Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard

Картинки по запросу Windows Defender Exploit Guard


If you are currently using EMET, you should be aware that EMET reached end of life on July 31, 2018. You should consider replacing EMET with exploit protection in Windows Defender ATP.

You can convert an existing EMET configuration file into Exploit protection to make the migration easier and keep your existing settings.

This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP.

Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.

EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.

Картинки по запросу EMET

After July 31, 2018, it will not be supported.

For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:

Feature comparison

The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.

Windows Defender Exploit Guard EMET
Windows versions All versions of Windows 10 starting with version 1709 Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later
Installation requirements Windows Security in Windows 10
(no additional installation required)
Windows Defender Exploit Guard is built into Windows — it doesn’t require a separate tool or package for management, configuration, or deployment.
Available only as an additional download and must be installed onto a management device
User interface Modern interface integrated with the Windows Security app Older, complex interface that requires considerable ramp-up training
Supportability Dedicated submission-based support channel[1]
Part of the Windows 10 support lifecycle
Ends after July 31, 2018
Updates Ongoing updates and development of new features, released twice yearly as part of the Windows 10 semi-annual update channel No planned updates or development
Exploit protection All EMET mitigations plus new, specific mitigations (see table)
Can convert and import existing EMET configurations
Limited set of mitigations
Attack surface reduction[2] Helps block known infection vectors
Can configure individual rules
Limited ruleset configuration only for modules (no processes)
Network protection[2] Helps block malicious network connections Not available
Controlled folder access[2] Helps protect important folders
Configurable for apps and folders
Not available
Configuration with GUI (user interface) Use Windows Security app to customize and manage configurations Requires installation and use of EMET tool
Configuration with Group Policy Use Group Policy to deploy and manage configurations Available
Configuration with shell tools Use PowerShell to customize and manage configurations Requires use of EMET tool (EMET_CONF)
System Center Configuration Manager Use Configuration Manager to customize, deploy, and manage configurations Not available
Microsoft Intune Use Intune to customize, deploy, and manage configurations Not available
Reporting With Windows event logs and full audit mode reporting
Full integration with Windows Defender Advanced Threat Protection
Limited Windows event log monitoring
Audit mode Full audit mode with Windows event reporting Limited to EAF, EAF+, and anti-ROP mitigations

(1) Requires an enterprise subscription with Azure Active Directory or a Software Assurance ID.

(2) Additional requirements may apply (such as use of Windows Defender Antivirus). See Windows Defender Exploit Guard requirements for more details. Customizable mitigation options that are configured with Exploit protection do not require Windows Defender Antivirus.

Mitigation comparison

The mitigations available in EMET are included in Windows Defender Exploit Guard, under the exploit protection feature.

The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.

Mitigation Available in Windows Defender Exploit Guard Available in EMET
Arbitrary code guard (ACG) As «Memory Protection Check»
Block remote images As «Load Library Check»
Block untrusted fonts
Data Execution Prevention (DEP)
Export address filtering (EAF)
Force randomization for images (Mandatory ASLR)
NullPage Security Mitigation Included natively in Windows 10
See Mitigate threats by using Windows 10 security features for more information
Randomize memory allocations (Bottom-Up ASLR)
Simulate execution (SimExec)
Validate API invocation (CallerCheck)
Validate exception chains (SEHOP)
Validate stack integrity (StackPivot)
Certificate trust (configurable certificate pinning) Windows 10 provides enterprise certificate pinning
Heap spray allocation Ineffective against newer browser-based exploits; newer mitigations provide better protection
See Mitigate threats by using Windows 10 security features for more information
Block low integrity images
Code integrity guard
Disable extension points
Disable Win32k system calls
Do not allow child processes
Import address filtering (IAF)
Validate handle usage
Validate heap integrity
Validate image dependency integrity


The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.

See the Mitigation threats by using Windows 10 security features for more information on how Windows 10 employs existing EMET technology.

РубрикиБез рубрики

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *