14 KiB
title, keywords, description, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.localizationpriority, author, ms.author, ms.date
| title | keywords | description | search.product | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.localizationpriority | author | ms.author | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Compare the features in Exploit protection with EMET | emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert | Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. | eADQiWindows 10XVcnh | security | w10 | manage | library | security | medium | andreabichsel | v-anbic | 04/30/2018 |
Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
Applies to:
- Windows 10, version 1709 and later
- Enhanced Mitigation Experience Toolkit version 5.5 (latest version)
Audience
- Enterprise security administrators
Important
If you are currently using EMET you should be aware that EMET will reach end of life on July 31, 2018. You should consider replacing EMET with Exploit protection in Windows 10.
You can convert an existing EMET configuration file into Exploit protection to make the migration easier and keep your existing settings.
This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and its replacement in Windows 10: Windows Defender Exploit Guard.
In Windows 10, version 1709 (also known as the Fall Creators Update) we released Windows Defender Exploit Guard, which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits.
Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
EMET is a stand-alone product that is available on earlier versions of Windows and provides some mitigation against older, known exploit techniques.
After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it.
For more information about the individual features and mitigations available in Windows Defender Exploit Guard, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
- Windows Defender Exploit Guard
- Protect devices from exploits with Windows Defender Exploit Guard
- Configure and audit Exploit protection mitigations
Feature comparison
The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.
| Windows Defender Exploit Guard | EMET | |
|---|---|---|
| Windows versions | [!includeCheck mark yes] All versions of Windows 10 starting with version 1709 |
[!includeCheck mark yes] Windows 8.1; Windows 8; Windows 7 Cannot be installed on Windows 10, version 1709 and later |
| Installation requirements | Windows Defender Security Center in Windows 10 (no additional installation required) Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. |
Available only as an additional download and must be installed onto a management device |
| User interface | Modern interface integrated with the Windows Defender Security Center | Older, complex interface that requires considerable ramp-up training |
| Supportability | [!includeCheck mark yes] Dedicated submission-based support channel[1] Part of the Windows 10 support lifecycle |
[!includeCheck mark no] Ends after July 31, 2018 |
| Updates | [!includeCheck mark yes] Ongoing updates and development of new features, released twice yearly as part of the Windows 10 semi-annual update channel |
[!includeCheck mark no] No planned updates or development |
| Exploit protection | [!includeCheck mark yes] All EMET mitigations plus new, specific mitigations (see table) Can convert and import existing EMET configurations |
[!includeCheck mark yes] Limited set of mitigations |
| Attack surface reduction[2] | [!includeCheck mark yes] Helps block known infection vectors Can configure individual rules |
[!includeCheck mark yes] Limited ruleset configuration only for modules (no processes) |
| Network protection[2] | [!includeCheck mark yes] Helps block malicious network connections |
[!includeCheck mark no] Not available |
| Controlled folder access[2] | [!includeCheck mark yes] Helps protect important folders Configurable for apps and folders |
[!includeCheck mark no] Not available |
| Configuration with GUI (user interface) | [!includeCheck mark yes] Use Windows Defender Security Center app to customize and manage configurations |
[!includeCheck mark yes] Requires installation and use of EMET tool |
| Configuration with Group Policy | [!includeCheck mark yes] Use Group Policy to deploy and manage configurations |
[!includeCheck mark yes] Available |
| Configuration with shell tools | [!includeCheck mark yes] Use PowerShell to customize and manage configurations |
[!includeCheck mark yes] Requires use of EMET tool (EMET_CONF) |
| System Center Configuration Manager | [!includeCheck mark yes] Use Configuration Manager to customize, deploy, and manage configurations |
[!includeCheck mark no] Not available |
| Microsoft Intune | [!includeCheck mark yes] Use Intune to customize, deploy, and manage configurations |
[!includeCheck mark no] Not available |
| Reporting | [!includeCheck mark yes] With Windows event logs and full audit mode reporting Full integration with Windows Defender Advanced Threat Protection |
[!includeCheck mark yes] Limited Windows event log monitoring |
| Audit mode | [!includeCheck mark yes] Full audit mode with Windows event reporting |
[!includeCheck mark no] Limited to EAF, EAF+, and anti-ROP mitigations |
(1) Requires an enterprise subscription with Azure Active Directory or a Software Assurance ID.
(2) Additional requirements may apply (such as use of Windows Defender Antivirus). See Windows Defender Exploit Guard requirements for more details. Customizable mitigation options that are configured with Exploit protection do not require Windows Defender Antivirus.
Mitigation comparison
The mitigations available in EMET are included in Windows Defender Exploit Guard, under the Exploit protection feature.
The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.
| Mitigation | Available in Windows Defender Exploit Guard | Available in EMET |
|---|---|---|
| Arbitrary code guard (ACG) | [!includeCheck mark yes] | [!includeCheck mark yes] As "Memory Protection Check" |
| Block remote images | [!includeCheck mark yes] | [!includeCheck mark yes] As "Load Library Check" |
| Block untrusted fonts | [!includeCheck mark yes] | [!includeCheck mark yes] |
| Data Execution Prevention (DEP) | [!includeCheck mark yes] | [!includeCheck mark yes] |
| Export address filtering (EAF) | [!includeCheck mark yes] | [!includeCheck mark yes] |
| Force randomization for images (Mandatory ASLR) | [!includeCheck mark yes] | [!includeCheck mark yes] |
| NullPage Security Mitigation | [!includeCheck mark yes] Included natively in Windows 10 See Mitigate threats by using Windows 10 security features for more information |
[!includeCheck mark yes] |
| Randomize memory allocations (Bottom-Up ASLR) | [!includeCheck mark yes] | [!includeCheck mark yes] |
| Simulate execution (SimExec) | [!includeCheck mark yes] | [!includeCheck mark yes] |
| Validate API invocation (CallerCheck) | [!includeCheck mark yes] | [!includeCheck mark yes] |
| Validate exception chains (SEHOP) | [!includeCheck mark yes] | [!includeCheck mark yes] |
| Validate stack integrity (StackPivot) | [!includeCheck mark yes] | [!includeCheck mark yes] |
| Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!includeCheck mark yes] |
| Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection See Mitigate threats by using Windows 10 security features for more information |
[!includeCheck mark yes] |
| Block low integrity images | [!includeCheck mark yes] | [!includeCheck mark no] |
| Code integrity guard | [!includeCheck mark yes] | [!includeCheck mark no] |
| Disable extension points | [!includeCheck mark yes] | [!includeCheck mark no] |
| Disable Win32k system calls | [!includeCheck mark yes] | [!includeCheck mark no] |
| Do not allow child processes | [!includeCheck mark yes] | [!includeCheck mark no] |
| Import address filtering (IAF) | [!includeCheck mark yes] | [!includeCheck mark no] |
| Validate handle usage | [!includeCheck mark yes] | [!includeCheck mark no] |
| Validate heap integrity | [!includeCheck mark yes] | [!includeCheck mark no] |
| Validate image dependency integrity | [!includeCheck mark yes] | [!includeCheck mark no] |
Note
The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.
See the Mitigation threats by using Windows 10 security features for more information on how Windows 10 employs existing EMET technology.