AppGuard vs EMET (Memory Protection)

Discussion in 'other anti-malware software' started by TomAZ, Jul 19, 2013.

Thread Status:
Not open for further replies.
  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,003
    Location:
    USA
    Are AppGuard and EMET about equal when it comes to memory protection?
     
  2. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    There was a test where AppGuard outclassed EMET, which is only logical.

    EMET is free though. :)

    This thread will probably be closed as it's A vs B.
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,916
    I would say that EMET is a good addition to any security app but it cannot substitute any app. So to OP: you would better choose to use AG with or without EMET, but not EMET only.
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Are they incompatible?

    Hardly...
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    It's quite different. EMET uses techniques like DEP and ASLR and others to limit exploitation of code in memory from a process, for example by setting certain limitations to prevent making code executable or randomizing the place where the code is 'residing'. AppGuard's Memory Guard prevents Guarded processes from writing to the memory of other processes and can also prevent them from reading memory of other processes.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    I assume AppGuard also prevents other processes (EMET) from injecting DLLs? Or is there another reason why both can't be used?
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Ok so AppGuard is more like a standard HIPS, and can't be compared to EMET at all.

    I've been reading about this app, if I'm correct it's basically a sandbox HIPS.

    It's interesting but the spartan GUI is a turn off for me. :cautious:
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049

    Actually it is neither a standard HIPS nor a sandbox HIPS. It is more a policy type program like DefenseWall.

    A HIPS will alert you to a new exe trying to run. AppGuard doesn't do this.

    Pete
     
  9. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    AppGuard, like Peter said, is policy based with some "anti-execute-like" features but not really an anti-execute program either. EMET, from what I understand, was designed to be an anti-exploit type program to complement other security apps that lacked such protection. The way they protect memory is quite different. EMET makes many of the ways attackers use to exploit your machine unusable, really only putting Windows native obstacles in the way. AG isolates processes and prevents them from "hijacking" or tampering with one another. In my opinion AG's way is more forward looking and simple; unless of course AG itself has an exploit, then you would want EMET to protect AG too. :doubt:
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    @ Peter2150

    That's what I call sandbox HIPS. So no pop ups, but just restricting apps.

    @ 1000db


    I think you will always need EMET, at least if you're really paranoid.
     
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    I think that AppGuard's approach is better: it doesn't block only exe attacks or similar, but sandboxes and isolates completely the applications that can be exploited in very many ways and from many different kinds of malware, first the browsers... anyway, I couldn't live alone classical HIPSs :)
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    When I use Process Explorer or Hacker I see Emet.dll in the Guarded browser process so I think it works correctly together. In the AG log I can also see Logitech Setpoint being blocked from reading and writing to the browser's process, so I'm not sure what Emet does differently to make it work. You can add processes to the Memory Guard exception btw (read, write or both) but I haven't added Emet to exceptions, there are no blocked entries about it in the log and like I said Emet.dll is listed in the DLL list of the browser process.
     
  13. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    So, is EMET good to use to protect AppGuard from exploits? Anyone have any idea? In other regards, I think AppGuard and EMET overlap each other quite a lot but AppGuard being the stronger defender.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    No, they don't overlap, they are completely different tools. EMET is not really a HIPS, you should read this:

    http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/
     