Skip to main content

Advanced Anti-Exploit

Advanced Anti-Exploit is a proactive technology that detects exploits in real-time. Based on machine learning, it protects against a series of known and unknown exploits, including memory file-less attacks.

Note

This module is available for:

  • Windows for workstations

  • Windows for servers

  • Linux

To check the compatible operating systems, refer to Endpoint Protection.

For Linux systems, Advanced Anti-Exploit is a preventative security control intended to identify and block Zero-Day and Advanced Persistent Threat activities and related processes in real-time (On-Execution). The module is capable to perform Kernel Integrity checks as well as monitor user-space implementation relying on eBPF and KProbes.

Note

Availability and functioning of this feature may differ depending on the license included in your current plan.

To enable protection against exploits, in the policy settings under Antimalware > Advanced Anti-Exploit, select the Advanced Anti-Exploit check box.

gz_cl_op_pt_advanced_anti_exploit_policy_en.png

Advanced Anti-Exploit is set to run with the recommended settings. You can adjust protection differently if needed.

To restore the initial settings, click the Reset to Default link at the right side of the section heading.

GravityZone has the anti-exploit settings organized in three sections:

  • System-wide detections

    The anti-exploit techniques in this section monitor the system processes that are targets of exploits.

    For more information about the available techniques and how to configure their settings, refer to Configure System-Wide Mitigation.

  • Predefined applications

    The Advanced Anti-Exploit module is preconfigured with a list of the common applications such as Microsoft Office, Adobe Reader, or Flash Player, which are the most exposed to exploitations.

    For more information about the available techniques and how to configure their settings, refer to Configure Application-Specific Techniques.

  • Additional applications

    In this section, you can add and configure protection for as many other applications as you want.

    For more information about the available techniques and how to configure their settings, refer to Configure Application-Specific Techniques.

You can expand or collapse each section by clicking its heading. This way, you will quickly reach the settings you want to configure.

Configure system-wide mitigation

Under this section, you have the following options:

Technique

Description

Operating system

Privilege escalation

Prevents processes from gaining unauthorized privileges and access to resources.

Default action: Kill process

Windows

Process Introspection

Performs an in-depth analysis of the process state when a child process is created, examining potential indicators of compromise. The analysis offers an overview of detected parent processes and the child processes they have spawned.

Default action: Kill process

Windows

LSASS process protection

Protects the LSASS process from leaking secrets such as password hashes and security settings. The feature monitors when system applications require read access to the memory of the LSASS process and takes action if configured accordingly.

Default action: Block only

The recommended action is Block only. This action blocks an application's capability to access LSASS memory, and not the application itself like in a classic scenario. Specifically, Advanced Anti-Exploit denies the application access request to read from LSASS memory. Application incompatibilities are uncommon.

Using the Block and report action enables you to deny applications access to LSASS memory and to be notified about these attempts. This configuration is useful if you want to view and further analyze the detection events, but it may generate a high volume of notifications.

The Report only action notifies you about applications' attempts to access the LSASS memory. This configuration may generate a high volume of notifications, including for any process asking for more permissions than needed, and should be used with caution, as the LSASS memory is not actively protected.

You can view the blocked events in the security agent local console under the Antiexploit category. You can add LSASS-related exclusions in the Configuration Profiles section of Control Center. The excluded processes will not be able to access LSASS but will no longer trigger detections.

Windows

Credentials monitoring

Inspects process behavior to detect unexpected credential changes for a thread.

Default action: Report only

Linux

Ptrace monitoring

Monitors the use of debugging mechanisms to detect attempts of using ptrace to control a privileged process. It can detect container escape types of exploits.

Default action: Report only

Linux

Namespace monitoring

Inspects process behavior to detect unexpected changes in the namespace of a thread.

Default action: Report only

Linux

Corruption monitoring

Monitors syscall activity to detect memory corruption attempts via crafted syscalls.

Default action: Report only

Linux

SUID monitoring

Reports all attempts to set a SUID flag to a file.

Default action: Report only

Linux

These anti-exploit techniques are enabled by default. To disable any of them, clear their check box.

Optionally, you can change the action taken automatically upon detection. Choose an action available in the associated menu:

  • Kill process: ends immediately the exploited process.

