WORKFLOW
Figure – Memory Exploit Protection Workflow
- Create Host Profile – Create a Host Profile with “Memory Exploit Protection” enabled. Refer to the Create Profile section for more information.
- Attacker Process Terminated – When Protect mode is enabled, the attacker process is terminated as soon as an attack is detected.
- Incident Reported – In both Protect and Detect modes, whenever an attack is detected an incident of type Memory Integrity is generated. Navigate to Monitor > Incidents in the left navigation pane to view the incident. A sample is depicted below.
- Add to Exclusion List (Optional) – If a particular process does not need monitoring, it can be added to the Exclusion list using the link on the incident. The complete file name must be added to the Exclusion list, and the match is case-sensitive.
  NOTE: Regex-based exclusions are not currently supported for Linux.
  - Click Add to Exclusions on the incident.
  - Select whether the entry should be appended to the Profile or Global Exclusion List. Click LAUNCH EXCLUSION LIST.
  - The values are pre-populated. Click SAVE.
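Because an exclusion only takes effect when the entry is the complete file name with exactly matching case (and regex patterns are not honoured on Linux), it is worth checking candidate entries against those rules before saving them. The following is an added example, not code from the product or this document: the process paths are constructed sample values and the helper names are hypothetical.

```python
import posixpath

# Constructed sample: full executable paths seen in Memory Integrity incidents
# on a Linux host. Illustrative values only, not taken from any real incident.
OBSERVED_PROCESSES = [
    "/usr/bin/python3",
    "/opt/app/bin/Worker",
    "/usr/lib/jvm/bin/java",
]

# Characters that only make sense in a regex or glob. Such an entry never matches
# a file name literally, and regex exclusions are not supported on Linux anyway.
REGEX_METACHARS = set("*+?^$[](){}|\\")


def check_exclusion(entry, observed=OBSERVED_PROCESSES):
    """Classify one candidate exclusion entry (hypothetical helper).

    Returns one of: "match", "regex-unsupported", "basename-only",
    "case-mismatch", "no-match".
    """
    if any(ch in REGEX_METACHARS for ch in entry):
        return "regex-unsupported"
    if entry in observed:                      # exact, case-sensitive match
        return "match"
    # Only the final path component was given; the complete file name is required.
    if "/" not in entry and entry in {posixpath.basename(p) for p in observed}:
        return "basename-only"
    # Same path except for letter case: the exclusion would silently never apply.
    if entry.lower() in {p.lower() for p in observed}:
        return "case-mismatch"
    return "no-match"


def check_exclusions(entries, observed=OBSERVED_PROCESSES):
    """Map each candidate entry to its classification."""
    return {e: check_exclusion(e, observed) for e in entries}


if __name__ == "__main__":
    candidates = ["/usr/bin/python3", "/usr/bin/Python3", "Worker",
                  "/opt/app/bin/*", "/sbin/init"]
    for entry, status in check_exclusions(candidates).items():
        print(f"{entry:20s} -> {status}")
```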