What Is Data Execution Prevention (DEP)?

[harlan4096]

Data Execution Prevention (DEP) is a Microsoft security technology (for Windows operating systems) that prevents malicious code from being executed from system memory locations. By using a set of hardware and software technologies DEP is performing additional checks in memory to help protect against exploits.

Malware may be executing malicious code from memory locations that ought to only be utilized by Windows or other accepted programs. If DEP detects an application on your computer that is improperly utilizing memory, it will terminate the program and notify you.

How Data Execution Prevention Works

DEP isn’t like a firewall or antivirus program and therefore doesn’t help prevent harmful programs from being installed on your computer. What Data Execution Prevention does is to carefully monitor your programs to see if they’re using the system memory safely, by marking specific memory locations as “non-executable”, and monitoring programs that are attempting to run malicious code from a protected location.

Let’s say that an application attempts to run malicious code from a protected page. in this case, the application will receive an exception having the status code STATUS_ACCESS_VIOLATION, this can be happening because your DEP application is configured to start at the system boot in line with the no-execute page protection policy setting within the boot configuration data and counting on the policy setting, a particular application can change the DEP setting for this process.

DEP is enforced by hardware and by software:

Hardware-enforced DEP

Marks all memory locations during a process as non-executable unless the placement explicitly contains executable code, therefore helping prevent specific attacks by intercepting them and raising an exception.

Relying on processor hardware to mark memory with an attribute indicating that code shouldn’t be executed from that memory, it functions by changing a bit within the page table entry to create a mark on the particular memory page.

The actual hardware implementation of Data Execution Prevention and marking of the virtual memory page varies by processor architecture, but processors that support hardware-enforced DEP are capable of raising an exception when code is executed from a page marked with the suitable attribute set.

Software-enforced DEP

Windows has added an extra set of data execution prevention security checks, also called software-enforced DEP, designed to mitigate exploits of exception handling mechanisms in Windows. Software-enforced DEP can run on any processor capable of running Windows XP SP2 and above.

Should You Disable Data Execution Prevention?It isn’t recommended to have DEP turned off, as this automatically monitors essential Windows programs and services.

You can increase your protection by having DEP monitor all programs, therefore you ought to keep in mind that disabling Data Execution Prevention or adding exclusions may allow malicious scripts to execute and cause severe damage to Windows which can leave your PC permanently unstable and/or unusable state.

If you switch off Data Execution Prevention for a particular program, it would become prone to attack. A successful attack could then spread to other programs on your computer, to your contacts, and will damage your files. If you believe that a program doesn’t run correctly when DEP is turned on, check for a DEP-compatible version or update from the software publisher before you modify any Data Execution Prevention settings.

How To Configure Data Execution PreventionDEP is enabled by default for essential Windows operating system programs and services.

You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.
...

Continue Reading