#1
Data Execution Prevention (DEP)
[Win 7 Pro SP1 64-bit with I7-4930K CPU]
Several years ago it was difficult to use the DEP capability provided by modern hardware because both older programs and the OS played silly tricks to save a microsecond here and there. I, like most of you I presume, only turned on DEP capability for OS functions. My question is what is recommended for today given that I'm no longer running all those old 95, 98, and XP programs that I thought I couldn't live without? Is it now standard to turn DEP on for everything? It's been years since I've seen any discussion of this topic and I'd like to get caught up.

-- Jeff Barnett
#2
On Sun, 14 Oct 2018 00:04:14 -0600, Jeff Barnett wrote:
> [Win 7 Pro SP1 64-bit with I7-4930K CPU]
> Several years ago it was difficult to use the DEP capability provided by modern hardware because both older programs and the OS played silly tricks to save a microsecond here and there. I, like most of you I presume, only turned on DEP capability for OS functions. My question is what is recommended for today given that I'm no longer running all those old 95, 98, and XP programs that I thought I couldn't live without? Is it now standard to turn DEP on for everything? It's been years since I've seen any discussion of this topic and I'd like to get caught up.

Considering that nowadays software puts more effort into cool looks, I doubt they even care about compatibility with DEP - even if the applications are system tools which require administrator privileges.

However, I'd recommend configuring DEP for all programs. If any program is not compatible with DEP, then the program shouldn't be in the system. The exception is when they're old programs (i.e. not DEP aware), a non system tool, or if they're truly indispensable.

DEP is an important protection and should be enabled for any program which requires administrator privileges. Especially if they're popular programs, because they tend to be targeted by malware.
#3
On 14/10/2018 07:04, Jeff Barnett wrote:
> [Win 7 Pro SP1 64-bit with I7-4930K CPU]
> Several years ago it was difficult to use the DEP capability provided by modern hardware because both older programs and the OS played silly tricks to save a microsecond here and there. I, like most of you I presume, only turned on DEP capability for OS functions. My question is what is recommended for today given that I'm no longer running all those old 95, 98, and XP programs that I thought I couldn't live without? Is it now standard to turn DEP on for everything? It's been years since I've seen any discussion of this topic and I'd like to get caught up.

I run many different programs old and new on my Windows 7 systems. I think there has been only one program I ever found that needed to run with DEP switched off. (Part of an old version of Maxima (a computer algebra system)).

-- Brian Gregory (in England).
#4
"Jeff Barnett" wrote
| Several years ago it was difficult to use the DEP capability provided by
| modern hardware because both older programs and the OS played silly
| tricks to save a microsecond here and there. I, like most of you I
| presume, only turned on DEP capability for OS functions. My question is
| what is recommended for today given that I'm no longer running all those
| old 95, 98, and XP programs that I thought I couldn't live without?
|

You say you no longer use those programs, so what does it matter? In that case, why not enable DEP globally? If you decide to use one of the mentioned programs then why not just exempt it? DEP doesn't have to be set all or nothing.

On the one hand, software should have dealt with DEP a long time ago. I wrote some DEP-ignoring software at one time based on code from Matthew Curland, a top Microsoft programmer. He'd written that code before DEP. It wasn't silly. It was very clever stuff. But it conflicted when DEP was instituted. I had to change that code more than 10 years ago.

On the other hand, DEP addresses a very minor security issue that's likely to be relevant *maybe* in rare cases with browsers. It's about running executable code from RAM assigned for data storage. Anything that's already running on your computer can already execute, so DEP is for avoiding things like buffer overrun bugs in browsers. And any malware attacks that depend on DEP being disabled are not going to work very well. You could turn it off except for software that goes online.

Personally I've had DEP disabled for years. But I'm also very careful online. I don't see any reason not to enable it globally if it doesn't cause problems. Why not? For good measure if nothing else. I just don't think it matters much one way or the other. Do what works.

I assume it's already enabled in Win7 and you're not having any problems. So why worry about it? The only problem I can think of would be if you installed something non-DEP-aware and it kept crashing. I'm not sure you'd be able to figure out that the problem was DEP. I don't think it would ever occur to me.
#5
Jeff Barnett wrote:
> [Win 7 Pro SP1 64-bit with I7-4930K CPU]
> Several years ago it was difficult to use the DEP capability provided by modern hardware because both older programs and the OS played silly tricks to save a microsecond here and there. I, like most of you I presume, only turned on DEP capability for OS functions. My question is what is recommended for today given that I'm no longer running all those old 95, 98, and XP programs that I thought I couldn't live without? Is it now standard to turn DEP on for everything? It's been years since I've seen any discussion of this topic and I'd like to get caught up.

You could use EMET. It went out of support in July of this year. It comes with a user manual and a few "standard" profiles.

https://support.microsoft.com/en-ca/...rience-toolkit

"The security mitigation technologies that EMET uses have an application-compatibility risk. Some applications rely on exactly the behavior that the mitigations block."

The age of the software isn't the only determinant. There are modern software products where the company making the software suggests turning DEP off for it.

I had DEP turned on for a time here, in WinXP, and I started getting random applications tripping it. I think that might have been my memory problem on this machine that was doing it (memory since replaced).

Paul
#6
Brian Gregory wrote on 10/14/2018 7:24 AM:
> On 14/10/2018 07:04, Jeff Barnett wrote:
>> [Win 7 Pro SP1 64-bit with I7-4930K CPU]
>> Several years ago it was difficult to use the DEP capability provided by modern hardware because both older programs and the OS played silly tricks to save a microsecond here and there. I, like most of you I presume, only turned on DEP capability for OS functions. My question is what is recommended for today given that I'm no longer running all those old 95, 98, and XP programs that I thought I couldn't live without? Is it now standard to turn DEP on for everything? It's been years since I've seen any discussion of this topic and I'd like to get caught up.
>
> I run many different programs old and new on my Windows 7 systems. I think there has been only one program I ever found that needed to run with DEP switched off. (Part of an old version of Maxima (a computer algebra system)).

Interesting: I have Maxima on my computer and the disk and code for Macsyma too. I haven't used either in years.

-- Jeff Barnett
#7
On 14/10/2018 18:19, Jeff Barnett wrote:
> Brian Gregory wrote on 10/14/2018 7:24 AM:
>> On 14/10/2018 07:04, Jeff Barnett wrote:
>>> [Win 7 Pro SP1 64-bit with I7-4930K CPU]
>>> Several years ago it was difficult to use the DEP capability provided by modern hardware because both older programs and the OS played silly tricks to save a microsecond here and there. I, like most of you I presume, only turned on DEP capability for OS functions. My question is what is recommended for today given that I'm no longer running all those old 95, 98, and XP programs that I thought I couldn't live without? Is it now standard to turn DEP on for everything? It's been years since I've seen any discussion of this topic and I'd like to get caught up.
>>
>> I run many different programs old and new on my Windows 7 systems. I think there has been only one program I ever found that needed to run with DEP switched off. (Part of an old version of Maxima (a computer algebra system)).
>
> Interesting: I have Maxima on my computer and the disk and code for Macsyma too. I haven't used either in years.

As far as I remember it was one of the Lisp interpreters or executors or something that was a problem, probably sbcl.exe. The version I have installed at the moment has, I think, a 64 bit version of the same thing and is okay with DEP on.

I disapprove of the very latest Maxima versions that seem to need write access to their program directory. The people that port it to Windows obviously want to do the absolute minimum amount of work and don't care about how Windows software is supposed to work.

-- Brian Gregory (in England).
#8
On 14/10/2018 14:57, Mayayana wrote:
> "Jeff Barnett" wrote
> | Several years ago it was difficult to use the DEP capability provided by
> | modern hardware because both older programs and the OS played silly
> | tricks to save a microsecond here and there. I, like most of you I
> | presume, only turned on DEP capability for OS functions. My question is
> | what is recommended for today given that I'm no longer running all those
> | old 95, 98, and XP programs that I thought I couldn't live without?
> |
>
> You say you no longer use those programs, so what does it matter? In that case, why not enable DEP globally? If you decide to use one of the mentioned programs then why not just exempt it? DEP doesn't have to be set all or nothing.
>
> On the one hand, software should have dealt with DEP a long time ago. I wrote some DEP-ignoring software at one time based on code from Matthew Curland, a top Microsoft programmer. He'd written that code before DEP. It wasn't silly. It was very clever stuff. But it conflicted when DEP was instituted. I had to change that code more than 10 years ago.
>
> On the other hand, DEP addresses a very minor security issue that's likely to be relevant *maybe* in rare cases with browsers. It's about running executable code from RAM assigned for data storage. Anything that's already running on your computer can already execute, so DEP is for avoiding things like buffer overrun bugs in browsers. And any malware attacks that depend on DEP being disabled are not going to work very well. You could turn it off except for software that goes online.
>
> Personally I've had DEP disabled for years. But I'm also very careful online. I don't see any reason not to enable it globally if it doesn't cause problems. Why not? For good measure if nothing else. I just don't think it matters much one way or the other. Do what works.
>
> I assume it's already enabled in Win7 and you're not having any problems. So why worry about it? The only problem I can think of would be if you installed something non-DEP-aware and it kept crashing. I'm not sure you'd be able to figure out that the problem was DEP. I don't think it would ever occur to me.

I disagree that DEP addresses a minor security issue.

Without DEP many buffer overflow exploits are trivial to exploit compared with the situation with DEP where things get tricky, especially when there is also ASLR and the like to make successful exploit of buffer overflow even harder. But disable DEP and ASLR becomes largely irrelevant and the exploit is easy again.

-- Brian Gregory (in England).
#9
"Brian Gregory" wrote
| I disagree that DEP addresses a minor security issue.
|
| Without DEP many buffer overflow exploits are trivial to exploit

Yes. Which is what I said. So if you allow script in your browser routinely you could be at slight risk. If you allow iframes and cross-site scripting you're at more risk. If you don't block major ad servers the risk is still higher. Enabling DEP for your browser would be a good idea and shouldn't have any down side.

But why would you need it enabled for other software? Anything running on your computer is already allowed to execute without needing to exploit a vulnerability. So why not only enable DEP for your browser, and maybe your email program, if you're worried about it?

I'm just trying to put it in perspective. Risks have contexts.
#10
Mayayana wrote on 10/14/2018 3:14 PM:
> "Brian Gregory" wrote
> | I disagree that DEP addresses a minor security issue.
> |
> | Without DEP many buffer overflow exploits are trivial to exploit
>
> Yes. Which is what I said. So if you allow script in your browser routinely you could be at slight risk. If you allow iframes and cross-site scripting you're at more risk. If you don't block major ad servers the risk is still higher. Enabling DEP for your browser would be a good idea and shouldn't have any down side.
>
> But why would you need it enabled for other software? Anything running on your computer is already allowed to execute without needing to exploit a vulnerability. So why not only enable DEP for your browser, and maybe your email program, if you're worried about it?
>
> I'm just trying to put it in perspective. Risks have contexts.

I believe that if DEP is enabled you may opt out various programs but there is no way to turn it off except for programs opted in.

-- Jeff Barnett
#11
On 14/10/2018 22:45, Jeff Barnett wrote:
> I believe that if DEP is enabled you may opt out various programs but there is no way to turn it off except for programs opted in.

Correct (on Windows 7 anyway, I don't know about 8.x & 10). Unless you install something extra (like EMET ?) to give you more control.

-- Brian Gregory (in England).
#12
On 14/10/2018 22:14, Mayayana wrote:
> But why would you need [ DEP ] enabled for other software?

Why would you not want it enabled if it doesn't cause any problem?

-- Brian Gregory (in England).
#13
"Jeff Barnett" wrote
| I believe that if DEP is enabled you may opt out various programs but
| there is no way to turn it off except for programs opted in.

https://4sysops.com/archives/how-to-...revention-dep/

You can turn it completely off if you want to. But why not just use OptOut and then make exceptions for anything that could be an issue? Just don't opt out your browser. That way you get maximum protection without compatibility hassles. You get better protection than Win7 is giving you by default. The only down side is that you'll have to keep track of existing and new software that might have problems.

The default for Win7 is as you said -- on for system processes. I would think if you're going to bother with it at all you should have protection for your browser. They're giving you a setting optimized for lack of hassle but not optimized for security.

Just my opinion. I don't bother with it myself but do make sure I don't make software that conflicts with it. It's up to you, as long as you understand the pros and cons.
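
The system-wide modes discussed in this thread (on for system processes only, OptOut with exceptions, completely off) can be read back from a running system, together with the list of exempted programs. The PowerShell below is an added example, not code posted by any participant; it assumes Windows PowerShell with `Get-WmiObject`, the function name `Get-DepPosture` is hypothetical, and the registry location it reads for the exception list is an assumption not stated in the thread.

```powershell
# Added example: report the system-wide DEP mode and the per-program exception list.
# Uses Get-WmiObject so it also runs on the Windows PowerShell shipped with Windows 7.
function Get-DepPosture {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy values of Win32_OperatingSystem
    $modes = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $mode  = $modes[[int]$os.DataExecutionPrevention_SupportPolicy]

    # Assumption: programs exempted through the System Properties DEP dialog are
    # recorded under this key as <full exe path> = "DisableNXShowUI".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    $exempt = @()
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'DisableNXShowUI') {
                $exempt += $p.Name
            }
        }
    }

    # Turn the raw settings into review points
    $findings = @()
    if (-not $os.DataExecutionPrevention_Available) {
        $findings += 'Hardware-enforced DEP is reported as unavailable.'
    }
    switch ($mode) {
        'AlwaysOff' { $findings += 'System-wide policy is AlwaysOff.' }
        'OptIn'     { $findings += 'OptIn: only Windows system programs and programs that opt in are covered by policy.' }
        'OptOut'    { if ($exempt.Count) { $findings += "$($exempt.Count) program(s) exempted; review each entry." } }
    }

    New-Object PSObject -Property @{
        Mode            = $mode
        HardwareNX      = [bool]$os.DataExecutionPrevention_Available
        Covers32BitApps = [bool]$os.DataExecutionPrevention_32BitApplications
        CoversDrivers   = [bool]$os.DataExecutionPrevention_Drivers
        ExemptPrograms  = $exempt
        Findings        = $findings
    }
}

Get-DepPosture | Format-List
```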