    #485537


    TOP STORY


    Protecting PCs from the next zero-day threat

    By Susan Bradley

    One of the better tools for protecting our systems from the new threats is Microsoft’s oddly named Enhanced Mitigation Experience Toolkit.
    If you must use Internet Explorer for specific applications, use another browser as much as possible and remove or disable Java.


    The full text of this column is posted at windowssecrets.com/top-story/protecting-pcs-from-the-next-zero-day-threat (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


    • #1350459

      Good information. Thank you. (I’ve downloaded it …)

      I understand why you focus on XP, but could you follow up and expand on the benefits to Vista, Win7 and even Win8. Just a table listing the EMET mitigations that benefit the other Windows versions would help sell management on supporting the effort required to implement this free tool.

      • #1350465

        Thanks for the update. One point of note…if EMET 3.0 is installed it must be removed using Control Panel before EMET 3.5 can be installed…At least in Windows 7 Professional (X64).

        • #1350475

          Am I correct that all the column content (9/26) applies to Internet Destroyer, not other browsers?

          As an aside, it has finally happened to me: I never thought I’d be in the situation of not understanding over 70% of the terminology in a computer tech article. I feel like the truck drivers who strayed across the CanAm border in the ’40’s and wound up in a small diner in Canada around 4AM…

          “Say, Sister, we’re lost! Can you tell us where we are?”

          “Saskatoon, Saskatchewan!”

          (Turns to his co-driver) “Nice job of navigating…. they don’t even speak ENGLISH here!”

          I feel his pain.

          • #1350491

            I appreciate very much the information in this article as well as the others WS publishes which help us keep our computers ASAP (as safe as possible). I use a simple and brutally effective way to protect my valuable data: I don’t make it accessible to the internet. When I purchased my most recent PC, I saved the old one, upgraded it a touch, pulled it offline, and use it for the data that absolutely must be kept intact. That may be extreme, and yes, I have to do some minor data manipulation via flash drives, but I live in comfort knowing that my financial, tax, business, and other vital information is safe from the reach of internet hackers. And, the offline computer runs crazy fast, because it is not loaded down with malware, virus and other such software running in the background. I will soon replace the offline computer with a newer one; basic PCs are very inexpensive these days, and it seems like cheap but reliable insurance to me.

            • #1350575

              When I got to the part about enabling internet explorer and clicked ‘open’ on the profile file I got a warning about Active X ( I guess I should not trust Microsoft, eh?) After electing to run the Active X item nothing happens. After reboot EMET is not protecting anything. I guess I got this all wrong, eh? (Windows XP system).

            • #1350583

              I uninstalled 3.0 and installed 3.5. When I tried to “Configure Apps,” the window is much more basic than in the article and there was no “Import” feature. Is that because I use Windows 7 Home Premium rather than Professional? Or some other reason?

              Thanks.

            • #1361838

              I uninstalled 3.0 and installed 3.5. When I tried to “Configure Apps,” the window is much more basic than in the article and there was no “Import” feature. Is that because I use Windows 7 Home Premium rather than Professional? Or some other reason?

              Thanks.

              Using Windows 7 Pro, I clicked “File” and then “Import.” Next, double click in this order: “Local Disk (C:),” “Program files,” “EMET (Tech Preview),” “Deployment”, “Protection Profiles,” and “Internet Explorer”. When the last page listing all the defaults for IE came up, all the checkboxes were selected. Just to make sure all the checkboxes would remain selected, I clicked “Okay,” closed EMET, and rebooted my computer.

              Using Windows 7 is apparently the reason the window you refer to is more basic than in the article. When my operating system was Windows XP, the window was the same as in Susan Bradley’s excellent article.

            • #1361839

              Hopefully this excellent article on deploying EMET on systems using Windows XP is the first of several. In particular, I’d like to see articles on deploying EMET with Windows 7 and 8.

