Memory-protection techniques

Memory-protection techniques prevent or thwart malware execution and unauthorized attempts to gain control of a system through a buffer overflow. Application Control offers multiple memory-protection techniques to prevent zero-day attacks and to protect the integrity of running process executables and DLLs.

These techniques complement the protection offered by Windows security features and by signature-based buffer overflow protection products. They are available on all supported Windows operating systems. At a high level, the memory-protection techniques prevent two kinds of exploits.

  • Buffer overflow followed by direct code execution.
  • Buffer overflow followed by indirect code execution using Return-Oriented Programming (ROP).

For a detailed and updated list of the exploits prevented by the memory-protection techniques, subscribe to McAfee Threat Intelligence Services (MTIS) security advisories.

This table describes each memory-protection technique with its supported operating systems, default state, and the event it generates.

Technique: CASP — Critical Address Space Protection (mp-casp)

Description:

CASP is a memory-protection technique that renders useless any shellcode running from a non-code area. Code running from a non-code area is abnormal and usually results from a buffer overflow.

CASP allows code to execute from a non-code area but prevents that code from invoking meaningful API calls, such as CreateProcess() and DeleteFile(). Practically any exploit payload must invoke at least one such API; because CASP blocks these calls, the exploit fails to do any damage.

Note: When you use CASP, it protects all processes running on your Windows system except those processes that are already protected by the Windows protection feature.

The CASP technique is identified as mp-casp in the features list. Use the sadmin features command to view the identifiers of the supported features.

You can bypass or enforce CASP on executables. You can also list or flush the executables that are bypassed by CASP.

Supported operating systems: 32-bit and 64-bit — Windows Server 2008, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, and Windows 10 IoT Enterprise

Default state: Enabled

Event generated: PROCESS_HIJACK_ATTEMPTED

Technique: NX — No Execute (mp-nx)

Description:

The NX feature uses the Windows Data Execution Prevention (DEP) feature to protect processes against exploits that try to execute code from a writable memory area (stack or heap). mp-nx also provides a granular bypass capability and raises violation events that can be viewed in the Windows Event Viewer console.

Windows DEP prevents code from being run from a non-executable memory region. This abnormal event mostly occurs because of a buffer overflow: the malicious exploit attempts to execute code from these non-executable memory regions.

The NX technique is identified as mp-nx in the features list. Use the sadmin features command to view the identifiers of the supported features.

NX is applicable to 64-bit and 32-bit processes. You can also list or flush the executables that are bypassed by NX.

Supported operating systems: 64-bit — Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016

This feature is not available on the IA64 architecture.

Default state: Enabled

Event generated: NX_VIOLATION_DETECTED

Technique: Forced DLL Relocation (mp-vasr-forced-relocation)

Description:

This feature forces relocation of those dynamic-link libraries (DLLs) that have opted out of the Windows native ASLR feature. Some malware relies on these DLLs always being loaded at the same, known addresses. Relocating such DLLs prevents these attacks.

The Forced DLL Relocation technique is identified as mp-vasr-forced-relocation in the features list. Use the sadmin features command to view all identifiers of the supported features.

You can bypass or enforce Forced DLL Relocation on executables, list or flush the executables that are bypassed by Forced DLL Relocation, and bypass a DLL module that is loaded for the specified process.

Supported operating systems: 32-bit and 64-bit — Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, and Windows Server 2012 R2

Default state: Enabled

Event generated: VASR_VIOLATION_DETECTED
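The NX and Forced DLL Relocation entries above both hinge on flags a DLL records in its own PE header: NX_COMPAT (DEP opt-in) and DYNAMIC_BASE (ASLR opt-in). The following added example, not part of this documentation or of the Application Control product, reads those DllCharacteristics flags so an administrator can inventory which DLLs have opted out before relying on forced relocation; the function names are the example's own, and build_stub_pe produces constructed header-only images for offline testing.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
DYNAMIC_BASE = 0x0040      # image opts in to ASLR (absent on ASLR opt-out DLLs)
NX_COMPAT = 0x0100         # image opts in to DEP (NX)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no .reloc data at all


def inspect_pe(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in state recorded in a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        # relocating an image needs .reloc data; with relocations stripped,
        # the loader cannot move it even if relocation is forced
        "relocatable": not (characteristics & RELOCS_STRIPPED),
    }


def build_stub_pe(dll_chars: int, coff_chars: int = 0, pe32plus: bool = True) -> bytes:
    """Build a constructed, header-only PE image for offline testing (not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To audit a real DLL, pass the file's bytes to inspect_pe; a result with "aslr" False and "relocatable" True is exactly the kind of DLL that Forced DLL Relocation moves.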

Occasionally, an application might, as part of its normal day-to-day processing, run code in an atypical way and be prevented from running by the memory-protection techniques.