Anti-Exploit provides on-execution protection against exploit attempts targeting known and unknown vulnerabilities in commonly used applications, such as web browsers, Microsoft Office or Adobe Reader, as well as against specific, kernel-mode post-exploitation attempts.
Compatibility
The Advanced Anti-Exploit feature is available for:
Windows for workstations
Windows for servers
macOS
Note: For Linux systems, Advanced Anti-Exploit is a preventative security control intended to identify and block Zero-Day and Advanced Persistent Threat activity and related processes in real time (on-execution). The module can perform kernel integrity checks as well as monitoring through a user-space implementation that relies on eBPF and kprobes.
Anti-Exploit is only available if you have deployed the Defense.com Endpoint Protection agent. The setup and configuration of the Anti-Exploit feature are managed via your Defense.com representative.
Configuration options
There are three settings available to configure:
System-wide detections
The anti-exploit techniques in this section monitor the system processes that are targets of exploits.
Predefined applications
The Advanced Anti-Exploit module is preconfigured with a list of common applications, such as Microsoft Office, Adobe Reader, or Flash Player, which are the most exposed to exploitation.
Additional applications
In this section, you can add and configure protection for as many other applications as you want.
System-wide mitigation
The following options are available for system-wide mitigation:
Technique | Description | Operating system |
Privilege escalation | Prevents processes from gaining unauthorized privileges and access to resources. Default action: Kill process | Windows |
LSASS process protection | Protects the LSASS process from leaking secrets such as password hashes and security settings. Default action: Block only. The recommended action is Block only; enabling reporting could result in a large number of notifications, including for any process asking for more permissions than it needs. | Windows |
Credentials monitoring | Inspects process behavior to detect unexpected credential changes for a thread. Default action: Report only | Linux |
Ptrace monitoring | Monitors the use of debugging mechanisms to detect attempts of using. Default action: Report only | Linux |
Namespace monitoring | Inspects process behavior to detect unexpected changes in the namespace of a thread. Default action: Report only | Linux |
Corruption monitoring | Monitors syscall activity to detect memory corruption attempts via crafted syscalls. Default action: Report only | Linux |
SUID monitoring | Reports all attempts to set the SUID flag on a file. Default action: Report only | Linux |
These anti-exploit techniques are enabled by default. The following actions are also available:
Kill process: immediately terminates the exploited process.
Block only: prevents the malicious process from accessing unauthorized resources, without reporting the event.
Report only: reports the event without taking any mitigation action.
Block and report: prevents the malicious process from accessing unauthorized resources and reports the event.
Application-specific techniques
The following anti-exploit techniques are available for predefined or additional applications:
Technique | Description |
ROP Emulation | Detects attempts to make the memory pages for data executable, using the Return-Oriented Programming (ROP) technique. Default action: Kill process |
ROP Stack Pivot | Detects attempts to hijack the code flow using the ROP technique, by validating the stack location. Default action: Kill process |
ROP Illegal Call | Detects attempts to hijack the code flow using the ROP technique, by validating the callers of sensitive system functions. Default action: Kill process |
ROP Stack Misaligned | Detects attempts to corrupt the stack using the ROP technique, by validating the stack address alignment. Default action: Kill process |
ROP Return to Stack | Detects attempts to execute code directly on the stack using the ROP technique, by validating the return address range. Default action: Kill process |
ROP Make Stack Executable | Detects attempts to corrupt the stack using the ROP technique, by validating the stack page protection. Default action: Kill process |
Flash Generic | Detects Flash Player exploitation attempts. Default action: Kill process |
Flash Payload | Detects attempts to execute malicious code in Flash Player, by scanning Flash objects in memory. Default action: Kill process |
VBScript Generic | Detects VBScript exploitation attempts. Default action: Kill process |
Shellcode Execution | Detects attempts to create new processes or download files using shellcode. Default action: Kill process |
Shellcode LoadLibrary | Detects attempts to execute code via network paths using shellcode. Default action: Kill process |
Anti-Detour | Detects attempts to bypass security checks for creating new processes. Default action: Kill process |
Shellcode EAF (Export Address Filtering) | Detects attempts by malicious code to access sensitive system functions from DLL exports. Default action: Kill process |
Shellcode Thread | Detects attempts to inject malicious code, by validating newly created threads. Default action: Kill process |
Anti-Meterpreter | Detects attempts to create a reverse shell, by scanning executable memory pages. Default action: Kill process |
Obsolete Process Creation | Detects attempts to create new processes using obsolete techniques. Default action: Kill process |
Child Process Creation | Blocks creation of any child process. Default action: Kill process |
Enforce Windows DEP | Enforces Data Execution Prevention (DEP) to block code execution from data pages. Default: Disabled |
Enforce Module Relocation (ASLR) | Prevents code from being loaded at predictable locations, by relocating memory modules. Default: Enabled |
Emerging Exploits | Protects against new emerging threats or exploits. Rapid updates are used for this category before more comprehensive changes can be made. Default: Enabled |
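As an added illustration (not Defense.com or Bitdefender code), the four stack-related ROP checks in the table above reduce to invariants that can be written as small functions: the stack pointer at a sensitive call must lie inside the thread's real stack (Stack Pivot) and be pointer-size aligned (Stack Misaligned), a return address must not point into the stack (Return to Stack), and no protection change may make a stack page executable (Make Stack Executable). The example assumes Linux for reading the live stack bounds from /proc/self/maps; the other addresses are constructed.

```c
/* Added example, not Defense.com or Bitdefender code: the invariants behind the
 * ROP Stack Pivot, ROP Stack Misaligned, ROP Return to Stack and ROP Make Stack
 * Executable checks, as pure functions over addresses. main() reads the real
 * stack bounds from /proc/self/maps (assumes Linux) and runs the checks live. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

typedef struct { uintptr_t lo, hi; } stack_range; /* thread stack is [lo, hi) */

/* ROP Stack Pivot: at a sensitive call the stack pointer must be inside the real stack. */
int sp_pivoted(uintptr_t sp, stack_range st) { return sp < st.lo || sp >= st.hi; }

/* ROP Stack Misaligned: the ABI keeps the stack pointer pointer-size aligned;
 * a chain built from gadgets that pop odd byte counts breaks that. */
int sp_misaligned(uintptr_t sp) { return sp % sizeof(void *) != 0; }

/* ROP Return to Stack: a return address inside the stack range means the
 * function is about to return into (and execute) stack memory. */
int ret_on_stack(uintptr_t ret, stack_range st) { return ret >= st.lo && ret < st.hi; }

/* ROP Make Stack Executable: flag an mprotect()-style request that adds
 * PROT_EXEC to any region overlapping the stack. */
int stack_made_exec(uintptr_t addr, size_t len, int prot, stack_range st) {
    return (prot & PROT_EXEC) != 0 && addr < st.hi && addr + len > st.lo;
}

/* Parse the "[stack]" line of /proc/self/maps; returns 0 if it cannot. */
int read_stack_range(stack_range *out) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long lo, hi;
    int found = 0;
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f))
        if (strstr(line, "[stack]") && sscanf(line, "%lx-%lx", &lo, &hi) == 2) {
            out->lo = (uintptr_t)lo; out->hi = (uintptr_t)hi; found = 1;
        }
    fclose(f);
    return found;
}

int main(void) {
    stack_range st;
    uintptr_t sp = (uintptr_t)__builtin_frame_address(0); /* a pointer on the real stack */
    uintptr_t fake = 0x08050000UL;                         /* constructed: a pointer outside the stack */
    if (!read_stack_range(&st)) { puts("no /proc/self/maps; skipping live demo"); return 0; }
    printf("stack [%#lx, %#lx)\n", (unsigned long)st.lo, (unsigned long)st.hi);
    printf("real sp %#lx: pivoted=%d misaligned=%d\n", (unsigned long)sp, sp_pivoted(sp, st), sp_misaligned(sp));
    printf("fake sp %#lx: pivoted=%d\n", (unsigned long)fake, sp_pivoted(fake, st));
    return 0;
}
```

A real mitigation evaluates these at hooked sensitive calls (process creation, memory protection changes) and, per the table, kills the process on a violation rather than only printing.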
It is possible to monitor additional applications, and define automated detection and response actions. Please contact your Defense.com representative to configure your Anti-Exploit functionality to meet the needs of your business.