Windows 7 - Fine-Tuning Data Execution Prevention

Data Execution Prevention (DEP) is a memory protection technology. Your computer uses DEP to mark all memory locations used by applications as nonexecutable unless the location explicitly contains executable code. If an application attempts to execute code from a memory page marked as nonexecutable, the processor can raise an exception and prevent it from executing. This behavior is designed to thwart a malicious program, such as a virus, from inserting itself into areas of memory. By allowing only specific areas of memory to run executable code, DEP protects your computer from many types of self-replicating viruses.

You can implement DEP via hardware or software. Hardware-based DEP is more robust because you can extend it to any program or service running on the computer. Software-based DEP is less robust because it typically works best when protecting Windows programs and services.

Windows 32-bit versions support DEP as implemented originally by Advanced Micro Devices Inc. (AMD) processors that provide the no-execute page-protection (NX) processor feature. Such processors support the related instructions and must be running in Physical Address Extension (PAE) mode. Windows 64-bit versions also support the NX processor feature but do not need to be running in PAE mode. And 64-bit computers natively support very large memory configurations.

You can determine whether your computer hardware supports DEP by completing the following steps:
1. In the Control Panel, click the System and Security category heading link.

2. Click System. In the left pane under See Also, click Performance Information and Tools.

3. Under Tasks, click “Adjust visual effects.” This opens the Performance Options dialog box.

4. Click the Data Execution Prevention tab. The lower portion of this tab lists the DEP support available.

Once you’ve accessed the Data Execution Prevention tab, you can configure the way DEP works using these options:

Turn on DEP for essential Windows programs and services only
Enables DEP only for the operating system services, programs, and components. This is the default and recommended option for computers that support execution protection and are configured appropriately.

Turn on DEP for all programs except those I select
Enables DEP for the operating system, as well as all programs and services you are running.

Because some programs won’t work with or will become unstable with software-based DEP, you may find that you have to add exceptions when you enable DEP for all programs. Click Add to specify programs that should run without execution protection. In this way, execution protection will work for all programs except those you have listed.
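The same information the Data Execution Prevention tab shows can be read from the command line. The script below is an added example, not from the book or this post: it queries the Win32_OperatingSystem WMI class for the DEP state, maps the support policy onto the two dialog options, and lists the programs excluded via Add. The registry location of that exception list is an assumption on my part, not something the post states.

```powershell
# Added example (not from the book or the post). Run from an elevated Windows
# PowerShell prompt; Get-WmiObject is used so it works on Windows 7's PowerShell 2.0.

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy maps onto the dialog's radio buttons:
    #   2 = OptIn  : "Turn on DEP for essential Windows programs and services only" (default)
    #   3 = OptOut : "Turn on DEP for all programs except those I select"
    #   1 = AlwaysOn and 0 = AlwaysOff have no dialog equivalent (bcdedit /set nx ... only).
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available        # NX usable by Windows
        Applies32BitApps     = $os.DataExecutionPrevention_32BitApplications
        AppliesDrivers       = $os.DataExecutionPrevention_Drivers
        SupportPolicy        = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-DepExceptions {
    # ASSUMED location: programs added via the dialog's Add button are recorded as
    # AppCompat layer entries whose data contains DisableNXShowUI.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-ItemProperty -Path $key
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'DisableNXShowUI' } |
        ForEach-Object { $_.Name }
}

$status = Get-DepStatus
$status | Format-List HardwareDepAvailable, Applies32BitApps, AppliesDrivers, SupportPolicy

if (-not $status.HardwareDepAvailable) {
    Write-Warning 'Hardware (NX) DEP is not available on this machine; only software-based DEP applies.'
}
if ($status.SupportPolicy -eq 'OptOut') {
    # Every entry here is a program running without execution protection; review the list.
    $exceptions = @(Get-DepExceptions)
    if ($exceptions.Count -gt 0) { "Programs excluded from DEP:"; $exceptions }
    else { 'No DEP exceptions are configured.' }
}
```

A SupportPolicy of OptOut with a long exception list is the configuration to audit first, since each listed program runs with the protection switched off.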

Source of information: O'Reilly, Windows 7: The Definitive Guide
