Auditing protection for terminated applications
To test for false positives, change the Memory Exploit Mitigation behavior so that it logs a detection but lets the application continue to run. Be aware that while a technique is in this audit mode, Memory Exploit Mitigation records the detection but does not block it, so the application is not protected for the duration of the test.
You can also monitor protection globally to see how all techniques perform.
- To audit protection for a terminated application
- Go to Policies and select a MEM policy.
- On the Details tab, under General Settings, next to the technique that terminated the application (for example, StackPvt), select the Application Coverage value. The list of applications that the technique protects appears.
- Next to the terminated application, change Protection from Default (On) to Log. Change the action to Off only after you have verified that the detection is a confirmed false positive. Both Log and Off allow the possible exploit but let the application run. Some applications are covered by multiple mitigation techniques that can block the exploit, so repeat this step for each technique individually. Legacy 14 MPx clients do not support the per-technique configuration.
- If you are not sure which application the technique terminated, change Global Protection to Log. This option overrides the action for all applications that the technique protects. You might want to use this option if you have a mix of 14.1 or later clients and legacy 14 MPx clients. Some techniques ignore any global override that specifies log only (audit mode): ForceDEP, ForceASLR, EnhASLR, and NullProt. These techniques continue to use their current actions.
- To test the application regardless of technique, under Protection for Symantec Recommended Application Coverage, next to the application, under the Protection column, uncheck Enabled. For legacy 14 MPx clients, this is the only option available.
- To monitor the protection that all techniques provide
- Enable Run in monitor mode. This setting overrides the settings for the individual techniques. Use this option if you are not sure which technique conflicts with an application. Some techniques ignore any global override that specifies log only (audit mode): ForceDEP, ForceASLR, EnhASLR, and NullProt. These techniques continue to use their current actions, so an application terminated by one of them still needs the per-application change described above.