Kaspersky Security for Windows Server provides the ability to protect process memory from exploits. This feature is implemented in the Exploit Prevention component. You can change the component's activity status and configure process memory protection settings.
The component protects process memory from exploits by inserting an external Process Protection Agent (“Agent”) in the protected process.
A Process Protection Agent is a dynamically loaded Kaspersky Security for Windows Server module that is inserted in protected processes to monitor their integrity and reduce the risk of being exploited.
The Agent's operation within the protected process requires starting and stopping the process: the initial loading of the Agent into a process added to the protected process list is only possible if the process is restarted. Additionally, after a process has been removed from the protected process list, the Agent can be unloaded only after the process has been restarted.
The Agent must be stopped to unload it from protected processes: if the Exploit Prevention component is uninstalled, the application freezes the environment and forces the Agent to be unloaded from protected processes. If during uninstallation of the component Agent is inserted in any of the protected processes, you must terminate the affected process. A protected device restart may be required (for example, if system process is being protected).
If evidence of an exploit attack in a protected process is detected, Kaspersky Security for Windows Server performs one of the following actions:
You can stop process protection using one of the following methods:
Kaspersky Security Exploit Prevention Service
The Kaspersky Security Exploit Prevention Service is required on the protected device in order for the Exploit Prevention component to be most effective. This service and the Exploit Prevention component are part of the recommended installation. During installation of the service on the protected device, the kavfswh process is created and started. This communicates information about protected processes from the component to the Security Agent.
After the Kaspersky Security Exploit Prevention Service is stopped, Kaspersky Security for Windows Server continues to protect processes added to the protected process list, is also loaded in newly-added processes, and applies all available exploit prevention techniques to protect process memory.
If your device is running the Windows 10 operating system or later, the application will not continue to protect processes and process memory after the Kaspersky Security Exploit Prevention Service is stopped.
If the Kaspersky Security Exploit Prevention Service is stopped, the application will not receive information about events occurring with protected processes (including information about exploit attacks and the termination of processes). Furthermore, the Agent will not be able to receive information about new protection settings and the addition of new processes to the protected process list.
Exploit Prevention mode
You can select one of the following modes to configure actions taken to reduce risks that vulnerabilities will be exploited in protected processes:
Upon detecting an attempt to exploit a vulnerability in a protected critical operating system process, Kaspersky Security for Windows Server does not terminate the process, regardless of the mode indicated in the Exploit Prevention component settings.
If this mode is selected, Kaspersky Security for Windows Server creates events to log all attempts to exploit vulnerabilities.