Managing Memory Exploit Mitigation (MEM) policies

You can manage Memory Exploit Mitigation policies in both the hybrid-managed
Symantec Endpoint Protection
14.2 or cloud only managed
Endpoint Security
.
What is Memory Exploit Mitigation?
Memory Exploit Mitigation stops attacks on commonly used software applications that the vendor has not patched on Windows computers. Memory Exploit Mitigation uses various mitigation techniques to detect the exploit attempt. Each technique then either blocks the exploit, or terminates the application the exploit threatens. For example, when user on a device runs an application such as Internet Explorer, an exploit might instead launch a different application that contains malicious code. Memory Exploit Mitigation techniques can stop such a launch.
To stop an exploit, Memory Exploit Mitigation injects a DLL into a protected application. After Memory Exploit Mitigation detects the exploit attempt, it either blocks the exploit, or terminates the application the exploit threatens.
Symantec Endpoint Security
displays a notification to the user on the client computer about the detection, and logs the event in the client's Security log.
For example, the device user might see the following notification:
Symantec Endpoint Protection: Attack: Structured Exception Handler Overwrite detected. Symantec Endpoint Protection will terminate
<application name>
application
Memory Exploit Mitigation continues to block the exploit or terminate the application until the client computer runs the software version where the vulnerability is fixed.
Mitigation techniques
Memory Exploit Mitigation uses multiple types of mitigation techniques to handle exploits, depending on which technique is most appropriate for the type of application. For example, both the StackPvt and RopHeap techniques block the exploits that can attack Internet Explorer.
Memory Exploit Mitigation requirements
Memory Exploit Mitigation is only available if you have installed Intrusion Prevention. Memory Exploit Mitigation has its own set of separate signatures that are downloaded along with the intrusion prevention definitions. However, you can enable or disable intrusion prevention and Memory Exploit Mitigation independently.
In addition, you must run LiveUpdate at least once for the list of applications to appear in the MEM policy. By default, protection is enabled for all applications that appear in the policy.
See the
Symantec Endpoint Protection Manager
help for more information.
Tuning Memory Exploit Mitigation settings
The policy includes several ways to tune how the mitigation techniques that are used to detect exploits.
  • Change globally how a technique is applied to all applications.
  • Choose how a particular technique is applied to a particular application.
  • Turn protection on or off for a particular application.
The MEM policy includes a list of common applications it protects by default.
You can also manually add an application to protect. See:
You might want to tune the policy settings if you discover false positive detections. You can run the protection in audit mode and view the logs to see if you get false positive detections.
To enable notifications in
Endpoint Security
for Memory Exploit Mitigation, enable notifications in the Intrusion Prevention policy. See:
More information