ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Memory Exploit Mitigation causes multiple applications to stop

book

Article ID: 172430

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Scenario-1:

MEM (Memory Exploit Mitigation) causes Microsoft Office applications to crash and stop working with Macros enabled.

Scenario-2:

Adobe application cannot be accessible with MEM enabled.

Error appearing for Microsoft application:


Faulting application name: EXCEL.EXE, version: 12.0.4518.1014, time stamp: 0x45428263
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x03459318
Faulting process id: 0x1c78
Faulting application start time: 0x01d403c1dfa303de
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
Faulting module path: unknown
Report Id: 1fd7ec0b-6fb5-11e8-80f8-000c29194b27
Faulting package full name:

This session lasted 4 seconds with 0 seconds of active time.  This session ended with a crash.

 

Error appearing for Adobe application:

Blocked Attack: DLL Injection of Network-Sourced DLL attack against C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe Blocked Attack: DLL Injection of Network-Sourced DLL attack against C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin\ccSvcHst.exe Blocked Attack: DLL Injection of Network-Sourced DLL attack against C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.

Cause

Data Execution Prevention (DEP) is enabled, an attempt by software to execute non-executable code will cause it to crash.

To know what is DEP, refer to the Microsoft article

Environment

SEP (Symantec Endpoint Protection) 14.x

Resolution

Follow below steps to resolve the issue:

  1. In the SEPM console, click Policies > Memory Exploit Mitigation > Memory Exploit Mitigation policy.
  2. Create a copy of the policy.
  3. On the Mitigation Techniques tab, next to Choose a mitigation technique, select (ForceDep).
  4. Under the Protected column, select the terminated application (E.g., Microsoft Excel file with macros enabled or Adobe Acrobat) and then change Default (Yes) to (No).
  5. Open the application file which contains macros, it will open properly.