Memory protection provides different options for handling memory exploits, including process injections and escalations. You can also add executable files to an exclusion list, allowing these files to run when this policy is applied.
The agent will record the violation and report the incident to the console.
The agent will not take any action against identified memory violations.
If an application attempts to call a memory violation process, the agent will block the process call. The application that made the call is allowed to continue to run.
If an application attempts to call a memory violation process, the agent will block the process call and will also terminate the application that made the call.
Exclude Executable Files
Exclude executable files from Memory Protection by specifying the relative path of the file. On Windows, you can also specify the absolute file path. This will allow the specified files to run or be installed on any device within that policy. After applying the exclusion, all instances of that process must be terminated to stop the driver from injecting into it.
This will exclude any "run.exe" executables inside of a folder named app, so use shortened relative path exclusions with caution.
For information about using wildcards for exclusions, see Use wildcards in memory protection exclusions.
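To check how far a shortened relative path reaches before saving it, the following added example (not part of the product or its documentation) audits proposed exclusions against an inventory of executable paths. It assumes a relative exclusion matches on trailing path components, case-insensitively, and that an absolute exclusion must match the full path; the inventory, the paths, and the function names `covers` and `audit` are constructed for illustration, and wildcards are not handled.

```python
from pathlib import PureWindowsPath

# Constructed inventory of executable paths (sample data, not from a real device).
INVENTORY = [
    r"C:\Program Files\Vendor\app\run.exe",      # the file the admin means to exclude
    r"D:\scratch\app\run.exe",                   # unrelated copy in another "app" folder
    r"D:\tools\webapp\run.exe",                  # folder is "webapp", not "app"
    r"C:\Program Files\Vendor\app\bin\run.exe",  # one level deeper
]

def _parts(path):
    """Lower-cased path components without the drive/root anchor."""
    p = PureWindowsPath(path)
    return [c.lower() for c in p.parts if c != p.anchor]

def covers(exclusion, exe_path):
    """Assumed model: a relative exclusion matches when its components equal
    the trailing components of the path; an absolute one must match fully."""
    ex, target = PureWindowsPath(exclusion), PureWindowsPath(exe_path)
    ex_parts, target_parts = _parts(exclusion), _parts(exe_path)
    if not ex_parts:
        return False
    if ex.drive:  # absolute exclusion (Windows only, per the text above)
        return ex.drive.lower() == target.drive.lower() and ex_parts == target_parts
    return target_parts[-len(ex_parts):] == ex_parts

def audit(exclusions, inventory=INVENTORY):
    """Map each proposed exclusion to every inventoried file it would cover."""
    return {e: [p for p in inventory if covers(e, p)] for e in exclusions}

if __name__ == "__main__":
    proposed = [r"\app\run.exe", r"\Program Files\Vendor\app\run.exe",
                r"C:\Program Files\Vendor\app\run.exe"]
    for excl, hits in audit(proposed).items():
        flag = "REVIEW: covers more than one file" if len(hits) > 1 else "ok"
        print(f"{excl}  [{flag}]")
        for h in hits:
            print(f"    {h}")
```

Run it against a real inventory export by passing your own list of paths as the second argument to `audit`.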
If you save an exclusion without adding at least one violation type to ignore, the exclusion is applied to both memory protection and script control events. Adding at least one violation type to ignore means the exclusion is applied to memory protection only.
Ignore Specific Violation Types
When you add an exclusion, select this checkbox to ignore a file violation based on any or all of the following:
When adding exclusions to a Memory Protection device policy, if you want the policy to apply to memory protection violations only and not script control violations, specify at least one violation type that you want to ignore. If you do not select any violation types to ignore, a warning message appears and the exclusion will apply to both Memory Protection and Script Control policies.
For existing Memory Protection policies:
If you edit an existing policy and add an exclusion, the “Ignore specific violation types” checkbox is not displayed until you modify the violation type (for example, move it from block to terminate or alert).
For each file that has specific violation types that are ignored, you can view detailed information, edit, or delete the settings.