A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows 7 » Windows 7 Forum
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Data Execution Prevention (DEP)



 
 
Thread Tools Rate Thread Display Modes
  #1  
Old October 14th 18, 07:04 AM posted to alt.windows7.general
Jeff Barnett[_2_]
external usenet poster
 
Posts: 268
Default Data Execution Prevention (DEP)

[Win 7 Pro SP1 64-bit with I7-4930K CPU]

Several years ago it was difficult to use the DEP capability provided by
modern hardware because both older programs and the OS played silly
tricks to save a microsecond here and there. I, like most of you I
presume, only turned on DEP capability for OS functions. My question is
what is recommended for today given that I'm no longer running all those
old 95, 98, and XP programs that I thought I couldn't live without? Is
it now standard to turn DEP on for everything? It's been years since
I've seen any discussion of this topic and I'd like to get caught up.
--
Jeff Barnett
Ads
  #2  
Old October 14th 18, 12:38 PM posted to alt.windows7.general
JJ[_11_]
external usenet poster
 
Posts: 613
Default Data Execution Prevention (DEP)

On Sun, 14 Oct 2018 00:04:14 -0600, Jeff Barnett wrote:
[Win 7 Pro SP1 64-bit with I7-4930K CPU]

Several years ago it was difficult to use the DEP capability provided by
modern hardware because both older programs and the OS played silly
tricks to save a microsecond here and there. I, like most of you I
presume, only turned on DEP capability for OS functions. My question is
what is recommended for today given that I'm no longer running all those
old 95, 98, and XP programs that I thought I couldn't live without? Is
it now standard to turn DEP on for everything? It's been years since
I've seen any discussion of this topic and I'd like to get caught up.


Considering that nowadays softwares put more effort on cool looks, I doubt
they even care about compatibility with DEP - even if the applications are
system tools which require administrator priviledges.

However, I'd recommand configuring DEP for all programs. If any program is
not compatible with DEP, then the program shouldn't be in the system. The
exception is when they're old programs (i.e. not DEP aware), a non system
tool, or if they're trully indispensable.

DEP is an important protection and should be enabled for any program which
require administrator priviledges. Especially if they're popular programs,
because they tend to be targetted by malwares.
  #3  
Old October 14th 18, 02:24 PM posted to alt.windows7.general
Brian Gregory[_2_]
external usenet poster
 
Posts: 108
Default Data Execution Prevention (DEP)

On 14/10/2018 07:04, Jeff Barnett wrote:
[Win 7 Pro SP1 64-bit with I7-4930K CPU]

Several years ago it was difficult to use the DEP capability provided by
modern hardware because both older programs and the OS played silly
tricks to save a microsecond here and there. I, like most of you I
presume, only turned on DEP capability for OS functions. My question is
what is recommended for today given that I'm no longer running all those
old 95, 98, and XP programs that I thought I couldn't live without? Is
it now standard to turn DEP on for everything? It's been years since
I've seen any discussion of this topic and I'd like to get caught up.


I run many different programs old and new on my Windows 7 systems.
I think there has been only one program I ever found that needed to run
with DEP switched off. (Part of an old version of Maxima (a computer
algebra system)).

--

Brian Gregory (in England).
  #4  
Old October 14th 18, 02:57 PM posted to alt.windows7.general
Mayayana
external usenet poster
 
Posts: 4,895
Default Data Execution Prevention (DEP)

"Jeff Barnett" wrote

| Several years ago it was difficult to use the DEP capability provided by
| modern hardware because both older programs and the OS played silly
| tricks to save a microsecond here and there. I, like most of you I
| presume, only turned on DEP capability for OS functions. My question is
| what is recommended for today given that I'm no longer running all those
| old 95, 98, and XP programs that I thought I couldn't live without?
|

You say you no longer use those programs, so what
does it matter? In that case, why not enable DEP
globally? If you decide to use one of the mentioned programs
then why not just exempt it? DEP doesn't have to be
set all or nothing.

On the one hand, software should have dealt with
DEP a long time ago. I wrote some DEP-ignoring
software at one time based on code from Matthew
Curland, a top Microsoft programmer. He'd written
that code before DEP. It wasn't silly. It was very
clever stuff. But it conflicted when DEP was instituted.
I had to change that code more than 10 years ago.

On the other hand, DEP addresses a very minor security
issue that's likely to be relevant *maybe* in rare cases
with browsers. It's about running executable
code from RAM assigned for data storage. Anything that's
already running on your computer can already execute,
so DEP is for avoiding things like buffer overrun bugs
in browsers. And any malware attacks that depend on
DEP being disabled are not going to work very well.

You could turn it off except for software that goes
online. Personally I've had DEP disabled for years. But
I'm also very careful online. I don't see any reason not
to enable it globally if it doesn't cause problems. Why
not? For good measure if nothing else.

I just don't think it matters much one way or the other.
Do what works. I assume it's already enabled in Win7 and
you're not having any problems. So why worry about it?
The only problem I can think of would be if you installed
something non-DEP-aware and it kept crashing. I'm not
sure you'd be able to figure out that the problem was
DEP. I don't think it would ever occur to me.



