mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 14:23:38 +00:00

Files

Iaan D'Souza-Wiltshire a685cfa876 fix layout issues

2017-12-07 14:24:01 -08:00

18 KiB

Raw Blame History

title, keywords, description, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, localizationpriority, author, ms.author, ms.date

title	keywords	description	search.product	ms.pagetype	ms.prod	ms.mktglfcycl	ms.sitesec	ms.pagetype	localizationpriority	author	ms.author	ms.date
Compare the features in Exploit protection with EMET	emet, enhanced mitigation experience toolkit, configuration, exploit	Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.	eADQiWindows 10XVcnh	security	w10	manage	library	security	medium	iaanw	iawilt	08/25/2017

Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard

Applies to:

Windows 10, version 1709
Enhanced Mitigation Experience Toolkit version 5.5 (latest version)

Audience

Enterprise security administrators

Important

If you are currently using EMET you should be aware that EMET will reach end of life on July 31, 2018. You should consider replacing EMET with Exploit protection in Windows 10.

You can convert an existing EMET configuration file into Exploit protection to make the migration easier and keep your existing settings.

The Enhanced Mitigation Experience Toolkit (EMET) is a stand-alone product that is available on earlier versions of Windows and provides a number of system- and app-based mitigations against known exploit techniques.

After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it.

In Windows 10, version 1709 (also known as the Fall Creators Update), we released Windows Defender Exploit Guard, which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits.

Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.

Feature comparison

The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.

	Windows Defender Exploit Guard	EMET
Windows versions	[!includeCheck mark yes] All versions of Windows 10 starting with version 1709	[!includeCheck mark yes] Windows 8.1; Windows 8; Windows 7 Cannot be installed on Windows 10, version 1709 and later
Installation requirements	Windows Defender Security Center in Windows 10 (no additional installation required) Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment.	Available only as an additional download and must be installed onto a management device
User interface	Modern interface integrated with the Windows Defender Security Center	Older, complex interface that requires considerable ramp-up training
Supportability	[!includeCheck mark yes] Throughout the Windows 10 support lifecycle	[!includeCheck mark no] Ends after July 31, 2018
Updates	[!includeCheck mark yes] Ongoing updates and development of new features, released twice yearly as part of the Windows 10 semi-annual update channel	[!includeCheck mark no] No planned updates or development
Exploit protection	[!includeCheck mark yes] All EMET mitigations plus new, specific mitigations (see table)	[!includeCheck mark yes] Limited set of mitigations
Attack surface reduction	[!includeCheck mark yes] Configuration of individual rules	[!includeCheck mark yes] Limited ruleset configuration only for modules (no processes)
Network protection	[!includeCheck mark yes] Available	[!includeCheck mark no] Not available
Controlled folder access	[!includeCheck mark yes] Available and configurable for apps and folders	[!includeCheck mark no] Not available
Configuration with Group Policy	[!includeCheck mark yes] Available	[!includeCheck mark yes] Available
Configuration with GUI (user interface)	[!includeCheck mark yes] Windows-based configuration	[!includeCheck mark yes] Requires installation and use of EMET tool
Configuration with shell tools	[!includeCheck mark yes] PowerShell	[!includeCheck mark yes] Requires use of EMET tool (EMET_CONF)
System Center Configuration Manager	[!includeCheck mark yes] Available	[!includeCheck mark no] Not available
Microsoft Intune	[!includeCheck mark yes] Available	[!includeCheck mark no] Not available
Reporting	[!includeCheck mark yes] With Windows event logs and full audit mode reporting Full integration with Windows Defender Advanced Threat Protection	[!includeCheck mark yes] Limited Windows event log monitoring
Audit mode	[!includeCheck mark yes] Available	[!includeCheck mark no] Limited to EAF, EAF+, and anti-ROP mitigations

Mitigation comparison

The mitigations available in EMET are included in Windows Defender Exploit Guard, under the Exploit protection feature.

The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.

Mitigation	Available in Windows Defender Exploit Guard	Available in EMET
Arbitrary<A0>code<A0>guard<A0>(ACG)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]<br<62>/>As<41>"Memory<72>Protection<6F>Check"
Block<A0>remote<A0>images	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes] As<A0>"Load<61>Library<72>Check"
Block<A0>untrusted<A0>fonts	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Data<A0>Execution<A0>Prevention<A0>(DEP)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Export<A0>address<A0>filtering<A0>(EAF)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Force<A0>randomization<A0>for<A0>images<A0>(Mandatory<72>ASLR)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
NullPage<A0>Security<A0>Mitigation	[!includeCheck<A0>mark<A0>yes]<br<62>/>Included<65>natively<6C>in<69>Windows<77>10	[!includeCheck<A0>mark<A0>yes]
Randomize<A0>memory<A0>allocations<A0>(Bottom-Up<55>ASLR)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Simulate<A0>execution<A0>(SimExec)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>API<A0>invocation<A0>(CallerCheck)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>exception<A0>chains<A0>(SEHOP)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>stack<A0>integrity<A0>(StackPivot)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Certificate<A0>trust<A0>(configurable<6C>certificate<74>pinning)	No<A0>longer<A0>supported<A0>by<A0>the<A0>industry<A0>as<A0>newer<A0>mitigations<A0>provide<A0>better<A0>protection<A0>with<A0>fewer<A0>errors	[!includeCheck<A0>mark<A0>yes]
Heap<A0>spray<A0>allocation	Ineffective<A0>against<A0>modern<A0>browser<A0>exploits,<2C>newer<65>mitigations<6E>provide<64>better<65>protection	[!includeCheck<A0>mark<A0>yes]
Block<A0>low<A0>integrity<A0>images	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Code<A0>integrity<A0>guard	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Disable<A0>extension<A0>points	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Disable<A0>Win32k<A0>system<A0>calls	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Do<A0>not<A0>allow<A0>child<A0>processes	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Import<A0>address<A0>filtering<A0>(IAF)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>handle<A0>usage	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>heap<A0>integrity	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>image<A0>dependency<A0>integrity	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]

