I've been pushing to get Microsoft's EMET installed at my company, but we've been encountering numerous issues with false positives where processes are getting blocked and/or crashing. Any suggestions on how to fight this battle?
Ask the Expert
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
I'm not exactly sure which battle you need help in fighting: the battle to convince your company that a Microsoft EMET deployment is a good move, or the battle against false positives, so I'll do my best to tackle both.
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) version 4.0 is an extremely valuable mitigation technology for any organization running older Windows applications or operating system software. EMET is free and works by retroactively applying various security mitigation technologies to applications, making it more difficult for an attacker to exploit common attack vectors such as buffer overflows and memory corruption. As opposed to regular signature-based antimalware software, EMET is better at defending against automated attacks and zero-day exploits, as it's based around detecting malicious behaviors.
If senior management isn't convinced that deploying Microsoft EMET is worth the time and effort, remind them that legacy software is always an attractive target for attackers, particularly if it's no longer supported by the original vendors. For example, Windows XP Service Pack 3 and Office 2003 will both go out of support in April 2014. After this date, there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. Running end-of-life software is a big risk and is seen as a control failure by most compliance and regulatory standards. Implementing EMET can provide important protection whilst legacy systems are being updated. EMET can also provide additional protection for in-support versions of Windows by offering supplementary mitigations and enforcing mitigation for software that has not opted to use Microsoft's latest defensive controls, such as data execution prevention.
If your EMET configuration is causing false positives, it will probably require some time spent with the user guide to find the best way forward. First check that machines have sufficient free memory to run EMET; if memory is a concern, disable the logging feature and notifications via settings in the registry to conserve it. EMET may cause some programs to crash, but this is often down to bugs within those specific applications rather than an EMET problem. Identify the particular mitigation that is causing the crash, disable it for that application only, and continue with the other mitigations enabled: you still gain an improvement in security without losing functionality. The graphical user interface makes it easy to configure mitigations per application and to see which processes have been opted in to EMET.
Getting newly installed software working correctly can be frustrating, but keep persevering, as EMET provides an additional layer of protection for enterprise networks. Version 4.0 features new updates and mitigations, including a certificate pinning feature called Certificate Trust that can detect man-in-the-middle attacks.
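To support the troubleshooting advice above, here is an added PowerShell example (not part of the original column) that summarises EMET mitigation events from the Windows Application log by process and mitigation, so the one mitigation tripping on one application stands out before anything is disabled. It assumes EMET logs to the Application log under the provider name `EMET` and that the event text contains the phrase `EMET detected <mitigation> mitigation in <process>`; check both against an event in your own log before relying on the output.

```powershell
# Added example: triage EMET false positives from the Windows Application log.
# Assumption (verify on your own systems): EMET writes mitigation events to the
# Application log with ProviderName 'EMET', and the message text contains
# "EMET detected <Mitigation> mitigation in <process path>".
param(
    [int]$Days = 7   # how far back to look
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{
              LogName      = 'Application'
              ProviderName = 'EMET'
              StartTime    = $since
          } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No EMET events found in the last $Days days."
    return
}

# Pull the mitigation name and the process path out of each message.
$pattern = 'EMET detected (?<Mitigation>\S+) mitigation in (?<Process>[^\r\n]+)'
$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Mitigation = $Matches.Mitigation
            Process    = [System.IO.Path]::GetFileName($Matches.Process.Trim())
        }
    }
}

# One line per (process, mitigation) pair. A high count concentrated on a single
# pair usually means an application bug that trips one mitigation; that is the
# mitigation to switch off for that application while leaving the rest enabled.
$rows |
    Group-Object Process, Mitigation |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Process';    e = { $_.Group[0].Process } },
                  @{ n = 'Mitigation'; e = { $_.Group[0].Mitigation } },
                  @{ n = 'LastSeen';   e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Once a (process, mitigation) pair is identified, disable only that mitigation for that application in the EMET GUI and re-check the log after a few days to confirm the crashes have stopped.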
This was first published in July 2013