Endpoint Protection


Attack: Data Execution Protection - Execution of Non-Executable Memory

  • 1.  Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Feb 22, 2018 12:08 PM

    Hi Team

    With SEP 14 RU 1 a group of computers is showing the following event: "Detected Attack: Data Execution Protection - Execution of Non-Executable Memory, SEP will terminate ..." and the applications are iexplorer or java.

    Based on the description provided by Symantec at Security Response Attack Signatures I have the following doubts in terms of event response.

    1. The event is reoccurring frequently but the logs just show the application name, so how could the IT Security Team identify the root cause and try to avoid future events like that?

    2. How could a false positive be identified?

     

    Best Regards



  • 2.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Feb 22, 2018 12:11 PM

    Looks like it's from the Memory Exploit Mitigation component...is there any further detail showing in the Security log?



  • 3.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Feb 23, 2018 03:07 PM

    Hi Brian

     

    "is there any further detail showing in the Security log?" ... That's exactly my point, there is no detail about it.

    A colleague opened a case yesterday and the answer was: 1. Keep monitoring the systems, 2. Monitor the web pages that were active on the Internet browsers during the time of the "Data Execution Protection - Execution of Non-Executable Memory"

    So there's nothing specific to understand the next step for this detection.

     



  • 4.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Feb 23, 2018 03:24 PM

    Good point. My testing of MEM gives me nothing actionable:

    I guess I'd ask for the case to be escalated so someone in back line or dev can weigh in. I suspect additional info has to be logged *somewhere* but I cannot find anything.



  • 5.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Mar 02, 2020 11:41 AM
    We've been seeing a large uptick in these alerts. It appears to have started after the February Microsoft Updates. It is only occurring with IE11 browsers. They all appear to be false positives. We see no pattern in internet activity, nothing in the SEPM or Windows event logs. It might help us get people to stop using IE11!

    ------------------------------
    ORAU
    ------------------------------



  • 6.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted May 10, 2018 10:00 AM

    Has anyone been able to find a resolution to this?

     

    My enterprise recently moved up to SEP 14 and as of one week ago I'm seeing the same error messages for iexplorer.exe on a number of devices (Windows 8, 8.1 & 10) on both intranet & internet sites.  On the devices that have the issue, I can recreate it at will, but the security logs all show exactly the same as has already been reported.  On the devices that do not show the alert, nothing I do will cause the alert.

     

    If anyone in Symantec technical support would like any information or has any suggestions on troubleshooting/testing to help get to the resolution, I'm more than happy to help out.



  • 7.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted May 10, 2018 10:03 AM

    I can re-create it, the problem is the logs show no info other than what app was 'attacked' leaving really no ability to retrace or investigate further.



  • 8.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted May 10, 2018 01:21 PM

    Even MP2 shows the same behavior so I still have the same question.



  • 9.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Jun 08, 2018 01:55 AM

    Facing the same issue: my I.E version 8 is being blocked with the error "Attack: Data Execution Protection" since yesterday. All our core applications run in I.E; please find any workaround.



  • 10.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Jun 12, 2018 09:53 AM

    We're seeing a very similar issue, except with the Heap Spray attack. Symantec killing office applications (word, powerpoint, outlook, lync, excel), as well as IE, Adobe Acrobat and Reader, and Symantec itself (ccsvchost.exe). Like many others, working with support has been a struggle - all we've been told is that it seems to be a false positive and that we shouldn't be seeing this at this scale (approaching 50 systems with the issue) and that they want to try a reinstall of Symantec.  A mix of SEP 14.0.3897.1101 and 14.0.3929.1200 systems experiencing the issue, both Windows 7 and 10, some with May OS and Software patches, some updated to June. No rhyme or reason to it thus far, other than that it started within a single business unit last week, and then hit another single unit this week. 

     

    We've disabled the particular signature for now as a workaround. There is risk that comes with doing so - if this isn't actually a false positive as we've been told and from additional attacks with the same signature - but we had to get people back to work. What we did as a workaround was create a new Memory Exploit Mitigation Policy under Policies with the relevant signature disabled, created new groups for impacted systems under the Clients tab and disabled inheritance, and then assigned the new Memory Exploit Mitigation policy to it.



  • 11.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Jun 13, 2018 03:56 AM

    Hi Donald,

    Thanks for the post and for sharing details of your workaround. The "Reporting false positives to Security Response" section of the following document has recently been updated. Do continue to work with Tech Support and Security Response on the suspected FP so they can get to the root of the issue. There are a number of items to be collected and submitted and the investigation can take some time. (In other cases, the solution is as simple as "upgrade away from that old version of the application".) It is definitely worthwhile. MEM is a good line of defense against the techniques that certain advanced malware need in order to function.

    Hardening Windows clients against memory tampering attacks with a Memory Exploit Mitigation policy
    http://www.symantec.com/docs/HOWTO127057

     



  • 12.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Jun 13, 2018 02:19 PM

    I am experiencing this exact issue.

     

    We started experiencing it last week with IPS/ME signature June 8th R1; it was corrected by IPS signature June 8th R62. Our systems updated this morning to June 12th R2 and the issue resurfaced.

     

    My tickets on this are:

    14635966 and 14682531.

     

    Here is a link to my thread in case I get an answer you don't see in here:

    https://www.symantec.com/connect/forums/memory-exploit-mitigation-heap-stacks-blocking-officeacrobat



  • 13.  RE: Attack: Data Execution Protection - Execution of Non-Executable Memory

    Posted Jun 15, 2018 05:50 AM

    Just a ping to see if there is any update on this?

    Also adding an extra note: be sure that only one security suite or product is installed and running at any one time!  If multiple products (for example, SEP and MalwareBytes) are both attempting to interact with files at the same time they can conflict and lead to MEM events.