Naked Science Forum

Non Life Sciences => Geek Speak => Topic started by: paul.fr on 25/03/2009 21:08:21

Title: What is Data Execution Prevention?
Post by: paul.fr on 25/03/2009 21:08:21
When I turned my PC on tonight, it had a semi xp / windows classic mix! I rebooted and all looked fine except I got a Data Execution Prevention message:

Quote

Understanding Data Execution Prevention

Data Execution Prevention (DEP) helps prevent damage from viruses and other security threats that attack by running (executing) malicious code from memory locations that only Windows and other programs should use. This type of threat causes damage by taking over one or more memory locations in use by a program. Then it spreads and harms other programs, files, and even your e-mail contacts.

Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory safely. To do this, DEP software works alone or with compatible microprocessors to mark some memory locations as "non-executable". If a program tries to run code—malicious or not—from a protected location, DEP closes the program and notifies you.

DEP can take advantage of software and hardware support. To use DEP, your computer must be running Microsoft Windows XP Service Pack 2 (SP2) or later, or Windows Server 2003 Service Pack 1 or later. DEP software alone helps protect against certain types of malicious code attacks but to take full advantage of the protection that DEP can offer, your processor must support "execution protection". This is a hardware-based technology designed to mark memory locations as non-executable. If your processor does not support hardware-based DEP, it's a good idea to upgrade to a processor that offers execution protection features.

Is it safe to run a program again if DEP has closed it?

Yes, but only if you leave DEP turned on for that program. Windows can continue to detect attempts to execute code from protected memory locations and help prevent attacks. In cases where a program does not run correctly with DEP turned on, you can reduce security risks by getting a DEP-compatible version of the program from the software publisher. For more information about what to do after DEP closes a program, click Related Topics.

How can I tell if DEP is available on my computer?

1. To open System Properties, click Start, click Control Panel, click Performance and Maintenance, and then click System.
2. Click the Advanced tab and, under Performance, click Settings.
3. Click the Data Execution Prevention tab.

Note

By default, DEP is only turned on for essential Windows operating system programs and services. To help protect more programs with DEP, select Turn on DEP for all programs and services except those I select.

I guess somewhere there is a nasty bugger trying to do something with my PC, is that correct?
If yes, what should I use to search for it?

Many thanks...
Title: What is Data Execution Prevention?
Post by: LeeE on 25/03/2009 21:34:04
It could be something nasty going on.  As you can get on the net, try googling some of the key bits from the message and see if other people have had the same experience, which is likely.  That should help you figure out what to do, if anything needs doing.
Title: What is Data Execution Prevention?
Post by: DoctorBeaver on 25/03/2009 23:25:43
Have you got SpyBot S&D? That's pretty good at rooting out naughty adware & spyware stuff. And it's free.

You can get it HERE (http://spybot.search-destroy2009.com/index.asp?aff=103&camp=gg_spybot_uk&se=google)

Have you not got an anti-virus program? I would recommend Avast. I've never had any viruses since I started using it. You can download it free from HERE (http://www.snapfiles.com/Freeware/security/fwvirus.html). Just scroll down til you find it.
Title: What is Data Execution Prevention?
Post by: techmind on 26/03/2009 01:40:43
There could be something nasty going on, but another possibility is that there's just something above board happening which is "incompatible" with DEP.
Did the messages start after you'd knowingly installed something, or perhaps downloaded automatic software updates for Windows (Windows Update, Acrobat Reader (you should be on ver 9.1 by now), Adobe Flash etc. etc.)?
Title: What is Data Execution Prevention?
Post by: paul.fr on 26/03/2009 15:14:03
Cheers, Lee, will do.

Have you got SpyBot S&D? That's pretty good at rooting out naughty adware & spyware stuff. And it's free.

You can get it HERE (http://spybot.search-destroy2009.com/index.asp?aff=103&camp=gg_spybot_uk&se=google)

Have you not got an anti-virus program? I would recommend Avast. I've never had any viruses since I started using it. You can download it free from HERE (http://www.snapfiles.com/Freeware/security/fwvirus.html). Just scroll down til you find it.

I have them Eth, they found nothing!

There could be something nasty going on, but another possibility is that there's just something above board happening which is "incompatible" with DEP.
Did the messages start after you'd knowingly installed something, or perhaps downloaded automatic software updates for Windows (Windows Update, Acrobat Reader (you should be on ver 9.1 by now), Adobe Flash etc. etc.)?


Thanks, Andrew. The latest Windows update was...last week, and this was the first time the error has occurred...it has not occurred today!
Title: What is Data Execution Prevention?
Post by: nicephotog on 28/03/2009 02:04:31
Data "is held in memory location chunks called addresses".
The program instruction stack "is held in memory location chunks called addresses".
Note the similarity of the two sentences above.

DEP does not allow data addresses' chunks to be used by program instruction stack.

A program attempted to use locked out (DEP assigned) data space, possibly a virus or a piece of freeware that has a C/C++ program part that also bolts to an assembly written (as part of Assembly program or machine language code punching system e.g. TASM, MASM, PASM, unidentifiable program sub-program) section of program.

I suppose DEP did its job.
That's what happens if something does that, it terminates the program and clears the space of contents.
Title: What is Data Execution Prevention?
Post by: yor_on on 28/03/2009 14:02:56
DEP looks for what it sees as suspect code, that's not necessarily the same as a virus, it may just be that you installed a program using some, to DEP, unusual 'shortcuts' with its code. If you look at the "Data Execution Prevention tab" you will see the possibility to define what programs it should accept manually. This will get programs that you know are OK to work as 'exceptions' defined by you. I have had some problems with DEP and third party software before. It adheres to the 'Microsoft coding standard' for writing third party software as I understand it, not necessarily an 'open coding standard'. http://www.mydigitallife.info/2007/01/15/disable-and-turn-off-or-enable-or-turn-on-data-execution-prevention-dep-in-windows-vista/

---
Here is how you 'control' it in W-XP
http://support.microsoft.com/kb/875352

Title: What is Data Execution Prevention?
Post by: tsr on 31/03/2009 01:03:36
Yeah, what nicephotog and yor_on wrote seems correct to me.
The reason you even get an error screen is a new feature, which really isn't a bug (or so they thought). As nicephotog says, it asserts that in your computer's memory, data is separated from code.
There is a common type of security hole called memory leak. It originates from badly written code, and it's extremely hard for programmers to prevent from occurring in big projects. Basically, this security hole can leak data into the execution "area" of your memory. That's called a buffer overflow. If an attacker knows where exactly something leaks, he can have his own code leaked into the execution "area".
This type of attack used to be responsible for a big percentage of all security threats, and DEP is meant to prevent it.
With that in mind, Windows presents you with an error screen whenever it thinks that something has leaked. But in practice, Windows might
a) just be paranoid, because there are examples of legitimate transfers of data into the execution "area" (I think that's what yor_on meant), or
b) have encountered a real leak, but one that is not currently being abused by anyone

So... I have no additional advice to give. It just is like that, and understanding the background might enable you to decide what to do.
Title: What is Data Execution Prevention?
Post by: wolfekeeper on 31/03/2009 03:32:28
DEP can be triggered by bugs in perfectly legitimate programs sometimes, but you should assume the worst and run several different system scans just in case.
Title: What is Data Execution Prevention?
Post by: paul.fr on 31/03/2009 09:23:56
Thanks all. I have done several scans and nothing has been found! Saying that, DEP has not caused an issue since the initial one, my inclination is to wing it and hope it was a one off conflict somewhere..
Title: What is Data Execution Prevention?
Post by: wolfekeeper on 31/03/2009 14:57:38
It could well have been that the program was under attack at the time. If DEP caught it, and shut it down, then it should have prevented infection.
Title: What is Data Execution Prevention?
Post by: yor_on on 02/04/2009 00:02:18
DEP usually gets triggered when you are trying to install or just have installed and are going to use that program for the first time. If you want to see DEP as protecting your computer it's too late by then. You installing a program gives it administrative rights and 'access' to your system. If it is a 'root kit' it may create a rudimentary 'virtual' OS for your anti virus to see while it does its own thing, or it could do the opposite too.

As long as it can 'redirect' all services and filter those your Anti virus would get upset about it will be undiscovered. So by allowing it to start (installing) you have, in that case already corrupted your computer. To be honest I'm not really sure what DEP is seen to protect? If you have a root kit DEP probably won't notice in any way. If it is a virus then it's already there, in your computer and will probably write itself to all your executional code like *.exe *.com files, etc etc, not caring for what DEP will do or not :)
Title: What is Data Execution Prevention?
Post by: wolfekeeper on 02/04/2009 00:16:02
If you want to see DEP as protecting your computer it's too late by then. You installing a program gives it administrative rights and 'access' to your system.
...
To be honest I'm not really sure what DEP is seen to protect? If you have a root kit DEP probably won't notice in any way. If it is a virus then it's already there, in your computer and will probably write itself to all your executional code like *.exe *.com files, etc etc, not caring for what DEP will do or not :)

DEP is primarily intended to stop a program, such as a worm, getting a toe-hold in the first place via a network attack.

These attacks often work by a technique called a 'buffer overflow' which will often cause malicious data, supplied by the worm, to be executed. This is caught by DEP, and the program shut down without allowing the infection process to complete.

When DEP triggers, an infection is usually headed off. It does not deal with any existing infections, nor does it prevent viruses.
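
Added example, not part of the forum thread or any poster's code: the C program below uses the POSIX/Linux counterpart of DEP (a page mapped without execute permission, enforced by the same hardware no-execute feature) to show a call into a data page being stopped, and the same bytes running once the page is explicitly marked executable, which is what a DEP-compatible program has to do. The function name `run_from_data_page` and the single "return" instruction are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* A single "return" instruction: constructed sample bytes, harmless. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#endif

/* Call into a page that was filled as data, inside a child process.
 * mark_executable == 0: page stays read/write (how DEP/NX treats data).
 * mark_executable == 1: page is switched to read/execute first.
 * Returns the killing signal, 0 on a normal return, -1 on setup failure. */
int run_from_data_page(int mark_executable)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, RET_INSN, sizeof RET_INSN);
    if (mark_executable && mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return -1;
    }
    __builtin___clear_cache((char *)page, (char *)page + len);
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        ((void (*)(void))(uintptr_t)page)(); /* faults if page is not executable */
        _exit(0);
    }
    int waited = pid > 0 && waitpid(pid, &status, 0) == pid;
    munmap(page, len);
    if (!waited) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("read/write data page: child signal %d\n", run_from_data_page(0));
    printf("after read/execute:   child signal %d\n", run_from_data_page(1));
}
```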
Title: What is Data Execution Prevention?
Post by: tsr on 08/04/2009 04:35:28
To be honest I'm not really sure what DEP is seen to protect? If you have a root kit DEP probably won't notice in any way.

Exactly. DEP is not a general purpose anti-bad-thing-solution, and I think wolfekeeper put it nicely.
The Wikipedia page on buffer overflows might shed some light on what's going on in this very specific method of attack called buffer overflow (http://en.wikipedia.org/wiki/Buffer_Overflow#Executable_space_protection).