Protecting your Windows PC with Microsoft EMET 2.1
MAY/23/2012 UPDATE: Microsoft released EMET 3.0 on May 15 2012. We have written an article for that version which we recommend our viewers to read unless you wish to continue with the EMET 2.1 version.
This is a user guide for installing and configuring Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) version 2.1. Using EMET is an extremely easy way to add additional protection mechanisms to a Windows system in order to make successful exploitations of commonly targeted applications (ex: Adobe Reader, Sun Java, Firefox, MS Office suite, etc.) more difficult. Likewise, it can also be used to protect internet-facing services from 0-day vulnerabilities, or to harden legacy applications that are no longer supported by their vendors. With the release of the 2.1 version, EMET became an officially-supported Microsoft product (visit the Microsoft EMET forums for assistance).
As always, and as recommended by Microsoft, you should thoroughly test EMET in all target use scenarios before rolling it out to a production environment.
For those in a hurry who do not wish to read through the entire guide, the overall process to using EMET is quite simple: Install EMET, then launch it and define which process executables you wish to have EMET protect. Once done, restart those applications or reboot your computer for the changes to take effect, and test to confirm that your applications still work properly.
For an eye-opening explanation on why you may wish to seriously consider using EMET, please read our article that demonstrates how even with a fully-patched, firewalled system running antivirus software, your computer remains at high risk of being compromised from an endless barrage of actively exploited 0-day vulnerabilities. Using EMET is an excellent way to help mitigate this risk.
Download and install
Begin by downloading EMET and install it using an account that has administrator privileges. The installer is digitally signed by Microsoft, however below are the hashes for the 2.1 version published on 5/18/2011:MD5: af1747497fdbba56afc391a50c43e082
(The hashes for the 126.96.36.199 version relevant to when this article was initially published are):MD5: d498b527661c00245f3add66a357724c
Note: If you are upgrading EMET from the previous 2.0 version, the installer will prompt you to close any window for applications currently protected by EMET that are in use during the upgrade. Although your previous EMET configuration should be automatically imported, it is recommended to confirm after rebooting your system that your previously protected applications still show the "Running EMET" checkmark within the running processes table of the EMET GUI. If this checkmark is missing, try removing then adding back an application process within EMET.
The installation is very straightforward with the only setting that you may wish to change being whether or not to install EMET for yourself or for anyone using the computer. Once installed, launch EMET by clicking on Start | Programs | Enhanced Mitigation Experience Toolkit | EMET
Depending on which Windows version you are using you will immediately see differences in the default settings. Below is the EMET GUI after installation on Windows XP SP3. The screen captures below are from the 188.8.131.52 version but are nearly identical to the 2.1 version:
As you can see, Structured Exception Handler Overwrite Protection (SEHOP) and Address Space Layout Randomization (ASLR) show as unavailable, and these security mechanisms will remain greyed out on Windows XP (and Windows 2003) systems. This does not imply that EMET provides no benefits for systems running those versions of Windows, as will be seen later in this guide. But you can compare the immediate differences between Windows XP and Windows 7 (32-bit):
The following table taken from the Microsoft EMET 2.0.0 User Guide summarizes the differences in mitigation options for each Windows system. New with EMET 2.1 is an additional application-specific mitigation feature called "bottom-up randomization":
Note that as explained within the EMET user guide (located within C:\Program Files\EMET), not all systems, including virtual machines, support DEP, but the option will remain available even if EMET is being run on a machine that does not support it.
With this aside, we continue to configuring EMET.
There are two main categories of settings that you can configure: System and Apps. Each category can be set by clicking on the respective button at the right of the main EMET window. Clicking on Configure System brings you to this screen:
On Windows XP, setting System Configuration to Maximum will set DEP to Always On, however the recommendation for stability is Application Opt In.
Back on the previous screen, click on Configure Apps in order to add protection for specific applications. This is where you will be spending most of your time in EMET.
The list above has already been populated with some entries, but by default it will be blank. Click on the Add button in order to drill down and select specific executables to be protected, specifying the path where they are installed. By default all application security mechanisms will be enabled, and it is recommended to leave this as-is unless you discover that a specific application does not work properly while running EMET, in which case you would either unselect some of the mechanisms, or remove the application from EMET altogether.
Many of you likely have an idea of which applications would benefit from having additional protections enabled. Below are some suggestions for Windows desktops:* Any/all web browsers installed on your computer (Internet Explorer, Firefox, Chrome, Opera)
* Entire MS Office suite (Access, Excel, Outlook, PowerPoint, Word)
* Sun (now Oracle) Java
* Any media player (Windows Media Player, VLC, iTunes, RealPlayer, QuickTime, Winamp)
* Any software that waits and listens for a network connection
* Any Adobe product that you see frequently listed within Adobe's Security bulletins and advisories.
