EMET mitigations guidelines

Summary
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform. For more information about EMET, click the following article number to view the article in the Microsoft Knowledge Base:
2458544 The Enhanced Mitigation Experience Toolkit
When EMET mitigations are applied to certain software or certain kinds of software, compatibility issues may occur because the protected software behaves similarly to how an exploit would behave. This article describes the kinds of software that usually present compatibility issues with EMET's mitigations, and it lists products that exhibited compatibility issues with one or more of the mitigations that are offered by EMET.
More information

Generic guidelines

EMET mitigations work at a very low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they are configured to be protected by using EMET. The following is a list of the kinds of software that should not be protected by using EMET:

  • Anti-malware and intrusion prevention or detection software
  • Debuggers
  • Software that handles digital rights management (DRM) technologies (that is, video games)
  • Software that uses anti-debugging, obfuscation, or hooking technologies

Certain host-based intrusion prevention system (HIPS) applications may provide protections that resemble those of EMET. When these applications are installed on a system together with EMET, additional configuration may be required to enable the two products to coexist.

Additionally, EMET is intended to work together with desktop applications, and you should protect only those applications that receive or handle untrusted data. System and network services are also out of scope for EMET. Although it is technically possible to protect these services by using EMET, we do not advise you to do this.

Application compatibility list

The following is a list of specific products that have compatibility issues with regard to the mitigations that are offered by EMET. You must disable specific incompatible mitigations if you want to protect the product by using EMET. Be aware that this list takes into consideration the default settings for the latest version of the product. Compatibility issues may be introduced when you apply certain add-ins or additional components to the standard software.

Incompatible mitigations

Product | EMET 4.1 Update 1 | EMET 5.2 | EMET 5.5
--- | --- | --- | ---
7-Zip Console/GUI/File Manager | EAF | EAF | EAF
AMD 62xx processors | EAF | EAF | EAF
Beyond Trust Power Broker | Not applicable | EAF, EAF+, Stack Pivot | EAF, EAF+, Stack Pivot
Certain AMD/ATI video drivers | System ASLR=AlwaysOn | System ASLR=AlwaysOn | System ASLR=AlwaysOn
DropBox | EAF | EAF | EAF
Excel Power Query, Power View, Power Map and PowerPivot | EAF | EAF | EAF
Google Chrome | SEHOP* | SEHOP* | SEHOP*
Google Talk | DEP, SEHOP* | DEP, SEHOP* | DEP, SEHOP*
Immidio Flex+ | Not applicable | EAF | EAF
McAfee HDLP | EAF | EAF | EAF
Microsoft Office Web Components (OWC) | System DEP=AlwaysOn | System DEP=AlwaysOn | System DEP=AlwaysOn
Microsoft Word | Heapspray | Not applicable | Not applicable
Oracle Javaǂ | Heapspray | Heapspray | Heapspray
Pitney Bowes Print Audit 6 | SimExecFlow | SimExecFlow | SimExecFlow
Siebel CRM version is 8.1.1.9 | SEHOP | SEHOP | SEHOP
Skype | EAF | EAF | EAF
SolarWinds Syslogd Manager | EAF | EAF | EAF
VLC Player 2.1.3+ | SimExecFlow | Not applicable | Not applicable
Windows Media Player | MandatoryASLR, EAF, SEHOP* | MandatoryASLR, EAF, SEHOP* | MandatoryASLR, EAF, SEHOP*
Windows Photo Gallery | Caller | Not applicable | Not applicable

* Only in Windows Vista and earlier versions

ǂ EMET mitigations might be incompatible with Oracle Java when they are run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).

Frequently asked questions

Q: For which CVEs have known exploits been blocked by EMET?

A: The following is a partial list of the CVEs for which the known exploits are successfully blocked by EMET at the time of discovery:

CVE number | Product family
--- | ---
CVE-2004-0210 | Windows
CVE-2006-2492 | Office
CVE-2006-3590 | Office
CVE-2007-5659 | Adobe Reader, Adobe Acrobat
CVE-2008-4841 | Office
CVE-2009-0927 | Adobe Reader, Adobe Acrobat
CVE-2009-4324 | Adobe Reader, Adobe Acrobat
CVE-2010-0188 | Adobe Reader, Adobe Acrobat
CVE-2010-0806 | Internet Explorer
CVE-2010-1297 | Adobe Flash Player, Adobe AIR, Adobe Reader, Adobe Acrobat
CVE-2010-2572 | Office
CVE-2010-2883 | Adobe Reader, Adobe Acrobat
CVE-2010-3333 | Office
CVE-2010-3654 | Adobe Flash Player
CVE-2011-0097 | Office
CVE-2011-0101 | Office
CVE-2011-0611 | Adobe Flash Player, Adobe AIR, Adobe Reader, Adobe Acrobat
CVE-2011-1269 | Office
CVE-2012-0158 | Office, SQL Server, Commerce Server, Visual FoxPro, Visual Basic
CVE-2012-0779 | Adobe Flash Player
CVE-2013-0640 | Adobe Reader, Adobe Acrobat
CVE-2013-1331 | Office
CVE-2013-1347 | Internet Explorer
CVE-2013-3893 | Internet Explorer
CVE-2013-3897 | Internet Explorer
CVE-2013-3906 | Windows, Office
CVE-2013-3918 | Windows
CVE-2013-5065 | Windows
CVE-2013-5330 | Adobe Flash Player, Adobe AIR
CVE-2014-0322 | Internet Explorer
CVE-2014-0497 | Adobe Flash Player
CVE-2014-1761 | Office, SharePoint
CVE-2014-1776 | Internet Explorer
CVE-2015-0313 | Adobe Flash Player
CVE-2015-1815 | Internet Explorer


Q: How do I uninstall Microsoft EMET 5.1 by using an MSIEXEC command or a registry command?

A: See the references in the following TechNet topic:

Q: How do I disable Watson Error Reporting (WER)?

A: See the references in the following Windows and Windows Server articles:

Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Properties

Article ID: 2909257 - Last Review: 11/09/2016 20:57:00 - Revision: 19.0
