Microsoft Resurrecting EMET for Windows 10 Fall Creators Update

The upcoming Windows 10 "Fall Creators Update" will include the Enhanced Mitigation Experience Toolkit (EMET), which had been slated for the chopping block not long ago.

The EMET addition will be one of three security improvements coming in preview form when the Enterprise edition of the Windows 10 Fall Creators Update arrives, Microsoft said this week. The security improvements will be available to enterprise users, but not to consumer users of Windows 10.

EMET is a Microsoft tool that was originally designed as a standalone solution to ward off general Windows exploit techniques used by attackers. It will be wrapped into a new "Windows Defender Exploit Guard" feature that's coming with the Windows 10 Fall Creators Update, according to Microsoft. The other two security additions coming with the Windows 10 Fall Creators Update Enterprise edition will be a new "Windows Defender Application Guard" solution and the "Windows Defender Device Guard" solution.

Windows Defender Application Guard is a protective service for browsers. It checks user downloads from browsers and isolates detected threats. Windows Defender Device Guard, on the other hand, provides a means for managing safe applications lists. The lists can be automated using the "Microsoft Intelligent Security Graph" service, which is Microsoft's machine-learning-based threat assessment technology.

All three security tools -- Exploit Guard, Application Guard and Device Guard -- will be part of the Windows Defender Advanced Threat Protection service. To get the security protections, organizations will need a subscription to that service, in addition to Windows 10 Enterprise edition licensing. Microsoft is promising that IT pros will get security dashboard overviews as well with the new services.

Microsoft expects to release previews of the three new security services "later this year around the September-October timeframe," according to a Microsoft TechNet announcement. Microsoft recently fixed its twice-per-year major Windows 10 update releases to follow a regular March and September release cadence each year.

Advanced Threat Protection Expansion
Microsoft is planning to broaden its Windows Defender Advanced Threat Protection service beyond just being a post-breach analysis service that's mainly used for forensic purposes. The service is now being groomed to use "the full power of the Windows security stack for preventative protection," Microsoft's announcement explained.

Moreover, Microsoft has additional platform expansion plans for the Windows Defender Advanced Threat Protection service. It'll eventually work with Windows Server releases, too, as well as other OS platforms, according to the TechNet announcement:

"We plan to extend Windows Defender ATP to also cover the Windows Server platform, starting with Windows Server 2012 R2 and 2016 releases. We are also working on supporting more platforms beyond Windows, and plan to share more information about it later this year as it becomes available."

The Resurrection of EMET
It wasn't too long ago that EMET was considered by Microsoft to be a dying product, with support planned to end in July 2018. Late last year, Microsoft announced these deprecation plans for EMET, saying that the tool wasn't capable of warding off so-called "zero-day" (or unknown) software exploits.

It was a harsh critique, since EMET was designed to address general attack scenarios, rather than specific software flaws. EMET also had an advantage. It potentially protects older software. For instance, the current EMET 5.5 standalone tool is described as potentially protecting "enterprise legacy software" across various client and server Windows OSes. In addition to supporting Windows 10, EMET 5.5 currently works with "Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, Windows Vista."

Microsoft's deprecation plans for EMET were contradicted early on by CERT, a Carnegie Mellon University-based umbrella organization that dispenses computer security advice. CERT had claimed that EMET had some "application-specific mitigations" that were lacking in Windows 10. EMET still had value, CERT argued.

Microsoft's announcements this week indicated that EMET is being added to the Windows 10 Fall Creators Update in response to feedback from users. EMET will become native to the OS.

"Their feedback to us has been a driving force for Windows Defender Exploit Guard, a new feature making EMET native to Windows 10," Microsoft indicated.

It's not clear if CERT's objections will get addressed, though. Microsoft simply claimed Windows Defender Exploit Guard will bring new protections against vulnerabilities and network intrusions, including protections against zero-day exploits. It's different from the standalone EMET solution in that it taps Microsoft's machine-learning detection service, namely the Microsoft Intelligent Security Graph.

"Using intelligence from the Microsoft Intelligent Security Graph (ISG), Exploit Guard comes with a rich set of intrusion rules and policies to protect organizations from advanced threats, including zero-day exploits," Microsoft explained.

When added to the Windows 10 Fall Creators Update, EMET in Windows Defender Exploit Guard will bring the following benefits:

  • Better control over code running on machines
  • Tools to mitigate exploits at runtime
  • Intrusion protection via "Attack Surface Reduction (ASR) smart rules"
  • Blocking of Office macros that attempt to download Web content
  • Blocking of Web sites known to house malicious code via the "Windows Defender SmartScreen knowledge base"

It's not clear what will happen to the standalone EMET tool. Likely, it will fall out of support next year, as planned by Microsoft. Users of older Windows versions likely won't have access to its potential protections at that time.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.