Exploit Protection guards against vulnerability exploits for applications installed on your endpoints. The default settings balance between endpoint performance and protection, but you have the option to customize Exploit Protection by using its Advanced Settings.
IMPORTANT: While this article serves as an Advanced Settings reference, we recommend you do not change these settings unless instructed to by a Malwarebytes Support technician.
To review or edit Exploit Protection Advanced Settings, go to Policies > Select a policy > Windows > Settings > Real-Time Protection > Advanced Settings.
Application Hardening settings help applications act more resilient against vulnerability exploits.
- DEP Enforcement: Activates permanent Data Execution Prevention in applications that do not do this by default.
- Anti-HeapSpraying Enforcement: Reserves portions of memory to prevent abuse by Heap-Spraying attack techniques.
- Dynamic Anti-HeapSpraying Enforcement: Analyzes the memory heap of a protected process to look for malicious shellcode.
- Bottom-Up ASLR Enforcement: Adds randomization to the memory heap when the process starts.
- Disable Internet Explorer VB Scripting: Prevents the Visual Basic scripting engine from loading, as it is often abused by exploits. Only applies to Internet Explorer based browsers.
- Detection of Anti-Exploit fingerprinting attempts: Detects attempts by popular exploit kits to identify the endpoint and determine if it is vulnerable.
Advanced Memory Protection
Advanced Memory Protection prevents exploit shellcode from executing its payload code in memory.
- Malicious Return Address Detection: Also called “Caller” mitigation. This detects if code is executed outside of any loaded module.
- DEP Bypass Protection: Detects attempts to turn off Data Execution Prevention.
- Memory Patch Hijack Protection: Detects and prevents malicious attempts to use WriteProcessMemory to bypass Data Execution Prevention.
- Stack Pivoting Protection: Detects and prevents exploit code from using a fake memory stack.
- ROP Gadget detection: Detects and prevents Return Oriented Programming gadgets when a Windows API is called. Provisions are made for individualized protection of "CALL" and "RET" instructions.
Application Behavior Protection
Application Behavior Protection settings prevent the exploit payload from executing and infecting the system. This represents the last line of defense if an exploit is able to bypass previous protection layers. This layer also detects and blocks exploits that do not rely on memory corruption, such as Java sandbox escapes or application design abuse exploits.
- Malicious LoadLibrary Protection: Prevents delivery of a payload library from a UNC network path.
- Protection for Internet Explorer VB Scripting: Detects and prevents exploits related to the application design vulnerability known as CVE-2014-6332. For more information on this exploit, see https://nvd.nist.gov/vuln/detail/CVE-2014-6332.
- If you need to use VBScript for an internal application, see Endpoint Protection's Anti-Exploit protection is blocking Visual Basic 6.
- Protection for MessageBox Payload: Prevents exploits from delivering a messagebox as its payload. This option is off by default; these types of payloads are harmless and usually used only in proof of concepts.
- Protection for Office WMI abuse: Protects against Microsoft Office macro exploits that use Windows Management Instrumentation (WMI).
- Protection for Office VBA7 abuse: Protects against Microsoft Office macro exploits that use Visual Basic for Applications.
Java Protection protects against exploits commonly used in Java programs.
- Prevent Web-Based Java Command Line: Protects against web-based Java programs that issue system commands.
- Java Malicious Inbound Shell Protection: Guards against remote shell exploits whose payloads use inbound sockets.
- Java Malicious Outbound Shell Protection: Guards against remote shell exploits whose payloads use outbound sockets.
- Java Metasploit/Meterpreter Generic Protection: Detects and prevents attempts to use the Metasploit Java/Meterpreter payload.
- Java Metasploit/Meterpreter Command Execution Protection: Detects and blocks commands in an established Java/Meterpreter session.
- Allow Insecure Java Operations in Internal IP Ranges: Allows insecure internal corporate network tools and applications while still protecting from external Java threats.