3 Replies Latest reply on Sep 11, 2014 10:28 AM by SafeBoot

    adding items to BOP exclusion, are there any risk?

    gforce4678

      Hello All

      We are experiencing issues with 32 bit Windows 7 and apps crashing through Buffer Overflow Protection

      My main question is if we add an exclusion, what other security risks could be posed by excluding them via BOP

      many thanks

      mark

        • 1. Re: adding items to BOP exclusion, are there any risk?
          exbrit

          Moved provisionally to VSE for better attention.

          Peter

          Moderator

          • 2. Re: adding items to BOP exclusion, are there any risk?
            rmetzger

            gforce4678 wrote:

            We are experiencing issues with 32 bit Windows 7 and apps crashing through Buffer Overflow Protection

            My main question is if we add an exclusion, what other security risks could be posed by excluding them via BOP

            Hi Mark,

            I don't believe anyone can categorically state "what other security risks could be posed by excluding them via BOP."

            KB81308 (Buffer Overflow violations after installing VirusScan Enterprise 8.8 Patch 4) wrote:

            IMPORTANT: These detections should be considered legitimate. Prior releases of VSE did not detect these violations because the feature monitored only certain API calls for a limited list of processes. With Patch 4, the scope has broadened, and now all APIs of the same limited list of processes are monitored. Therefore, detections of buffer overrun violations may now be more prevalent, especially if you use older or unpatched software.

            Solution

            McAfee has verified that these detections are legitimate code that is not marked appropriately, attempting to execute from memory. The action to take for these applications is:

            • Upgrade the software to a more recent release (recommended)
            • Apply any available patches to your existing software

            Not all DLLs of legitimate software applications will be able to fully comply with DEP. In such cases, please refer to the workarounds below.

            If you are not in a position to upgrade the affected software, refer to the workarounds below until an upgrade is possible. Refer to Related Information below to understand the risk of using a workaround.

            Applications incompatible with DEP that are detected by BOP include:

            • Microsoft Office 2003 and Office XP (version 11 and older versions, due to MSO.DLL)
            • Microsoft Office 2007 (version 12, due to EuroTool.xlam)
            • Explorer.exe (due to SEPCM.DLL from SizeExplorer Pro or JESTERSS.DLL from FlashJester)
            • IExplore.exe (due to corpol.dll)

             

            NOTE: This list is not comprehensive, but will be updated as additional applications are identified.

            Since the list is not comprehensive, you may find that you need to open up more exclusions, depending on the applications giving trouble.

            KB81308 (Buffer Overflow violations after installing VirusScan Enterprise 8.8 Patch 4) wrote:

             

            Buffer Overflow protection in VirusScan Enterprise is a 0-day protection feature to block execution of code from buffer overflow attacks.

             

            • The BOP feature is only applicable to 32-bit systems. For a list of Processes Protected by BOP, see KB58007.
            • BOP is only applicable to select processes (including Microsoft Office applications).
            • You can minimize the risk of disabling Buffer Overflow Protection by ensuring that all protected processes are at current patch levels.

             

            Exclusions should be rare and only used when other measures, such as Upgrading or Updating software fails. I recommend Upgrading or Updating all software rather than opening up your systems to potential 0-day exposures.

             

            Since this protection is helping protect against 0-day attacks, knowing up front the exposure is unknown. I don't believe anyone can categorically state "what other security risks could be posed by excluding them via BOP."

             

            From my experience, after updating to Patch 4, I found I was able to upgrade or update MS Office which successfully cleared the BOP problems.

             

            Hopefully this is helpful.

            Ron Metzger
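The KB text quoted above says the detections come from "legitimate code that is not marked appropriately" and that some DLLs cannot fully comply with DEP. The script below is an added, defender-side example written for this page; it was not posted by anyone in the thread and is not McAfee's or Microsoft's code. It parses the optional header of a PE image and reports whether the image was linked with IMAGE_DLLCHARACTERISTICS_NX_COMPAT (the /NXCOMPAT bit that declares DEP compatibility), then maps the result onto the order of actions the KB gives: upgrade first, patch second, exclusion last. The sample images are minimal stubs constructed in memory, not real DLLs, and the function names `pe_nx_status`, `recommended_action` and `build_stub_pe` are chosen here.

```python
"""Added example: check whether a PE image declares DEP/NX compatibility.

Reads the Machine field of the COFF header and the DllCharacteristics field of
the optional header. An image without the NX_COMPAT bit is the kind of
"legitimate code that is not marked appropriately" the KB excerpt describes.
"""
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # linked with /NXCOMPAT
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE (ASLR)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def pe_nx_status(image: bytes) -> dict:
    """Parse just enough of a PE image to read Machine and DllCharacteristics."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)      # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total)
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def recommended_action(status: dict, newer_release_available: bool, patch_available: bool) -> str:
    """Order of actions taken from the KB excerpt: upgrade, then patch, exclusion last."""
    if status["nx_compat"]:
        return "image declares DEP compatibility; do not exclude, investigate the detection itself"
    if newer_release_available:
        return "upgrade the software to a release linked with /NXCOMPAT (recommended)"
    if patch_available:
        return "apply the vendor patch, then re-test under BOP"
    return "no fix available: narrow, documented BOP exclusion, re-reviewed when a fix ships"


def build_stub_pe(machine: int, dll_characteristics: int, magic: int = PE32_MAGIC) -> bytes:
    """Constructed minimal PE image for testing: parseable by pe_nx_status, not loadable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header follows DOS header
    opt_size = 224 if magic == PE32_MAGIC else 240
    # Characteristics 0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Two constructed samples: a legacy 32-bit DLL without /NXCOMPAT and a modern one with it.
LEGACY_DLL = build_stub_pe(0x014C, 0x0000)
MODERN_DLL = build_stub_pe(0x014C, IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

if __name__ == "__main__":
    for name, img in (("legacy.dll", LEGACY_DLL), ("modern.dll", MODERN_DLL)):
        st = pe_nx_status(img)
        print(name, st, "->", recommended_action(st, newer_release_available=True, patch_available=False))
```

To run it against a real file, pass `open(path, "rb").read()` to `pe_nx_status`. The flag only tells you what the linker recorded; a DLL that declares NX compatibility can still trigger a BOP detection for other reasons, which is why the `nx_compat` branch says to investigate rather than exclude.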

            • 3. Re: adding items to BOP exclusion, are there any risk?

              Simply, a Buffer Overflow is exactly what malware will leverage to gain privilege on your system, so allowing processes to run which have such coding flaws also allows zero day attacks to leverage them.