Automatic Exploit Prevention (AEP), part of Kaspersky Lab's multi-layered, next-generation protection, specifically targets malware that takes advantage of software vulnerabilities. It was designed to add a further layer of protection for the most frequently targeted programs and technologies. AEP provides an efficient and non-intrusive way to detect and block both known and unknown exploits, and it is an integral part of Kaspersky Lab's behavior-based detection capabilities.

Exploit "kill chains" consist of multiple stages. For example, web-based exploits often rely on drive-by download attacks. Infection starts when a victim visits a compromised website injected with malicious JavaScript. After multiple checks (for instance of the browser version and the installed plugins), the victim is finally redirected to a landing page hosting a Flash, Silverlight, Java or web browser exploit. For Microsoft Office or Adobe Reader vulnerabilities, on the other hand, the initial infection vector is typically a phishing email carrying a malicious attachment.

After the initial delivery stage, the attacker exploits one or more software vulnerabilities to take control of the process's execution flow and moves on to the exploitation stage. Because of the operating system's built-in security mitigations (such as DEP and ASLR), directly running arbitrary code is often not possible, so the attacker must first bypass them. Successful exploitation leads to shellcode execution, where the attacker's arbitrary code starts to run, and finally to execution of the payload. The payload can be downloaded as a file, or loaded and executed directly from memory without ever being written to disk.

No matter how the initial steps are performed, the ultimate goal of the attacker is to launch the payload and start the malicious activity. Launching another application or a new execution thread is suspicious in itself, and especially so when the application in question is not known to need such functionality. Automatic Exploit Prevention monitors these actions and pauses the application's execution flow, applying additional analysis to check whether the attempted action is legitimate. The program's activity before the suspicious launch (changes to particular memory areas, and the memory region from which the launch attempt originates) is used to determine whether the action was made by an exploit. In addition, AEP applies a number of security mitigations that address the most common techniques used in exploits, including DLL hijacking, reflective DLL injection, heap-spray allocation and stack pivoting. These additional behavioral indicators, provided by the execution-tracking mechanism of the System Watcher component, allow the technology to block payload execution with confidence.
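As an added illustration of the launch-time check described above (example code written for this page, not Kaspersky's own implementation, which is not public), the script below takes a paused process-launch event from a protected application together with the launching thread's call stack, stack pointer and memory map, and derives the kinds of indicators the paragraph mentions: a stack pointer outside the thread's real stack (stack pivot), return addresses in memory not backed by a loaded image (shellcode or a reflectively loaded DLL), many RWX private regions (heap spray), and a child executable the application is not expected to start. The region layout, addresses, process names and the EXPECTED_CHILDREN allow-list are all constructed assumptions.

```python
"""Added example (not Kaspersky code): an AEP-style check that decides whether a
process-launch attempt from a protected application looks like the work of an
exploit.  All events, addresses and region layouts below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Region:
    """One mapping in the launching process, as a memory walker would report it."""
    start: int
    end: int
    perms: str      # e.g. "r-x", "rw-", "rwx"
    backing: str    # "image:<module>", "heap", "stack" or "private"


@dataclass
class LaunchEvent:
    """A paused process/thread-launch attempt plus the context around it."""
    process: str            # protected application performing the launch
    child: str              # executable it is trying to start
    call_stack: List[int]   # return addresses leading to the launch call
    stack_pointer: int
    stack_limit: int        # lowest valid stack address for this thread
    stack_base: int         # highest valid stack address for this thread
    regions: List[Region]


# Hypothetical allow-list (an assumption): child executables each protected
# application is known to launch legitimately.  Anything else is unexpected.
EXPECTED_CHILDREN = {
    "winword.exe": {"splwow64.exe"},
    "acrord32.exe": {"acrocef.exe"},
    "iexplore.exe": {"iexplore.exe"},
}


def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    """Locate the mapping that contains addr, or None if it is unmapped."""
    for r in regions:
        if r.start <= addr < r.end:
            return r
    return None


def analyze(ev: LaunchEvent) -> List[str]:
    """Return the behavioural indicators found; an empty list means 'legitimate'."""
    indicators: List[str] = []

    # Stack pivot: a ROP chain usually moves the stack pointer into the heap or
    # another attacker-controlled buffer, outside the thread's real stack.
    if not (ev.stack_limit <= ev.stack_pointer < ev.stack_base):
        indicators.append("stack_pivot")

    # Origin of the launch: every frame that led here should live in a loaded,
    # executable image.  Code running from heap, private or unmapped memory is
    # shellcode or a reflectively loaded DLL.
    for ra in ev.call_stack:
        reg = find_region(ev.regions, ra)
        if reg is None:
            indicators.append(f"return_to_unmapped:{ra:#x}")
        elif not reg.backing.startswith("image:"):
            indicators.append(f"code_outside_image:{reg.backing}")
        elif "x" not in reg.perms:
            indicators.append(f"non_executable_image_page:{reg.backing}")

    # Memory shaped like a heap spray: many private RWX mappings of the same size.
    rwx = [r for r in ev.regions if r.perms == "rwx" and r.backing == "private"]
    if len(rwx) >= 3:
        indicators.append(f"rwx_private_regions:{len(rwx)}")

    # Launching something the application has no business starting.
    if ev.child.lower() not in EXPECTED_CHILDREN.get(ev.process.lower(), set()):
        indicators.append(f"unexpected_child:{ev.child}")

    return indicators


def verdict(ev: LaunchEvent) -> str:
    """Block when the launch has an exploit-like origin.  An unexpected child
    on its own is reported but is not enough to block by itself."""
    strong = [i for i in analyze(ev) if not i.startswith("unexpected_child")]
    return "block" if strong else "allow"


# --- constructed sample data ---------------------------------------------------
WORD_REGIONS = [
    Region(0x7FF6_1000_0000, 0x7FF6_1010_0000, "r-x", "image:winword.exe"),
    Region(0x7FF9_0000_0000, 0x7FF9_0020_0000, "r-x", "image:kernel32.dll"),
    Region(0x0000_0100_0000, 0x0000_0120_0000, "rw-", "heap"),
    Region(0x0000_00D0_0000, 0x0000_00E0_0000, "rw-", "stack"),
]
STACK_LIMIT, STACK_BASE = 0x00D0_0000, 0x00E0_0000

# Legitimate: Word starting its print helper from code inside loaded images.
BENIGN = LaunchEvent(
    process="winword.exe", child="splwow64.exe",
    call_stack=[0x7FF9_0000_1234, 0x7FF6_1000_5678],
    stack_pointer=0x00DF_0000, stack_limit=STACK_LIMIT, stack_base=STACK_BASE,
    regions=WORD_REGIONS,
)

# Exploit: eight sprayed RWX blocks, a pivoted stack pointer sitting in the
# heap, and a return address inside the sprayed memory, ending in cmd.exe.
SPRAYED = WORD_REGIONS + [
    Region(0x0C0C_0000 + i * 0x10_0000, 0x0C0C_0000 + (i + 1) * 0x10_0000,
           "rwx", "private")
    for i in range(8)
]
MALICIOUS = LaunchEvent(
    process="winword.exe", child="cmd.exe",
    call_stack=[0x7FF9_0000_1234, 0x0C0C_0C0C],
    stack_pointer=0x0100_1000, stack_limit=STACK_LIMIT, stack_base=STACK_BASE,
    regions=SPRAYED,
)

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, verdict(ev), analyze(ev))
```

The checks are deliberately ordered from cheapest to most expensive, and the verdict keys on memory-origin evidence rather than on the child name alone, so a legitimately unusual child launch is logged but not blocked, while a launch whose call stack passes through non-image memory is blocked whatever the child is. A real implementation would read the stack bounds and the memory map from the paused thread itself rather than from an event record.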

Related Products

US 8990934 B2: Automated protection against computer exploits

US 9336390 B2: Selective assessment of maliciousness of software code executed in the address space of a trusted...

US 9407648 B1: System and method for detecting malicious code in random access memory

BlackOasis APT and new targeted attacks leveraging zero-day exploit

The mysterious case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day

Blocking NetTraveler: our answer to sophisticated cyber-espionage

Corking the Bottleneck: How To Block an Exploit

Automatic Exploit Prevention Technology

Independent Benchmark Results

  • Real World Enterprise Security Exploit Prevention Test (November 2016)

  • Product Comparative Real-World Protection Test Focus on Exploit and In-The-Wild Malware (April 2016)

  • Real World Enterprise Security Exploit Prevention Test (April 2015)

  • Real World Enterprise Security Exploit Prevention Test (February 2014)
