CylancePROTECT Desktop memory protection
Selecting this option will log any memory exploit attempts that might be considered an attack from any of the Tenant's devices to the syslog server. For full descriptions of each violation type, see memory protection violation types in the Cylance Endpoint Security Setup content.

Field | Value | Description |
---|---|---|
Action | Allowed | The event is allowed because of a policy. |
Action | Blocked | The event is blocked because of a policy. |
Action | None | The event is allowed because no policy has been defined for this violation. |
Action | Terminated | The process has been terminated. |
Device ID | [varies] | The unique ID for the device. |
Device Name | [varies] | The name of the device. |
Event Type | ExploitAttempt | A memory protection event is known as an exploit attempt. |
Event Name | Allowed | The file was allowed to run, either because it was added to an exclusion or the action was set to None (Ignore). |
Event Name | Blocked | The exploit attempt was blocked. However, if a process was started before the exploit was blocked (for example, the process was started before memory protection was enabled), the process will continue to run. |
Event Name | None | This is an alert only. No actions were taken on the exploit attempt. |
Event Name | Terminated | The exploit attempt was blocked, and any processes were terminated. |
IP Address | [varies] | The IP address or IP addresses for the device. |
Process ID | [varies] | The process ID for the event. |
Process Name | [varies] | The fully qualified path of the process. |
User Name | [varies] | The name of the user currently logged in to the device. |
Violation Type | DyldInjection | The memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords. |
Violation Type | LsassRead | The memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords. |
Violation Type | MaliciousPayload | A generic shellcode and payload detection associated with exploitation has been detected. |
Violation Type | OutOfProcessAllocation | Remote Allocation of Memory: A process has allocated memory in another process. Most allocations will only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system. |
Violation Type | OutOfProcessApc | Remote APC Scheduled. |
Violation Type | OutOfProcessCreateThread | Remote Thread Creation: A process has created a new thread in another process. A process's threads are usually only created by that same process. This is generally used by an attacker to activate a malicious presence that has been injected into another process. |
Violation Type | OutOfProcessMap | Remote Mapping of Memory: A process has allocated memory in another process. Most allocations will only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system. |
Violation Type | OutOfProcessOverwriteCode | Remote Overwrite Code: A process has modified executable memory in another process. Under normal conditions executable memory will not be modified, especially by another process. This usually indicates an attempt to divert execution in another process. |
Violation Type | OutOfProcessUnmapMemory | Remote Unmap of Memory: A process has removed a Windows executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution. |
Violation Type | OutOfProcessWrite | Remote Write to Memory: A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose. |
Violation Type | OutOfProcessWritePe | Remote Write PE to Memory: A process has modified memory in another process to contain an executable image. Generally this indicates that an attacker is attempting to execute code without first writing that code to disk. |
Violation Type | OverwriteCode | The code residing in a process's memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP). |
Violation Type | RamScraping | A process is trying to read valid magnetic stripe track data from another process. This is typically related to point-of-sale (POS) systems. |
Violation Type | StackPivot | A generic shellcode and payload detection associated with exploitation has been detected. |
Violation Type | StackProtect | The memory protection of a thread's stack has been modified to enable execution permission. Stack memory should not be executable, so this usually means that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt which would otherwise be blocked by Data Execution Prevention (DEP). |
Violation Type | ZeroAllocate | A null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attacks can use this to set up privilege escalation by taking advantage of some known null dereference exploit, typically in the kernel. |
Zone Names | [varies] | The zones associated with the device. |
Example message for memory protection events
BlackBerry Protect Desktop: Event Type: ExploitAttempt, Event Name: blocked, Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: Blocked, Process ID: 3804, Process Name: C:\AttackTest64.exe, User Name: admin, Violation Type: LSASS Read, Zone Names: (Script Test,Server Test), Device ID: e378dacb-9324-453a-b8c6-5a8406952195
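A parser for the message format shown above, written as an added example rather than BlackBerry's own code: it splits the comma-separated Key: value pairs, keeps parenthesised multi-value fields such as Zone Names intact, and canonicalises the spelling used in the message ("LSASS Read") to the table's name (LsassRead). The grouping of violation types into categories and the review heuristic in `triage` are assumptions made for this example, not part of the product.

```python
import re

# Constructed sample input: the example message given on this page.
SAMPLE = ("BlackBerry Protect Desktop: Event Type: ExploitAttempt, Event Name: blocked, "
          "Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: Blocked, "
          "Process ID: 3804, Process Name: C:\\AttackTest64.exe, User Name: admin, "
          "Violation Type: LSASS Read, Zone Names: (Script Test,Server Test), "
          "Device ID: e378dacb-9324-453a-b8c6-5a8406952195")

# "Key: value" pairs separated by ", ". Parenthesised values (IP Address, Zone Names)
# may contain commas themselves, so they are matched as a single unit.
FIELD_RE = re.compile(r"(?:^|, )([A-Za-z][A-Za-z ]*): (\([^)]*\)|[^,]*)")
LIST_FIELDS = {"IP Address", "Zone Names"}

# Violation types from the table above, grouped by what the table says they
# indicate. The grouping itself is an assumption made for this example.
CATEGORIES = {
    "credential access": {"LsassRead", "RamScraping"},
    "process injection": {"DyldInjection", "OutOfProcessAllocation", "OutOfProcessApc",
                          "OutOfProcessCreateThread", "OutOfProcessMap", "OutOfProcessOverwriteCode",
                          "OutOfProcessUnmapMemory", "OutOfProcessWrite", "OutOfProcessWritePe"},
    "exploitation": {"MaliciousPayload", "OverwriteCode", "StackPivot", "StackProtect", "ZeroAllocate"},
}
CANON = {name.lower(): name for names in CATEGORIES.values() for name in names}

def parse_event(message):
    """Split one syslog message into a dict; list-valued fields become Python lists."""
    product, _, body = message.partition(": ")
    event = {"Product": product}
    for key, value in FIELD_RE.findall(body):
        if key in LIST_FIELDS:
            value = [v.strip() for v in value.strip("()").split(",") if v.strip()]
        event[key] = value.strip() if isinstance(value, str) else value
    if "Violation Type" in event:
        # The message writes "LSASS Read"; the table calls the same type "LsassRead".
        raw = event["Violation Type"]
        event["Violation Type"] = CANON.get(raw.replace(" ", "").lower(), raw)
    return event

def categorize(violation_type):
    return next((c for c, names in CATEGORIES.items() if violation_type in names), "unknown")

def triage(event):
    """Assumed review rule: anything not enforced, or any credential-access attempt, is escalated."""
    category = categorize(event.get("Violation Type", ""))
    enforced = event.get("Action") in ("Blocked", "Terminated")
    return {"category": category, "enforced": enforced,
            "needs_review": (not enforced) or category == "credential access"}
```

Events with Action None or Allowed are the ones a SIEM rule should surface first, since the agent only observed them and the process is still running.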