Auditing protection for terminated applications

To test for false positives, you can change the Memory Exploit Mitigation action so that it logs (audits) a detection but lets the application run. While a technique is in audit mode, Memory Exploit Mitigation does not protect the application against the exploit behavior that technique detects, so restore the blocking action once you have finished testing.
You can also globally monitor protection to see how all techniques perform.
To audit protection for a terminated application
  1. Go to Policies and select a MEM policy.
  2. On the Details tab, under General Settings, find the technique that terminated the application, such as StackPvt, and select its Application Coverage value.
     The list of applications that the technique protects appears.
  3. Next to the terminated application, change Protection from Default (On) to Log.
     Change the action to Off only after you have verified that the detection really is a false positive. Both Log and Off let the application run and both allow the possible exploit to proceed; Log still records the detection so you can review it, Off does not.
     Some applications are protected by multiple mitigation techniques that each block the exploit, so repeat this step for each technique individually.
     Legacy 14 MPx clients do not support per-technique configuration.
  4. If you are not sure which application the technique terminated, change Global Protection for the technique to Log. This option overrides the action for all applications that the technique protects. You might want to use this option if you have a mix of 14.1 or later clients and legacy 14 MPx clients.
     Some techniques ignore any global override that specifies log only (audit mode): ForceDEP, ForceASLR, EnhASLR, and NullProt. These techniques continue to use their current actions.
  5. To test the application regardless of technique, under Protection for Symantec Recommended Application Coverage, find the application and uncheck Enabled in the Protection column.
     For legacy 14 MPx clients, this is the only available option.

To monitor the protection that all techniques provide
  1. Enable Run in monitor mode.
     This setting overrides the settings for individual techniques. Use it if you are not sure which technique conflicts with an application.
     Some techniques ignore any global override that specifies log only (audit mode): ForceDEP, ForceASLR, EnhASLR, and NullProt. These techniques continue to use their current actions.
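The settings above interact: a per-application Protection value, a per-technique Global Protection override, the policy-wide Run in monitor mode switch, and the application-level Enabled checkbox, with four techniques exempt from any log-only override. The following model, added here as an example and not Symantec's code, resolves the effective action for one technique/application pair according to those rules. It takes the text literally in two places that the page does not spell out explicitly: an application whose Enabled box is unchecked is treated as unprotected by every technique, and a global log-only override replaces a per-application Off as well as a per-application On. The technique names are the ones on this page; the application names and the policy values in the demo are constructed.

```python
"""Model of how a MEM policy resolves the effective action for a technique.

Illustrative model written for this page; it is not Symantec's implementation.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(str, Enum):
    ON = "Default (On)"   # block: the technique terminates the application
    LOG = "Log"           # audit: log the detection but let the application run
    OFF = "Off"           # no detection and no log for this application


# Techniques that ignore a global log-only (audit) override and keep their own action.
AUDIT_EXEMPT = frozenset({"ForceDEP", "ForceASLR", "EnhASLR", "NullProt"})


@dataclass
class MemPolicy:
    run_in_monitor_mode: bool = False
    # technique -> Global Protection value; a missing key means no global override
    global_protection: dict = field(default_factory=dict)
    # technique -> {application: per-application Protection value}
    app_protection: dict = field(default_factory=dict)
    # applications whose Enabled box under Symantec Recommended Application
    # Coverage is unchecked (assumption: no technique then protects them)
    disabled_apps: set = field(default_factory=set)


def effective_action(policy: MemPolicy, technique: str, app: str) -> Action:
    """Return the action MEM applies when `technique` fires for `app`."""
    # Unchecking Enabled removes the application from coverage for every technique.
    if app in policy.disabled_apps:
        return Action.OFF
    per_app = policy.app_protection.get(technique, {}).get(app, Action.ON)
    # Monitor mode and Global Protection = Log are both log-only overrides.
    # They win over per-application settings except for the exempt techniques.
    audit_override = (
        policy.run_in_monitor_mode
        or policy.global_protection.get(technique) == Action.LOG
    )
    if audit_override and technique not in AUDIT_EXEMPT:
        return Action.LOG
    return per_app


def allows_exploit(action: Action) -> bool:
    """Both Log and Off let a possible exploit proceed; only On stops it."""
    return action is not Action.ON


def unprotected_pairs(policy: MemPolicy, techniques, apps):
    """List the (technique, app) pairs a policy leaves in audit or off state.

    Useful as a review step before leaving a policy in place: anything listed
    here is a pair the policy does not currently block.
    """
    return sorted(
        (t, a)
        for t in techniques
        for a in apps
        if allows_exploit(effective_action(policy, t, a))
    )


if __name__ == "__main__":
    # Constructed example: StackPvt audited for one app, monitor mode on.
    demo = MemPolicy(
        run_in_monitor_mode=True,
        app_protection={"StackPvt": {"viewer.exe": Action.LOG}},
    )
    for pair in unprotected_pairs(demo, ["StackPvt", "ForceDEP"], ["viewer.exe"]):
        print("not blocked:", pair)
```

Run it after editing a policy to list every technique/application pair that the current combination of Log, Off, global override and monitor mode leaves unblocked; the exempt techniques stay in the blocking column even with monitor mode on, which is the behavior the note under each procedure describes.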