Windows Exploit Protection Modules (EPMs)
4.2 (EoS)
To prevent attackers from leveraging software vulnerabilities on Windows endpoints, Traps employs the following exploit protection modules (EPMs):
Name | Type | Description |
---|---|---|
Brute Force Protection | Application Protection | Prevents attackers from hijacking the process control flow by monitoring memory layout enumeration attempts. |
CPL Protection | Application Protection | Protects against vulnerabilities related to the display routine for Windows Control Panel shortcut images, which can be used as a malware infection vector. |
DEP | Application Protection | Data execution prevention (DEP). Prevents areas of memory designated as containing data from running as executable code. |
DLL Security | Application Protection | Prevents access to crucial DLL metadata from untrusted code locations. |
DLL-Hijacking Protection | Application Protection | Prevents DLL-hijacking attacks, in which the attacker attempts to load DLLs from unsecured locations to gain control of a process. |
Exception Heap Spray Check | Application Protection | Detects instances of heap sprays upon occurrence of suspicious process crashes (indicative of exploitation attempts). |
Exploit Kit Fingerprinting Protection | Application Protection | Protects against the fingerprinting technique used by browser exploit kits to identify information—such as the OS or applications that run on an endpoint—which attackers can use to mount an attack or evade protection capabilities. |
Font Protection | Application Protection | Prevents improper font handling, a common target of exploits. |
Hot Patch Protection | Application Protection | Prevents the use of system functions to bypass DEP and address space layout randomization (ASLR). |
JIT Mitigation | Application Protection | Prevents an attacker from bypassing the operating system's memory mitigations using just-in-time (JIT) compilation engines. In ninja-mode, you can also configure advanced hooks and whitelists for this module. |
Kernel APC Protection | Kernel Protection | Prevents attacks that change the execution order of a process by redirecting an asynchronous procedure call (APC) to point to the attacker's malicious shellcode. |
Kernel Privilege Escalation Protection | Kernel Protection | Prevents an attacker from using the privilege information of another process with greater privileges to run a process with system permissions. |
Library Preallocation | Application Protection | Enforces relocation of specific modules that exploitation attempts commonly utilize. |
Memory Limit Heap Spray Check | Application Protection | Detects instances of heap sprays using the Palo Alto Networks proprietary algorithm, which is triggered by a sudden increase in memory consumption (indicative of ongoing exploitation). |
Null Dereference Protection | Application Protection | Prevents malicious code from mapping to address zero in the memory space, making null dereference vulnerabilities unexploitable. |
ROP Mitigation | Application Protection | Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP chains. |
SEH Protection | Application Protection | Prevents hijacking of the Structured Exception Handler (SEH), a commonly exploited linked-list control structure that contains a sequence of function records. |
Shellcode Preallocation | Application Protection | Reserves and protects certain areas of memory commonly used to house payloads using heap spray techniques. |
Shellcode Protection | Application Protection | Reserves and protects certain areas of memory commonly used to house payloads using heap spray techniques. |
ShellLink Protection | Application Protection | Prevents shell-link logical vulnerabilities. |
SysExit | Application Protection | Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP chains. |
UASLR | Application Protection | Improves or altogether implements ASLR (module location randomization) with greater entropy, robustness, and strict enforcement. |