Notification from DEP?

[Ray]

Is data execution protection supposed to notify me when it stops a

program from running? The only "notice" I get is that nothing happens

when I click a program's shortcut. Now that I've learned the signs (or

lack thereof) of DEP in action I know when to tell it to allow a

certain program, but it seems like it should let me know about the

problem.

--

Ray

(remove the Xs to reply)

 

[MowGreen [MVP]]

Why is Windows closing my program?

http://windowshelp.microsoft.com/Windows/e...ae63cf1033.mspx

<span style="color:blue">

> Windows might close a program and then notify you if it determines that the program is either a

> security risk or incompatible with this version of Windows.

> When Windows closes a program because of a security risk, it is because some programs might use

> your computer's random access memory (RAM) in a way that could be exploited by a virus and harm

> your computer. Data Execution Prevention (DEP), a security feature of Windows, tracks how

> programs use memory. If DEP finds memory being used incorrectly, DEP will close the program and

> let you know. If you trust the program, you can add it to an exceptions list so that DEP won't

> close it, but you should first check with the manufacturer of the program to see if there is an

> updated, DEP-compatible version available.</span>

<snip>

Have the programs been added to the DEP exception list ? According to

the above one should be

notified if one hasn't added them to the exception list.

MowGreen [MVP 2003-2008]

===============

-343- FDNY

Never Forgotten

===============

Ray wrote:

<span style="color:blue">

> Is data execution protection supposed to notify me when it stops a

> program from running? The only "notice" I get is that nothing happens

> when I click a program's shortcut. Now that I've learned the signs (or

> lack thereof) of DEP in action I know when to tell it to allow a

> certain program, but it seems like it should let me know about the

> problem.

> </span>

 

[JohnDavid]

For what it's worth, I've experienced inconsistent responses from DEP.

Sometimes a msg box states that DEP has prevented a program from running, yet

other times it happens as you described -- the exe doesn't run and nothing

displays to alert me to that fact. I've also learned to add them to the

exception list. The obvious danger with the latter is that we are

cicrcumventing the protection that DEP is supposed to be providing.

"Ray" wrote:

<span style="color:blue">

> Is data execution protection supposed to notify me when it stops a

> program from running? The only "notice" I get is that nothing happens

> when I click a program's shortcut. Now that I've learned the signs (or

> lack thereof) of DEP in action I know when to tell it to allow a

> certain program, but it seems like it should let me know about the

> problem.

>

> --

> Ray

> (remove the Xs to reply)

> </span>

 

[DevilsPGD]

In message <2EF9F2FB-EA19-4514-A301-EEE62BB85F27@microsoft.com>

JohnDavid <JohnDavid@discussions.microsoft.com> wrote:

<span style="color:blue">

>For what it's worth, I've experienced inconsistent responses from DEP.

>Sometimes a msg box states that DEP has prevented a program from running, yet

>other times it happens as you described -- the exe doesn't run and nothing

>displays to alert me to that fact. I've also learned to add them to the

>exception list. The obvious danger with the latter is that we are

>cicrcumventing the protection that DEP is supposed to be providing.</span>

The other interesting thing about DEP is that the exception list isn't

fully effective, one of the software components I support fails to run

under DEP. In the majority of cases, adding the executable to the DEP

exclusion list does the trick, but in a non-trivial number of cases, the

software still crashes randomly, without notice. Setting DEP to

AlwaysOff in boot.ini resolves the issue.

The problem only occurs on hardware which supports NX, the pure-software

DEP appears to exclude properly in all cases.

 

[JohnDavid]

Yes, I've also experienced the (sometimes) ineffectiveness of the exclusion

list. I've wondered (but not researched) how DEP is trying to perform its

function: does it simply exclude the entered EXE; does it try to relate the

entered EXE to other components of the application; is the exclude feature

failing or is DEP invoked for a related EXE in the app or even for code

executed out of a DLL run by some other process.

Since my encounters with DEP are only in the home environment, my approach

has been that if I can't get the app past DEP after a few tweaks (of what to

exclude), then I just don't run the app -- luckily, no software I've paid

for so far.

"DevilsPGD" wrote:

<span style="color:blue">

> In message <2EF9F2FB-EA19-4514-A301-EEE62BB85F27@microsoft.com>

> JohnDavid <JohnDavid@discussions.microsoft.com> wrote:

> <span style="color:green">

> >For what it's worth, I've experienced inconsistent responses from DEP.

