About Exploit Prevention
August 3, 2023
Kaspersky Industrial CyberSecurity for Nodes provides the ability to protect process memory from exploits. This feature is implemented in the Exploit Prevention component. You can change the component's activity status and configure process memory protection settings.
The component protects process memory from exploits by inserting an external Process Protection Agent (“Protection Agent”) in the protected process.
A Process Protection Agent is a dynamically loaded Kaspersky Industrial CyberSecurity for Nodes module that is inserted in protected processes to monitor their integrity and reduce the risk of being exploited.
The Agent's operation within the protected process requires starting and stopping the process: the initial loading of the Agent into a process added to the protected process list is only possible if the process is restarted. Additionally, after a process has been removed from the protected process list, the Agent can be unloaded only after the process has been restarted.
The Agent must be stopped to unload it from protected processes: if the Exploit Prevention component is uninstalled, the application freezes the environment and forces the Agent to be unloaded from protected processes. If during uninstallation of the component Agent is inserted in any of the protected processes, you must terminate the affected process. A protected device restart may be required (for example, if system process is being protected).
If evidence of an exploit attack in a protected process is detected, Kaspersky Industrial CyberSecurity for Nodes performs one of the following actions:
- Terminates the process if an exploit attempt is made.
- Reports the fact that the process has been compromised.
You can stop process protection using one of the following methods:
- Uninstalling the component.
- Removing the process from the list of protected processes and restarting the process.
Kaspersky Security Exploit Prevention Service
The Kaspersky Security Exploit Prevention Service is required on the protected device in order for the Exploit Prevention component to be most effective. This service and the Exploit Prevention component are part of the recommended installation. During installation of the service on the protected device, the kavfswh process is created and started. This communicates information about protected processes from the component to the Protection Agent.
After the Kaspersky Security Exploit Prevention Service is stopped, Kaspersky Industrial CyberSecurity for Nodes continues to protect processes added to the protected process list, is also loaded in newly-added processes, and applies all available exploit prevention techniques to protect process memory.
If your device is running the Windows 10 operating system or later, the application will not continue to protect processes and process memory after the Kaspersky Security Exploit Prevention Service is stopped.
If the Kaspersky Security Exploit Prevention Service is stopped, the application will not receive information about events occurring with protected processes (including information about exploit attacks and the termination of processes). Furthermore, the Agent will not be able to receive information about new protection settings and the addition of new processes to the protected process list.
Exploit Prevention mode
You can select one of the following modes to configure actions taken to reduce risks that vulnerabilities will be exploited in protected processes:
- Terminate on exploit: apply this mode to terminate a process when an exploit attempt is made.
Upon detecting an attempt to exploit a vulnerability in a protected critical operating system process, Kaspersky Industrial CyberSecurity for Nodes does not terminate the process, regardless of the mode indicated in the Exploit Prevention component settings.
- Notify only: apply this mode to receive information about instances of exploits in protected processes using events in the Security log.
If this mode is selected, Kaspersky Industrial CyberSecurity for Nodes creates events to log all attempts to exploit vulnerabilities. Selected by default.