And so on. You may wish to make an inventory of which applications you have installed on your computer, and visit exploit-db.com in order to see if those applications are being exploited, and if yes how frequently and how severe. For example, does the exploit result "only" in a denial of service, or in execution of arbitrary code? Although we realize that selecting specific processes to be protected while leaving the rest unprotected has similarities to the "Default Permit" that Marcus Ranum discussed in his security paper Six Dumbest Ideas in Computer Security since this effectively places you "in an endless arms-race with the hackers", the purpose here is taking a reasonable approach to increasing the security of a Windows system by protecting vulnerable applications, especially those that are highly targetted. However it is worth mentioning that nothing prevents you from adding virtually ALL processes to EMET. Note however that the more you add, the more you'll need to test, and some applications are observed to not work properly through EMET, or with trial and error are discovered to only work when a specific EMET application configuration protection such as EAF is disabled.
Once you are done adding applications, click on OK and EMET will likely tell you that you need to restart one or more applications. As a quick test close and open one of your protected applications, and click on the refresh button within EMET to see whether a green checkmark appears within the Running EMET column. If no green checkmarks appear, there may be something wrong. If it does work (and it should), it will look something like this:
If you use Windows Sysinternals Process Explorer and view the DLL pane of a process that you have added to EMET, you will notice a new DLL file emet.dll with the description "EMET Shim" for that process (to enable the lower pane DLL view select View | Lower Pane View | DLLs).
Within Process Explorer you will also notice that if you right-click on an EMET-protected process and select Properties | Environment, there will be a variable present called EMET_Settings that lists the mitigations you have enabled for that process.
After you have finished adding processes to EMET, you will want to test your system to confirm that everything still works. At minimum reboot your computer and launch each program that you have added to confirm that they still open properly. Use each application as you normally would and watch for error messages, unresponsiveness, and sudden application exit.
Using EMET through the command-line
EMET can also be configured from the Windows command line, in order to add, remove, or list applications protected by EMET. Like for the GUI, these commands need to be executed through an account that has administrator privileges:
With EMET 184.108.40.206: Usage: EMET_Conf.exe --list | --add path\program.exe | --delete path\program.exe | --delete_all With EMET 2.1: Usage: EMET_Conf.exe --list | --set [--force] path\program.exe [(+|-)AppMitigation ...] | --delete path\program.exe | --delete_all | --export file.xml | --import file.xml | --system [--force] SysMitigation=State [SysMitigation=State ...] AppMitigations are: DEP, SEHOP, NullPage, HeapSpray, EAF, BottomUpRand SysMitigations are: DEP, SEHOP, ASLR Possible states are: Disabled, ApplicationOptIn, ApplicationOptOut, AlwaysOn
An important difference between the two versions is that starting version 2.1 the parameter --add has been replaced with --set. Below are some examples of how you would use the command line to protect specific applications:Protect notepad.exe with all application-specific mitigations (the default):
C:\Program Files\EMET>EMET_Conf.exe --set "c:\WINDOWS\system32\notepad.exe"Protect calc.exe with all application-specific mitigations excluding EAF and Bottom-Up Randomization:
C:\Program Files\EMET>EMET_Conf.exe --set "c:\WINDOWS\system32\calc.exe" -EAF -BottomUpRandAdd EAF mitigation to the already-protected calc.exe from above which currently has EAF and Bottom-Up Randomization excluded:
C:\Program Files\EMET>EMET_Conf.exe --set "c:\WINDOWS\system32\calc.exe" +EAF
Recommended applications to add
Below is a list of applications with their default installation paths (for 32-bit Windows systems) that you will likely want to add to EMET. We have separated these into two categories: Class I and Class II. The first class represents software that is either standard on Windows or that is so frequently deployed that it has become almost ubiquitous in any Windows environment. The second class represents popular software that is optionally installed. Some of our entries include applications that currently aren't observed to be frequently (or at all) targeted but due to their popularity and nature may become so at some point in the future.
