If EMET is installed on a host that is running a Carbon Black EDR sensor, information about that host’s EMET configuration is provided to the Carbon Black EDR server.
This information is displayed in the Computer Vitals panel on the Sensor Details page for each sensor. See “Managing Sensors” in the Carbon Black EDR User Guide.
Hosts without EMET installed do not include the fields for EMET status on their Sensor Details page. If EMET data is not available, that field is blank.
The following table shows the EMET-related fields that are included on the Computer Vitals panel.
Field | Description |
---|---|
EMET Version | The EMET toolkit version number. |
EMET Exploit Action | The EMET configuration for what to do when an exploit attempt occurs: |
EMET Telemetry Path | If Local Telemetry mode is enabled on EMET, this field shows the path where Early Warning information is sent on the local machine. See the Microsoft EMET documentation for the Registry path for this setting. |
EMET Report Settings | Identifies which Reporting checkboxes are checked in the EMET interface, which controls where mitigation events are reported on the local host. Options are one or more of: In addition, for any active option, there will also be an indication of whether the choice is Locally or GPO configured. Note: If Windows Event Log is not active, Carbon Black EDR does not receive EMET events. |
EMET Dump Flags | If present, identifies the type of MiniDump file created if the LocalTelemetryPath key is set. |
EMET Process Count | The number of active processes that have EMET mitigations configured on the host. |