Version 3 (an old version of this page)

This document lists the mitigation options available on the Settings screen when you create a New Enhanced Mitigation Action, and describes the purpose of each.

Data Execution Prevention (DEP) - Prevents code from executing in areas of memory that are not explicitly marked as executable, so an attacker cannot run code placed in data regions such as the stack or heap. DEP is a critical part of the broader set of exploit mitigation technologies developed by Microsoft, such as ASLR, SEHOP, SafeSEH, and /GS. These mitigation technologies complement one another; for example, DEP's weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used together are very difficult to bypass.

Structured Exception Handler Overwrite Protection (SEHOP) - Prevents an attacker from being able to make use of the Structured Exception Handler (SEH) overwrite exploitation technique.

Null Page Protection (NullPage) - Pre-allocates the null page (the page at address 0) so that an exploit cannot map it and use it for malicious purposes.

Heap Spray Protection (HeapSpray) - Pre-allocates areas of memory that attackers commonly target when spraying the heap, so they cannot fill those areas with malicious code.

Export Address Table Filtering (EAF) - Regulates access to the Export Address Table (EAT) based on the calling code.

Export Address Table Filtering Plus (EAF+) - Blocks read attempts to export and import table addresses originating from modules commonly used to probe memory during the exploitation of memory corruption vulnerabilities.

Mandatory Address Space Layout Randomization (MandatoryASLR) - Randomizes the location where modules are loaded in memory, limiting the ability of an attacker to point to predetermined memory addresses.

Bottom-Up Address Space Layout Randomization (BottomUpASLR) - Improves the Mandatory ASLR mitigation by randomizing the base address of bottom-up allocations.

Load Library Protection (LoadLib) - Stops the loading of modules located in UNC paths, which is a common technique in Return Oriented Programming (ROP) attacks.

ROP Caller Check (Caller) - Stops the execution of critical functions if they are reached via a 'RET' instruction, which is a common technique in Return Oriented Programming (ROP) attacks.

ROP Simulate Exec Flow (SimExecFlow) - Simulates the execution flow following the return address of a critical function, looking for the chain of short code fragments ending in RET that characterises a Return Oriented Programming (ROP) attack.

Stack Pivot (StackPivot) - Checks whether the stack pointer has been changed to point to attacker-controlled memory outside the thread's real stack, which is a common technique in Return Oriented Programming (ROP) attacks.
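The ROP Caller Check and Stack Pivot options above can be illustrated with a small, simplified reimplementation of the logic they describe. The following C program is an added example, not code from the product or from EMET: it decides whether an x86-64 CALL instruction ends exactly at a given return address (the Caller heuristic) and whether a stack pointer lies outside the thread's real stack (the Stack Pivot check). The byte sequence `sample_code`, the offsets used as return addresses and the stack bounds are all constructed for the demonstration; on Windows the real bounds would be read from the TEB (NT_TIB StackLimit/StackBase), and SIB-byte CALL encodings are not handled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the x86-64 CALL encoding that ends at code[end], or 0 if none ends
 * there. Handled forms (assumption: no SIB byte, as is enough for the demo):
 *   E8 rel32                       5 bytes   call rel32
 *   [REX] FF /2 reg                2-3 bytes call rax, call r10, ...
 *   [REX] FF /2 [reg+disp8]        3-4 bytes
 *   [REX] FF /2 [reg+disp32]       6-7 bytes
 *   [REX] FF /2 [rip+disp32]       6-7 bytes                                  */
static size_t call_len_ending_at(const uint8_t *code, size_t end)
{
    if (end >= 5 && code[end - 5] == 0xE8)          /* E8 rel32 */
        return 5;
    for (size_t len = 2; len <= 7 && len <= end; len++) {
        size_t start = end - len, i = start;
        if ((code[i] & 0xF0) == 0x40) i++;           /* optional REX prefix */
        if (i >= end || code[i] != 0xFF) continue;   /* opcode FF */
        i++;
        if (i >= end) continue;
        uint8_t modrm = code[i++];
        if (((modrm >> 3) & 7) != 2) continue;       /* reg field must be /2 */
        uint8_t mod = modrm >> 6, rm = modrm & 7;
        if (mod != 3 && rm == 4) continue;           /* SIB forms not handled */
        size_t want = i - start;                     /* prefix + opcode + modrm */
        if (mod == 0 && rm == 5) want += 4;          /* [rip+disp32] */
        else if (mod == 1)       want += 1;          /* [reg+disp8]  */
        else if (mod == 2)       want += 4;          /* [reg+disp32] */
        if (want == len) return len;                 /* encoding fills the span */
    }
    return 0;
}

/* ROP Caller Check: a return address is legitimate only if the bytes right
 * before it encode a CALL; a gadget reached through RET has no such CALL. */
static bool reached_via_call(const uint8_t *code, size_t ret_off)
{
    return call_len_ending_at(code, ret_off) != 0;
}

/* Stack Pivot check: the stack pointer must lie inside the thread's real
 * stack [stack_limit, stack_base); anything else is a pivoted stack. */
static bool stack_pivoted(uintptr_t sp, uintptr_t stack_limit, uintptr_t stack_base)
{
    return sp < stack_limit || sp >= stack_base;
}

/* Constructed sample text section: three call sites and a pop rdi; ret gadget. */
static const uint8_t sample_code[] = {
    0x48, 0x89, 0xC7,                    /*  0: mov rdi, rax                  */
    0xE8, 0x10, 0x00, 0x00, 0x00,        /*  3: call rel32                    */
    0x48, 0x85, 0xC0,                    /*  8: test rax, rax   (return target)*/
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00,  /* 11: call [rip+0x1000]             */
    0x41, 0xFF, 0xD2,                    /* 17: call r10        (return target)*/
    0x90,                                /* 20: nop             (return target)*/
    0x5F,                                /* 21: pop rdi         (ROP gadget)   */
    0xC3,                                /* 22: ret                            */
};

int main(void)
{
    const size_t offsets[] = { 8, 17, 20, 21, 22 };
    for (size_t k = 0; k < sizeof offsets / sizeof offsets[0]; k++)
        printf("return to offset %2zu: %s\n", offsets[k],
               reached_via_call(sample_code, offsets[k]) ? "preceded by CALL"
                                                         : "NOT preceded by CALL (ROP?)");

    /* Constructed stack bounds: a normal frame, a heap address, and the base itself. */
    const uintptr_t limit = 0x7ffc0000, base = 0x7ffe0000;
    printf("sp inside stack: %s\n",  stack_pivoted(0x7ffd0000, limit, base) ? "pivoted" : "ok");
    printf("sp in heap:      %s\n",  stack_pivoted(0x00401000, limit, base) ? "pivoted" : "ok");
    return 0;
}
```

Offsets 8, 17 and 20 are genuine return targets and pass the Caller check; offsets 21 and 22 are the start of the `pop rdi; ret` gadget and are flagged, because nothing before them is a CALL. The real product checks additionally involve the arguments of the critical function and the stack contents, which this example does not model.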

Attack Surface Reduction (ASR) - Prevents defined modules from being loaded in the address space of the protected process.