  • Block only: prevents the malicious process from accessing unauthorized resources without GravityZone reporting the event.

  • Report only: GravityZone reports the event without taking any mitigation action. You can view the event details in the Advanced Anti-Exploit notification, and in Blocked Applications and Security Audit reports.

  • Block and report: prevents the malicious process from accessing unauthorized resources and GravityZone reports the event. You can view the event details in the Advanced Anti-Exploit notification, and in Blocked Applications and Security Audit reports.

Configure application-specific techniques

Whether predefined or additional applications, they all share the same set of anti-exploit techniques. You can find them described herein:

Technique

Description

ROP Emulation

Detects attempts to make executable the memory pages for data, using the Return-Oriented Programming (ROP) technique.

Default action: Kill process

ROP Stack Pivot

Detects attempts to hijack the code flow using the ROP technique, by validating stack location.

Default action: Kill process

ROP Illegal Call

Detects attempts to hijack the code flow using the RO Ptechnique, by validating callers of sensitive system functions.

Default action: Kill process

ROP Stack Misaligned

Detects attempts to corrupt the stack using the ROP technique, by validating the stack address alignment.

Default action: Kill process

ROP Return to Stack

Detects attempts to execute code directly on stack using the ROP technique, by validating return address range.

Default action: Kill process

ROP Make Stack Executable

Detects attempts to corrupt the stack using the ROP technique, by validating the stack page protection.

Default action: Kill process

Flash Generic

Detects Flash Player exploitation attempts.

Default action: Kill process

Flash Payload

Detects attempts to execute malicious code into Flash Player, by scanning Flash objects in memory.

Default action: Kill process

VBScript Generic

Detects VBScript exploitation attempts.

Default action: Kill process

Shellcode Execution

Detects attempts to create new processes or download files, using shellcode.

Default action: Kill process

Shellcode LoadLibrary

Detects attempts to execute code via network paths, using shellcode.

Default action: Kill process

Anti-Detour

Detects attempts to bypass security checks for creating new processes.

Default action: Kill process

Shellcode EAF (ExportAddress Filtering)

Detects attempts of malicious code to access sensitive system functions from DLL exports.

Default action: Kill process

Shellcode Thread

Detects attempts to inject malicious code, by validating newly-created threads.

Default action: Kill process

Anti-Meterpreter

Detects attempts to create a reverse shell, by scanning executable memory pages.

Default action: Kill process

Obsolete Process Creation

Detects attempts to create new processes using obsolete techniques.

Default action: Kill process

Child Process Creation

Blocks creation of any child process.

Default action: Kill process

Enforce Windows DEP

Enforces Data Execution Prevention (DEP) to block code execution from data pages.

Default: Disabled

Enforce Module Relocation (ASLR)

Prevents code from being loaded in predictable locations, by relocating memory modules.

Default: Enabled

Emerging Exploits

Protects against any new emerging threats or exploits. Rapid updates are used for this category before more comprehensive changes can be made.

Default: Enabled

To monitor other applications except for the predefined ones, click the Add Application button available at the top and at the bottom of the page.

To configure the anti-exploit settings for an application:

  1. For existing applications, click the application name. For new applications, click the Add button.

    A new page displays all techniques and their settings for the selected application.

    Important

    Use caution when adding new applications to be monitored. Bitdefender cannot guarantee compatibility with any application. Thus, it is recommended to test the feature first on a few non-critical endpoints, and then deploy it in the network.

  2. If adding a new application, enter its name and its processes names in the dedicated fields. Use the semicolon (;) to separate process names.

  3. If you need to quickly check the description of a technique, click the arrow next to its name.

  4. Select or clear the check boxes of the exploitation techniques, as needed.

    Use the All option if you want to mark all techniques at once.

  5. If needed, change the automatic action upon detection. Choose an action available in the associated menu:

    • Kill process: ends immediately the exploited process.

    • Report only: GravityZone reports the event without taking any mitigation action. You can view the event details in the Advanced Anti-Exploit notification and in reports.

    By default, all techniques for predefined applications are set to mitigate the issue, while additional applications are set to just report the event.

    To quickly change the action taken for all techniques at once, select the action from the menu associated with All option.

Click the Back button at the upper side of the page to return to the Anti-Exploit general settings.