Note: An entry for a program below does not imply that it has been thoroughly tested to work properly with EMET, and compatibility may suddenly change in new versions of the software. Readers are responsible for their own testing. This list is not meant to be exhaustive as there is an almost endless possibility of software that can be installed:
CLASS I ------- Adobe Reader 9.x C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Internet Explorer C:\Program Files\Internet Explorer\iexplore.exe Firefox C:\Program Files\Mozilla Firefox\firefox.exe Firefox container C:\Program Files\Mozilla Firefox\plugin-container.exe MS Access 2003 C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE MS Excel 2003 C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE MS Outlook 2003 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE MS PowerPoint 2003 C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE MS PowerPoint 2003 Viewer C:\Program Files\Microsoft Office\OFFICE11\PPTVIEW.EXE MS Word 2003 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE MS Access 2007 C:\Program Files\Microsoft Office\OFFICE12\MSACCESS.EXE MS Excel 2007 C:\Program Files\Microsoft Office\OFFICE12\EXCEL.EXE MS Outlook 2007 C:\Program Files\Microsoft Office\OFFICE12\OUTLOOK.EXE MS PowerPoint 2007 C:\Program Files\Microsoft Office\OFFICE12\POWERPNT.EXE MS PowerPoint 2007 Viewer C:\Program Files\Microsoft Office\OFFICE12\PPTVIEW.EXE MS Word 2007 C:\Program Files\Microsoft Office\OFFICE12\WINWORD.EXE MS Wordpad C:\Program Files\Windows NT\Accessories\wordpad.exe Sun Java JRE SE 6 C:\Program Files\Java\jre6\bin\java.exe Sun Java JRE SE 6 C:\WINDOWS\system32\java.exe Windows Media Player C:\Program Files\Windows Media Player\wmplayer.exe Windows Print Spooler C:\WINDOWS\system32\spoolsv.exe Windows LSASS C:\WINDOWS\system32\lsass.exe CLASS II -------- VLC Media Player C:\Program Files\VideoLAN\VLC\vlc.exe Winamp C:\Program Files\Winamp\winamp.exe Apple QuickTime Player C:\Program Files\QuickTime\QuickTimePlayer.exe Apple iTunes C:\Program Files\iTunes\iTunes.exe Windows Live Messenger C:\Program Files\Windows Live\Messenger\msnmsgr.exe OpenOffice.org C:\Program Files\OpenOffice.org 3\program\soffice.exe OpenOffice.org Base C:\Program Files\OpenOffice.org 3\program\sbase.exe OpenOffice.org Calc C:\Program Files\OpenOffice.org 3\program\scalc.exe OpenOffice.org Draw C:\Program Files\OpenOffice.org 3\program\sdraw.exe OpenOffice.org Impress C:\Program Files\OpenOffice.org 3\program\simpress.exe OpenOffice.org Math C:\Program Files\OpenOffice.org 3\program\smath.exe OpenOffice.org Writer C:\Program Files\OpenOffice.org 3\program\swriter.exe Skype1 C:\Program Files\Skype\Phone\Skype.exe 1 You may need to disable EAF protection for skype.exe in EMET.
You will notice that Adobe Flash is not listed above. On a Windows system that has Adobe Flash installed for Internet Explorer, Flash will run as an ActiveX control and will not appear as a separate standalone executable process. Although there are files named FlashUtil10k_ActiveX.exe and FlashUtil10k_Plugin.exe within C:\WINDOWS\system32\Macromed\Flash\, these are not the processes that render Flash content. If you right-click on either file (which have the exact same byte length -- at least for the 10.1.85.3 version) and view their properties, you will see that they are the uninstaller (you can find the same type of information if you do a string search on the binaries), and double-clicking on either will produce a pop-up prompting you whether you wish to uninstall Flash. Doing so will uninstall Flash for both Firefox and Internet Explorer.
When Flash is installed within Firefox versions 3.6.4 and above, Flash will be offloaded to plugin-container.
This can be seen below. In this example both Internet Explorer and Firefox have Adobe Flash installed and are both visiting the Flash test page at http://www.adobe.com/software/flash/about. For Internet Explorer, accessing Flash content will cause Flash10k.ocx to appear within the iexplore.exe process, and for Firefox doing the same will cause plugin-container.exe to appear with Adobe Flash library NPSWF32.dll within it. No Flash*.exe processes appear anywhere.
Does EMET make a difference?
The answer to this question could span its own separate article. However as a quick test we used Metasploit to create a malicious PDF file embedded with the Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow vulnerability (adobe_cooltype_sing, which the Metasploit description states affects Adobe Reader 9.3.4 and earlier), and configured the payload for this exploit to execute a Windows process (we instructed it to launch notepad.exe). Opening this file on a Windows XP SP3 computer running the latest version of Adobe Reader (9.3.4 at this time of writing) caused notepad to appear, indicating that the exploit was successful. We then installed Microsoft EMET using the default options (DEP set to "Application Opt In") and added only Adobe Reader as a protected process, and tried again. This time opening the PDF file caused the Adobe Reader window to suddenly close instead of executing the payload, thereby protecting our computer. Rebooting the computer and trying again yielded the same results.
The BlueHat team has helped create a video in which in they show EMET successfully blocking the exploit used in the Operation Aurora attacks that targeted Internet Explorer (4:30 mark in the video). Quite similarly to the example above, when protected with EMET, Internet Explorer simply closes instead of allowing compromise of the computer. The Microsoft TechNet blogs also show a few examples of how EMET is used to block real-life attacks.
If you are using BitLocker and modify the system setting for DEP, BitLocker will ask you for the recovery key when you reboot. BitLocker users who wish to modify the system settings for DEP should make sure to read section 6.3 of the EMET user guide located in the EMET directory for information on how to address this issue.
If you decide that you no longer want EMET, you can easily uninstall it through Add/Remove programs. EMET is light-weight (the installer is 5.0 MB) and so uninstalls very easily.