March 10th, 2005, 04:57 AM
Brief look at Data Execution Protection (XP)
[Relates to Microsoft operating system]
If you've downloaded and installed Windows XP Service Pack 2 (SP2) you are using Data Execution Protection (DEP) by default.
During installation of Windows XP SP2, the OptIn policy level is enabled by default unless a different policy level is specified in an unattended installation. By default, DEP is only turned on for essential Windows operating system programs and services.
What is DEP?
Data execution prevention (DEP) helps prevent damage from viruses and from other security threats that attack by executing malicious code from memory locations that only Windows and other programs should use. This kind of security threat causes damage by taking over one or more memory locations that are in use by a program. Then it spreads, and it harms other programs, files, and even your e-mail contacts.
Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory safely. To do this, DEP software works alone or with compatible microprocessors to mark some memory locations as "non-executable." If a program tries to run code from a protected location, DEP closes the program and notifies you. This action occurs even if the code is not malicious.
Where are simplified DEP options?
Designed for end users.
You can find DEP options by right-clicking My Computer, then choosing Properties, Advanced, Settings, Data Execution Prevention.
If either one of the two options shown are checkmarked, DEP is installed and running.
Of course there are conditions under which DEP is not installed and no options are available.
What other DEP options are available?
Designed for IT Professionals or ISVs.
System-wide DEP configurations can be modified/controlled using a few methods.
The Boot.ini file can be modified directly with scripting mechanisms (Group policy), manual configuration or with the Bootcfg.exe tool which is included as part of Windows XP SP2.
Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP;
Configuration for DEP is controlled through Boot.ini switches, /noexecute=policy_level where policy_level is defined as OptIn, OptOut, AlwaysOn, or AlwaysOff.
A sample configuration in boot.ini is:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Pro" /fastdetect /NoExecute=OptOut
OptIn
On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that “opt-in.”
With this option, only Windows system binaries are covered by DEP by default.
OptOut
DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using System in Control Panel.
IT Pros and Independent Software Vendors (ISVs) can use the Application Compatibility Toolkit to opt-out one or more applications from DEP protection. System Compatibility Fixes (“shims”) for DEP do take effect.
AlwaysOn
This provides full DEP coverage for the entire system. All processes always run with DEP applied. The exceptions list for exempting specific applications from DEP protection is not available. System Compatibility Fixes (“shims”) for DEP do not take effect. Applications which have been opted-out using the Application Compatibility Toolkit run with DEP applied.
AlwaysOff
This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor will run in Physical Address Extension mode (PAE) with 32-bit versions of Windows unless the /NOPAE option is also present in the boot entry.
Further DEP technical information and advanced configuration can be found at:
Beta tester of "0"s and "1"s
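As an added example (not part of the original post), a small Python script that audits boot.ini the way the post describes: it parses each [operating systems] entry, resolves the /noexecute policy level (treating a missing switch as OptIn, the XP SP2 default), and reports the coverage each level gives, including the PAE caveat for AlwaysOff without /NOPAE. The sample boot.ini contents are constructed.

```python
import re

# Constructed sample boot.ini (not from the original post): one entry per case the
# post describes, including an AlwaysOff entry with the /NOPAE switch.
SAMPLE_BOOT_INI = """\
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Pro" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="XP Test" /fastdetect /noexecute=AlwaysOff /NOPAE
multi(0)disk(0)rdisk(0)partition(3)\\WINDOWS="XP Legacy" /fastdetect
"""

# What each policy level covers, as described in the post.
COVERAGE = {
    "optin": "Windows system binaries only; applications must opt in",
    "optout": "all processes; Control Panel exceptions list and ACT shims honoured",
    "alwayson": "all processes; no exceptions list, ACT shims ignored",
    "alwaysoff": "no DEP coverage at all, regardless of hardware support",
}
ENTRY_RE = re.compile(r'^(?P<path>[^=\[]+)="(?P<name>[^"]*)"(?P<switches>.*)$')

def parse_boot_entries(text):
    """Return one dict (name, policy, nopae) per [operating systems] entry."""
    entries, in_os = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                # section header: track which one we are in
            in_os = line.lower() == "[operating systems]"
            continue
        m = ENTRY_RE.match(line) if in_os else None
        if not m:
            continue
        # Switches are case-insensitive; the post shows both /noexecute and /NoExecute.
        switches = [s.lower() for s in m.group("switches").split() if s.startswith("/")]
        policy = next((s.split("=", 1)[1] for s in switches if s.startswith("/noexecute=")), None)
        entries.append({"name": m.group("name"), "policy": policy, "nopae": "/nopae" in switches})
    return entries

def audit_boot_ini(text):
    """Resolve each entry's effective DEP policy and describe its coverage."""
    findings = []
    for e in parse_boot_entries(text):
        policy = e["policy"] or "optin"     # XP SP2 default when the switch is absent
        coverage = COVERAGE.get(policy, "unrecognised policy level: " + policy)
        if policy == "alwaysoff" and not e["nopae"]:
            coverage += "; 32-bit kernel still boots in PAE mode"
        findings.append({"name": e["name"], "policy": policy, "defaulted": e["policy"] is None,
                         "weak": policy == "alwaysoff", "coverage": coverage})
    return findings
```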
March 10th, 2005, 05:17 AM
Bother it all. Good tutorial, I didn't know about this before.
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
March 10th, 2005, 10:51 PM
I never knew that DEP existed, nor that it was even running on my Win XP SP2 machine. Thanks for the info.
This is what the Microsoft Support Center/Help says on how it works:
"Understanding Data Execution Prevention
Data Execution Prevention (DEP) helps prevent damage from viruses and other security threats that attack by running (executing) malicious code from memory locations that only Windows and other programs should use. This type of threat causes damage by taking over one or more memory locations in use by a program. Then it spreads and harms other programs, files, and even your e-mail contacts.
Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory safely. To do this, DEP software works alone or with compatible microprocessors to mark some memory locations as "non-executable". If a program tries to run code—malicious or not—from a protected location, DEP closes the program and notifies you.
DEP can take advantage of software and hardware support. To use DEP, your computer must be running Microsoft Windows XP Service Pack 2 (SP2) or later, or Windows Server 2003 Service Pack 1 or later. DEP software alone helps protect against certain types of malicious code attacks, but to take full advantage of the protection that DEP can offer, your processor must support "execution protection". This is a hardware-based technology designed to mark memory locations as non-executable. If your processor does not support hardware-based DEP, it's a good idea to upgrade to a processor that offers execution protection features" (Microsoft Help and Support Center).