Thwarting Exploits with DEP

Thwarting malware attacks that exploit software vulnerabilities is the most important element of automatic updates. But Windows 7 offers a second way of thwarting such attacks. It's called Data Execution Prevention (DEP). You don't want to use DEP as an alternative to other techniques. Rather, you want to use it in addition to other techniques.

To give you a little background, many malware attacks use a technique called buffer overflow (or buffer overrun) to sneak code (program instructions) into areas of memory that only the operating system (Windows) should be using. Those areas of memory have direct access to everything on your computer. So any bad code that sneaks into that area can do great damage.

Data Execution Prevention is a security antidote to such attacks. It monitors programs to make sure they use only safe and appropriate memory locations. If DEP notices a program trying to do anything sneaky, it shuts that program down before it can do any harm.

By default, DEP is enabled for essential Windows programs and services only. When coupled with antivirus protection, that setting is usually adequate. You can crank it up to monitor all programs and services. But if you do, you might also have to individually choose programs that are allowed to bypass DEP.

To get to options for DEP, first open the System window using whichever technique is most convenient:

  • Click the Start button, right-click Computer, and choose Properties.
  • Press the Windows key, type sys, and click System under the Programs heading.

Regardless of the method used, you end up in the System window. In the left column, click Advanced System Settings. That takes you to the System Properties dialog box. In System Properties, click the Advanced tab, click the Settings button under the Performance heading, and then click the Data Execution Prevention tab.

By default, the option to apply DEP to essential Windows programs and services only is selected. For stronger protection, you can turn on DEP for all programs and services. If you choose that option, DEP may sometimes shut down a program to prevent it from running.

Note: Many modern processors offer NX technologies, which prevent buffer overflows at the hardware level. When that's the case, Windows supports that hardware-based DEP. For processors that don't have hardware DEP, Windows uses DEP software to achieve the same result.

If DEP does shut down a program you need, you have a couple of choices. One is to contact the program manufacturer to find out whether there's a version of the program that runs under DEP. Otherwise, if you trust the program, you can add it to the list of programs that are allowed to bypass DEP. To accomplish that, you need to click the Add button and then navigate to and double-click the executable file (typically, such a file has the extension .exe) that DEP is shutting down.
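The same settings can be audited from PowerShell without opening the dialog box. The script below is an added example, not part of the original tutorial: it reads the DEP properties of the Win32_OperatingSystem WMI class and lists the programs that have been allowed to bypass DEP. The function names Get-DepStatus and Get-DepExemption are made up for this example, and the script makes no changes to the system.

```powershell
# Added example: read-only audit of the DEP configuration described above.
# Get-WmiObject is used so the script also runs on the PowerShell 2.0
# that ships with Windows 7.

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy values and what they mean
    $policyNames = @{
        0 = 'AlwaysOff (DEP disabled for all processes)'
        1 = 'AlwaysOn (DEP for all processes, no exceptions)'
        2 = 'OptIn (essential Windows programs and services only; the default)'
        3 = 'OptOut (all programs and services except those you select)'
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $policyNames[$policy]
        AppliesTo32BitApps   = $os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers     = $os.DataExecutionPrevention_Drivers
    }
}

function Get-DepExemption {
    # Programs added with the Add button are recorded here, with the
    # DisableNXShowUI flag as the value data and the .exe path as the value name.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $key)) { return }

    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if ("$($item.GetValue($name))" -match 'DisableNXShowUI') { $name }
    }
}

Get-DepStatus | Format-List

$exempt = @(Get-DepExemption)
if ($exempt.Count -eq 0) {
    'No programs are exempted from DEP.'
} else {
    'Programs allowed to bypass DEP (confirm each one is trusted and still needed):'
    $exempt
}
```

Run it from an elevated prompt so the registry key can be read on every system, and review the exemption list periodically: each entry is a program running without DEP protection.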