Data Loss Prevention Endpoint Agent application crash

Article ID: 170881

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Symantec Data Loss Prevention (DLP)
Windows Enhanced Mitigation Experience Toolkit (EMET)

EMET and the DLP agent running on the same system causes various applications like Excel to crash when the application is opened.

DLP Endpoint Agent causes applications to crash when Windows Enhanced Mitigation Experience Toolkit (EMET) is installed.

Cause

DLP application hooking and EMET mitigations work at a similarly low level within applications

Environment

EMET 5.2
DLP 14.6 MP2

Resolution

As Microsoft has noted in their guidelines article and elsewhere, because DLP application hooking and EMET mitigations work at a similarly low level within applications, compatibility issues may arise. Application hooking is an essential part of our Endpoint Application Monitoring features. Symantec DLP Engineering has found that two EMET Return Oriented Programming (ROP) mitigations, "Caller Check" and "Simulate Execution Flow", are the mitigations that need to be disabled on affected applications to resolve the compatibility issues observed between EMET and DLP.
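The resolution above is to disable only the two ROP mitigations, "Caller Check" and "Simulate Execution Flow", for the affected application, rather than removing EMET protection from it altogether. As an added example (not part of this article, and not Symantec or Microsoft tooling), the Python script below edits an EMET-style XML profile of the kind `EMET_Conf --export` produces: it flips those two mitigations to disabled for one executable and leaves every other mitigation and every other application untouched, then reports what is still enabled so the change can be reviewed before `EMET_Conf --import`. The element and attribute names (`AppConfig`, `Executable`, `Mitigation`, `Name`, `Enabled`) and the mitigation identifiers `Caller` and `SimExecFlow` are assumed to match the EMET 5.x export layout; the sample profile is constructed for this example and should be compared against an export from your own EMET installation before use.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile in the assumed EMET 5.x export layout.
# Mitigation names are assumptions based on EMET's XML exports; verify
# them against `EMET_Conf --export` output from your own system.
SAMPLE_PROFILE = """<EMET Version="5.2">
  <EMET_Apps>
    <AppConfig Path="*\\OFFICE1*" Executable="EXCEL.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
    </AppConfig>
    <AppConfig Path="*\\OFFICE1*" Executable="WINWORD.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
    </AppConfig>
  </EMET_Apps>
</EMET>
"""

# The two ROP mitigations the article identifies as conflicting with DLP hooking.
DLP_CONFLICTING_MITIGATIONS = ("Caller", "SimExecFlow")


def disable_rop_mitigations(profile_xml, executable,
                            mitigations=DLP_CONFLICTING_MITIGATIONS):
    """Return (new_xml, changed_names): the profile with the named mitigations
    set to Enabled="false" for `executable` only. Other apps and mitigations
    are left exactly as they were."""
    root = ET.fromstring(profile_xml)
    changed = []
    for app in root.iter("AppConfig"):
        if app.get("Executable", "").lower() != executable.lower():
            continue
        for mit in app.findall("Mitigation"):
            if (mit.get("Name") in mitigations
                    and mit.get("Enabled", "").lower() == "true"):
                mit.set("Enabled", "false")
                changed.append(mit.get("Name"))
    return ET.tostring(root, encoding="unicode"), changed


def enabled_mitigations(profile_xml, executable):
    """Set of mitigation names still enabled for `executable` in the profile,
    for a quick review of what protection remains after the change."""
    root = ET.fromstring(profile_xml)
    enabled = set()
    for app in root.iter("AppConfig"):
        if app.get("Executable", "").lower() != executable.lower():
            continue
        for mit in app.findall("Mitigation"):
            if mit.get("Enabled", "").lower() == "true":
                enabled.add(mit.get("Name"))
    return enabled


if __name__ == "__main__":
    # Scope the change to the application that crashes (Excel in the article).
    new_xml, changed = disable_rop_mitigations(SAMPLE_PROFILE, "EXCEL.EXE")
    print("Disabled for EXCEL.EXE:", changed)
    print("Still enabled for EXCEL.EXE:",
          sorted(enabled_mitigations(new_xml, "EXCEL.EXE")))
    print("WINWORD.EXE unchanged:",
          sorted(enabled_mitigations(new_xml, "WINWORD.EXE")))
    # Write the result out for `EMET_Conf --import <file>` after review.
    with open("emet_profile_dlp_compat.xml", "w", encoding="utf-8") as fh:
        fh.write(new_xml)
```

The script deliberately only touches the two mitigations the article names and only the executable passed in; DEP, SEHOP, EAF, StackPivot and the rest stay enabled, which keeps the remaining EMET coverage for the application while removing the conflict with DLP's hooking.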

EMET and application compatibility considerations:

  • Are there any risks in using EMET?
    • The security mitigation technologies that EMET uses have an application compatibility risk. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem that affects a specific mitigation, individually enable and disable that specific mitigation. For more information, refer to the EMET user guide.
    • Quoted from: The Enhanced Mitigation Experience Toolkit

https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit

  • Generic guidelines
    • EMET mitigations work at a very low level in the operating system. Some kinds of software that perform similar low level operations might have compatibility issues when they are configured to be protected by using EMET. The following is a list of the kinds of software that should not be protected by using EMET:
    • Software that uses anti-debugging, obfuscation, or hooking technologies
    • Quoted from: EMET mitigations guidelines

https://support.microsoft.com/en-us/help/2909257/emet-mitigations-guidelines

  • ROP mitigations
    • Caller checks: EMET ensures that when a critical function is reached, it is reached by a CALL instruction rather than a RET instruction. This is a very useful mitigation and breaks many ROP gadgets. This mitigation may be incompatible with some applications. This mitigation is available for 32-bit processes.
    • Simulate execution flow: This feature tries to detect ROP gadgets following a call to a critical function. Like the "Caller checks", this feature may not be compatible with some applications. This mitigation is available for 32-bit processes.
    • Quoted from: EMET 5.52 User Guide, pg 12