Windows 10: EMET or Malwarebytes Anti exploit?

Discussion in 'AntiVirus, Firewalls and System Security' started by Kol12, Sep 21, 2016.

  1. Attackers can turn Microsoft exploit defense tool EMET against itself - Windows 10 Forums

    Just google "EMET vulnerability" and you'll see links to many articles at a range of reputable sites.
    Most date to the Feb 2016 disclosure/announcement by MS.
    This is more recent:
    Zero-day Windows vulnerability that can supposedly bypass EMET up for sale for $90,000


    MM
     
    MoxieMomma, Sep 21, 2016
    #16

  2. I will double-check on that, but I am pretty sure it does not work that way.

    Disabling the auto-update setting will only disable exactly that: automatically installing the new program version when it is available to that system.
    If one disables that setting, one will still be NOTIFIED that a new program version is available.
    The user can then elect to upgrade or not.

    At least that's how MBAE Premium behaves on all 3 of my systems with that setting disabled.
    (Free should behave the same for this particular feature.)

    Thanks,
    MM
     
    MoxieMomma, Sep 21, 2016
    #17
  3. DavidE Win User
    So, for people I try to help
    Should I recommend don't use EMET, and tell them they have to pay x$ for MBAE yearly?

    These are mostly senior citizens on fixed income, non-techies, and won't pay online, etc.
    The only thing I see MBAE free protects for them is a browser protection (maybe).
    I remove Adobe, Java, etc. for them.
    They may have MS Office, and often do.
    Their OS could be W7 to W10 (or Vista).
     
    DavidE, Sep 21, 2016
    #18
  4. Hi:

    You can advise them however you see fit.

    For what it's worth, most exploits are delivered via browsers.
    Since MBAE Free shields most common browsers and Java, it is sufficient for most users.

    Users who wish to expand protection for other types of applications can purchase the Premium version.
    The rationale behind what is or is not shielded by default in MBAE Free is explained here.
    HMPA, the other, major, third-party anti-exploit application is also a paid program.

    It's always up to each computer user how to protect his/her system.
    I have no financial interest in any product.
    I merely pointed out the well-publicized vulnerability of EMET and tried to correct some misconceptions about MBAE.
    But if you prefer EMET over other similar applications for your computer or for friends, family and clients, then that's certainly 100% fine with me.

    >>NONE of these applications will protect 100% of computers from 100% of malware 100% of the time.
    >>For users who practice "unsafe hex", they will likely fall victim eventually to some adverse event, no matter what security programs are installed.
    >> The key is to educate one's customers on how to protect themselves with "best practices" for personal computing.

    I'm not interested in arguing with you, especially since the OP on this thread was satisfied with the information presented.
    Please do as you see fit.

    Cheers,
    MM
     
    MoxieMomma, Sep 21, 2016
    #19
  5. DavidE Win User
    Understood and thanks.
    I'm also not interested in arguing.
    Guess I know I can't support re-installing MBAE or MBAM remotely for others based on my own experience.
     
    DavidE, Sep 21, 2016
    #20
  6. Kol12 Win User
    Kol12, Sep 21, 2016
    #21
  7. Kol12 Win User
    I would still like some insight into the Secondary Logon service/runas command line tool vulnerability in EMET and if it is enough to stop using EMET altogether...
     
    Kol12, Sep 21, 2016
    #22
  8. DavidE Win User

    I'd like more explanation on this quote from the link:
    What does this really mean?

    Let's ignore the looking over the shoulder idea, that's, well, I won't comment.

    How did the attacker get an admin pw if the user logs in with a standard account?
    If you already have a key logger installed, aren't you already in serious trouble, no matter what?
    Does MBAE or EMET protect against keyloggers?
     
    DavidE, Sep 21, 2016
    #23
  9. Kol12 Win User
    Maybe a keylogger can get into your system on a standard account and log the admin password if it's entered? Doesn't really make much sense to me either.

    Does MBAE or EMET protect against keyloggers? I'll have to let someone else answer that...

    I've noticed that no one has replied to my thread "Is a standard user account really necessary for extra security". What are your guys' opinions? Is it overkill for the home user or just an extra security measure that can be taken?
     
    Kol12, Sep 21, 2016
    #24
  10. Hi:

    I do not know about EMET.

