 29 2016July 31 2018There are no plans to offer support or security patching for EMET after July 31, 2018.

Supported operating systems

Operating System (minimum supported)EMET 5.2EMET 5.5
Windows 10 RTM, Windows 10 version 1511, and Windows 10 version 1607
Note EMET will not be supported on future versions of Windows 10.
Y
Windows 8.1YY
Windows Server 2012 R2YY
Windows Server 2012YY
Windows 7 Service Pack 1 YY
Windows Server 2008 R2 Service Pack 1 YY
Windows Server 2008 Service Pack 2 YY
Windows Vista Service Pack 2 YY
Ιδιότητες

Αναγνωριστικό άρθρου: 2458544 - Τελευταία αναθεώρηση: 10/31/2016 15:02:00 - Αναθεώρηση: 15.0

  • atdownload kbexpertiseinter kbsecurity KB2458544
Σχόλια