About the buffer overflow protection in Ivanti Endpoint Security

Version 13

    Verified Product Versions

    Endpoint Manager 9.6, Endpoint Manager 2016.x, Endpoint Manager 2017.x

    Buffer overflow protection


    A buffer overflow is a programming error (a bug) that causes the affected program to crash or, worse, execute unintended chunks of code. Over the past years, attackers have often exploited buffer overflows to make vulnerable programs (e.g. Internet servers, mailers, browsers) execute malicious code. EPS now contains buffer overflow protection (BOP), which intercepts code execution in memory areas where code isn't meant to be executed. This feature works only on 32-bit systems.




    Windows DEP (Data Execution Prevention) offers buffer overflow protection. However, its protection applies only to Windows system processes by default. Ivanti EPS Buffer Overflow Protection is compatible with Windows DEP, and some functionality overlaps.


    Some advantages of Ivanti EPS Buffer Overflow Protection:

      • Manageability & reporting through LDMS console.
      • Protection of all processes (not just Windows system processes)
      • Integration with EPS learn mode


    Buffer overflow protection can be turned off globally, or per application. This may be necessary for programs that have known buffer overflow issues that don't imply security risks.


    1. In the Windows console navigate to: Tools > Configuration > Agent Settings > 'Public agent settings' > 'Security'
    2. Open the Application control settings in which you want this option enabled
    3. On the 'General Settings' tab, in the protection box, select 'enable application behavior protection'
    4. Select the 'Use Buffer overflow protection' option to enable it.
    5. Save.




    How to make a per-application exception to Buffer Overflow Protection


    Sometimes it may be necessary to turn on Buffer Overflow Protection globally, but make an exception for specific applications. This may be necessary when some programs have known buffer overflows that are not considered a security threat.


    1. In the Windows console navigate to: Tools > Configuration > Agent Settings > 'Public agent settings' (or 'My Agent Settings') > 'Security' > 'Application File Lists'
    2. Open up the Application file list that contains the application you wish to edit
    3. Double click on the file you wish to change to bring up the permission options
    4. Select the 'Bypass buffer overflow protection' option



    Note: At times a conflict with Buffer Overflow Protection can cause a blue screen error. If you are experiencing a blue screen error, determine whether it is a global issue or a per-application issue by turning off Buffer Overflow Protection and attempting to launch the application.


    If turning off Buffer Overflow Protection for the specific application does not work, turn it off globally in the EPS settings.


    If you are getting a Blue Screen Error even if Buffer Overflow Protection is turned off globally, please collect a Kernel Memory Dump and submit it to Ivanti Support as part of a support ticket.


    To collect a Kernel Memory Dump


    1. Right-click "My computer" and choose "Properties"

    2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"

    3. In the "System failure" section, under "Write debugging information", click the drop-down and select "Kernel memory dump".

    4. Make note of the path that the MEMORY.DMP file will be saved to.

    5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.

    6. Name the .ZIP file <LANDESK Case #>-MemoryDump.zip and inform the support technician of the exact filename.
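
The same collection steps scripted in PowerShell, as an added example that is not part of the original article or of any Ivanti tooling. It assumes an elevated Windows PowerShell 5.1 session and the standard Windows CrashControl registry values; the `-CaseNumber`, `-OutDir` and `-Collect` parameters are hypothetical names, and the case number default is a placeholder.

```powershell
# Added example (not Ivanti code). Run elevated: once without -Collect to
# configure the dump type, then again with -Collect after the blue screen.
param(
    [string]$CaseNumber = 'CASE-PLACEHOLDER',   # placeholder: use the real case number
    [string]$OutDir     = $env:TEMP,            # hypothetical output folder
    [switch]$Collect
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cfg = Get-ItemProperty -Path $key

# Step 4: where Windows writes the dump (normally %SystemRoot%\MEMORY.DMP).
$dump = [Environment]::ExpandEnvironmentVariables($cfg.DumpFile)

if (-not $Collect) {
    # Steps 1-3: CrashDumpEnabled 0 = none, 1 = complete, 2 = kernel, 3 = small.
    if ($cfg.CrashDumpEnabled -ne 2) {
        Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 2 -Type DWord
        Write-Warning 'Kernel memory dump selected. Restart before reproducing the issue.'
    }
    Write-Output "Dump will be written to: $dump"
    return
}

# Step 5: make sure there is a dump, and flag one that may be from an older crash.
if (-not (Test-Path -LiteralPath $dump)) {
    throw "No dump found at $dump. Reproduce the blue screen first."
}
$file = Get-Item -LiteralPath $dump
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
if ($file.LastWriteTime -lt $boot) {
    Write-Warning "Dump dated $($file.LastWriteTime) predates the last boot ($boot)."
}

# Steps 5-6: Compress-Archive documents a 2 GB per-file limit, so stream the
# dump through the .NET ZipFile API instead. Fails if the .zip already exists.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zipPath = Join-Path $OutDir "$CaseNumber-MemoryDump.zip"
$zip = [System.IO.Compression.ZipFile]::Open($zipPath, 'Create')
try {
    [void][System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile(
        $zip, $dump, 'MEMORY.DMP', 'Optimal')
} finally {
    $zip.Dispose()
}

# Exact filename plus a hash so support can confirm the upload arrived intact.
Get-FileHash -LiteralPath $zipPath -Algorithm SHA256 | Select-Object Path, Hash
```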