When launching certain applications, such as web browsers or Adobe software, the application does not open. Instead, it is blocked by Symantec Endpoint Protection, and a "Memory Exploit Mitigation: Heap Spray" detection is logged. This occurs on systems with Columbiasoft Document Locator and related plugins installed.
Symantec Security Response has reviewed this behavior and determined that the detection occurs due to activity related to the "CSSInjLoad Module", which is included with Columbiasoft's software, specifically how this component accesses memory.
Impacted Endpoint Protection family products include:
Symantec Endpoint Protection (SEP) 14
Symantec Endpoint Protection Small Business Edition (SEP SBE .cloud)
Symantec Endpoint Protection Cloud (SEP Cloud)
Note that, depending on the specific version installed, the technology responsible for this detection might be referred to as Memory Exploit Mitigation (MEM), Proactive Exploit Protection (PEP), or Generic Exploit Mitigation (GEM).
At this time, Symantec plans on making no changes to our Heap Spray detection, as this would negatively impact our ability to block legitimate risks.
Based on information that was provided by Columbiasoft, the CSSInjLoad Module is no longer necessary for their software to function correctly. The following workaround was provided to disable the module:
For further details regarding this module, and to verify the above workaround is valid for your version of the software, Symantec recommends contacting Columbiasoft Support.
Additional information on Memory Exploit Mitigation and how to approach suspected false positives in that technology can be found in "Hardening Windows clients against memory tampering attacks with a Memory Exploit Mitigation policy".