Working with Memory Injection Policies

Memory Injection Policies protect against external code being injected into, and executed within, an authorized process (code that the process itself was never authorized to load). These policies are created, assigned, enabled and disabled in the same way as other Application Control policies.

With Memory Injection Policies, it is important to remember that some files legitimately execute external code within an authorized process, so a new policy can generate false positives. If that happens you can disable or unassign the relevant policy, change its Enforcement option to Audit only, or create a policy exception for the file, and then enable or reassign the policy to restore protection against memory injection attacks. In practice it is safest to run a new policy in Audit only mode first, review the logged events to find the files that legitimately inject into other processes, and add exceptions for those before switching to Enforce. Keep exceptions as narrow as possible: an exception for a folder applies to everything beneath it, and an Exclude from policy exception removes the file from monitoring entirely, so prefer a fully qualified file path and the log-only exception type where they are sufficient.

Creating a Memory Injection Policy

A Memory Injection policy protects the running processes on an endpoint from memory injection attacks. It is created using the Memory Injection Policy wizard.

  1. Select Manage > Memory Protection Policies.
    The Application Control Policies page opens at the Memory Protection tab.
    Although Memory Protection Policies is a separate menu item from Application Control Policies, the feature is part of Application Control.
  2. Click Create.
    The Memory Injection Policy wizard opens.
  3. Type a Policy Name for the new Memory Injection policy.
    Give the policy a descriptive name. For example, if the policy applies to a group of endpoints used by Product Managers, you could name it Product Management - Memory Policy.
  4. Select an Enforcement option.

    Enforce - Stop a process when memory injection is detected

    Stops any process on any assigned endpoint when memory injection is detected, unless the relevant file or application is specified as an exception.

    Audit only - Do not stop a process when memory injection is discovered

    Does not stop the process, but logs the event. Analyze the logs to determine which files or applications legitimately use memory injection, then add them as exceptions before switching the policy to Enforce.

  5. Select a Logging option. The Logging option available depends on the Enforcement option selected in the previous step.

    Enforce option selected

    The Logging check box is selected by default but can be deselected if logging is not required. Note that with logging deselected, detected injections leave no event to investigate and the log-only exception type has no effect.

    Audit only option selected

    The Logging check box is selected and disabled, which means that logging is mandatory.

  6. Select an option under Activation.

    Enable

    The policy is enabled as soon as it is created, provided you assign it to a group or endpoint.

    Disable

    The policy is disabled once created, even if it is assigned to a group or endpoint. You can enable it later.

  7. Click Next.
    The Memory Injection Policy Wizard opens to the Policy Exceptions page.
    If you click Finish at this point, the policy is created but not assigned to any endpoints. You can assign the policy to endpoints later.
  8. [Optional] Create one or more policy exceptions to prevent file processes from being stopped.
    1. Enter the path or filename.
      • Ensure paths end with a backslash (\), otherwise they are interpreted as filenames.
      • A path's files and folders are excepted recursively, so enter the narrowest path that covers the legitimate file rather than a broad or user-writable folder.
      • Paths and filenames are not case-sensitive.
      • To except a specific file, use the fully qualified path, e.g. C:\folder\subfolder\file.exe.
    2. Select the exception option.

      Log memory injection events, but do not stop process from running

      If a memory injection event occurs, it is logged but the process is not stopped. Note that logging must be turned on for this option to record anything.

      Exclude from policy

      The file is not monitored for memory injection.

    3. Click Add.
      The file name is displayed in the exception list.
    4. [Optional] Repeat the previous steps to add all required paths or files.
  9. Click Next.
    The Memory Injection Policy Wizard opens to the Assign the Memory Injection Policy to groups and/or endpoints page.
    If you click Finish at this point, the policy is created but not assigned to any endpoints. You can assign the policy to endpoints later.
  10. Build a list of targets (groups or endpoints) for the policy, using any of the following methods:

    To add groups of endpoints:

    1. Select a group or groups from the Groups list.
    2. Click Add >.

    To add individual endpoints:

    1. Select an endpoint or endpoints from the Endpoints list.
    2. Click Add >.

    To remove groups of endpoints:

    1. Select a group or groups from the Assigned list.
    2. Click < Remove.

    To remove individual endpoints:

    1. Select an endpoint or endpoints from the Assigned list.
    2. Click < Remove.

    Use the double-arrow buttons to switch between the Groups and Endpoints lists.

    The selected groups and/or endpoints are displayed in the Assigned list.

  11. Click Finish.
    The Memory Injection policy is created and assigned to the selected groups or endpoints. The new policy is displayed on the Memory Protection tab.
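The Enforcement, Logging and exception settings above interact in ways that are easy to get wrong when reviewing a policy (a folder entry without its trailing backslash silently becomes a filename; a log-only exception records nothing if Logging was deselected). The following Python model is an added example, not the product's code and not an implementation the page describes. It encodes only the rules stated above: folder exceptions end in a backslash and apply recursively, matching is case-insensitive, file exceptions are fully qualified paths, Exclude from policy stops monitoring, the log-only exception logs without stopping, and Audit only never stops a process and always logs. One rule is an assumption because the page does not state it: when several exceptions match a process, the longest (most specific) pattern wins. The class and function names, and the sample paths, are constructed for the example.

```python
"""Model of how a Memory Injection policy's Enforcement, Logging and
exception settings combine when an injection is detected in a process.

Added example; not the product's own code. Assumption not stated on the
page: when several exceptions match, the longest pattern wins."""

from dataclasses import dataclass, field
from enum import Enum
import ntpath  # Windows path semantics regardless of the host OS


class Enforcement(Enum):
    ENFORCE = "Enforce"        # stop the process when injection is detected
    AUDIT_ONLY = "Audit only"  # never stop, always log


class ExceptionKind(Enum):
    LOG_ONLY = "Log memory injection events, but do not stop process from running"
    EXCLUDE = "Exclude from policy"


@dataclass(frozen=True)
class PolicyException:
    pattern: str  # 'C:\\folder\\' (folder, recursive) or 'C:\\folder\\file.exe'
    kind: ExceptionKind

    @property
    def is_folder(self) -> bool:
        # Page rule: a trailing backslash makes the entry a folder, otherwise a filename.
        return self.pattern.endswith("\\")

    def matches(self, image_path: str) -> bool:
        # normcase lower-cases and normalises separators: matching is case-insensitive.
        pat, path = ntpath.normcase(self.pattern), ntpath.normcase(image_path)
        return path.startswith(pat) if self.is_folder else path == pat


@dataclass(frozen=True)
class Decision:
    stop: bool
    log: bool
    reason: str


@dataclass
class MemoryInjectionPolicy:
    name: str
    enforcement: Enforcement
    logging: bool = True
    enabled: bool = True
    exceptions: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.enforcement is Enforcement.AUDIT_ONLY:
            self.logging = True  # Logging check box is selected and disabled in Audit only

    def evaluate(self, image_path: str) -> Decision:
        """Decide what happens when injection is detected in image_path."""
        if not self.enabled:
            return Decision(False, False, "policy disabled")
        hits = [e for e in self.exceptions if e.matches(image_path)]
        if hits:
            best = max(hits, key=lambda e: len(e.pattern))  # assumption: most specific wins
            if best.kind is ExceptionKind.EXCLUDE:
                return Decision(False, False, f"excluded by {best.pattern}")
            # Log-only exception: never stops, logs only if Logging is on.
            return Decision(False, self.logging, f"log-only exception {best.pattern}")
        if self.enforcement is Enforcement.AUDIT_ONLY:
            return Decision(False, True, "audit only")
        return Decision(True, self.logging, "enforced")


def is_fully_qualified(pattern: str) -> bool:
    """True for 'C:\\...' or '\\\\server\\share\\...' style entries."""
    drive, rest = ntpath.splitdrive(pattern)
    return bool(drive) and rest.startswith("\\")


def lint_exceptions(policy: MemoryInjectionPolicy) -> list:
    """Flag exception entries a reviewer should question before enabling Enforce."""
    warnings = []
    for e in policy.exceptions:
        if not is_fully_qualified(e.pattern):
            warnings.append(f"{e.pattern!r}: not a fully qualified path")
        elif e.is_folder and ntpath.splitdrive(e.pattern)[1] == "\\":
            warnings.append(f"{e.pattern!r}: whole drive excepted recursively")
        if e.is_folder and e.kind is ExceptionKind.EXCLUDE:
            warnings.append(f"{e.pattern!r}: entire folder unmonitored; prefer a file path or log-only")
    return warnings


if __name__ == "__main__":
    # Constructed sample policy: a vendor folder is excluded, but its updater is log-only.
    policy = MemoryInjectionPolicy("Product Management - Memory Policy", Enforcement.ENFORCE, exceptions=[
        PolicyException("C:\\Program Files\\Vendor\\", ExceptionKind.EXCLUDE),
        PolicyException("c:\\program files\\vendor\\updater.exe", ExceptionKind.LOG_ONLY),
    ])
    for image in ("C:\\Windows\\System32\\notepad.exe",
                  "C:\\Program Files\\Vendor\\bin\\tool.exe",
                  "C:\\PROGRAM FILES\\Vendor\\UPDATER.EXE"):
        print(image, policy.evaluate(image))
    print(lint_exceptions(policy))
```

Running the model against a proposed exception list before assigning the policy is a cheap way to confirm that each entry does what the reviewer expects, in particular that folder entries carry their trailing backslash and that no entry silently covers a whole drive.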

Assigning a Memory Injection Policy

You can select a Memory Injection policy and assign it to endpoints and/or groups of endpoints.

  1. Select Manage > Memory Protection Policies.
  2. Select a Memory Injection policy.
    The selected policy is highlighted.
  3. Click Assign.
    The Memory Injection Policy dialog is displayed.
  4. Build a list of targets (groups or endpoints) for the policy, using any of the following methods:

    To add groups of endpoints:

    1. Select a group or groups from the Groups list.
    2. Click Add >.

    To add individual endpoints:

    1. Select an endpoint or endpoints from the Endpoints list.
    2. Click Add >.

    To remove groups of endpoints:

    1. Select a group or groups from the Assigned list.
    2. Click < Remove.

    To remove individual endpoints:

    1. Select an endpoint or endpoints from the Assigned list.
    2. Click < Remove.

    Use the double-arrow buttons to switch between the Groups and Endpoints lists.

    The selected groups and/or endpoints are displayed in the Assigned list.

  5. Click OK.
    The Memory Injection policy is assigned to the selected endpoints and/or groups of endpoints.

Assigning a Memory Injection Policy to a Group

You can assign a Memory Injection policy to a selected group of endpoints using the Assign Policy dialog.

The Assign Policy dialog is also used to assign a Memory Injection policy to a selected endpoint. See Assigning a Memory Injection Policy to an Endpoint if you are assigning the policy to an endpoint.

  1. Select Manage > Groups.
    The Groups page is displayed.
  2. Select a group from the Browser tree.
  3. From the View list, select Application Control Policies.
    The Application Control policies for the selected group are displayed.
    Inherited policies cannot be selected; for these the Source column reads Inherited.
  4. From the toolbar, select Assign > Memory Injection Policies.
    The Assign Policy dialog is displayed, listing existing Memory Injection policies.
  5. Select one or more Memory Injection policies.
    If multiple Memory Injection policies are assigned to a group, their settings may conflict. See Multiple Policy Resultant Value Rules for how these conflicts are resolved.
  6. Click OK.
    The selected Memory Injection policies are assigned to the group.

Assigning a Memory Injection Policy to an Endpoint

You can assign a Memory Injection policy to a selected endpoint.

  1. Select Manage > Endpoints.
    The Endpoints page opens to the All tab.
  2. In the Endpoint Name column, click an endpoint link.
    Detailed information for the selected endpoint is displayed.
  3. Select the Application Control Policies tab.
    A list of Application Control policies assigned to the endpoint is displayed.
  4. From the toolbar, select Assign > Memory Injection Policies.
    The Assign Policy dialog is displayed, listing existing Memory Injection policies.
  5. Select one or more Memory Injection policies.
    If multiple Memory Injection policies are assigned to an endpoint, their settings may conflict. See Multiple Policy Resultant Value Rules for how these conflicts are resolved.
  6. Click OK.
    The selected Memory Injection policies are assigned to the endpoint.

Unassigning a Memory Injection Policy

You can unassign a Memory Injection policy, removing the association between it and any endpoints. Policies that are no longer assigned to an endpoint remain in the system as unassigned policies, which you can re-assign to endpoints at a later time.

  1. Select Manage > Memory Protection Policies.
  2. Select one or more Memory Injection policies.
    The selected policies are highlighted.
  3. Click Unassign.
    A confirmation dialog is displayed; its wording depends on whether you selected a single policy or multiple policies.
  4. Click Yes.
    The selected Memory Injection policies are unassigned.

Editing a Memory Injection Policy

You can edit a Memory Injection policy and, for example, change its Enforcement option or the endpoints to which the policy is assigned.

  1. Select Manage > Memory Protection Policies.
  2. Select the Memory Injection policy to be edited.
    The selected policy is highlighted. You can only edit one policy at a time.
  3. Click Edit.
    The Memory Injection Policy Wizard opens.
  4. [Optional] Edit the Policy Name.
  5. [Optional] Select an Enforcement option.

    Enforce - Stop a process when memory injection is detected

    Stops any process on any assigned endpoint when memory injection is detected, unless the relevant file or application is specified as an exception.

    Audit only - Do not stop a process when memory injection is discovered

    Does not stop the process, but logs the event. Analyze the logs to determine which files or applications legitimately use memory injection, then add them as exceptions before switching the policy to Enforce.

  6. [Optional] Select a Logging option. The Logging option available depends on the Enforcement option selected in the previous step.

    Enforce option selected

    The Logging check box is selected by default but can be deselected if logging is not required.

    Audit only option selected

    The Logging check box is selected and disabled, which means that logging is mandatory.

  7. Select an option under Activation.

    Enable

    The policy is enabled as soon as it is saved, provided it is assigned to a group or endpoint.

    Disable

    The policy is disabled once saved, even if it is assigned to a group or endpoint. You can enable it later.

  8. Click Next.
    The Memory Injection Policy Wizard opens to the Policy Exceptions page.
    If you click Finish at this point, the policy is saved; you can change its assignments later.
  9. [Optional] Create one or more policy exceptions to prevent file processes from being stopped.
    1. Enter the path or filename, following the path rules given under Creating a Memory Injection Policy (a folder path must end with a backslash and applies recursively; a file must be given as a fully qualified path; matching is not case-sensitive).
    2. Select the exception option.

      Log memory injection events, but do not stop process from running

      If a memory injection event occurs, it is logged but the process is not stopped. Note that logging must be turned on for this option to record anything.

      Exclude from policy

      The file is not monitored for memory injection.

    3. Click Add.
      The file name is displayed in the exception list.
    4. [Optional] Repeat the previous steps to add all required paths or files.
  10. [Optional] Remove a policy exception.
    1. Select a policy exception from the exception list.
    2. Click Remove.
  11. [Optional] Edit a policy exception.
    1. Select a policy exception from the exception list.
    2. Click Edit.
      The form is loaded with the path/file name and the Exception option of the selected policy exception.
    3. Change the path/file name or the Exception option.
  12. Click Next.
    The Memory Injection Policy Wizard opens to the Assign the Memory Injection Policy to groups and/or endpoints page.
  13. Build a list of targets (groups or endpoints) for the policy, using any of the following methods:

    To add groups of endpoints:

    1. Select a group or groups from the Groups list.
    2. Click Add >.

    To add individual endpoints:

    1. Select an endpoint or endpoints from the Endpoints list.
    2. Click Add >.

    To remove groups of endpoints:

    1. Select a group or groups from the Assigned list.
    2. Click < Remove.

    To remove individual endpoints:

    1. Select an endpoint or endpoints from the Assigned list.
    2. Click < Remove.

    Use the double-arrow buttons to switch between the Groups and Endpoints lists.

    The selected groups and/or endpoints are displayed in the Assigned list.

  14. Click Finish.
    The changes to the Memory Injection policy are saved.

Disabling a Memory Injection Policy

You can disable Memory Injection policies without deleting them. The details of the policies are retained and you can enable the policies at a later time.

  1. Select Manage > Memory Protection Policies.
  2. Select the enabled Memory Injection policies that you want to disable.
    The selected policies are highlighted.
  3. Click Disable.
    The selected Memory Injection policies are disabled.

Enabling a Memory Injection Policy

You can enable Memory Injection policies that are currently disabled.

  1. Select Manage > Memory Protection Policies.
  2. Select the disabled Memory Injection policy or policies that you want to enable.
    The selected policies are highlighted.
  3. Click Enable.
    The selected Memory Injection policies are enabled.

Deleting a Memory Injection Policy

You can delete a Memory Injection policy, as long as it is not assigned to any endpoint.

  1. Select Manage > Memory Protection Policies.
  2. Select the Memory Injection policy you want to delete, ensuring it is not assigned to an endpoint (Assigned column value of Not Assigned).
    The selected policy is highlighted.
  3. Click Delete.
    A confirmation dialog is displayed. If the policy is currently in use, a message is displayed instead, telling you that the policy cannot be deleted until it has been unassigned.
  4. Click Yes.
    The Memory Injection policy is deleted.

Exporting Memory Injection Policies

You can export a list of policies to a CSV (Comma Separated Value) file. To export data, refer to Exporting Data.

The list of policies is saved as a CSV file with the following columns:

Status - Enabled or Disabled.

Policy Name - The name of the policy.

Assigned - Assigned or Not Assigned. If the policy is assigned, the export includes the groups and endpoints that it is assigned to.

Policy Type - The type of policy (Easy Lockdown, Trusted Updater, and so on).

Last Updated Date (Server) - The date and time (on the server) that the policy was last changed.