EMET 5.5 Beta available now

Microsoft has released a Beta version of its EMET tool. You can download it from here: http://www.microsoft.com/en-us/download/details.aspx?id=49166 This was released back in October, but I have been running version 5.2 for a long time, so I installed the new Beta version to see what's new. If you are running an older operating system such as Windows Vista or Windows 7, you probably won’t benefit much from any new features, but if you are running Windows 10 or Server 2012 R2, I would suggest trying it in a lab environment first before deploying it to any production environments.

The most noticeable change to the GUI is a new section that says “Block Untrusted Fonts”. This setting is included to support Windows 10 only. Other new features include better configuration of various mitigations via GPO; however, I am still trying to figure out how not to crash the app when clicking on the Group Policy button. There are also EAF/EAF+ pseudo-mitigation performance improvements. More information can be found on the TechNet blog.

The first bug I found on my Windows 10 system involved the new button that says Group Policy in the toolbar on the top left. I clicked the button and a box opened up that said the name of my domain at the top, but it also said LOCAL GROUP POLICY, and it eventually crashed the EMET GUI dashboard before anything else happened. I collected a dump and I’m analyzing it, as it may be related to my domain’s group policy settings, so this may not affect you as it did over here. However, this crash happens on more than one computer, so I sent it in to Microsoft’s EMET feedback.

EMET v4 Beta adds new feature “Audit Only” to protect from crashes

EMET v4 Beta was first introduced here on the Microsoft Security and Research Defense TechNet Blog. I have deployed the v3.5 tech preview to most of my secure workstations, so I inquired about upgrade paths, and it looks like you should uninstall previous releases as well as delete the EMET registry keys before installing EMET v4 Beta. The registry keys to delete are located at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET*"
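The registry cleanup step above, written as an added PowerShell example (not from the original post or from Microsoft): it exports every key matching the pattern to a .reg backup and only then removes it, and it does not uninstall EMET itself. The backup folder is a hypothetical location and an elevated session is assumed.

```powershell
# Added example: back up, then remove, leftover EMET registry keys before
# installing the v4 Beta. Uninstall the previous EMET release first.
# Assumptions: elevated PowerShell session; $BackupDir is a hypothetical path.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Pattern   = 'HKLM:\SOFTWARE\Microsoft\EMET*',
    [string]$BackupDir = "$env:SystemDrive\EMET-RegBackup"
)

# Deleting under HKLM needs administrator rights; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# The registry provider expands the trailing wildcard for us.
$keys = @(Get-Item -Path $Pattern -ErrorAction SilentlyContinue)
if ($keys.Count -eq 0) {
    Write-Output "No keys match $Pattern; nothing to clean up."
    return
}

# Always create the backup folder, even under -WhatIf, so the export can run.
New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null

foreach ($key in $keys) {
    # $key.Name is the reg.exe form, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $BackupDir ("{0}-{1}.reg" -f $key.PSChildName, $stamp)

    & reg.exe export $key.Name $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Never delete a key that could not be backed up.
        Write-Warning "Export of $($key.Name) failed; leaving the key in place."
        continue
    }

    if ($PSCmdlet.ShouldProcess($key.Name, 'Remove registry key')) {
        Remove-Item -Path $key.PSPath -Recurse -Force
        Write-Output "Removed $($key.Name) (backup: $backupFile)"
    }
}
```

Saved as a script file and run with `-WhatIf`, it writes the backups and lists the keys it would remove without deleting anything.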

If you want to download the Beta version, here is a link to the download page. I have just begun testing out this new version, and so far the best feature that is now included is the option to only audit and not crash the program. Also, when an application trips a mitigation response, you can see one or more little boxes that pop up in the lower right-hand corner of the desktop, and in some cases the boxes quickly blink and scroll up the screen as the exception happens multiple times. Then you can go into the EMET control panel and turn off the mitigation that is mentioned in the box if you want the program to continue to run despite the issue.

For example, I have only had problems with the SimExec mitigation, and it has so far affected Internet Explorer and Microsoft Word 2013. I went in and disabled the SimExec settings for these applications and have not had any more problems running Word or IE so far. Once you install the Beta, you can read the manual located in the Program Files directory.
32-bit Windows: C:\Program Files\EMET 4.0 (Beta)
64-bit Windows: C:\Program Files (x86)\EMET 4.0 (Beta)