Heap Spray attacks detected by Endpoint Protection with Columbiasoft software installed.


Article ID: 171957


Products

Endpoint Protection

Issue/Introduction

When launching certain applications, such as web browsers or Adobe software, the application does not open. Instead it is blocked by Symantec Endpoint Protection, and a "Memory Exploit Mitigation: Heap Spray" detection is logged. This occurs on systems with Columbiasoft Document Locator and related plugins installed.

Cause

Symantec Security Response has reviewed this behavior and determined that the detection occurs due to activity related to the "CSSInjLoad Module" which is included with Columbiasoft's software, and is related to how this component is accessing memory.

Environment

Impacted Endpoint Protection family products include:

Symantec Endpoint Protection (SEP) 14

Symantec Endpoint Protection Small Business Edition (SEP SBE .cloud)

Symantec Endpoint Protection Cloud (SEP Cloud)

Note that depending on the specific version installed, the technology responsible for this detection might be referred to as Memory Exploit Mitigation (MEM), Proactive Exploit Protection (PEP), or Generic Exploit Mitigation (GEM).


Resolution

At this time, Symantec plans on making no changes to our Heap Spray detection, as this would negatively impact our ability to block legitimate risks.

Based on information that was provided by Columbiasoft, the CSSInjLoad Module is no longer necessary for their software to function correctly. The following workaround was provided to disable the module:

Windows 7:

  1. From the Start Menu, select All Programs and then Startup.
  2. Locate “Document Locator Common Dialog.” Right-click this item and delete it.
  3. Reboot the PC.

Windows 10:

  1. From Windows Task Manager, go to the Startup tab.
  2. Locate the entry for “CSSInjLoad Module.”
  3. Right-click this item and select Disable.
  4. Reboot the PC.
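To confirm the workaround before and after the reboot, the following read-only PowerShell audit is an added example (it is not part of the Symantec article and is not Columbiasoft code). It lists startup entries whose name or command matches the names given above ("CSSInjLoad Module", "Document Locator Common Dialog") and reports whether Task Manager has marked them disabled. It assumes those name fragments identify the entries on your system, and that Task Manager records its Startup tab state under the StartupApproved registry keys (first byte 0x02 = enabled, 0x03 = disabled); it changes nothing on the system.

```powershell
# Added example; not from the Symantec article or from Columbiasoft. Read-only audit of
# startup entries matching the names the article gives, plus the enable/disable state
# Task Manager keeps for them. Assumed: the name fragments below match the entries.

$patterns = @('*CSSInjLoad*', '*Document Locator*')

# Task Manager's Startup tab stores its state here; the first byte of each value is
# 0x02 for enabled and 0x03 for disabled (subkeys: Run, Run32, StartupFolder).
$approvedRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved'
)

function Get-TaskManagerStartupState {
    param([string]$EntryName)
    foreach ($root in $approvedRoots) {
        foreach ($sub in 'Run', 'Run32', 'StartupFolder') {
            $key = Join-Path $root $sub
            if (-not (Test-Path $key)) { continue }
            # Startup-folder values carry the shortcut file name (".lnk"), so match on prefix.
            $match = (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -like "$EntryName*" -and $_.Value -is [byte[]] } |
                Select-Object -First 1
            if ($match) {
                switch ($match.Value[0]) {
                    2       { return 'Enabled' }
                    3       { return 'Disabled' }
                    default { return 'Unknown' }
                }
            }
        }
    }
    # Never toggled in Task Manager; Windows runs such entries at logon.
    return 'NotTracked'
}

function Get-SuspectStartupEntry {
    # Win32_StartupCommand enumerates the Run/RunOnce keys and both Startup folders,
    # which is where the Windows 7 and Windows 10 workarounds point.
    Get-CimInstance -ClassName Win32_StartupCommand | Where-Object {
        $entry = $_
        ($patterns | Where-Object { $entry.Name -like $_ -or $entry.Command -like $_ }).Count -gt 0
    } | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Location = $_.Location
            Command  = $_.Command
            State    = Get-TaskManagerStartupState -EntryName $_.Name
        }
    }
}

$found = @(Get-SuspectStartupEntry)
if ($found.Count -eq 0) {
    Write-Host 'No startup entries matching the article names were found.'
} else {
    $found | Format-Table -AutoSize
    if ($found | Where-Object { $_.State -ne 'Disabled' }) {
        Write-Host 'At least one matching entry is still active; apply the workaround above, reboot, and re-run.'
    } else {
        Write-Host 'All matching entries are disabled in Task Manager; reboot and confirm the Heap Spray detection no longer fires.'
    }
}
```

Run it once before applying the workaround to record where the entry lives (Location shows the Run key or Startup folder), and again after the reboot; a deleted Startup-folder shortcut disappears from the list, while an entry disabled through Task Manager stays listed but reports State = Disabled.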

For further details regarding this module, and to verify the above workaround is valid for your version of the software, Symantec recommends contacting Columbiasoft Support.

Additional information on Memory Exploit Mitigation and how to approach suspected False Positives in that technology can be found in Hardening Windows clients against memory tampering attacks with a Memory Exploit Mitigation policy