An exploit is a sequence of commands that take advantage
of a bug or vulnerability in a software application or process.
Attackers use these exploits as a means to access and use a system
to their advantage. To gain control of a system, the attacker must
take advantage of a chain of vulnerabilities in the system. Blocking
any attempt to exploit a vulnerability in the chain will block the
exploitation attempt entirely.
In a typical attack scenario, an attacker attempts to gain control
of a system by first corrupting or bypassing memory allocation or
handlers. Using memory-corruption techniques, such as buffer overflows
and heap corruption, a hacker can trigger a bug in software or exploit
a vulnerability in a process. The attacker must then manipulate
a program to run code provided or specified by the attacker while
evading detection. If the attacker gains access to the operating
system, the attacker can then upload malware, such as Trojan horses
(programs that contain malicious executable files), or otherwise use
the system to their advantage. Traps prevents such exploit attempts
by employing roadblocks or traps at each stage of an exploitation
To combat these types of attacks, Traps employs Exploit
Protection. When a user opens a non-executable file, such
as a PDF or Word document, and the process that opened the file
is protected, the Traps agent seamlessly injects code into the software.
This occurs at the earliest possible stage before any files belonging
to the process are loaded into memory. The Traps agent then activates
one or more Exploit Protection Modules inside the protected process.
The EPM targets a specific exploitation technique and is designed
to prevent attacks on program vulnerabilities based on memory corruption
or logic flaws.
Examples of attacks that the EPMs can prevent include dynamic-link
library (DLL) hijacking (replacing a legitimate DLL with a malicious
one of the same name), hijacking program control flow, and inserting
malicious code as an exception handler.
In addition to automatically protecting processes from such attacks,
Traps reports any prevention events to the Endpoint Security Manager,
and performs additional actions according to the settings of the
security policy rules. Common actions that Traps performs include
collecting forensic data and notifying the user about the event.
Traps does not perform any additional scanning or monitoring actions.
The default endpoint security policy protects the most vulnerable
and most commonly used applications, but you can also add other
third-party and proprietary applications to the list of protected
processes. For more information, see Add
a New Protected Process.