Device policy: Memory Protection settings
Memory protection settings specify how the agent handles memory exploits, including process injections and escalations. Add exclusions for executable or macro files that you want to allow to run.
Setting | Description |
|---|---|
Memory protection | When enabled, the CylancePROTECT Desktop agent detects various types of process calls that may be a threat and handles each type according to the options that you configure.The violation type tables below provide more information about each violation type. For each violation type, you can configure the agent to respond with one of the following actions:
|
Exclude executable or macro files: Add Exclusion | You can specify the relative path of the files that you want the CylancePROTECT Desktop agent to ignore when trying to detect memory protection threats. When you add a file to the exclusion list, you allow the file to be installed and run on devices that are assigned the policy.When you add an exclusion, you specify the relative path of the file and the violation types that you want to ignore. On Windows devices, you can also specify the absolute file path. Use shortened relative paths with caution because they may exclude other executables that have the same relative path.After applying the exclusion, all instances of that process must be terminated to stop the driver from injecting into it. If you save an exclusion without adding at least one violation type to ignore, the exclusion is applied to both memory protection and script control events. Adding at least one violation type to ignore means the exclusion is applied to memory protection only. Windows examples:
Linux examples:
macOS examples:
See the details below for using wildcards for executable or macro exclusions. |
Add Exclusion: Treat as DLL exclusion | Enable this setting when you want to add an exclusion for a third-party DLL. For example, if you are running third-party security products in addition to CylancePROTECT Desktop for Windows, you can add an exclusion for the appropriate .dll files so that CylancePROTECT ignores specific violations for those products.This feature supports the Malicious payload and System DLL overwrite violation types only. These violation types are supported for Windows devices only.Note the following when you specify a DLL exclusion:
|
Add Exclusion: Ignore specific violation types | Enable this setting when you add a memory protection exclusion to select the violation categories and specific violation types that you want the CylancePROTECT Desktop agent to ignore.When adding exclusions, if you want the policy to apply to memory protection violations only and not script control violations, specify at least one violation type that you want to ignore. If you do not select any violation types to ignore, a warning message appears and the exclusion will apply to both memory protection and script control policies. |
Using wildcards for executable or macro exclusions
Note the following considerations for using special characters and wildcards (*) in memory protection exclusions:
- Memory protection exclusions can include the following special characters: ^ & ' @ { } [ ] , $ = ! - # ( ) % . + ~ _ *
- OnWindowsdevices, any letter value followed by a colon (for example, C:) is supported.
- Escaping an asterisk (*) is not supported. For example, you cannot use it to exclude a file that contains an asterisk in its file name.
- When adding DLL exclusions, wildcards are not allowed.
- A * wildcard matches zero or more characters, except for the platform-specific file path separators. The file path separators are '\' onWindowsdevices, and '/' onLinuxandmacOS.
- A ** wildcard matches zero or more directories in an absolute path to exclude drives, directories, and child directories. For example,C:\MyApp\''\**\''.
- Always use ** with file path separators, such as \**\ or /**/
- The pattern **\ is valid if it is at the beginning of pattern forWindowsdevices only. It matches all directories inside all drives.
- You can use \**\ or /**/ multiple times in a path without limitation.
- Avoid using ** immediately after a drive letter or at the beginning of an exclusion. For example, C:\**\program.exe onWindowsor /**/program.dmg onmacOS, as this would exclude anything in any directory and child directories on the drive.
- For examples demonstrating the use of wildcards in memory protection exclusions, see Windows examples of wildcards used in memory protection exclusions and macOS examples of wildcards used in memory protection exclusions.
- Three asterisks (***) are not valid for exclusions because it would hide typos. For example, in the pattern "C:\***.exe", users might have wanted to type "C:\**\*.exe" but missed one "\". If "***" were treated as a single "*" it could result in different behavior than intended.
