What Is Data Execution Prevention (DEP)?
Data Execution Prevention (DEP) is a Microsoft security technology (for Windows operating systems) that prevents malicious code from being executed from system memory locations. By using a set of hardware and software technologies, DEP performs additional checks in memory to help protect against exploits.
Malware may be executing malicious code from memory locations that ought to only be utilized by Windows or other accepted programs. If DEP detects an application on your computer that is improperly utilizing memory, it will terminate the program and notify you.
How Data Execution Prevention Works
DEP isn’t like a firewall or antivirus program and therefore doesn’t help prevent harmful programs from being installed on your computer. What Data Execution Prevention does is to carefully monitor your programs to see if they’re using the system memory safely, by marking specific memory locations as “non-executable”, and monitoring programs that are attempting to run malicious code from a protected location.
Let’s say that an application attempts to run malicious code from a protected page. In this case, the application receives an exception with the status code STATUS_ACCESS_VIOLATION. DEP is configured at system boot according to the no-execute page protection policy setting in the boot configuration data, and depending on that policy setting, a particular application can change the DEP setting for its own process.
DEP is enforced by hardware and by software:
Marks all memory locations in a process as non-executable unless the location explicitly contains executable code, thereby helping prevent certain attacks by intercepting them and raising an exception.
Relies on processor hardware to mark memory with an attribute indicating that code should not be executed from that memory; it works by changing a bit in the page table entry to mark the particular memory page.
The actual hardware implementation of Data Execution Prevention and marking of the virtual memory page varies by processor architecture, but processors that support hardware-enforced DEP are capable of raising an exception when code is executed from a page marked with the suitable attribute set.
Windows has added an extra set of data execution prevention security checks, also called software-enforced DEP, designed to mitigate exploits of exception handling mechanisms in Windows. Software-enforced DEP can run on any processor capable of running Windows XP SP2 and above.
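An added example (not from the original post) of the mechanism the hardware-enforced DEP paragraphs describe, using the POSIX mmap/mprotect calls on Linux or macOS as the analogue of the Windows page protections: the CPU refuses to fetch instructions from a page whose page-table entry lacks the execute attribute, which is the event DEP reports on Windows as STATUS_ACCESS_VIOLATION. The machine code bytes, the function names and the use of a signal handler in place of the Windows exception are all constructed for the demo; it assumes an x86-64 or AArch64 CPU with NX support.

```c
#define _GNU_SOURCE                      /* MAP_ANONYMOUS, sigaction on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Constructed machine code for a tiny function that just returns 42. */
#if defined(__x86_64__)
static const unsigned char k_code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char k_code[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                        0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "demo supports x86-64 and AArch64 only"
#endif
static sigjmp_buf fault_env;
/* Stands in for the STATUS_ACCESS_VIOLATION exception DEP raises on Windows. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Copies k_code into a fresh page and calls it. With make_executable == 0 the page keeps
 * only read/write permission (the DEP-protected case); with 1 it is switched to read/execute
 * first. Returns 42 if the code ran, -1 if the CPU refused to fetch from the page, -2 on error. */
int run_from_page(int make_executable)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, k_code, sizeof k_code);
    if (make_executable) {
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) { munmap(page, pagesz); return -2; }
        __builtin___clear_cache((char *)page, (char *)page + sizeof k_code);
    }
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);      /* Linux reports the fetch fault as SIGSEGV */
    sigaction(SIGBUS, &sa, &old_bus);        /* macOS may report it as SIGBUS */
    volatile int result = -1;
    if (sigsetjmp(fault_env, 1) == 0)        /* comes back nonzero after on_fault() */
        result = ((int (*)(void))page)();
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void) {
    printf("non-executable page: %s\n", run_from_page(0) == -1 ? "blocked" : "ran");
    printf("executable page: returned %d\n", run_from_page(1));
}
```

The first call is the DEP case: the same bytes sit in memory, but without the execute attribute on the page the call is stopped before a single instruction runs.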
Should You Disable Data Execution Prevention?
It isn’t recommended to turn DEP off, as it automatically monitors essential Windows programs and services.
You can increase your protection by having DEP monitor all programs. Keep in mind that disabling Data Execution Prevention or adding exclusions may allow malicious scripts to execute and cause severe damage to Windows, which can leave your PC in a permanently unstable and/or unusable state.
If you switch off Data Execution Prevention for a particular program, it becomes prone to attack. A successful attack could then spread to other programs on your computer and to your contacts, and damage your files. If you believe that a program doesn’t run correctly when DEP is turned on, check for a DEP-compatible version or update from the software publisher before you modify any Data Execution Prevention settings.
How To Configure Data Execution Prevention
DEP is enabled by default for essential Windows operating system programs and services.
You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.
1. Open the Control Panel.
2. Click System and Security > System > Advanced System Settings.
3. Once you are on the Advanced tab click Settings.
4. Click the tab called Data Execution Prevention.
5. Select Turn on DEP for essential Windows programs and services only.
6. Click OK. Make sure to restart your system in order to enable the change.
How to check from CMD if DEP is enabled
1. Open CMD.
2. Type the following command, then press ENTER:
wmic OS Get DataExecutionPrevention_Available
If the output is “TRUE,” hardware-enforced DEP is available.
Data Execution Prevention is one of the most basic protections a Windows-based system can have, and unless necessary, it must always remain active. If you’re using programs developed for a 64-bit OS, most are created with DEP in mind and will be fine. However, if you’re required to use legacy code, you’ll need to create an exception for that specific program.
In any case, Data Execution Prevention should be treated with caution, keeping it at its default unless there’s a valid reason to alter it. While DEP is vital, it’s just one aspect of infosec when discussing Windows 10.