Memory Protection violation types

Exploitation violation types

| Violation type | Description | Supported OS |
| --- | --- | --- |
| Stack Pivot | The stack for a thread has been replaced with a different stack. Generally, the system only allocates a single stack for a thread. An attacker might use a different stack to control execution in a way that is not blocked by Data Execution Prevention (DEP). | Windows, macOS*, Linux |
| Stack Protect | The memory protection of a thread's stack has been modified to enable execution permission. Stack memory should not be executable, so this can mean that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt that would otherwise be blocked by Data Execution Prevention (DEP). | Windows, macOS*, Linux |
| Overwrite Code | Code that resides in a process's memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP). | Windows |
| RAM Scraping | A process is trying to read valid magnetic stripe track data from another process. Typically, this violation is associated with point of sale (POS) systems. | Windows |
| Malicious Payload | Generic shellcode or an exploitation payload has been detected. | Windows |

Violation types available with agent 1580 or later

| Violation type | Description | Supported OS |
| --- | --- | --- |
| System Call Monitoring | A system call made to an application or operating system has been detected. | Windows |
| Direct System Calls | An attempt to silently inject malicious code into other processes has been detected. This violation type cannot be blocked. | Windows |
| System DLL Overwrite | An attempt to overwrite a system DLL has been detected. | Windows |
| Dangerous COM Object | Malicious code that has a reference to a Component Object Model (COM) object has been detected. | Windows |
| Injection via APC | A process that is injecting arbitrary code into a target process using an asynchronous procedure call (APC), a remote thread that calls LoadLibrary, or a similar function has been detected. If this policy is set to Alert, you can expect to see alerts for both valid and malicious injections that take place for applications on Windows devices. The alert reports the application that received the injection, but you must determine the executable source that caused the alert. For information about gathering the data that may help you determine whether an injection was valid or malicious, visit support.blackberry.com to read KB 92422. If this policy is set to Block or Terminate, it prevents any applications that are reported from running on the device even if they are valid. This can disrupt a user's day-to-day activities. Support for exclusions will be added in an upcoming release of CylancePROTECT Desktop agent 3.1. | Windows |

Violation types available with agent 3.0.1000 or later

| Violation type | Description | Supported OS |
| --- | --- | --- |
| Dangerous VBA macros | A macro that contains dangerous implementations has been detected. To protect devices running agent version 1580 and later against malicious macros, enable and configure the Memory Protection policy. The policy supports exclusions on agent version 3.0 and later. To protect devices running agent version 1578 and earlier against malicious macros, enable and configure the Script Control policy and its exclusions. | Windows |

* Supported on macOS Catalina and earlier only.

Process injection violation types

| Violation type | Description | Supported OS |
| --- | --- | --- |
| Remote Allocation of Memory | A process has allocated memory in another process. Most allocations only occur within the same process. This may indicate an attempt to inject code or data into another process to reinforce a malicious presence on a system. | macOS |
| Remote Mapping of Memory | A process has introduced code and/or data into another process. This may indicate an attempt to begin executing code in another process and thereby reinforce a malicious presence. | Windows, macOS |
| Remote Write To Memory | A process has modified memory in another process. This may indicate an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose. | Windows, macOS |
| Remote Write PE To Memory | A process has modified memory in another process to contain an executable image. Generally this indicates that an attacker is attempting to execute code without first writing that code to disk. | Windows |
| Remote Overwrite Code | A process has modified executable memory in another process. Under normal conditions executable memory will not be modified, especially by another process. This usually indicates an attempt to divert execution in another process. | Windows |
| Remote Unmap of Memory | A process has removed a Windows executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution. | Windows, macOS |
| Remote Thread Creation | A process has created a new thread in another process. A process's threads are usually only created by that same process. This is generally used by an attacker to activate a malicious presence that has been injected into another process. | Windows, macOS* |
| Remote APC Scheduled | A process has diverted the execution of another process's thread. This is generally used by an attacker to activate a malicious presence that has been injected into another process. | Windows |
| DYLD Injection | An environment variable has been set that will cause a shared library to be injected into a launched process. Attackers can modify the list of applications, such as Safari, or replace applications with bash scripts that cause their modules to be loaded automatically when an application starts. | macOS*, Linux |

Violation types available with agent 1580 or later

| Violation type | Description | Supported OS |
| --- | --- | --- |
| Doppelganger | A new, malicious process was started from a file that has not yet been written to the file system. The file write transaction is usually rolled back after the process starts (so that the malicious file is never committed to disk), and any attempt to scan the file on disk will only see the unmodified benign file. | Windows |
| Dangerous Environmental Variable | An environment variable that may have malicious code attached to it has been detected. | Windows |

* Supported on macOS Catalina and earlier only.

Escalation violation types

| Violation type | Description | Supported OS |
| --- | --- | --- |
| LSASS Read | Memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords. | Windows |
| Zero Allocate | A null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attacks can use this to set up privilege escalation by taking advantage of a known null dereference exploit, typically in the kernel. | Windows, macOS* |

Violation types available with agent 1580 or later

| Violation type | Description | Supported OS |
| --- | --- | --- |
| Memory Permission Changes in Other Processes | A violating process has modified memory access permissions within another process. This is usually done to inject code into another process and make memory executable by modifying memory access permissions. | Windows |
| Memory Permission Changes Child Processes | A violating process has created a child process and has modified memory access permissions in that child process. | Windows |
| Stolen System Token | An access token has been modified to allow a user to bypass security access controls. | Windows |
| Low Integrity Process Start | A process has been set to run with a low integrity level. | Windows |

* Supported on macOS Catalina and earlier only.