> >Sometimes a msg box states that DEP has prevented a program from running, yet

> >other times it happens as you described -- the exe doesn't run and nothing

> >displays to alert me to that fact. I've also learned to add them to the

> >exception list. The obvious danger with the latter is that we are

> >cicrcumventing the protection that DEP is supposed to be providing.</span>

>

> The other interesting thing about DEP is that the exception list isn't

> fully effective, one of the software components I support fails to run

> under DEP. In the majority of cases, adding the executable to the DEP

> exclusion list does the trick, but in a non-trivial number of cases, the

> software still crashes randomly, without notice. Setting DEP to

> AlwaysOff in boot.ini resolves the issue.

>

> The problem only occurs on hardware which supports NX, the pure-software

> DEP appears to exclude properly in all cases.

> </span>

 

[Ray]

"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote:

<span style="color:blue">

> Why is Windows closing my program?

> http://windowshelp.microsoft.com/Windows/e...e93886b9-292f-4

> 2e2-8702-512e67ae63cf1033.mspx

> <span style="color:green">

>> Windows might close a program and then notify you if it

>> determines that the program is either a security risk or

>> incompatible with this version of Windows. When Windows closes a

>> program because of a security risk, it is because some programs

>> might use your computer's random access memory (RAM) in a way

>> that could be exploited by a virus and harm your computer. Data

>> Execution Prevention (DEP), a security feature of Windows, tracks

>> how programs use memory. If DEP finds memory being used

>> incorrectly, DEP will close the program and let you know. If you

>> trust the program, you can add it to an exceptions list so that

>> DEP won't close it, but you should first check with the

>> manufacturer of the program to see if there is an updated,

>> DEP-compatible version available. </span>

> <snip>

>

> Have the programs been added to the DEP exception list ? According

> to the above one should be

> notified if one hasn't added them to the exception list.</span>

No, they haven't been added to the list, which is why they don't run.

But DEP has never notified me when it has stopped a program.

Fortunately I learned early on that if a program doesn't do anything

when I click its icon, then DEP is stopping it. Once the program is

added to the exception list, it works fine.

--

Ray

(remove the Xs to reply)

 

[Ray]

<JohnDavid@discussions.microsoft.com> wrote:

<span style="color:blue">

> For what it's worth, I've experienced inconsistent responses from

> DEP. Sometimes a msg box states that DEP has prevented a program

> from running, yet other times it happens as you described -- the

> exe doesn't run and nothing displays to alert me to that fact.

> I've also learned to add them to the exception list. The obvious

> danger with the latter is that we are cicrcumventing the

> protection that DEP is supposed to be providing. </span>

True, but in my case the programs I've had problems with are ones I've

used for years in earlier versions of Windows, so security isn't an

issue.

--

Ray

(remove the Xs to reply)

 

[DevilsPGD]

In message <C0BC5232-15B6-48D0-84EF-56D036D54B48@microsoft.com>

JohnDavid <JohnDavid@discussions.microsoft.com> wrote:

<span style="color:blue">

>Yes, I've also experienced the (sometimes) ineffectiveness of the exclusion

>list. I've wondered (but not researched) how DEP is trying to perform its

>function: does it simply exclude the entered EXE; does it try to relate the

>entered EXE to other components of the application; is the exclude feature

>failing or is DEP invoked for a related EXE in the app or even for code

>executed out of a DLL run by some other process.</span>

I've tried adding DLLs to the exclusion list too, without any success.

However, that may or may not be supported, or even possible.

<span style="color:blue">

>Since my encounters with DEP are only in the home environment, my approach

>has been that if I can't get the app past DEP after a few tweaks (of what to

>exclude), then I just don't run the app -- luckily, no software I've paid

>for so far.</span>

On my desktop, I tend to agree. However, we've got some fairly large

server packages where this isn't an option.

The software is mainly written in C++, but has a built-in AV feature (AV

definitions can actually contain scriptlets or even executable code in

some cases), plus some third party components in compiled PERL, none of

which is especially DEP friendly right now.

However, the vendor has a pretty strong security track record, both in

terms of overall vulnerabilities discovered, and rate of patching, so

the lack of DEP doesn't stress me much.