The customer has observed the Thread Injection check option within SCSP policy and wishes to know the purpose of the option.
The customer also wishes to know what performance impact enabling the option will have on an active policy.
Nil
Enable Thread Injection option within policy
Enable thread injection detection
Thread injection is a technique that is used to insert and run executable code within the address space of another process. Debuggers that attach to running processes for debugging purposes often use thread injection. This policy option addresses hostile programs that might misuse thread injection to perform a malicious task under the disguise of a benign process.
When enabled, the thread injection detection option does the following:
Detects and reports the creation of remote threads by one process into unrelated processes.
Takes preventive action to limit system damage caused by the injected thread while executing the injected code.
Confines the injecting process so that it does not continue injecting threads in remote processes in the thread injection status.
Thread injection detection is enabled by default. The option is located throughout the policy.
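The three behaviours listed above (detect and report, then confine the injecting process) can be modelled over a process event stream. This is an added example, not SCSP's implementation: the event format, the sample process names and the rule that a source is "related" only when it is an ancestor of the target are all assumptions made for illustration.

```python
# Simplified model of remote-thread detection and confinement (illustrative only).
# Constructed sample events:
#   ("create", pid, parent_pid, image)  or  ("remote_thread", source_pid, target_pid)
EVENTS = [
    ("create", 4, 0, "System"),
    ("create", 500, 4, "services.exe"),
    ("create", 900, 500, "svchost.exe"),
    ("create", 1200, 4, "explorer.exe"),
    ("create", 1300, 1200, "devenv.exe"),
    ("create", 1310, 1300, "app_under_debug.exe"),
    ("create", 1400, 1200, "dropper.exe"),
    ("remote_thread", 1300, 1310),  # debugger into the process it launched
    ("remote_thread", 1400, 900),   # into an unrelated process
    ("remote_thread", 1400, 1200),  # second attempt by the same source
]

def is_ancestor(parents, ancestor, pid):
    """True if `ancestor` appears in the parent chain of `pid`."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        if pid == ancestor:
            return True
    return False

def analyze(events):
    """Return (source_image, target_image, action) for each flagged remote thread."""
    parents, images, confined, findings = {}, {}, set(), []
    for ev in events:
        if ev[0] == "create":
            _, pid, ppid, image = ev
            parents[pid], images[pid] = ppid, image
        elif ev[0] == "remote_thread":
            _, src, dst = ev
            if src == dst:
                continue  # a thread in the caller's own process is not injection
            pair = (images.get(src, "?"), images.get(dst, "?"))
            if src in confined:
                # Assumed confinement rule: a reported source gets no further injections.
                findings.append(pair + ("blocked",))
            elif not is_ancestor(parents, src, dst):
                confined.add(src)
                findings.append(pair + ("reported",))
    return findings

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The debugger attaching to its own child is not flagged, which mirrors the legitimate use case the option description mentions.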
Applies To
SCSP 5.2 and higher