Exploits Built to Circumvent Microsoft EMET: What It Means for You

Dec 18, 2014

Our threat research team recently published a technical analysis of an exploit found in the wild that contains code targeted at circumventing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). If you’re familiar with EMET, you will know that it’s a tool Microsoft developed to help prevent some of the techniques commonly used to exploit common applications running on Microsoft Windows. Some organizations use EMET to protect legacy systems that are no longer patched, such as Windows XP, while others use it to enhance, even if slightly, the OS-integrated security in newer versions like Windows 7.

Microsoft was on to something when they developed EMET, but rather than developing it into an enterprise product, it was turned into a tool for extremely advanced users -- one that lacks robustness, depth of security, and centralized management. Because of this, some customers may be using it with a false sense of security. Attackers are already taking advantage of EMET’s flaws by developing exploits tailored to bypass its weak implementation of exploit prevention modules.

Because the approach we use in our Traps Advanced Endpoint Protection product can sound similar to that used by EMET, many customers ask how we differ. So let’s talk about how exploits that bypass EMET still get blocked by Traps, and how Traps stops malware that does not use an exploit and therefore cannot be blocked by EMET:

  • Anti-exploit effectiveness: Traps comes with more than twice the number of exploit prevention modules (EPMs). This means that Traps blocks more exploit techniques, including techniques that are used specifically to bypass EMET. These EPMs are implemented at a lower level, making them extremely difficult to bypass. Some of the modules in EMET only work on applications that were compiled to work with EMET, whereas the Traps EPMs are enforced on any application with no dependency on application awareness.
  • Self-protection mechanisms: Let’s face it, many of our users have highly privileged control over their own PCs. This means they can disable software and stop processes at will. While EMET can be easily disabled, sometimes even by an end user with low privileges, Traps includes proprietary self-protection mechanisms that make it extremely difficult, even for a local administrator, to disable the agent. The specifics are top secret, but let’s just say that even successfully stopping the Traps-related services is not going to stop us from blocking exploits.
  • Application coverage: Traps can prevent exploitation of any application process. Furthermore, the agent automatically discovers new processes being used on endpoints and populates a list in the admin console so the administrator can select the processes that should be protected. As an example, we have one customer that is using Traps to protect more than 250 applications in addition to the hundreds that are already included in our default policy. This is compared to roughly 10 applications covered by the EMET default policy. It’s also worth mentioning that Traps includes full protection for Java, including its very famous logic flaws, whereas EMET merely stops memory corruptions in Java, which are rare.
  • Centralized Management: Traps is a scalable enterprise product with a centralized console for policy management and reporting. EMET is a tool that lacks any centralized policy management and only reports to the local event log on the endpoint.
  • Breadth of security layers: Traps components include anti-exploit, anti-malware, forensics, device control, application control and WildFire cloud integration. EMET is simply an anti-exploit tool, offering a small subset of our anti-exploit features.
  • Integration: Traps integrates with WildFire, a key component of our threat intelligence cloud, in order to leverage intelligence gathered from thousands of WildFire customers submitting over a million suspect files each day. Traps also integrates with popular SIEM solutions and Syslog, and uses an MS SQL back end.

I invite you to learn more about Traps and our approach to Advanced Endpoint Protection.
