If EMET is installed on a host that is running a Carbon Black EDR sensor, information about that host’s EMET configuration is provided to the Carbon Black EDR server.

This information is displayed in the Computer Vitals panel on the Sensor Details page for each sensor. See “Managing Sensors” in the Carbon Black EDR User Guide.

Figure: The Computer Vitals panel, showing the EMET vitals and details.

Hosts without EMET installed do not include the fields for EMET status on their Sensor Details page. If EMET data is not available, that field is blank.

The following table shows the EMET-related fields that are included on the Computer Vitals panel.

Table 1. EMET Information on the Sensor Details page

Field

Description

EMET Version

The EMET toolkit version number.

EMET Exploit Action

The EMET configuration for what to do when an exploit attempt occurs:

  • Audit -- Do not kill the process, when applicable, but log the exploitation attempt.

  • Block -- Terminate the program when an exploitation attempt is detected (“Stop” in the EMET interface).

EMET Telemetry Path

If Local Telemetry mode is enabled on EMET, this field shows the path where Early Warning information is sent on the local machine. See the Microsoft EMET documentation for the Registry path for this setting.

EMET Report Settings

Identifies which Reporting checkboxes are checked in the EMET interface, which controls where mitigation events are reported on the local host. Options are one or more of:

  • Windows Event Log

  • Tray Icon

  • Early Warning

Each active option also indicates whether it is Locally or GPO configured.

Note:

If Windows Event Log is not active, Carbon Black EDR does not receive EMET events.

EMET Dump Flags

If present, identifies the type of MiniDump file created if the LocalTelemetryPath key is set.

EMET Process Count

The number of active processes that have EMET mitigations configured on the host.
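
The following added example (not Carbon Black code) shows how the fields in Table 1 can be checked across hosts for the conditions the table calls out: Audit instead of Block, Windows Event Log reporting inactive, and no protected processes. The dictionary keys mirror the field labels above; the record layout, the report-settings string format, and the sample hosts are assumptions constructed for illustration.

```python
import re

def parse_report_settings(text):
    """Map each active reporting option to 'Locally' or 'GPO'.
    Assumed format: 'Windows Event Log (GPO configured), Tray Icon (Locally configured)'."""
    pattern = r"([A-Za-z ]+?)\s*\((Locally|GPO) configured\)"
    return {name.strip(): source for name, source in re.findall(pattern, text or "")}

def audit_emet(vitals):
    """Return findings for one host's EMET fields from the Computer Vitals panel."""
    # Hosts without EMET do not carry these fields; unavailable data is blank.
    if not vitals.get("EMET Version"):
        return ["EMET fields absent or blank: no EMET data for this host"]
    findings = []
    if vitals.get("EMET Exploit Action") == "Audit":
        findings.append("Exploit Action is Audit: attempt is logged, process is not terminated")
    reporting = parse_report_settings(vitals.get("EMET Report Settings"))
    if "Windows Event Log" not in reporting:
        findings.append("Windows Event Log reporting inactive: EDR server receives no EMET events")
    if vitals.get("EMET Process Count", 0) == 0:
        findings.append("No active processes have EMET mitigations configured")
    return findings

def audit_fleet(hosts):
    """Audit every host record; hosts with an empty list need no action."""
    return {name: audit_emet(vitals) for name, vitals in hosts.items()}

# Constructed sample records (hypothetical host names and values).
HOSTS = {
    "ws-01": {
        "EMET Version": "5.52",
        "EMET Exploit Action": "Block",
        "EMET Report Settings": "Windows Event Log (GPO configured), Tray Icon (Locally configured)",
        "EMET Process Count": 12,
    },
    "ws-02": {
        "EMET Version": "5.52",
        "EMET Exploit Action": "Audit",
        "EMET Report Settings": "Tray Icon (Locally configured)",
        "EMET Process Count": 0,
    },
    "ws-03": {},  # EMET not installed: fields are not present
}

if __name__ == "__main__":
    for host, findings in audit_fleet(HOSTS).items():
        print(host, "OK" if not findings else "; ".join(findings))
```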