Exploitation violation types
Violation type | Supported OS | Description |
|---|---|---|
Stack pivot | Windows Linux | Detects if the stack for a thread has been replaced with a different stack. Generally, the system only allocates a single stack for a thread. An attacker might use a different stack to control execution in a way that is not blocked by Data Execution Prevention (DEP). |
Stack protect | Windows Linux | Detects if the memory protection of a thread’s stack has been modified to enable execution permission. Stack memory should not be executable, so this can mean that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt that would otherwise be blocked by Data Execution Prevention (DEP). |
Overwrite code | Windows | Detects if the code that resides in a process’s memory has been modified in a way that may indicate an attempt to bypass Data Execution Prevention (DEP). |
RAM scraping | Windows | Detects if a process is trying to read valid magnetic stripe track data from another process. Typically, this violation is associated with point of sale (POS) systems. |
Malicious payload | Windows | Detects shellcode and payloads that are associated with exploitation. This violation type supports DLL exclusions. |
System call monitoring | Windows | Detects system calls made to an application or operating system. |
Direct system calls | Windows | Detects attempts to silently inject malicious code into other processes. This violation type cannot be blocked. |
System DLL overwrite | Windows | Detects attempts to overwrite a system DLL. This violation type supports DLL exclusions. |
Dangerous COM object | Windows | Detects malicious code that has a reference to a Component Object Model (COM) object. |
Injection via APC | Windows | Detects if a process is injecting arbitrary code into a target process using an asynchronous procedure call (APC), or starting a remote thread to call LoadLibrary, or a similar function. If the action is set to alert, you can expect to see alerts for both valid and malicious injections. The alert reports the application that received the injection, but you must determine the executable source that caused the alert. For more information, see KB 92422. If the action is set to block or terminate, it prevents reported apps from running on the device even if they are valid. |
Dangerous VBA macro | Windows | Detects macros that contain dangerous implementations. Protects devices running agent version 2.1.1580 and later. Any memory protection exclusions are supported on agent version 3.0 and later. |
Process injection violation types
Violation type | Supported OS | Description |
|---|---|---|
Remote allocation of memory | Windows macOS | Detects if a process allocates memory in another process. Most allocations occur only within the same process. This might indicate an attempt to inject code or data into another process to reinforce a malicious presence on a system. |
Remote mapping of memory | macOS | Detects if a process introduces code or data into another process. This might indicate an attempt to execute code in another process and reinforce a malicious presence. |
Remote write to memory | Windows macOS | Detects if a process has modified memory in another process. This might indicate an attempt to store code or data in previously allocated memory, but it is possible that an attacker is trying to overwrite existing memory to divert execution for a malicious purpose. |
Remote write PE to memory | Windows | Detects if a process has modified memory in another process to contain an executable image. This can indicate that an attacker is attempting to execute code without first writing that code to disk. |
Remote overwrite of code | Windows | Detects if a process has modified executable memory in another process. Under normal conditions, executable memory is not modified, especially by another process. This can indicate an attempt to divert execution in another process. |
Remote unmap of memory | Windows macOS | Detects if a process has removed an executable from the memory of another process. This might indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution. |
Remote thread creation | Windows | Detects if a process has created a new thread in another process. A process’s threads are usually only created by that same process. This method can be used by an attacker to activate a malicious presence that has been injected into another process. |
Remote APC scheduled | Windows | Detects if a process has diverted the execution of another process’s thread. An attacker can use this method to activate a malicious presence that has been injected into another process. |
DYLD injection | Linux | Detects if an environment variable has been set that will cause a shared library to be injected into a launched process. Attackers can modify the list of applications or replace applications with bash scripts that allow their modules to be loaded automatically when an application starts. |
Doppelganger | Windows | Detects if a new malicious process was started from a file that has not yet been written to the file system. The file write transaction is usually rolled back after the process starts (so that the malicious file is never committed to disk), and any attempt to scan the file on disk will only see the unmodified, benign file. |
Dangerous environment variable | Windows | Detects an environment variable that might have malicious code attached to it. |
Escalation violation types
Violation type | Supported OS | Description |
|---|---|---|
LSASS read | Windows | Detects if memory belonging to the Windows Local Security Authority process has been accessed in a way that indicates an attempt to obtain user passwords. |
Zero allocate | Windows | Detects if a null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attackers can use this to setup privilege escalation by taking advantage of some known null de-reference exploit, typically in the kernel. |
Memory permission changes in other processes | Windows | Detects if a violating process has modified memory access permissions within another process. This is usually done to inject code into another process and make memory executable by modifying access permissions. |
Memory permission changes in child processes | Windows | Detects if a violating process has created a child process and has modified memory access permissions in that child process. |
Stolen system token | Windows | Detects if an access token has been modified to allow a user to bypass security access controls. |
Low integrity process start | Windows | Detects if a process has been set to run with a low integrity level. |