Jeremy Tavan opened the discussion with an overview of the EMET tool, including CRC's involvement in testing, deploying and promoting the toolkit.
The problem with anti-virus software is that it is reactive: the only thing an antivirus catches is something that has already been discovered. EMET instead loads a very lightweight bit of code into system processes that monitors them and terminates a process that starts behaving badly. CRC was asked to find a way to implement EMET within the GSB. A large amount of time was spent on testing functionality across a multitude of browsers, operating systems and applications. EMET 5 is the latest version of the tool as of this session. If your organization uses an antivirus other than Sophos, you may experience issues; be sure to test thoroughly.
EMET and logging: not a great solution so far. EMET logs to the system log at the moment. You could set up Splunk to forward any events from EMET.
Q: How did you manage the BitLocker suspension and re-enabling?
A: Jeremy borrowed some code and scripted an action to suspend BitLocker and schedule a task on the next reboot to un-suspend it.
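One way to script the suspend-then-resume sequence described above, as an added example that is not the script used in the session. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), an elevated shell, and that the task name and script path shown are free to use; the BitLocker-side reboot counter is the primary control and the startup task is only a fallback.

```powershell
# Added example (not the session's own script). Assumed names: task
# 'ResumeBitLockerAfterEMET' and script path under $env:ProgramData.
$OsDrive  = $env:SystemDrive                       # e.g. "C:"
$TaskName = 'ResumeBitLockerAfterEMET'
$Script   = Join-Path $env:ProgramData 'ResumeBitLocker.ps1'

# Step 1: suspend the key protectors for exactly one reboot. BitLocker
# re-arms itself after that reboot, so a failed task cannot leave the
# volume unprotected indefinitely.
Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null

# Step 2: fallback task at next startup: resume protection if the volume
# is still suspended, then remove the task and its script.
@"
`$v = Get-BitLockerVolume -MountPoint '$OsDrive'
if (`$v.ProtectionStatus -eq 'Off') { Resume-BitLocker -MountPoint '$OsDrive' }
Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false
Remove-Item -LiteralPath '$Script' -Force
"@ | Set-Content -LiteralPath $Script -Encoding UTF8

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -NonInteractive -File `"$Script`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
               -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# Step 3: confirm the volume is suspended before starting the EMET install;
# after the reboot, ProtectionStatus should read 'On' again.
(Get-BitLockerVolume -MountPoint $OsDrive).ProtectionStatus
```

Check the result after the reboot with `Get-BitLockerVolume -MountPoint $env:SystemDrive` and confirm the task no longer appears in `Get-ScheduledTask`.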
ISO will suggest, promote and provide assistance in deploying it but it will be up to departments if they want to pursue it.
Q: Regarding ongoing maintenance, how much testing would a department have to do?
A: ISO may provide an EMET template to help support organizations roll out the application but presently all application/compatibility testing has been done by CRC.
Q: How will software updates affect the user experience? Will a browser update cause repeated crashing?
A: Possibly. Ideally there would be a feedback loop between ISO and Stanford support orgs that uses feedback from service owners to update a default configuration.
Q: How many computers are you running this on now?
A: GSB has about 300-500 users using it.
Q: Do you have plans to roll this out to all CRC customers?
A: We plan on offering it out. Business Affairs is planning on doing it. It's running on our servers and GSB servers.
Q: What sort of testing did you use? Did you recreate situations where EMET would block a threat?
A: CRC used non-automated compatibility testing and did not test security responses within the apps.
Q: How did you deploy the groups? Is this an all-or-nothing thing?
A: CRC deployed first to 5, then 10, 15, 20, 50 and 100 users over a period of time. Varun says that he would not recommend mass deployments all at once.
Q: Is there a kill switch available in the event that a new antivirus system like McAfee is rolled out and EMET doesn't know how to behave?
A: Yes! There's a brief one-liner you can push through configuration management tools like BigFix that removes the EMET configuration files, effectively disabling the app.
Microsoft EMET
Proposed by Jeremy Tavan