Memory Exploit Mitigation causes multiple applications to stop
search cancel

Memory Exploit Mitigation causes multiple applications to stop

book

Article ID: 172430

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Scenario-1:

MEM (Memory Exploit Mitigation) causes Microsoft Office applications to crash and stop working with Macros enabled.

Scenario-2:

Adobe application cannot be accessible with MEM enabled.

Error appearing for Microsoft application:


Faulting application name: EXCEL.EXE, version: 12.0.4518.1014, time stamp: 0x45428263
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x03459318
Faulting process id: 0x1c78
Faulting application start time: 0x01d403c1dfa303de
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
Faulting module path: unknown
Report Id: 1fd7ec0b-6fb5-11e8-80f8-000c29194b27
Faulting package full name:

This session lasted 4 seconds with 0 seconds of active time.  This session ended with a crash.

 

Error appearing for Adobe application:

Blocked Attack: DLL Injection of Network-Sourced DLL attack against C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe Blocked Attack: DLL Injection of Network-Sourced DLL attack against C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin\ccSvcHst.exe Blocked Attack: DLL Injection of Network-Sourced DLL attack against C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.

Environment

SEP (Symantec Endpoint Protection) 14.x

Cause

Data Execution Prevention (DEP) is enabled, an attempt by software to execute non-executable code will cause it to crash.

To know what is DEP, refer to the Microsoft article

Resolution

This is fixed in CIDS 17

Below steps can be performed on lower CIDS build to resolve the issue:

  1. In the SEPM console, click Policies > Memory Exploit Mitigation > Memory Exploit Mitigation policy.
  2. Create a copy of the policy.
  3. On the Mitigation Techniques tab, next to Choose a mitigation technique, select (ForceDep).
  4. Under the Protected column, select the terminated application (E.g., Microsoft Excel file with macros enabled or Adobe Acrobat) and then change Default (Yes) to (No).
  5. Open the application file that contains macros, it will open properly.

 

Powered by Wolken Software