Buffer Overflow False Positive Cause and Remediation in Critical System Protection


Article ID: 156030




Critical System Protection


A Symantec Critical System Protection (SCSP) agent running the Targeted Prevention Policy raises buffer overflow alerts for an application that is not actually being exploited. While the policy is in prevention mode (rather than detection only), the agent blocks the flagged activity and the application no longer functions properly.


The alert is raised when the application generates code at run time as part of its normal behaviour (a just-in-time compiler or a scripting engine with a code generator, for example) and then executes that generated code from memory that is not part of its own process image. Executing code that was written into memory at run time is also what a successful buffer overflow exploit does, so SCSP cannot tell the two apart and reports the activity as a buffer overflow.


Only exclude an application you trust: the exclusion switches buffer overflow detection off for that program entirely, so first confirm that the executable path reported in the alert is the expected binary and not something else running under its name. Then add it to the exclusion list in the Targeted Prevention Policy:

Global Policy Options > Enable Buffer Overflow Protection > Disable Buffer Overflow Detection for these programs > List of Programs that will have buffer overflow detection turned off.

If the Targeted Prevention Policy is not in use, disable Buffer Overflow Detection for the process set that the service or application is assigned to. Because that removes the protection from every other program in the same process set, the narrower option is preferable: create a custom process set, assign the application to it, and disable Buffer Overflow Detection for that new process set only.