Data Execution Prevention (DEP) on WinXP SP2

Discussion in 'other security issues & news' started by Alec, Jan 28, 2005.

Thread Status:
Not open for further replies.
  1. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    I came back from lunch to my WinXP Pro SP2 laptop computer and just found the attached DialogBox message on my screen. It states that DEP had to stop Windows Explorer. Naturally, I'm a little nervous since DEP should likely only catch maliciously behaved code. I like to think that I run a relatively tight system, with the likes of NOD32, ZA 5.5, TrojanHunter, Ewido, SpybotS&D, AdAware, SpywareBlaster, etc. and behind a true SPI, hardware firewall (Juniper NetScreen 5GT).

    I will definitely try to perform a full scan with a few more utilities, but I'm curious if anyone else had seen one of these DEP dialogs. Is it definitely a sign of malware, or could some obscure programming error have led to the condition? Right after dismissing the DEP dialog box, the Windows Error Reporting service kicked in and asked to report the condition to Microsoft.
     


  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Did you click on 'What Should I Do?'
     
  3. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

    The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling

    Jimbob
     
  4. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Credit should be given when quoting.
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The report that it sent or wanted to send to M$ will confirm whether it's a programming problem or malware attempting to write to the wrong location.

    In my experience so far, software DEP is nearly always bad programming and many people have to turn off DEP to allow many slightly older programs especially those that use system drivers to function correctly or even work at all

    On my computer I have had to turn off DEP, otherwise system restore doesn't work and anti virus/anti spyware programs clash as they sometimes need to access the protected memory locations.

    It's a good idea, but until you have a CPU chip capable of using it and all programs are written with it in mind, it causes more problems than it solves.
     
  6. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    The reason that I posted the dialogbox and commentary was because I sort of wanted to know how common such an error message was in others' experience; and to get some rough, speculative idea of what the probability of malware vs. programming error was (ie, is it indicative of malware 99% of the time, or perhaps just 50% of the time).

    @NOD32 User: Yes, I clicked on the "What Should I Do?" link, which invoked the Help and Support module. The page that appeared was somewhat useful, but basically reiterated what I already knew.

    @Jimbob1989: Thanks for the input, although I did already know the definitional information regarding DEP. I was more curious to receive anecdotal experience regarding DEP. You know... things like... Has anyone else seen this dialogbox? Did they trace it to malware or to a programming error? Did it occur very frequently? For me, this was the first time that I had seen the message, and I have had SP2 pretty much since day 1 of its public release back, what, in late August or early September?

    @dvk01: Thanks for the information, that is the type of experience-based stuff I guess I was looking for.

    BTW, I should have stated, this particular laptop has the "Centrino" Intel Pentium-M, which I don't think supports hardware DEP... so I believe it is just software based DEP. My understanding is that, by default, Microsoft only enables software DEP for other Microsoft developed executables. Software DEP is off, by default, for 3rd party executables according to what I have read. If you note, in my case it was Windows Explorer itself that supposedly violated the software DEP enforcement mechanisms.

    I just thought this very odd, and highly suspicious... but I haven't isolated any malware yet. I'm currently inclined to believe it was some odd programming error, or perhaps the result of some 3rd party app with shell integration technology? However, I still haven't ruled out malware 100%, by any means.
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I know it is only supposed to be M$ executables that are affected by DEP, but I find that for some reason almost ANY driver based application is affected. I can't use System restore on my computer with DEP enabled and have to totally turn it off

    Other people have had problems with several graphics programs and frequently are unable to install cameras and scanners etc that worked pre sp2 and disabling DEP cures those problems

    I have never seen the DEP warning before, I have just assumed that DEP was blocking those applications because turning it off allows them to work.

    Just my experience though
     
  8. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Ok, Derek, I'll bite -- how the heck do you shut it off? I can only find the "main" options area where the choice is strictly between system files only or all files.

    I don't have hardware support (Celeron 2.2, about a year and a half old), and from the sound of it the software protection is a pita, so I don't see any point in keeping it if I've got other kinds of protection.

    Thanks and best,
    Mike
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Like all M$ instructions it doesn't make sense but

    Right click on my computer and select properties/advanced/performance/settings and then the Data Execution Protection tab

    select the second option turn ON DEP for all programs except, then leave the box blank and press apply ( that actually Turns OFF DEP) then it will tell you to reboot

    or edit the boot.ini file as shown here http://support.microsoft.com/kb/875352 but my way is slightly easier
     
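    As an added example (my own code, not from anyone in this thread): a small Python script that reads a boot.ini (a constructed sample is embedded) and reports which DEP policy each boot entry's /noexecute switch sets, using the switch values documented in the KB875352 article linked above, then applies a policy to a named program the way the DEP tab's exception list does. The function names are my own, and it assumes an entry with no /noexecute switch behaves as OptIn, the SP2 default; under OptOut an empty exception list leaves every process covered by DEP.

```python
import re

# /noexecute values from the boot.ini switches in KB875352. The DEP tab's first
# choice writes optin, its second (all programs except the listed ones) writes optout.
POLICIES = {"optin": "OptIn", "optout": "OptOut",
            "alwayson": "AlwaysOn", "alwaysoff": "AlwaysOff"}

# Constructed sample boot.ini (not taken from any machine in the thread).
SAMPLE_BOOT_INI = """\
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optout /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="XP test install" /fastdetect
"""


def dep_policy_from_boot_ini(text):
    """Map each [operating systems] entry label to the DEP policy its switches set."""
    result, in_os = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        m = re.match(r'[^=]+=\s*"([^"]*)"(.*)', line) if in_os else None
        if not m:
            continue
        sw = re.search(r"/noexecute=(\w+)", m.group(2), re.IGNORECASE)
        # No /noexecute switch at all: assumed to behave as OptIn (the XP SP2 default).
        result[m.group(1)] = POLICIES.get(sw.group(1).lower(), "unknown") if sw else "OptIn"
    return result


def dep_enforced_for(policy, exe_name, windows_binary=False, exceptions=()):
    """True if DEP applies to exe_name. `exceptions` is the DEP tab's list and is
    only consulted under OptOut; `windows_binary` marks Windows system code."""
    if policy in ("AlwaysOn", "AlwaysOff"):
        return policy == "AlwaysOn"
    if policy == "OptIn":
        return windows_binary
    if policy == "OptOut":  # an empty list here means DEP for every process
        return exe_name.lower() not in {e.lower() for e in exceptions}
    raise ValueError("unknown DEP policy: %s" % policy)
```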
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Despite what the M$ page says, using the optout policy and leaving the settings blank does seem to exclude everything from the DEP.

    Unless I've got it wrong and I'm adding every .exe file by doing that to DEP and that is solving the problems.
     
  11. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Thanks Derek. :) As you say, it doesn't make sense -- "on except for" plus blank would logically seem to mean on for everything, at least to this poor layman. But I'll give it a try.

    Guess it's just one more case where my communication/cognition problems from brain injury aren't half as bad as the ones over at MS. :p :cool:
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    All I know for certain is that when I have ON + blank set, everything works on my computer.

    when I have the first option for system files only, then system restore and various others don't work

    So I am assuming that the second turns it off, but I really don't know.
     
  13. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS