Buffer Overflow False Positive Cause and Remediation in Critical System Protection

Article ID: 156030

Products

Critical System Protection

Issue/Introduction

A Symantec Critical System Protection (SCSP) agent running the Targeted Prevention Policy raises buffer overflow alerts for an application that is not actually being exploited (a false positive). When prevention is enabled in the policy, the agent blocks the flagged behaviour and the application no longer functions properly.

Cause

Some applications generate machine code on the fly as part of their normal behaviour (for example, a just-in-time compiler or a scripting runtime) and then execute that code from memory that is not part of their own loaded executable image, such as a heap or anonymous memory region. From the agent's point of view this is the same pattern a buffer overflow exploit produces, in which injected shellcode runs from writable data memory, so SCSP reports it as a buffer overflow.
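The behaviour the Cause describes, as an added illustration rather than code from this article or from SCSP: a process allocates writable memory, writes a few instruction bytes into it, makes the page executable and calls it. The stub here is a two-argument add routine for x86-64 and AArch64 Linux; the function names, the byte encodings and the return-code convention are this example's own assumptions. It is what a legitimate just-in-time compiler does, and it is the same memory pattern that shellcode injected by a real overflow produces, which is why a host-based buffer overflow detector cannot distinguish the two from the memory state alone.

```c
/* Added example (not from the article or SCSP): a minimal just-in-time
 * code generator. It builds a two-argument `add` routine in anonymous
 * memory and runs it, which is the benign pattern a buffer overflow
 * detector can mistake for injected shellcode. Linux/glibc, gcc or clang. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

typedef int (*add_fn)(int, int);

/* Machine code for `int add(int a, int b) { return a + b; }`. */
#if defined(__x86_64__)
/* SysV ABI: a in edi, b in esi.   lea eax,[rdi+rsi] ; ret */
static const uint8_t kAddCode[] = { 0x8D, 0x04, 0x37, 0xC3 };
#elif defined(__aarch64__)
/* AAPCS64: a in w0, b in w1.   add w0,w0,w1 ; ret   (little-endian words) */
static const uint8_t kAddCode[] = { 0x00, 0x00, 0x01, 0x0B,
                                    0xC0, 0x03, 0x5F, 0xD6 };
#else
static const uint8_t kAddCode[] = { 0xCC }; /* placeholder, never executed */
#define JIT_UNSUPPORTED 1
#endif

/* Copy the stub into buf. Returns bytes written, or 0 if the architecture is
 * not one this example encodes or the buffer is too small. */
static size_t emit_add(uint8_t *buf, size_t cap)
{
#ifdef JIT_UNSUPPORTED
    (void)buf; (void)cap;
    return 0;
#else
    if (sizeof kAddCode > cap)
        return 0;
    memcpy(buf, kAddCode, sizeof kAddCode);
    return sizeof kAddCode;
#endif
}

/* Allocate a page, emit the stub while the page is writable, flip it to
 * executable (W^X), call it, then release it. Stores a + b in *out and
 * returns 0, or returns -1 if any step fails. */
int jit_add(int a, int b, int *out)
{
    long psz = sysconf(_SC_PAGESIZE);
    if (psz <= 0)
        return -1;
    size_t len = (size_t)psz;

    /* Step 1: anonymous writable memory, the same kind an overflow would fill. */
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    /* Step 2: write instruction bytes into data memory. */
    size_t n = emit_add(mem, len);
    if (n == 0) {
        munmap(mem, len);
        return -1;
    }

    /* Step 3: make the page executable. Even with W^X the code still runs
     * from memory outside the program's loaded image, which is the
     * situation the article's Cause section describes. */
    __builtin___clear_cache((char *)mem, (char *)mem + n);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }

    /* Step 4: jump into the freshly written code. */
    add_fn fn;
    memcpy(&fn, &mem, sizeof fn);   /* avoid an object-to-function pointer cast */
    *out = fn(a, b);

    munmap(mem, len);
    return 0;
}

int main(void)
{
    int v = 0;
    if (jit_add(40, 2, &v) != 0) {
        fprintf(stderr, "unsupported architecture or allocation failure\n");
        return 1;
    }
    printf("jit_add(40, 2) = %d\n", v);
    return v == 42 ? 0 : 1;
}
```

When deciding whether an alert is this kind of false positive, confirm that the flagged process does this by design (vendor documentation, or, on Windows, the process allocating or reprotecting memory with an execute permission through VirtualAlloc or VirtualProtect) before treating the application as trusted; the same memory pattern from a process that should never generate code is the real thing.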

Resolution

If the application is trusted, add it to the buffer overflow exclusion list in the Targeted Prevention Policy:

Global Policy Options > Enable Buffer Overflow Protection > Disable Buffer Overflow Detection for these programs > List of Programs that will have buffer overflow detection turned off.

This turns off buffer overflow detection only for the programs listed, so keep the list as narrow as the application allows and leave the rest of the policy's controls in place for that process; a listed program that is later exploited through a real overflow will not raise this alert.

If the Targeted Prevention Policy is not in use, disable Buffer Overflow Detection for the process set to which the service or application is assigned. Because that setting applies to every process in the set, the narrower alternative is to create a custom process set containing only this application, assign the application to it, and disable Buffer Overflow Detection for that new process set.