Feature overview: Anti-Exploit

An overview of the Advanced Anti-Exploit functionality included with the Defense.com Endpoint Protection agent.

Written by Mikey Anderson
Updated over a week ago

Anti-Exploit provides on-execution protection against exploit attempts targeting known and unknown vulnerabilities in commonly used applications, such as web browsers, Microsoft Office or Adobe Reader, as well as against specific, kernel-mode post-exploitation attempts.


Compatibility

The Advanced Anti-Exploit feature is available for:

  • Windows for workstations

  • Windows for servers

  • macOS

Note: For Linux systems, Advanced Anti-Exploit is a preventative security control intended to identify and block Zero-Day and Advanced Persistent Threat activity and related processes in real time (On-Execution). The module can perform kernel integrity checks as well as monitor user-space activity, relying on eBPF and KProbes.

Anti-Exploit is only available if you have deployed the Defense.com Endpoint Protection agent. Setup and configuration of the Anti-Exploit feature are managed via your Defense.com representative.


Configuration options

There are three settings available to configure:

  • System-wide detections

    The anti-exploit techniques in this section monitor the system processes that are targets of exploits.

  • Predefined applications

    The Advanced Anti-Exploit module is preconfigured with a list of common applications, such as Microsoft Office, Adobe Reader, or Flash Player, which are the most exposed to exploitation.

  • Additional applications

    In this section, you can add and configure protection for as many other applications as you want.


System-wide mitigation

The following techniques are available for system-wide mitigation (the operating system each applies to is given in brackets):

  • Privilege escalation (Windows)

    Prevents processes from gaining unauthorised privileges and access to resources.

    Default action: Kill process

  • LSASS process protection (Windows)

    Protects the LSASS process from leaking secrets such as password hashes and security settings.

    Default action: Block only

    The recommended action is Block only. Enabling reporting could result in a large number of notifications, including for any process asking for more permissions than it needs.

  • Credentials monitoring (Linux)

    Inspects process behaviour to detect unexpected credential changes for a thread.

    Default action: Report only

  • Ptrace monitoring (Linux)

    Monitors the use of debugging mechanisms to detect attempts to use ptrace to control a privileged process. It can detect container-escape types of exploit.

    Default action: Report only

  • Namespace monitoring (Linux)

    Inspects process behaviour to detect unexpected changes in the namespace of a thread.

    Default action: Report only

  • Corruption monitoring (Linux)

    Monitors syscall activity to detect memory corruption attempts via crafted syscalls.

    Default action: Report only

  • SUID monitoring (Linux)

    Reports all attempts to set the SUID flag on a file.

    Default action: Report only

These anti-exploit techniques are enabled by default. The following mitigation actions are available:

  • Kill process: immediately ends the exploited process.

  • Block only: prevents the malicious process from accessing unauthorised resources without reporting the event.

  • Report only: reports the event without taking any mitigation action.

  • Block and report: prevents the malicious process from accessing unauthorised resources and reports the event.


Application-specific techniques

The following anti-exploit techniques are available for predefined or additional applications:

  • ROP Emulation

    Detects attempts to make data memory pages executable using the Return-Oriented Programming (ROP) technique.

    Default action: Kill process

  • ROP Stack Pivot

    Detects attempts to hijack the code flow using the ROP technique, by validating the stack location.

    Default action: Kill process

  • ROP Illegal Call

    Detects attempts to hijack the code flow using the ROP technique, by validating the callers of sensitive system functions.

    Default action: Kill process

  • ROP Stack Misaligned

    Detects attempts to corrupt the stack using the ROP technique, by validating the stack address alignment.

    Default action: Kill process

  • ROP Return to Stack

    Detects attempts to execute code directly on the stack using the ROP technique, by validating the return address range.

    Default action: Kill process

  • ROP Make Stack Executable

    Detects attempts to corrupt the stack using the ROP technique, by validating the stack page protection.

    Default action: Kill process

  • Flash Generic

    Detects Flash Player exploitation attempts.

    Default action: Kill process

  • Flash Payload

    Detects attempts to execute malicious code inside Flash Player, by scanning Flash objects in memory.

    Default action: Kill process

  • VBScript Generic

    Detects VBScript exploitation attempts.

    Default action: Kill process

  • Shellcode Execution

    Detects attempts to create new processes or download files using shellcode.

    Default action: Kill process

  • Shellcode LoadLibrary

    Detects attempts to execute code via network paths using shellcode.

    Default action: Kill process

  • Anti-Detour

    Detects attempts to bypass security checks for creating new processes.

    Default action: Kill process

  • Shellcode EAF (Export Address Filtering)

    Detects attempts by malicious code to access sensitive system functions via DLL exports.

    Default action: Kill process

  • Shellcode Thread

    Detects attempts to inject malicious code, by validating newly created threads.

    Default action: Kill process

  • Anti-Meterpreter

    Detects attempts to create a reverse shell, by scanning executable memory pages.

    Default action: Kill process

  • Obsolete Process Creation

    Detects attempts to create new processes using obsolete techniques.

    Default action: Kill process

  • Child Process Creation

    Blocks creation of any child process.

    Default action: Kill process

  • Enforce Windows DEP

    Enforces Data Execution Prevention (DEP) to block code execution from data pages.

    Default: Disabled

  • Enforce Module Relocation (ASLR)

    Prevents code from being loaded at predictable locations, by relocating memory modules.

    Default: Enabled

  • Emerging Exploits

    Protects against new emerging threats or exploits. Rapid updates are used for this category before more comprehensive changes can be made.

    Default: Enabled
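As an added illustration (not Defense.com code; the agent's own implementation is not published), the C sketch below shows the kind of validation the ROP Stack Pivot, ROP Stack Misaligned, ROP Return to Stack and ROP Illegal Call techniques describe, applied at the moment a sensitive function is entered. The stack bounds, code bytes and the x86-64 CALL encodings it recognises are constructed sample data, and every name in it is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative only. The stack range is a constructed sample; a real agent
 * would read it from the thread's own bookkeeping (on Windows, the TEB's
 * StackBase/StackLimit) rather than from a literal. */
typedef struct {
    uintptr_t stack_low;   /* lowest valid stack address */
    uintptr_t stack_high;  /* one past the highest valid stack address */
} thread_stack_t;

typedef enum {
    ROP_OK = 0,
    ROP_STACK_PIVOT,       /* stack pointer outside the thread's real stack */
    ROP_STACK_MISALIGNED,  /* stack pointer not on a machine-word boundary */
    ROP_RETURN_TO_STACK,   /* return address lies inside stack memory */
    ROP_ILLEGAL_CALL       /* return site is not preceded by a CALL */
} rop_verdict_t;

/* Caller check (x86-64): a legitimate return address follows a CALL.
 * Recognises E8 rel32, FF 15 [rip+disp32] and FF D0..D7 (call reg).
 * `site` is the return address's code bytes; `avail` is how many bytes
 * before it are readable. */
bool preceded_by_call(const uint8_t *site, size_t avail)
{
    if (avail >= 5 && site[-5] == 0xE8) return true;
    if (avail >= 6 && site[-6] == 0xFF && site[-5] == 0x15) return true;
    if (avail >= 2 && site[-2] == 0xFF && site[-1] >= 0xD0 && site[-1] <= 0xD7) return true;
    return false;
}

/* Run the four stack/caller validations on entry to a sensitive function. */
rop_verdict_t check_sensitive_call(const thread_stack_t *ts, uintptr_t sp,
                                   uintptr_t ret_addr, const uint8_t *site,
                                   size_t avail)
{
    if (sp < ts->stack_low || sp >= ts->stack_high) return ROP_STACK_PIVOT;
    if (sp % sizeof(void *) != 0) return ROP_STACK_MISALIGNED;
    if (ret_addr >= ts->stack_low && ret_addr < ts->stack_high) return ROP_RETURN_TO_STACK;
    if (!preceded_by_call(site, avail)) return ROP_ILLEGAL_CALL;
    return ROP_OK;
}

/* Constructed sample data: a 1 MiB stack range, a return site that follows
 * an E8 CALL, and one that follows only NOPs. */
static const thread_stack_t SAMPLE_STACK = { 0x7ff000000000ULL, 0x7ff000100000ULL };
static const uint8_t CODE_AFTER_CALL[] = { 0x90, 0xE8, 0x01, 0x02, 0x03, 0x04, 0xC3 };
static const uint8_t CODE_NO_CALL[]    = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xC3 };
```

The checks assume a 64-bit build, so `sizeof(void *)` is 8 and the sample addresses fit in `uintptr_t`.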


It is possible to monitor additional applications, and define automated detection and response actions. Please contact your Defense.com representative to configure your Anti-Exploit functionality to meet the needs of your business.
