"Attack: Return Oriented Programming API Invocation" blocks applications from running

Article ID: 229102


Products

Endpoint Protection

Issue/Introduction

The "Memory Exploit Mitigation" component blocks applications from running, reporting the detection "Attack: Return Oriented Programming API Invocation".

Environment

Release : 14.3 RU3 and newer


Resolution

This is working as designed. Blocking ROP calls ensures that system-critical APIs are entered through CALL instructions and not through existing RET or jump instructions (the gadgets a return-oriented chain is assembled from). Vulnerabilities exploited this way have been found in Microsoft and other products.
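The check described above is commonly known as a "caller check": when a critical API is entered, the bytes immediately before its return address are inspected, and the call is accepted only if they decode as a CALL instruction; a return into the API from a gadget that ends in RET or JMP fails the check. The following C program is an added illustration of that idea and is not Symantec's code. It assumes gcc or clang on x86/x86-64, uses a deliberately simplified opcode decoder (no REX or segment prefixes, no SIB forms), and all function names and the byte sequences are constructed for the example.

```c
#include <stdio.h>

/* Return 1 if the bytes just before ret_addr decode as an x86/x86-64 CALL.
 * Simplified decoder (assumption: no REX/segment prefixes, no SIB forms);
 * a production mitigation would handle the full instruction encoding. */
int looks_like_call_site(const unsigned char *ret_addr)
{
    /* E8 rel32: 5-byte direct near call */
    if (ret_addr[-5] == 0xE8)
        return 1;

    /* FF /2, ModRM mod=11: call reg (2 bytes), e.g. FF D0 = call rax */
    if (ret_addr[-2] == 0xFF && (ret_addr[-1] & 0xF8) == 0xD0)
        return 1;

    /* FF /2, mod=00, rm not 100/101: call [reg] (2 bytes), e.g. FF 10 */
    if (ret_addr[-2] == 0xFF && (ret_addr[-1] & 0xF8) == 0x10
        && (ret_addr[-1] & 7) != 4 && (ret_addr[-1] & 7) != 5)
        return 1;

    /* FF /2, mod=01, rm not 100: call [reg+disp8] (3 bytes), e.g. FF 50 xx */
    if (ret_addr[-3] == 0xFF && (ret_addr[-2] & 0xF8) == 0x50
        && (ret_addr[-2] & 7) != 4)
        return 1;

    /* FF /2, mod=10, rm not 100: call [reg+disp32] (6 bytes) */
    if (ret_addr[-6] == 0xFF && (ret_addr[-5] & 0xF8) == 0x90
        && (ret_addr[-5] & 7) != 4)
        return 1;

    /* FF 15 disp32: call [rip+disp32] (6 bytes), the usual import-table call */
    if (ret_addr[-6] == 0xFF && ret_addr[-5] == 0x15)
        return 1;

    /* Anything else, including C3 (RET) or FF /4 (JMP), is rejected. */
    return 0;
}

/* A "critical API" that refuses to run unless it was entered via a CALL.
 * noinline keeps the return address in this frame; __builtin_return_address
 * is a gcc/clang builtin. On other architectures the check is skipped. */
__attribute__((noinline)) int guarded_api(void)
{
#if defined(__x86_64__) || defined(__i386__)
    const unsigned char *ret = (const unsigned char *)__builtin_return_address(0);
    if (!looks_like_call_site(ret))
        return -1;   /* a mitigation would report "ROP API Invocation" here */
#endif
    return 42;       /* the API's real work */
}

int main(void)
{
    /* Constructed instruction streams; the simulated return address is the
     * byte after the last instruction (offset 7) in each buffer. */
    static const unsigned char direct_call[8] = {0x90,0x90,0xE8,0x00,0x00,0x00,0x00,0x90};
    static const unsigned char ret_gadget[8]  = {0x90,0x90,0x90,0x90,0x90,0x90,0xC3,0x90};
    static const unsigned char jmp_gadget[8]  = {0x90,0x90,0x90,0x90,0x90,0xFF,0xE0,0x90};

    printf("return after CALL rel32 : %d\n", looks_like_call_site(direct_call + 7));
    printf("return after RET gadget : %d\n", looks_like_call_site(ret_gadget + 7));
    printf("return after JMP gadget : %d\n", looks_like_call_site(jmp_gadget + 7));
    printf("guarded_api via CALL    : %d\n", guarded_api());
    return 0;
}
```

The RET and JMP samples are what a return-oriented chain leaves behind when it lands in an API, which is why the check rejects them while accepting the direct, indirect and import-table CALL forms; the cost is the occasional false positive on unusual but legitimate call encodings, which is the trade-off the resolution below refers to.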

This protection is lost if you disable ROP call blocking. It is, however, one of many layers of protection: malicious code would first need to get past Symantec's malware and AV definitions, download protection, active scanning, and reputation and heuristic checks before it could exploit a ROP call vulnerability.

The best approach is to work with the application's developer so that it reaches system APIs through direct CALL instructions rather than through RET or jump instructions. If that is not feasible, disable ROP call protection for IE.