Microsoft EMET 3.5 Tech Preview

Updated: March 29, 2013

As the most rational and impartial person in this universe, when I tell you that Microsoft's EMET is the best thing to hit the Windows security scene ever, you will most likely feel an urge to label me as a fanboy. When you consider the fact I make a living fiddling with Linux, you will nod your heads respectfully at the enormity of this truth.

Now, version 3.5 of this great little piece of software is out there, available for nerds and friends to test. Considering myself to be one of the former, I headed over to the Microsoft site and downloaded the new version. What you're reading here is a brief tour.

Version 3.5 features

When you try to install the software, it will warn you that an existing version is already present, and you will have to remove it first. The process is not automatic and streamlined. Yet.

Uninstall old version message

Once installed, EMET 3.5 TP looks identical to previous versions, until you hit the Configure Apps button. Here, you will see the mitigations separated into tabs. You can configure Memory, ROP and other options. By default, old settings will be preserved.

New mitigations

ROP options

You can also examine all of the mitigations at one. Then, you can begin testing by checking on and off some of the options. Now, I would expect people using this software to know just a tiny bit what different mitigations really mean, but you can probably begin with a blanket coverage and then reduce as necessary.

All mitigations shown

In action & a small bug

Now, a screenshot of EMET working. Truth to be told, this is an image from the older version, the one labeled 3.0, but it makes no difference, because version 3.5 brings in new mitigations and does not remove the old ones. What I dislike is the fact the notification popup is somewhat transparent, and then you can see the Firefox status bar and its extension icons, and this irks me so.

DEP mitigation

DEP mitigation in the event viewer

One more thing that springs to mind is that when you click the notifier icon in the system tray, it will create a five-second notification that will eventually fade. However, if you do this multiple times, you will flood your screen with notifications. I consider this to be a minor bug, but still a bug. Present in version 3.5, too.

Notification bug

Suggestions

I have a few ideas that come to mind. The chances of anyone in Microsoft actually reading this are slim, but I will release them into the wild, just in case. One, I believe that EMET should be incorporated into the Windows updates and managed that way. After all, it's a Microsoft product.

Two, EMET should have an online database of software compatibility, listing or offering the most recommended settings for various programs. In other words, instead of having users check whether their software works by trying to crash it through the use of mitigations, EMET would provide the optimal checklist. This way, users would enjoy a more robust security configuration and would be less tempted to turn things off.

I am fully aware of the difficulty in having such a repository in place, as there are virtually tens of thousands of programs, but the list could at least contain the most popular top 100 items, which would include 90% of what everyone uses. Just thinking wildly, you have Microsoft software, LibreOffice, Adobe products, various Web browsers and media players, some P2P software, mail clients, and maybe a few other Internet-facing applications. That would be a great start.

Conclusion

Well, what else is there to say. I really like this program. It does what it's expected from it, and it's so lightweight and transparent. The perfect security solution, especially when it comes from the vendor itself, which ought to know best how its operating system behaves and the best way to protect it.

I would advise you to proceed slowly and carefully, as you may end up with programs hanging or crashing or plain misbehaving. Then again, that's the part of this fun called EMET. Anyhow, version 3.5 is extremely nice and does wonderfully what is expected from it. You should definitely take it for a spin and see for yourself.

Cheers.