Sunday, March 08, 2015

Harmonizing EMET and MBAE

In the GSD post “Anti-Virus Software Update - GSD Thoughts” I outlined the layered security approach I generally take on our Windows systems.

My layered use of the following products meets my own household needs but may not be adequate for less-than-advanced users.

  1. Free Firewall Software by GlassWire - Monitors and logs network connections…more used for logging than “active firewall blocking”.
  2. Sysmon - Sysinternals core service to log application/network executions
  3. Enhanced Mitigation Experience Toolkit - EMET - TechNet Security
  4. Microsoft Security Essentials - Microsoft Windows - Core AV protection
  5. Malwarebytes Premium - Supplemental real-time AV/AM protection
  6. (Optionally) Malwarebytes Anti-Exploit - Free Zero-Day Exploit Protection - browser layer protection

What I failed to clearly explain in that list is the following potential “gotcha” one may trip over.

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) – while generally very compatible both with Malwarebytes and Malwarebytes Anti-Exploit (MBAE) – seems to prevent smooth launching of the Internet Explorer web-browser when both are using default settings.

On both my Win 7 x64 and Lavie’s Win 8.1 x64 systems Firefox, Chrome/Chromium, and Vivaldi browsers all seem to work just fine with EMET and MBAE running…though I just keep to the default EMET configurations on install and don’t specifically add custom protection for Firefox/Chrome/Vivaldi to EMET. Internet Explorer (iexplore.exe) is included in the default EMET protection. And the free version of MBAE protects Firefox, Chrome, Internet Explorer and Opera browsers.

Many MBAE users recommend just skipping (or uninstalling) EMET, but I find the two complement each other nicely, with the exception of Internet Explorer, so I continue to run them together at the same time, under the conditions noted below.

On Lavie’s Windows 8.1 system I actually arrived, through much trial and error, at a combination of EMET iexplore.exe protection feature checks/unchecks that gets IE running smoothly with no issues alongside MBAE. (When I can get Lavie’s laptop away from her, I’ll update this post with a screen shot of her Windows 8.1 MBAE configuration.)

On both my Windows 7 systems I just punted and disabled EMET protection for Internet Explorer entirely. I almost never use IE myself, and I will just trust MBAE to cover the gap in EMET coverage I’ve created with that strategy.

(screenshot)

Likewise, if you have the paid version of MBAE, you could optionally disable the IE protection in MBAE and leave the EMET protection in place; the free version doesn’t allow adding processes or disabling protections.
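If you would rather script the “punt” above than click through the EMET GUI, EMET ships a command-line tool, EMET_Conf.exe, that can export, list, change and delete per-application settings. The following is an added example of mine, not something from the original post or from Microsoft or Malwarebytes. It assumes an EMET 5.1 install in one of the default folders and that the default EMET profile registers IE under the wildcard path `*\Internet Explorer\iexplore.exe`; confirm the actual registered path from the `--list` output before deleting anything. The mitigation names in the commented-out `--set` line are illustrative only; the post does not record which combination of checks/unchecks worked on Lavie’s machine.

```powershell
# Added example: remove iexplore.exe from EMET so MBAE alone covers IE, with a backup first.
# Assumptions: EMET 5.1 in a default install folder; IE registered under the wildcard path below.
# EMET_Conf.exe writes under HKLM, so this must run from an elevated PowerShell prompt.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Locate EMET_Conf.exe (assumed default install locations for EMET 5.1).
$candidates = @(
    "${env:ProgramFiles(x86)}\EMET 5.1\EMET_Conf.exe",
    "$env:ProgramFiles\EMET 5.1\EMET_Conf.exe"
)
$emetConf = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $emetConf) { throw 'EMET_Conf.exe not found; adjust $candidates for your install.' }

# 1. Back up the current application settings so the change can be reverted with --import.
$backup = Join-Path $env:USERPROFILE ('Desktop\emet-apps-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
& $emetConf --export $backup
Write-Host "EMET application settings exported to $backup"

# 2. Show what EMET currently has registered for IE; the path used below must match this.
& $emetConf --list | Select-String -SimpleMatch 'iexplore.exe'

# 3a. The Windows 7 approach from the post: drop IE from EMET entirely and let MBAE cover it.
$iePath = '*\Internet Explorer\iexplore.exe'   # assumption: wildcard path from the default profile
& $emetConf --delete $iePath

# 3b. Alternative: keep IE in EMET but turn individual mitigations off ('-' disables, '+' enables).
#     The mitigation names here are illustrative; find the combination that works on your box.
# & $emetConf --set $iePath -EAF -SimExecFlow -Caller

# To undo everything: & $emetConf --import $backup
```

Run `EMET_Conf.exe` with no arguments from an elevated prompt to see the switches your installed version actually supports, and keep the exported XML around: it is the quickest way back if IE starts misbehaving again after a later EMET or MBAE update.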

There are some Malwarebytes MBAE forum threads that try to address the tweaking of EMET more methodically.

Again, I managed to do that on Lavie’s Win 8.1 system and will eventually (probably) get around to either confirming the iexplore.exe configuration for EMET 5.1 noted in the forum post above, or finding the combination that works on my Win 7 systems, and I will post an update here as well.

In case you are curious whether MBAE is actually protecting your system, Malwarebytes offers a series of test files you can use to trigger the MBAE protection alert for validation.

Also, while researching this post, I found a few notices that a new version of Malwarebytes Anti-Malware (2.1) will be on the way soon. It is currently available in Beta form if you are daring.

I’m looking forward to the changes and promised performance improvements.

Finally, in case you are interested, the Vivaldi browser I’ve been crushing on lately isn’t included in the free version of MBAE protection. Again, if I were using the paid version, I’m pretty sure I could add the exe file to the list manually to provide customized protection. I imagine it should play well, as it is based on Chrome/Chromium, which MBAE does protect via its chrome.exe host process coverage.

I did pop into the Protection for new browsers - News, Questions and Comments Malwarebytes Forum and did the responsible thing by asking for vivaldi.exe to be added to the default protected browser list in MBAE.

Time will tell.

Cheers,

Claus Valca
