
Memory Protection

Memory protection provides different options for handling memory exploits, including process injections and escalations. You can also add executable files to an exclusion list, allowing these files to run when this policy is applied.
Each violation type can be set to one of the following options:
  • Alert: The agent will record the violation and report the incident to the console.
  • Ignore: The agent will not take any action against identified memory violations.
  • Block: If an application attempts to call a memory violation process, the agent will block the process call. The application that made the call is allowed to continue to run.
  • Terminate: If an application attempts to call a memory violation process, the agent will block the process call and will also terminate the application that made the call.
Exclude Executable Files
Exclude executable files from Memory Protection by specifying the relative path of the file. On Windows, you can also specify the absolute file path. This will allow the specified files to run or be installed on any device within that policy. After applying the exclusion, all instances of that process must be terminated to stop the driver from injecting into it.
A relative path exclusion is not tied to one location: for example, a short relative path exclusion for a run.exe file in a folder named app will exclude any run.exe executable inside any folder named app, so use shortened relative path exclusions with caution.
  • Windows Example (relative path) — \Application\Subfolder\application.exe
  • Windows Example (absolute path) — C:\Application\Subfolder\application.exe
  • Linux Example — /opt/application/executable
  • Linux Example, exclusion for Dynamic Library Files — /executable.dylib
  • macOS Example, exclusion without spaces — /Applications/SampleApplication.app/Contents/MacOS/executable
  • macOS Example, exclusion with spaces — /Applications/Sample Application.app/Contents/MacOS/executable
  • macOS Example, exclusion for Dynamic Library Files — /executable.dylib
For information about using wildcards for exclusions, see Use wildcards in memory protection exclusions.
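The following is an added example, not code from the product documentation or from the vendor. It models one plausible reading of the exclusion rules above (a relative path matches any executable whose full path ends with those path components; an absolute Windows path, one with a drive letter, must match exactly) so that an administrator can audit how many inventoried executables a proposed exclusion would cover before saving it to a policy. The matching rules, the `Exclusion` class, the `audit` function and the inventory paths are all assumptions or constructed sample data, not the agent's actual matching algorithm.

```python
"""
Added example (not part of the product documentation): a model of how a
relative-path exclusion could match executables, used to audit how broad an
exclusion is before applying it to a Memory Protection policy.

Assumptions (not the vendor's implementation):
  * A relative exclusion matches any executable whose full path ends with the
    exclusion's path components (component-aligned, case-insensitive on
    Windows), which is what "any run.exe inside a folder named app" describes.
  * A Windows exclusion that carries a drive letter is absolute and must match
    the whole path exactly.
  * On Linux and macOS, every exclusion is treated as relative, so a short
    path such as /executable.dylib matches that file name in any directory.
"""
from __future__ import annotations

import ntpath
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Exclusion:
    path: str
    platform: str  # "windows", "linux" or "macos"


def _split(path: str, platform: str) -> list[str]:
    """Split a path into non-empty components using the platform's separator."""
    if platform == "windows":
        parts = ntpath.normpath(path).lower().split("\\")
    else:
        parts = posixpath.normpath(path).split("/")
    return [p for p in parts if p]


def is_absolute_windows(path: str) -> bool:
    """True when the Windows path carries a drive letter, e.g. C:\\..."""
    return ntpath.splitdrive(path)[0] != ""


def matches(exclusion: Exclusion, process_path: str) -> bool:
    """Return True if the exclusion would cover the executable at process_path."""
    excl_parts = _split(exclusion.path, exclusion.platform)
    proc_parts = _split(process_path, exclusion.platform)
    if not excl_parts:
        return False
    if exclusion.platform == "windows" and is_absolute_windows(exclusion.path):
        # Absolute Windows exclusion: the whole path must match.
        return excl_parts == proc_parts
    # Relative exclusion: compare against the tail of the process path,
    # component by component, so "\app\run.exe" covers "...\anything\app\run.exe".
    return proc_parts[-len(excl_parts):] == excl_parts


def audit(exclusion: Exclusion, inventory: list[str]) -> list[str]:
    """List every inventoried executable the exclusion would cover.

    Run this before saving an exclusion: a long result for a short relative
    path is exactly the over-broad exclusion the documentation warns about.
    """
    return [p for p in inventory if matches(exclusion, p)]


# Constructed inventory of executable paths (sample data, not from any real
# environment).
WINDOWS_INVENTORY = [
    r"C:\Application\Subfolder\application.exe",
    r"C:\Program Files\Vendor\Application\Subfolder\application.exe",
    r"C:\Users\alice\Downloads\app\run.exe",
    r"D:\builds\app\run.exe",
    r"C:\Windows\System32\run.exe",
]

MACOS_INVENTORY = [
    "/Applications/Sample Application.app/Contents/MacOS/executable",
    "/Users/bob/Sample Application.app/Contents/MacOS/executable",
    "/usr/local/lib/executable.dylib",
]

if __name__ == "__main__":
    for excl in (
        Exclusion(r"\app\run.exe", "windows"),
        Exclusion(r"C:\Application\Subfolder\application.exe", "windows"),
        Exclusion(r"\Application\Subfolder\application.exe", "windows"),
    ):
        print(f"{excl.path!r} covers {audit(excl, WINDOWS_INVENTORY)}")
    for excl in (
        Exclusion("/Applications/Sample Application.app/Contents/MacOS/executable", "macos"),
        Exclusion("/executable.dylib", "macos"),
    ):
        print(f"{excl.path!r} covers {audit(excl, MACOS_INVENTORY)}")
```

Under these assumed rules, the two-component exclusion `\app\run.exe` covers every `run.exe` under any folder named `app` on any drive, while the absolute form with a drive letter covers one file only; comparing the two result lists is the check worth doing before choosing the shorter form.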
If you save an exclusion without adding at least one violation type to ignore, the exclusion is applied to both memory protection and script control events. Adding at least one violation type to ignore means the exclusion is applied to memory protection only.
Ignore Specific Violation Types
When you add an exclusion, select this checkbox to ignore a file violation based on any or all of the following:
  • Violation categories (for example, Exploitation, Process Injection, Escalation)
  • Individual violation types under each category (for example, Stack Pivot, Remote Allocation of Memory, Zero Allocate, and so on)
When adding exclusions to a Memory Protection device policy, if you want the policy to apply to memory protection violations only and not script control violations, specify at least one violation type that you want to ignore. If you do not select any violation types to ignore, a warning message appears and the exclusion will apply to both Memory Protection and Script Control policies.
For existing Memory Protection policies:
  • If the “Ignore Specific Violation Types” exclusion setting is already checked but the Script Control policy is not enabled, no action is required.
  • If the “Ignore Specific Violation Types” exclusion setting is unchecked and you want to ensure the policy is applied to memory protection violations only (and not script control), you must check it and specify at least one violation type that you want to ignore.
If you edit an existing policy and add an exclusion, the “Ignore specific violation types” checkbox is not displayed until you modify the violation type (for example, move it from block to terminate or alert).
For each file that has specific violation types that are ignored, you can view detailed information, edit, or delete the settings.