Note

The Advanced ROP mitigations that are available in EMET refer to additional configuration options for other mitigations, such as "Memory protection checks" and "Load library checks". These mitigations have been included in Windows Defender Exploit Guard with enhancements that natively increase the protection beyond those options in EMET.

Table A-Z mitigations

Mitigation	Available in Windows Defender Exploit Guard	Available in EMET
Arbitrary<A0>code<A0>guard<A0>(ACG)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]<br<62>/>As<41>"Memory<72>Protection<6F>Check"
Block<A0>low<A0>integrity<A0>images	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Block<A0>remote<A0>images	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes] As<A0>"Load<61>Library<72>Check"
Block<A0>untrusted<A0>fonts	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Certificate<A0>trust<A0>(configurable<6C>certificate<74>pinning)	No<A0>longer<A0>supported<A0>by<A0>the<A0>industry<A0>as<A0>newer<A0>mitigations<A0>provide<A0>better<A0>protection<A0>with<A0>fewer<A0>errors	[!includeCheck<A0>mark<A0>yes]
Code<A0>integrity<A0>guard	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Data<A0>Execution<A0>Prevention<A0>(DEP)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Disable<A0>extension<A0>points	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Disable<A0>Win32k<A0>system<A0>calls	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Do<A0>not<A0>allow<A0>child<A0>processes	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Export<A0>address<A0>filtering<A0>(EAF)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Force<A0>randomization<A0>for<A0>images<A0>(Mandatory<72>ASLR)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Heap<A0>spray<A0>allocation	Ineffective<A0>against<A0>modern<A0>browser<A0>exploits,<2C>newer<65>mitigations<6E>provide<64>better<65>protection	[!includeCheck<A0>mark<A0>yes]
Import<A0>address<A0>filtering<A0>(IAF)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
NullPage<A0>Security<A0>Mitigation	[!includeCheck<A0>mark<A0>yes]<br<62>/>Included<65>natively<6C>in<69>Windows<77>10	[!includeCheck<A0>mark<A0>yes]
Randomize<A0>memory<A0>allocations<A0>(Bottom-Up<55>ASLR)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Simulate<A0>execution<A0>(SimExec)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>API<A0>invocation<A0>(CallerCheck)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>exception<A0>chains<A0>(SEHOP)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>handle<A0>usage	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>heap<A0>integrity	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>image<A0>dependency<A0>integrity	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>stack<A0>integrity<A0>(StackPivot)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]

Table WDEG yes > EMET no > Emet > yes

Mitigation	Available in Windows Defender Exploit Guard	Available in EMET
Block<A0>low<A0>integrity<A0>images	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Code<A0>integrity<A0>guard	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Disable<A0>extension<A0>points	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Disable<A0>Win32k<A0>system<A0>calls	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Do<A0>not<A0>allow<A0>child<A0>processes	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Import<A0>address<A0>filtering<A0>(IAF)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>handle<A0>usage	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>heap<A0>integrity	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Validate<A0>image<A0>dependency<A0>integrity	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>no]
Heap<A0>spray<A0>allocation	Ineffective<A0>against<A0>modern<A0>browser<A0>exploits,<2C>newer<65>mitigations<6E>provide<64>better<65>protection	[!includeCheck<A0>mark<A0>yes]
Certificate<A0>trust<A0>(configurable<6C>certificate<74>pinning)	No<A0>longer<A0>supported<A0>by<A0>the<A0>industry<A0>as<A0>newer<A0>mitigations<A0>provide<A0>better<A0>protection<A0>with<A0>fewer<A0>errors	[!includeCheck<A0>mark<A0>yes]
NullPage<A0>Security<A0>Mitigation	[!includeCheck<A0>mark<A0>yes]<br<62>/>Included<65>natively<6C>in<69>Windows<77>10	[!includeCheck<A0>mark<A0>yes]
Block<A0>untrusted<A0>fonts	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Data<A0>Execution<A0>Prevention<A0>(DEP)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Export<A0>address<A0>filtering<A0>(EAF)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Force<A0>randomization<A0>for<A0>images<A0>(Mandatory<72>ASLR)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Randomize<A0>memory<A0>allocations<A0>(Bottom-Up<55>ASLR)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Simulate<A0>execution<A0>(SimExec)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>API<A0>invocation<A0>(CallerCheck)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>exception<A0>chains<A0>(SEHOP)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Validate<A0>stack<A0>integrity<A0>(StackPivot)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]
Arbitrary<A0>code<A0>guard<A0>(ACG)	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes]<br<62>/>As<41>"Memory<72>Protection<6F>Check"
Block<A0>remote<A0>images	[!includeCheck<A0>mark<A0>yes]	[!includeCheck<A0>mark<A0>yes] As<A0>"Load<61>Library<72>Check"

18 KiB Raw Blame History Unescape Escape