Reference Guide
Security Management Server v10.2.7 AdminHelp
213
Process Injection: Remote DYLD Injection (Mac OS X only)
Default: Alert
Values: Ignore, Alert, Block, Terminate
Specify the action to take when a remote DYLD injection threat is detected.
Ignore - No action is taken against identified memory violations.
Alert - Record the violation and report the incident to the Dell Server.
Block - Block the process call if an application attempts a memory violation. The application that made the call is allowed to continue to run.
Terminate - Block the process call if an application attempts a memory violation, and terminate the application that made the call.
DYLD Injection - An environment variable (DYLD_INSERT_LIBRARIES) has been set to cause a shared library to be loaded into a launched process. Attackers can modify the plist of an application such as Safari, or replace the application's executable with a bash script, so that their modules are loaded automatically whenever the application starts.
The DYLD Injection policy applies to macOS clients only; it does not apply to Windows clients.
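As an added example (not part of this guide and not the product's own detection logic), the following Python checks for two of the artifacts described above: an application plist that presets DYLD_INSERT_LIBRARIES, and an application executable that has been replaced with a shell script. The plist contents, file headers and paths are constructed for the example; the LSEnvironment and EnvironmentVariables keys and the Mach-O magic numbers are the real ones used by macOS.

```python
import plistlib
from typing import Dict, List

# Plist keys under which a process's environment can be preset on macOS:
# LSEnvironment in an app bundle's Info.plist, EnvironmentVariables in a launchd job plist.
ENV_KEYS = ("LSEnvironment", "EnvironmentVariables")

# Mach-O magic numbers as they appear on disk (little-endian 32/64-bit, big-endian fat header).
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe": "mach-o 32-bit",
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit",
    b"\xca\xfe\xba\xbe": "mach-o fat/universal",
}


def find_dyld_injection(plist_bytes: bytes) -> List[Dict[str, str]]:
    """Return one finding per DYLD_* variable preset in the plist's environment keys."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    for key in ENV_KEYS:
        env = plist.get(key)
        if not isinstance(env, dict):
            continue
        for name, value in env.items():
            if name.startswith("DYLD_"):
                findings.append({
                    "key": key,
                    "variable": name,
                    "value": str(value),
                    # DYLD_INSERT_LIBRARIES loads an arbitrary dylib into the process;
                    # other DYLD_* overrides redirect where dyld searches for libraries.
                    "severity": "high" if name == "DYLD_INSERT_LIBRARIES" else "medium",
                })
    return findings


def classify_executable(header: bytes) -> str:
    """Classify the first bytes of a bundle's main executable."""
    if header.startswith(b"#!"):
        return "script"  # CFBundleExecutable is a shell script, not a Mach-O binary
    return MACHO_MAGICS.get(header[:4], "unknown")


# Constructed sample: an Info.plist whose LSEnvironment injects a dylib (hypothetical path).
MALICIOUS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>Safari</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Users/Shared/.cache/inject.dylib</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample: a clean Info.plist with no environment block.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>Safari</string>
</dict>
</plist>
"""

# Constructed sample headers: a shell script standing in for an app binary, and the first
# 16 bytes of a 64-bit Mach-O (real magic number, arbitrary bytes after it).
SCRIPT_HEADER = b"#!/bin/bash\nexec /Users/Shared/.cache/loader\n"
MACHO64_HEADER = b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x00\x02\x00\x00\x00"

if __name__ == "__main__":
    for f in find_dyld_injection(MALICIOUS_INFO_PLIST):
        print(f"{f['severity']}: {f['key']}.{f['variable']} = {f['value']}")
    print("clean plist findings:", find_dyld_injection(CLEAN_INFO_PLIST))
    print("script header:", classify_executable(SCRIPT_HEADER))
    print("mach-o header:", classify_executable(MACHO64_HEADER))
```

A plist that presets any DYLD_* variable for a signed, hardened-runtime application is worth a look regardless of the variable, which is why the scan flags the whole family and only raises DYLD_INSERT_LIBRARIES to high severity.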
Escalation: LSASS Read
Default: Alert
Values: Ignore, Alert, Block, Terminate
Specify the action to take when an LSASS read threat is detected.
Ignore - No action is taken against identified memory violations.
Alert - Record the violation and report the incident to the Dell Server.
Block - Block the process call if an application attempts a memory violation. The application that made the call is allowed to continue to run.
Terminate - Block the process call if an application attempts a memory violation, and terminate the application that made the call.
LSASS Read - Memory belonging to the Windows Local Security Authority Subsystem Service process (lsass.exe) has been accessed in a manner that indicates an attempt to obtain users' passwords.
The LSASS Read policy applies to Windows clients only; it does not apply to Mac clients.
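As an added example (not the guide's text and not the product's own detection logic), the Python below applies the same idea to host telemetry: it parses constructed Sysmon Event ID 10 (ProcessAccess) records and flags any handle to lsass.exe whose GrantedAccess mask includes PROCESS_VM_READ (0x0010), the right a caller needs to read credential material out of the process. The one-line event rendering, the image paths and the sample access masks are constructed for the example; the access-right constants are the Win32 values.

```python
import re
from typing import Dict, List, Sequence

# Win32 process access rights (bit flags) as they appear in a Sysmon GrantedAccess mask.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010

_FIELD = re.compile(r"(\w+)=([^|]*)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' rendering of a Sysmon event (constructed format)."""
    return dict(_FIELD.findall(line))


def describe_access(mask: int) -> List[str]:
    """Name the individual rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def is_lsass_read(event: Dict[str, str]) -> bool:
    """True for a ProcessAccess event that opened lsass.exe with memory-read rights.

    Query-only opens (0x0400, 0x1000) are what Task Manager-style tooling asks for
    and are not flagged on their own; PROCESS_VM_READ is what a credential dumper needs.
    """
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def detect_lsass_reads(lines: Sequence[str],
                       allowed_sources: Sequence[str] = ()) -> List[Dict[str, object]]:
    """Return a finding per LSASS memory read, skipping a baseline of allowed source images."""
    allowed = {s.lower() for s in allowed_sources}
    findings = []
    for line in lines:
        event = parse_event(line)
        if not is_lsass_read(event):
            continue
        source = event.get("SourceImage", "")
        if source.lower() in allowed:
            continue
        findings.append({
            "SourceImage": source,
            "GrantedAccess": event["GrantedAccess"],
            "Rights": describe_access(int(event["GrantedAccess"], 16)),
        })
    return findings


# Constructed sample telemetry (not real logs): Sysmon Event ID 10 records flattened to
# one line each. Process names and paths are illustrative. CallTrace is omitted because
# Sysmon separates its frames with '|', which this simple rendering uses as a delimiter.
SAMPLE_EVENTS = r"""
EventID=10|SourceImage=C:\Tools\procdump64.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF
EventID=10|SourceImage=C:\Users\Public\mm.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010
EventID=10|SourceImage=C:\Windows\system32\taskmgr.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1000
EventID=10|SourceImage=C:\Users\Public\mm.exe|TargetImage=C:\Windows\system32\svchost.exe|GrantedAccess=0x1010
EventID=1|Image=C:\Users\Public\mm.exe|CommandLine=mm.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in detect_lsass_reads(SAMPLE_EVENTS):
        print(f"LSASS read by {f['SourceImage']} ({f['GrantedAccess']}): {', '.join(f['Rights'])}")
```

The allowlist is there because legitimate security agents and some system processes do open lsass.exe with read rights; tune it from a known-good baseline rather than from a vendor list, and review it as part of the same change process as this policy.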
Escalation: Zero Allocate
Default: Alert
Values: Ignore, Alert, Block, Terminate
Specify the action to take when a zero byte allocation threat is detected.
Ignore - No action is taken against identified memory violations.
Alert - Record the violation and report the incident to the Dell Server.
Block - Block the process call if an application attempts a memory violation. The application that made the call is allowed to continue to run.
Terminate - Block the process call if an application attempts a memory violation, and terminate the application that made the call.
Zero Allocate - The null page (the page at virtual address zero) has been allocated. This region is normally left unmapped, but in certain circumstances it can be allocated. Attackers use this to set up privilege escalation: a known null-pointer dereference, typically in the kernel, then reads or executes attacker-controlled data placed at address zero instead of faulting.
The Zero Allocate policy applies to both Windows and macOS clients.
Execution Control
Prevent Service Shutdown from Device
Default: Not Selected
Values: Selected, Not Selected
If selected, the Advanced Threat Prevention service is protected from being shut down, either manually or by another process.