Product guide

Blocking Buffer Overflow Exploits
Buffer overflow protection prevents exploited buffer overflows from executing arbitrary code
on your computer. It monitors user-mode API calls and recognizes when they are called as a
result of a buffer overflow.
When a detection occurs, information is recorded in the activity log and displayed in the
On-Access Scan Messages dialog box if you configured those options to do so.
VirusScan Enterprise uses a Buffer Overflow and Access Protection DAT file to protect
approximately 20 applications, including Internet Explorer, Microsoft Outlook, Outlook Express,
Microsoft Word, and MSN Messenger.
Contents
How buffer overflow exploits are defined
Configuring buffer overflow protection
How buffer overflow exploits are defined
A buffer overflow exploit is an attack technique that exploits a software design defect in an
application or process to force it to execute code on the computer. Applications have fixed-size
buffers that hold data. If an attacker sends too much data or code into one of these buffers,
the buffer overflows. The computer then executes the code that overflowed as a program. Since
the code execution occurs in the security context of the application, which is often at a
highly privileged or administrative level, intruders gain access to execute commands not usually
accessible to them. An attacker can use this vulnerability to execute custom hacking code on
the computer and compromise its security and data integrity.
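The mechanism described above, as an added example that is not part of the product guide or of VirusScan Enterprise: a simulated stack frame in C in which a fixed-size buffer sits next to control data, with an unchecked copy beside its bounds-checked form. The frame layout, the function names and the 0xAA marker are constructed for illustration; the copy stays inside one array, so no real return address is touched.

```c
#include <stdio.h>
#include <string.h>

enum { BUF_SIZE = 16, SLOT_SIZE = 8, FRAME_SIZE = BUF_SIZE + SLOT_SIZE };

/* Simulated frame: bytes [0,16) are the data buffer, bytes [16,24) stand in
 * for the saved return address stored next to it. */
typedef struct { unsigned char mem[FRAME_SIZE]; } frame_t;

static void frame_init(frame_t *f) {
    memset(f->mem, 0, BUF_SIZE);
    memset(f->mem + BUF_SIZE, 0xAA, SLOT_SIZE);  /* constructed marker value */
}

/* Returns 1 if the control data next to the buffer is unchanged. */
static int control_intact(const frame_t *f) {
    for (int i = 0; i < SLOT_SIZE; i++)
        if (f->mem[BUF_SIZE + i] != 0xAA) return 0;
    return 1;
}

/* Defective pattern: trusts the caller's length. The clamp to FRAME_SIZE is
 * only there to keep this simulation inside its own array. */
static void copy_unchecked(frame_t *f, const unsigned char *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->mem, in, len);
}

/* Corrected pattern: input that does not fit the buffer is rejected. */
static int copy_checked(frame_t *f, const unsigned char *in, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(f->mem, in, len);
    return 0;
}

/* Returns 1 when the chosen routine leaves the control data intact after
 * copying len bytes of constructed input (repeated 'A'). */
int survives(int use_checked, size_t len) {
    unsigned char in[FRAME_SIZE];
    frame_t f;
    memset(in, 'A', sizeof in);
    frame_init(&f);
    if (use_checked) (void)copy_checked(&f, in, len);
    else copy_unchecked(&f, in, len);
    return control_intact(&f);
}

int main(void) {
    printf("unchecked 16B: %d, unchecked 24B: %d, checked 24B: %d\n",
           survives(0, 16), survives(0, 24), survives(1, 24));
    return 0;
}
```

Input that fits the buffer leaves the adjacent slot alone; one byte past the buffer already corrupts it with the unchecked copy, while the checked copy refuses the write.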
Configuring buffer overflow protection
To access the Buffer Overflow Protection properties:
From the ePolicy Orchestrator console, go to Systems | Policy Catalog and select
VirusScan Enterprise 8.7.0 in the Product list and Buffer Overflow Protection Policies
in the Category list.
From the VirusScan Console, open the Buffer Overflow Protection properties.
Configure the options on each tab. For option descriptions, click ? or Help on each tab.
McAfee VirusScan Enterprise 8.7i