    MBAE does not protect against keyloggers, but MBAM does-- at least illegal ones (there are certain legal keyloggers used for legitimate purposes, e.g. in an Enterprise environment).
    Your AV may also protect against some of them.

    Unlike MBAM and your AV, MBAE does not protect against the "what" of malware.
    It protects against the "how" of malware.
    It is a pre-infection, preventative protection mechanism.
    There are a number of informative pinned topics and webinars/videos on the internet that explain further.

    >>As an aside: to work properly (as with most security software), MBAE (and MBAM) need to be installed and configured from a Windows Admin account.

    Cheers,
    MM
     
    MoxieMomma, Sep 21, 2016
    #25
  11. Hi:

    I apologize for back-to-back posts, but I have received confirmation from the VP of Technology (and former Senior Technical Product Manager for MBAE), Pedro Bustamante.

    So, for the OP, for @DavidE and for anyone else who might read this thread....

    That confirms the behavior I reported earlier.
    Ditto.
    Ditto. So, if the program was installed under a limited/standard user account, it should be cleanly removed and reinstalled from an Admin account in order for the program to perform correctly. I would be happy to provide tips/best practices for such a clean reinstall, if needed.

    Thank you again,

    MM
     
    MoxieMomma, Sep 21, 2016
    #26
  12. DavidE Win User
    Thanks for that info.
    I unchecked "Automatically upgrade to new versions".
    I'll see if that change makes any difference the next time a new version is available.

    The problem for me is there is no way for me to manually check for new versions and run the update when I want to.
    The auto check only happens once per day, so I can't control when the update is offered and I can choose to update.

    I normally log in with a Standard account, and that's when I get notified of a new version.
    If I log off and log back in as an Admin, I don't get the new update message for a day or so, and I can't manually check and update to the new version.

    I don't want to be logged in as an Admin for a day waiting for the message/option to update MBAE to be re-offered.
    I don't want to update the program when I am logged in with a Standard account.

    Most programs I use have a "Check for updates" option.
    I don't see this option in MBAE (free).

    I don't think this affects most users; they probably normally log in with an Admin account.
    They can do the program update when it is offered if they want to.
    I consider my situation a one-off personal problem because of the way I use Windows, with a Standard account.
     
    DavidE, Sep 21, 2016
    #27
  13. Kol12 Win User

    Well I still don't have an answer to whether I should do away with EMET due to the secondary logon vulnerability. Anyone?
     
    Kol12, Sep 22, 2016
    #28
  14. Ethelwulf Win User
    I would suggest staying away from EMET. I have had some problems with it as far as configuring it.

    If you are still looking for advice, I would recommend this:

    https://www.abelssoft.de/en/windows/...AntiBrowserSpy free

    and

    Malwarebytes Anti-Exploit free, but better is the paid version. Both together work fine.

    Good luck.
     
    Ethelwulf, Sep 22, 2016
    #29
  15. Hi, @DavidE:

    A "check for updates" button has been an RFF by one or two users for future program versions. I do not know if or when it will be implemented. However, the best place to reiterate such a request would be at the MBAE Forum (Questions/Comments) section. That way, your request will be seen by the developers.

    Having said that, MBAE does not use definitions or databases. So, the only updates are PROGRAM updates. Those occur only a few times a year. There's really no need to perform manual, frequent update checks. As previously explained, the ~once a day automatic and silent update check is more than sufficient. You will be notified when/if a new program version is available. If you have auto-updates disabled and choose not to update at that time, you will be notified again ~a day (or a system cold start) later. Other strategies include checking the MBAE forum from time to time -- new beta and release builds, with changelogs, are posted there. There is a dedicated forum pinned topic devoted solely to MBAE updates. And one can always manually download the latest release build from the MBAE product page. Unless it's announced otherwise by the developers, new builds may be installed on top of one's existing installation. But, again, new program updates are released only a handful of times a year.

    And, to respectfully reiterate the information here, it's critically important that MBAE be installed and configured from an Admin account. This includes any configuration changes. Once installed and configured from that Admin account, it will run pretty much silently, with no user interaction needed by any user. There should be no need for a standard/limited user to interact with or change anything in the program. Attempts to do so may cause performance or stability problems, as such accounts do not have access to the system files needed for the program's operation.

    Thank you again,

    MM
     
    MoxieMomma, Sep 22, 2016
    #30