Exploit Protection Overview
An exploit is a sequence of commands that take advantage of a bug or vulnerability in a software application or process. Attackers use these exploits as a means to access and use a system to their advantage. To gain control of a system, the attacker must take advantage of a chain of vulnerabilities in the system. Blocking any attempt to exploit a vulnerability in the chain will block the exploitation attempt entirely.
In a typical attack scenario, an attacker attempts to gain control of a system by first corrupting or bypassing memory allocation or handlers. Using memory-corruption techniques, such as buffer overflows and heap corruption, a hacker can trigger a bug in software or exploit a vulnerability in a process. The attacker must then manipulate a program to run code provided or specified by the attacker while evading detection. If the attacker gains access to the operating system, the attacker can then upload malware, such as Trojan horses (programs that contain malicious executable files), or otherwise use the system to their advantage. Traps prevents such exploit attempts by employing roadblocks or traps at each stage of an exploitation attempt.
To combat these types of attacks, Traps employs Exploit Protection . When a user opens a non-executable file, such as a PDF or Word document, and the process that opened the file is protected, the Traps agent seamlessly injects code into the software. This occurs at the earliest possible stage before any files belonging to the process are loaded into memory. The Traps agent then activates one or more Exploit Protection Modules (see Windows Exploit Protection Modules (EPMs) and Mac Exploit Protection Modules (EPMs) ) inside the protected process. The EPM targets a specific exploitation technique and is designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws.
Examples of attacks that the EPMs can prevent include dynamic-link library (DLL) hijacking (replacing a legitimate DLL with a malicious one of the same name), hijacking program control flow, and inserting malicious code as an exception handler.
In addition to automatically protecting processes from such attacks, Traps reports any prevention events to the Endpoint Security Manager, and performs additional actions according to the settings of the security policy rules. Common actions that Traps performs include collecting forensic data and notifying the user about the event. Traps does not perform any additional scanning or monitoring actions.
The default endpoint security policy protects the most vulnerable and most commonly used applications, but you can also add other third-party and proprietary applications to the list of protected processes. For more information, see Add a New Protected Process .