            • #1350703

              I appreciate very much the information in this article as well as the others WS publishes which help us keep our computers ASAP (as safe as possible). I use a simple and brutally effective way to protect my valuable data: I don’t make it accessible to the internet. When I purchased my most recent PC, I saved the old one, upgraded it a touch, pulled it offline, and use it for the data that absolutely must be kept intact. That may be extreme, and yes, I have to do some minor data manipulation via flash drives, but I live in comfort knowing that my financial, tax, business, and other vital information is safe from the reach of internet hackers. And, the offline computer runs crazy fast, because it is not loaded down with malware, virus and other such software running in the background. I will soon replace the offline computer with a newer one; basic PCs are very inexpensive these days, and it seems like cheap but reliable insurance to me.

              And the best way to avoid electrical shocks is to live without electricity, I suppose. 😉

              -- rc primak

    • #1350621

      Your article says:

      “For example, EMET will add Structured Exception Handling Overwrite Protection (SEHOP; more info) to Windows XP.”

      But your own graphic in the article shows the program’s main window saying that SEHOP remains “unavailable”. After some digging, I determined that this means Windows *itself* won’t use SEHOP but applications can be configured to use it (as one does by following your very-nearly-complete instructions). This is an unfortunate opportunity for confusion in EMET’s user interface.

      Another thing that seems puzzling is the presence of “EMET Notifier” in the Windows System Tray after closing the EMET program. And its absence after the PC has been rebooted. This would seem to imply that one must have the EMET program within one’s Startup programs for it to take effect… or at least, for whatever the “Notifier” is, to take effect.

      • #1350705

        Your article says:

        “For example, EMET will add Structured Exception Handling Overwrite Protection (SEHOP; more info) to Windows XP.”

        But your own graphic in the article shows the program’s main window saying that SEHOP remains “unavailable”. After some digging, I determined that this means Windows *itself* won’t use SEHOP but applications can be configured to use it (as one does by following your very-nearly-complete instructions). This is an unfortunate opportunity for confusion in EMET’s user interface.

        Another thing that seems puzzling is the presence of “EMET Notifier” in the Windows System Tray after closing the EMET program. And its absence after the PC has been rebooted. This would seem to imply that one must have the EMET program within one’s Startup programs for it to take effect… or at least, for whatever the “Notifier” is, to take effect.

        This article from Tech Republic contains an explanation of the EMET Notifier. It is a Real-Time notification of any event where an application was terminated due to an EMET violation.

        The EMET Notifier, a new feature added in this version, also helps organizations in monitoring EMET, as it can write events to the Application log and present the user with notifications on the taskbar area when an application has been terminated due to an attempted exploit.

        This would appear to be useful, but not a necessary component. And yes, it could be added to Startups to run whenever Windows is running. Just an added layer of protection, it seems. Logging is also possible with EMET.

        -- rc primak

        • #1350758

          Am I correct in assuming this adds no extra protection for someone who uses Firefox rather than IE on an XP machine?

          • #1350769

            Am I correct in assuming this adds no extra protection for someone who uses Firefox rather than IE on an XP machine?

            EMET can add protections for all or any selection of programs. Yes, Firefox can benefit — just not as much in this current issue as IE.

            -- rc primak

    • #1350932

      One thing I noticed when importing the “Office Programs” protection settings is that it left DEP unchecked for certain Microsoft Office programs, specifically ones in the “Office10” folder (see screenshot). Does this mean that there are certain programs that won’t run correctly or will run with reduced performance if DEP is forced on them? Why does EMET leave DEP disabled for them by default?
      [attached screenshot]

      • #1351000

        One thing I noticed when importing the “Office Programs” protection settings is that it left DEP unchecked for certain Microsoft Office programs, specifically ones in the “Office10” folder (see screenshot). Does this mean that there are certain programs that won’t run correctly or will run with reduced performance if DEP is forced on them? Why does EMET leave DEP disabled for them by default?
        [attached screenshot]

        Probably yes. The article warns to go slowly for this reason.

        -- rc primak
