About the buffer overflow protection in LANDESK Endpoint Security

Version 12

    Verified Product Versions

    LANDESK Management Suite 9.5, LANDESK Management Suite 9.6, LANDESK Management Suite 2016.x

    Buffer overflow protection

     

    A buffer overflow is a programming error (a bug) that causes a program to crash or, worse, to execute unintended code. In past years, attackers have often exploited buffer overflows to make vulnerable programs (e.g. Internet servers, mailers, browsers) execute malicious code. EPS now contains buffer overflow protection (BOP), which intercepts code execution in memory areas where code isn't meant to be executed. This feature works only on 32-bit systems.

     


     

    Windows DEP (Data Execution Prevention) offers buffer overflow protection. However, its protection only applies to Windows system processes by default. LANDESK EPS Buffer Overflow Protection is compatible with Windows DEP, and some functionality overlaps.

     

    Some advantages to LANDESK EPS Buffer Overflow Protection:

      • Manageability & reporting through LDMS console.
      • Protection of all processes (not just Windows system processes)
      • Integration with EPS learn mode

     

    Buffer overflow protection can be turned off globally, or per application.   This may be necessary for programs that have known buffer overflow issues that don't imply security risks. 

     

    1. In the Windows console navigate to: Tools > Configuration > Agent Settings > 'Public agent settings' > 'Security'
    2. Open the Application control settings in which you want to enable this option
    3. Under the 'General Settings' tab, in the protection box, select 'Enable application behavior protection'
    4. Enable the 'Use Buffer overflow protection' option.
    5. Save.


     

     

    How to make a per-application exception to Buffer Overflow Protection

     

    Sometimes it may be necessary to turn on Buffer Overflow Protection globally, but make an exception for specific applications.   This may be necessary when some programs have known buffer overflows that are not considered a security threat.

     

    1. In the Windows console navigate to: Tools > Configuration > Agent Settings > 'Public agent settings' (or 'My Agent Settings') > 'Security' > 'Application File Lists'
    2. Open the Application file list that contains the application you wish to edit
    3. Double-click the file you wish to change to bring up the permission options
    4. Select the 'Bypass buffer overflow protection' option
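
Because Windows DEP by default covers only Windows system processes, it is useful to know whether DEP still applies to an application before exempting it from Buffer Overflow Protection. The Windows PowerShell script below is an added example, not LANDESK code: it reports the system-wide DEP policy and the DEP state of the named processes. The default process name `notepad` and the `Win32.Dep` type name are placeholders chosen for this example.

```powershell
# Added example (not LANDESK code): report the system-wide DEP policy and the
# per-process DEP state of the applications named in -ProcessName.
param([string[]]$ProcessName = @('notepad'))   # constructed sample target

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for all processes)'
    1 = 'AlwaysOn (DEP enabled for all processes)'
    2 = 'OptIn (Windows system components and services only)'
    3 = 'OptOut (all processes except an administrator-defined exception list)'
}
$os = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"Hardware DEP available : $($os.DataExecutionPrevention_Available)"
"System DEP policy      : $policy = $($policyNames[$policy])"

# GetProcessDEPPolicy (kernel32) is documented for 32-bit processes only.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(
    IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $flags = [uint32]0
    $permanent = $false
    try {
        # $p.Handle throws if the caller may not open the process.
        if (-not [Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
            $state = 'query failed (for example, a 64-bit process)'
        } elseif ($flags -band 1) {      # PROCESS_DEP_ENABLE
            $state = 'enabled'
        } else {
            $state = 'disabled'
        }
    } catch {
        $state = "no access: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Name = $p.ProcessName; Id = $p.Id; DEP = $state; Permanent = $permanent
    }
}
```

An application that shows `disabled` here and is also set to bypass Buffer Overflow Protection is covered by neither mechanism.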


     

    Note: At times, a conflict involving Buffer Overflow Protection can cause a blue screen error. If you are experiencing a blue screen error, try to determine whether this is a global issue or a per-application issue by turning off Buffer Overflow Protection and attempting to launch the application.

     

    If turning off Buffer Overflow Protection for the specific application does not work, turn it off globally in the EPS setting.

     

    If you are getting a Blue Screen Error even if Buffer Overflow Protection is turned off globally, please collect a Kernel Memory Dump and submit it to LANDESK Support as part of a support ticket.

     

    To collect a Kernel Memory Dump

     

    1. Right-click "My computer" and choose "Properties"

    2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"

    3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Kernel memory dump".

    4. Make note of the path that the MEMORY.DMP file will be saved to.

    5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.

    6. Name the .ZIP file <LANDESK Case #>-MemoryDump.zip and inform the support technician of the exact filename.