Memory protection violation types

The stack for a thread has been replaced with a different stack. Generally, the system only allocates a single stack for a thread. An attacker might use a different stack to control execution in a way that is not blocked by Data Execution Prevention (DEP).

The memory protection of a thread’s stack has been modified to enable execution permission. Stack memory should not be executable, so this can mean that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt that would otherwise be blocked by Data Execution Prevention (DEP).

Code that resides in a process’s memory has been modified using a technique that might indicate an attempt to bypass Data Execution Prevention (DEP).

A process is trying to read valid magnetic stripe track data from another process. Typically, this violation is associated with point of sale systems (POS).

A generic shellcode and payload detection associated with exploitation has been detected.

This memory protection violation type supports DLL exclusions.

A system call made to an application or operating system has been detected.

An attempt to silently inject malicious code into other processes has been detected. This violation type cannot be blocked.

An attempt to overwrite a system DLL has been detected.

This memory protection violation type supports DLL exclusions.

Malicious code that has a reference to a Component Object Model (COM) object has been detected.

A process that is injecting arbitrary code into the target process using an asynchronous procedure call (APC) or start remote thread to call

LoadLibrary

, or similar function has been detected.

If this policy is set to alert, you can expect to see alerts for both valid and malicious injections that take place for applications on

Windows

devices. The alert reports the application that received the injection but you must determine the executable source that caused the alert. For information about gathering the necessary data that might help you determine whether an injection was valid or malicious, visit support.blackberry.com to read KB 92422.

If this policy is set to block or terminate the application, it prevents reported applications from running on the device even if they are valid. This can cause a disruption to a user's day-to-day activities.

A macro that contains dangerous implementations has been detected.

This setting protects devices running agent version 2.1.1580 and later against malicious macros. The exclusions that are specified in the memory protection policy are supported on agent version 3.0 and later.

To protect devices running agent version 2.1.1578 and earlier against malicious macros, enable and configure the script control policy and its exclusions.

A process has allocated memory in another process. Most allocations only occur within the same process. This might indicate an attempt to inject code or data into another process to reinforce a malicious presence on a system.

A process has introduced code or data into another process. This might indicate an attempt to begin executing code in another process and thereby reinforce a malicious presence.

A process has modified memory in another process. This might indicate an attempt to store code or data in previously allocated memory (see

OutOfProcessAllocation

) but it is possible that an attacker is trying to overwrite existing memory to divert execution for a malicious purpose.

A process has modified memory in another process to contain an executable image. Generally this indicates that an attacker is attempting to execute code without first writing that code to disk.

A process has modified executable memory in another process. Under normal conditions, executable memory is not modified, especially by another process. This usually indicates an attempt to divert execution in another process.

A process has removed a

Windows

executable from the memory of another process. This might indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution.

A process has created a new thread in another process. A process’s threads are usually only created by that same process. This method is generally used by an attacker to activate a malicious presence that has been injected into another process.

macOS

*

A process has diverted the execution of another process’s thread. Generally, an attacker uses this method to activate a malicious presence that has been injected into another process.

An environment variable has been set that will cause a shared library to be injected into a launched process. Attackers can modify the list of applications such as

Safari

or replace applications with bash scripts that allow their modules to be loaded automatically when an application starts.

macOS

*

A new malicious process was started from a file that has not yet been written to the file system. The file write transaction is usually rolled back after the process starts (so that the malicious file is never committed to disk), and any attempt to scan the file on disk will only see the unmodified, benign file.

An environment variable that might have malicious code attached to it has been detected.

Memory belonging to the

Windows

Local Security Authority process has been accessed in a manner that indicates an attempt to obtain user passwords.

A null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attacks can use this to setup privilege escalation by taking advantage of some known null de-reference exploit, typically in the kernel.

macOS

*

A violating process has modified memory access permissions within another process. This is usually done to inject code into another process and make memory executable by modifying memory access permissions.

A violating process has created a child process and has modified memory access permissions in that child process.

An access token has been modified to allow a user to bypass security access controls.

A process has been set to run with a low integrity level.