Brief look at Data Execution Protection (XP)
Results 1 to 3 of 3

Thread: Brief look at Data Execution Protection (XP)

  1. #1
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    Exclamation Brief look at Data Execution Protection (XP)

    [Relates to Microsoft operating system]

    If you've downloaded and installed Windows XP Service Pack 2 (SP2) you are using Data Execution Protection (DEP) by default.
    During installation of Windows XP SP2, the OptIn policy level is enabled by default unless a different policy level is specified in an unattended installation and by default, DEP is only turned on for essential Windows operating system programs and services.

    What is DEP?
    Data execution prevention (DEP) helps prevent damage from viruses and from other security threats that attack by executing malicious code from memory locations that only Windows and other programs should use. This kind of security threat causes damage by taking over one or more memory locations that are in use by a program. Then it spreads, and it harms other programs, files, and even your e-mail contacts.

    Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory safely. To do this, DEP software works alone or with compatible microprocessors to mark some memory locations as "non-executable." If a program tries to run code from a protected location, DEP closes the program and notifies you. This action occurs even if the code is not malicious.

    Where are simplified DEP options?
    Designed for end users.
    You can find DEP options by right clicking, "My Computer, Properties, Advanced, Settings, Data Execution Prevention."
    If either one of the two options shown are checkmarked, DEP is installed and running.
    Of course there are conditions under which DEP is not installed and no options are available.

    What other DEP options are available?
    Designed for IT Professionals or ISVs.
    System-wide DEP configurations can be modified/controlled using a few methods.
    The Boot.ini file can be modified directly with scripting mechanisms (Group policy), manual configuration or with the Bootcfg.exe tool which is included as part of Windows XP SP2.
    Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP;
    1) OptIn
    2) OptOut
    3) AlwaysOn
    4) AlwaysOff

    Configuration for DEP is controlled through Boot.ini switches, /noexecute=policy_level where policy_level is defined as OptIn, OptOut, AlwaysOn, or AlwaysOff.
    A sample configuration in boot.ini is:
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Pro" /fastdetect /NoExecute=OptOut

    Option Explanations:

    OptIn
    (default configuration)
    On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that “opt-in,”
    With this option, only Windows system binaries are covered by DEP by default.

    OptOut
    DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using System in Control Panel.
    IT Pros and Independent Software Vendors (ISVs) can use the Application Compatibility Toolkit to opt-out one or more applications from DEP protection. System Compatibility Fixes (“shims”) for DEP do take effect.

    AlwaysOn
    This provides full DEP coverage for the entire system. All processes always run with DEP applied. The exceptions list for exempting specific applications from DEP protection is not available. System Compatibility Fixes (“shims”) for DEP do not take effect. Applications which have been opted-out using the Application Compatibility Toolkit run with DEP applied.

    AlwaysOff
    This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor will run in Physical Address Extension mode (PAE) with 32-bit versions of Windows unless the /NOPAE option is also present in the boot entry.


    Further DEP technical information and advanced configuration can be found at:
    http://www.microsoft.com/technet/pro.../sp2mempr.mspx
    and
    http://msdn.microsoft.com/library/de...prevention.asp
    ZT3000
    Beta tester of "0"s and "1"s"

  2. #2
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662

    Bother.

    You must spread your AntiPoints around before giving it to ZT3000 again.
    Bother it all. Good tutorial, I didn't know about this before.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  3. #3
    Senior Member
    Join Date
    Feb 2005
    Posts
    150
    I never new that DEP existed nor even running on my Win XP SP2 machine. Thanks for the info.
    This is what the the Microsoft Support Center/Help says on how it works:
    "Understanding Data Execution PreventionData Execution Prevention (DEP) helps prevent damage from viruses and other security threats that attack by running (executing) malicious code from memory locations that only Windows and other programs should use. This type of threat causes damage by taking over one or more memory locations in use by a program. Then it spreads and harms other programs, files, and even your e-mail contacts.

    Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory safely. To do this, DEP software works alone or with compatible microprocessors to mark some memory locations as "non-executable". If a program tries to run code—malicious or not—from a protected location, DEP closes the program and notifies you.

    DEP can take advantage of software and hardware support. To use DEP, your computer must be running Microsoft Windows XP Service Pack 2 (SP2) or later, or Windows Server 2003 Service Pack 1 or later. DEP software alone helps protect against certain types of malicious code attacks but to take full advantage of the protection that DEP can offer, your processor must support "execution protection". This is a hardware-based technology designed to mark memory locations as non-executable. If your processor does not support hardware-based DEP, it's a good idea to upgrade to a processor that offers execution protection features" (Microsoft Help and Support Center).

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •