Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

Article Number: 000124724

Dell Endpoint Security Suite Enterprise Memory Protection Category Definitions

Summary: This article provides definitions for Memory Protection categories.

This article may have been automatically translated. If you have any feedback regarding its quality, please let us know using the form at the bottom of this page.

Article Content

Instructions

Note:

Affected Products:

  • Dell Endpoint Security Suite Enterprise

Affected Operating Systems:

  • Windows
  • Mac
Note: To go to category messages: Endpoints -> Advanced Threats -> Exploit Attempts (Threats Activities)

SLN306461_en_US__2ddpkm1130b
Figure 1: (English Only) Endpoint Detail Advanced Threats

Stack Pivot - The stack for a thread has been replaced with a different stack. Generally, the computer allocates a single stack for a thread. An attacker would use a different stack to control execution in a way that Data Execution Prevention (DEP) does not block.

Stack Protect - The memory protection of a thread's stack has been modified to enable execution permission. Stack memory should not be executable, so usually this means that an attacker is preparing to run malicious code that is stored in stack memory as part of an exploit, an attempt which Data Execution Prevention (DEP) would otherwise block.

Overwrite Code - Code residing in a process's memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP).

RAM Scraping - A process is trying to read valid magnetic stripe track data from another process. Typically related to point-of-sale computers (POS).

Malicious Payload - A generic shellcode and payload detection that is associated with exploitation has been detected.

Remote Allocation of Memory - A process has allocated memory in another process. Most allocations occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a computer.

Remote Mapping of Memory - A process has introduced code or data into another process. This may indicate an attempt to begin running code in another process and reinforces a malicious presence.

Remote Write to Memory - A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose.

Remote Write PE to Memory - A process has modified memory in another process to contain an executable image. Generally, this indicates that an attacker is attempting to run code without first writing that code to disk.

Remote Overwrite Code - A process has modified executable memory in another process. Under normal conditions executable memory is not modified, especially by another process. This usually indicates an attempt to divert execution in another process.

Remote Unmap of Memory - A process has removed a Windows executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for diverting execution.

Remote Thread Creation - A process has created a thread in another process. A process's threads are only created by that same process. Attackers use this to activate a malicious presence that has been injected into another process.

Remote APC Scheduled - A process has diverted the execution of another process's thread. This is used by an attacker to activate a malicious presence that has been injected into another process.

DYLD Injection - An environment variable has been set that causes a shared library to be injected into a launched process. Attacks can modify the plist of applications like Safari or replace applications with bash scripts that cause their modules to be loaded automatically when an application starts.

LSASS Read - Memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords.

Zero Allocate - A null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attacks can use this to setup privilege escalation by taking advantage of some known null de-reference exploit, typically in the kernel.

Violation Type by Operating System

The following table references which Violation Type relates to which operating system.

Type Operating System
Stack Pivot Windows, OS X
Stack Protect Windows, OS X
Overwrite Code Windows
RAM Scraping Windows
Malicious Payload Windows
Remote Allocation of Memory Windows, OS X
Remote Mapping of Memory Windows, OS X
Remote Write to Memory Windows, OS X
Remote Write PE to Memory Windows
Remote Overwrite Code Windows
Remote Unmap of Memory Windows
Remote Threat Creation Windows, OS X
Remote APC Scheduled Windows
DYLD Injection OS X
LSAAS Read Windows
Zero Allocate Windows, OS X

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Additional Information

 

Videos

 

Article Properties

Affected Product

Dell Endpoint Security Suite Enterprise

Last Published Date

07 May 2024

Version

8

Article Type

How To

Back to Top