Data Execution Prevention (DEP)

What does Data Execution Prevention do?

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform checks on memory to help protect against malicious code and viruses. In Windows XP SP2, DEP is enforced by both hardware and software.

Data Execution Prevention Exception Message Box

If an application or driver attempts to execute code from an area where it should not on a DEP-protected computer, Windows displays the following exception error:

Hardware-Enforced DEP

Hardware-enforced DEP marks all memory locations as non-executable (you cannot execute code in this portion of memory) unless the location explicitly contains executable code. There is a class of attacks that attempts to insert and execute code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and displaying the DEP message box.

Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. The actual hardware implementation of DEP varies by processor architecture. However, processors that support hardware-enforced DEP are capable of raising an exception when code is executed from a memory location where it should not be executed.

Both Advanced Micro Devices™ (AMD) and Intel® Corporation have defined and shipped Windows-compatible architectures that support DEP. Beginning with Windows XP Service Pack 2, the 32-bit version of Windows utilizes the no-execute page-protection (NX) processor feature as defined by AMD and the Execute Disable (XD) bit feature as defined by Intel. AMD also refers to this feature as “Enhanced Virus Protection.” To use these processor features, the processor must run in Physical Address Extension (PAE) mode. HP ships Windows XP with PAE enabled.
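As an added illustration (not part of HP's document), the C model below shows why the NX/XD feature depends on PAE mode: a legacy 32-bit page-table entry has no spare bit for an execute attribute, while the 64-bit PAE entry carries it in bit 63. The function names and sample entries are constructed for this example, and only the Present and NX bits are modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (added example): only the Present and NX bits are examined. */
#define PTE_PRESENT   (1ULL << 0)   /* bit 0: page is mapped */
#define PTE_NX        (1ULL << 63)  /* bit 63: no-execute (AMD NX / Intel XD) */
#define CPUID_EXT_NX  (1U << 20)    /* CPUID leaf 0x80000001, EDX bit 20 */

enum fetch_result { FETCH_OK, FAULT_NOT_PRESENT, FAULT_NX, FAULT_RESERVED };

/* Does the CPUID extended-feature EDX value advertise NX/XD support? */
int cpu_supports_nx(uint32_t cpuid_ext_edx) {
    return (cpuid_ext_edx & CPUID_EXT_NX) != 0;
}

/* Legacy 32-bit PTE: all 32 bits are taken, so there is no execute control.
   Any present page can be fetched from, stack and heap included. */
enum fetch_result fetch_legacy(uint32_t pte) {
    return (pte & PTE_PRESENT) ? FETCH_OK : FAULT_NOT_PRESENT;
}

/* PAE 64-bit PTE: bit 63 is honoured only when the OS has enabled NX
   (EFER.NXE = 1); otherwise bit 63 is reserved and must be zero. */
enum fetch_result fetch_pae(uint64_t pte, int nxe_enabled) {
    if (!(pte & PTE_PRESENT)) return FAULT_NOT_PRESENT;
    if (pte & PTE_NX) return nxe_enabled ? FAULT_NX : FAULT_RESERVED;
    return FETCH_OK;
}

int main(void) {
    /* Constructed sample entries, not taken from a real system. */
    uint64_t code_page  = 0x0000000012345000ULL | PTE_PRESENT;
    uint64_t stack_page = 0x0000000012346000ULL | PTE_PRESENT | PTE_NX;
    static const char *name[] = { "ok", "not-present fault",
                                  "NX fault", "reserved-bit fault" };
    printf("NX advertised:      %d\n", cpu_supports_nx(0x00100000u));
    /* Truncating to 32 bits drops bit 63, so the data page becomes executable. */
    printf("legacy stack fetch: %s\n", name[fetch_legacy((uint32_t)stack_page)]);
    printf("PAE code fetch:     %s\n", name[fetch_pae(code_page, 1)]);
    printf("PAE stack fetch:    %s\n", name[fetch_pae(stack_page, 1)]);
    printf("PAE stack, NXE off: %s\n", name[fetch_pae(stack_page, 0)]);
    return 0;
}
```

The `FAULT_NX` outcome corresponds to the processor exception that Windows surfaces as the DEP message box described above.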
