Memory-protection techniques
Memory-protection techniques prevent malicious code execution and unauthorized attempts to gain control of a system through a buffer overflow.
The following entries describe the memory-protection techniques with their supported operating systems, default states, and generated events.
CASP - Critical Address Space Protection (mp-casp)
Description: Renders useless any code that is running from the non-code area. Code running from the non-code area is an abnormal event that usually happens when a buffer overflow is exploited.
CASP is different from the Data Execution Prevention (DEP) feature available on 64-bit Windows platforms. DEP prevents code in a non-code area from executing (usually with hardware support). CASP allows such code to execute but prevents it from making any meaningful API call, such as CreateProcess(), DeleteFile(), and others. Any meaningful exploit payload has to invoke at least one of these APIs, and because CASP blocks them the exploit fails to do any damage.
CASP is identified as mp-casp in the features list. Use the sadmin features command to view the identifiers of the supported features.
You can bypass or restore CASP on executables. You can also list or flush the executables that are bypassed by CASP. For more information, see the Configure CASP section.
Supported operating systems: 32-bit Windows 2003, Windows 2008, Windows XP, Windows XPE, WEPOS, POSReady 2009, WES 2009, Windows Vista, Windows 7, and Windows 7 Embedded
Default state: Enabled
Event generated: PROCESS_HIJACKED
NX - No execute (mp-nx)
Description: Uses the DEP feature to protect processes against exploits that try to execute code from a writable memory area (stack or heap). In addition to native DEP, NX provides granular bypass capability and raises violation events.
Windows DEP is a memory-protection technique that prevents code from running from a non-executable memory region. In most cases, code running from a non-executable memory region is an abnormal event; it mostly occurs when a buffer overflow has happened and the exploit is attempting to execute code from those regions. DEP is available on 64-bit Windows platforms.
NX is identified as mp-nx in the features list. Use the sadmin features command to view the identifiers of the supported features.
You can bypass or restore NX on executables. NX applies only to WoW64 (32-bit) processes. You can also list or flush the executables that are bypassed by NX. For more information, see the Configure NX section.
Supported operating systems: 64-bit Windows XP, Windows 2003, Windows 2008, Windows 2008 R2, Windows Vista, Windows 7, and Windows 7 Embedded. This feature is not available on the IA64 architecture.
Default state: Enabled
Event generated: NX_VIOLATION_DETECTED
VASR - Virtual Address Space Randomization (mp-vasr; subfeatures: mp-vasr-rebasing, mp-vasr-relocation, mp-vasr-randomization)
Description: Although VASR is similar to the Address Space Layout Randomization (ASLR) technique available on the Windows platform, VASR is more than just ASLR. Windows ASLR randomizes the addresses at which modules are loaded, so that an attacker cannot rely on code or data being at predictable locations. The limitation of ASLR is that every module has to opt in with a link-time flag (/DYNAMICBASE); a module built without it still loads at its preferred base address.
VASR is available on older Windows operating systems that do not support ASLR. The aim of the technique is that malicious code which expects useful functions or data to be at fixed addresses does not find them there. VASR counters ROP-based attacks with two measures:
1 Stack or heap randomization: randomize the location of the stack or heap in each process (mp-vasr-rebasing, mp-vasr-randomization).
2 Code relocation: randomize the location of code in memory (mp-vasr-relocation).
If an exploit tries to work with fixed addresses, the associated process might crash. If an application crashes while the mp-vasr-relocation feature is enabled, disable this feature and run the application again; disabling it can allow an application that crashed to run again. No event is generated.
VASR is identified as mp-vasr in the features list. Use the sadmin features command to view the identifiers of the supported features.
You can bypass or restore VASR on executables and DLLs. You can also list or flush the executables and DLLs that are protected by VASR (only for mp-vasr-rebasing). For more information, see the Configure VASR section.
Supported operating systems: 32-bit Windows XP and Windows 2003; 64-bit Windows XP and Windows 2003
Default state: Disabled
Event generated: None
Forced DLL Relocation (mp-vasr-forced-relocation)
Description: Forces relocation of Dynamic Link Libraries (DLLs) that have opted out of Windows' native ASLR feature. Certain malware relies on such DLLs always being loaded at the same, known addresses. Relocating these DLLs defeats those attacks.
Forced DLL Relocation is identified as mp-vasr-forced-relocation in the features list. Use the sadmin features command to view all identifiers of the supported features.
You can bypass or restore Forced DLL Relocation on executables, and list or flush the executables that are bypassed by Forced DLL Relocation. You can also bypass a DLL module that is loaded for a specified process. For more information, see the Configure Forced DLL relocation section.
Supported operating systems: Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 2008 (32- and 64-bit), and Windows 2008 R2 (64-bit)
Default state: Enabled
Event generated: VASR_VIOLATION_DETECTED
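The VASR and Forced DLL Relocation entries above both turn on one fact: native ASLR is opt-in per module, and Forced DLL Relocation targets the modules that did not opt in. The following Python script is an added illustration written for this page; it is not part of McAfee Application Control and does not use sadmin. It parses the DOS, COFF and optional headers of a PE image and reports whether the module opted in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), whether it opted in to DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT), and whether its relocation table was stripped (IMAGE_FILE_RELOCS_STRIPPED), the one case in which no loader can move the module at all. The function names are this example's own, and the sample images are constructed headers rather than real DLLs.

```python
import struct

# Header flags from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc data, image cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linked with /DYNAMICBASE: opted in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linked with /NXCOMPAT: opted in to DEP
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigation_flags(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    return the flags that decide whether native ASLR/DEP cover this module."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsect, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "aslr_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def forced_relocation_verdict(flags: dict) -> str:
    """Classify a module the way an operator reviewing mp-vasr-forced-relocation would."""
    if flags["aslr_opt_in"]:
        return "native ASLR already randomizes this module"
    if flags["relocs_stripped"]:
        return "cannot be relocated: relocation table stripped, always loads at its preferred base"
    return "candidate for forced relocation: opted out of ASLR but still carries relocations"


def build_sample_image(magic: int, characteristics: int, dll_chars: int) -> bytes:
    """Construct a minimal PE header (headers only, no code) as sample input.
    These are constructed test vectors for this example, not real DLLs."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0  # standard sizes for PE32+/PE32
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLES = {
    "modern.dll": build_sample_image(
        PE32_MAGIC, IMAGE_FILE_DLL,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "legacy.dll": build_sample_image(PE32_MAGIC, IMAGE_FILE_DLL, 0),
    "stripped.dll": build_sample_image(
        PE32PLUS_MAGIC, IMAGE_FILE_DLL | IMAGE_FILE_RELOCS_STRIPPED, 0),
}


if __name__ == "__main__":
    for name, image in SAMPLES.items():
        flags = pe_mitigation_flags(image)
        print(f"{name}: {flags} -> {forced_relocation_verdict(flags)}")
```

To inventory a real system, feed each module's bytes to pe_mitigation_flags (for example, open(path, "rb").read()); the headers are laid out identically on disk and in memory. Modules reported as candidates are the ones Forced DLL Relocation would move, while modules with a stripped relocation table cannot be moved by any loader and will keep loading at their preferred base.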
Configuring memory-protection techniques
Occasionally, some applications (as part of their day-to-day processing) might run code in an atypical way and so might be blocked by the memory-protection techniques. For such applications, bypass the relevant technique for that executable as described in the Configure sections.
Contact McAfee support for information on other deprecated memory‑protection techniques such as Mangling and Decoying.