This document lists the Mitigation Options and their purpose in the Settings screen when you create a New Enhanced Mitigation Action.
Data Execute Prevention (DEP) - Prevents attackers from executing code in areas of memory that are not explicitly marked as executable. DEP is a critical part of the broader set of exploit mitigation technologies developed by Microsoft such as ASLR, SEHOP, SafeSEH, and /GS. These mitigation technologies complement one another; for example, DEP's weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used together are very difficult to bypass.
Structured Exception Handler Overwrite Protection (SEHOP) - Prevents an attacker from being able to make use of the Structured Exception Handler (SEH) overwrite exploitation technique.
Null Page Protection (NullPage) - Pre-allocates the null page to prevent exploits from using it for malicious purposes.
Heap Spray Protection (HeapSpray) - Pre-allocates areas of memory that are commonly used by attackers to allocate malicious code.
Export Address Table Filtering (EAF) - Regulates access to the Export Address Table (EAT) based on the calling code.
Export Address Table Filtering Plus (EAF+) - Blocks read attempts to export and import table addresses originating from modules commonly used to probe memory during the exploitation of memory corruption vulnerabilities.
Mandatory Address Space Layout Randomization (MandatoryASLR) - Randomizes the location where modules are loaded in memory, limiting the ability of an attacker to point to predetermined memory addresses.
Bottom-Up Address Space Layout Randomization (BottomUpASLR) - Improves the Mandatory ASLR mitigation by randomizing the base address of bottom-up allocations.
Load Library Protection (LoadLib) - Stops the loading of modules located in UNC paths, which is a common technique in Return Oriented Programming (ROP) attacks.
ROP Caller Check (Caller) - Stops the execution of critical functions if they are reached via a 'RET' instruction, which is a common technique in Return Oriented Programming (ROP) attacks.
ROP Simulate Exec Flow (SimExecFlow) - Reproduces the execution flow after the return address, trying to detect Return Oriented Programming (ROP) attacks.
Stack Pivot (StackPivot) - Checks if the stack pointer is changed to point to attacker-controlled memory areas, which is a common technique in Return Oriented Programming (ROP) attacks.
Attack Surface Reduction (ASR) - Prevents defined modules from being loaded in the address space of the protected process.