  #5  
Old October 14th 18, 06:13 PM posted to alt.windows7.general
Paul[_32_]
external usenet poster
 
Posts: 7,539
Default Data Execution Prevention (DEP)

Jeff Barnett wrote:
[Win 7 Pro SP1 64-bit with I7-4930K CPU]

Several years ago it was difficult to use the DEP capability provided by
modern hardware because both older programs and the OS played silly
tricks to save a microsecond here and there. I, like most of you I
presume, only turned on DEP capability for OS functions. My question is
what is recommended for today given that I'm no longer running all those
old 95, 98, and XP programs that I thought I couldn't live without? Is
it now standard to turn DEP on for everything? It's been years since
I've seen any discussion of this topic and I'd like to get caught up.


You could use EMET. It went out of support in July
of this year. It comes with a user manual and
a few "standard" profiles.

https://support.microsoft.com/en-ca/...rience-toolkit

"The security mitigation technologies that EMET uses have an
application-compatibility risk. Some applications rely on
exactly the behavior that the mitigations block."

The age of the software isn't the only determinant. There
are modern software products, where the company making
the software, suggests turning DEP off for it.

I had DEP turned on for a time here, in WinXP, and
I started getting random applications tripping it.
I think that might have been my memory problem on
this machine that was doing it (memory since replaced).

Paul
  #6  
Old October 14th 18, 06:19 PM posted to alt.windows7.general
Jeff Barnett[_2_]
external usenet poster
 
Posts: 268
Default Data Execution Prevention (DEP)

Brian Gregory wrote on 10/14/2018 7:24 AM:
On 14/10/2018 07:04, Jeff Barnett wrote:
[Win 7 Pro SP1 64-bit with I7-4930K CPU]

Several years ago it was difficult to use the DEP capability provided
by modern hardware because both older programs and the OS played silly
tricks to save a microsecond here and there. I, like most of you I
presume, only turned on DEP capability for OS functions. My question
is what is recommended for today given that I'm no longer running all
those old 95, 98, and XP programs that I thought I couldn't live
without? Is it now standard to turn DEP on for everything? It's been
years since I've seen any discussion of this topic and I'd like to get
caught up.


I run many different programs old and new on my Windows 7 systems.
I think there has been only one program I ever found that needed to run
with DEP switched off. (Part of an old version of Maxima (a computer
algebra system)).


Interesting: I have Maxima on my computer and the disk and code for
Macsyma too. I haven't used either in years.
--
Jeff Barnett

  #7  
Old October 14th 18, 07:53 PM posted to alt.windows7.general
Brian Gregory[_2_]
external usenet poster
 
Posts: 108
Default Data Execution Prevention (DEP)

On 14/10/2018 18:19, Jeff Barnett wrote:
Brian Gregory wrote on 10/14/2018 7:24 AM:
On 14/10/2018 07:04, Jeff Barnett wrote:
[Win 7 Pro SP1 64-bit with I7-4930K CPU]

Several years ago it was difficult to use the DEP capability provided
by modern hardware because both older programs and the OS played
silly tricks to save a microsecond here and there. I, like most of
you I presume, only turned on DEP capability for OS functions. My
question is what is recommended for today given that I'm no longer
running all those old 95, 98, and XP programs that I thought I
couldn't live without? Is it now standard to turn DEP on for
everything? It's been years since I've seen any discussion of this
topic and I'd like to get caught up.


I run many different programs old and new on my Windows 7 systems.
I think there has been only one program I ever found that needed to
run with DEP switched off. (Part of an old version of Maxima (a
computer algebra system)).


Interesting: I have Maxima on my computer and the disk and code for
Macsyma too. I haven't used either in years.


As far as I remember it was one of the Lisp interpreters or executors or
something that was a problem, probably sbcl.exe. The version I have
installed at the moment has, I think, a 64 bit version of the same thing
and is okay with DEP on.

I disapprove of the very latest Maxima versions that seem to need write
access to their program directory. The people that port it to Windows
obviously want to do the absolute minimum amount of work and don't care
about how Windows software is supposed to work.

--

Brian Gregory (in England).
  #8  
Old October 14th 18, 08:01 PM posted to alt.windows7.general
Brian Gregory[_2_]
external usenet poster
 
Posts: 108
Default Data Execution Prevention (DEP)

On 14/10/2018 14:57, Mayayana wrote:
"Jeff Barnett" wrote

| Several years ago it was difficult to use the DEP capability provided by
| modern hardware because both older programs and the OS played silly
| tricks to save a microsecond here and there. I, like most of you I
| presume, only turned on DEP capability for OS functions. My question is
| what is recommended for today given that I'm no longer running all those
| old 95, 98, and XP programs that I thought I couldn't live without?
|

You say you no longer use those programs, so what
does it matter? In that case, why not enable DEP
globally? If you decide to use one of the mentioned programs
then why not just exempt it? DEP doesn't have to be
set all or nothing.

On the one hand, software should have dealt with
DEP a long time ago. I wrote some DEP-ignoring
software at one time based on code from Matthew
Curland, a top Microsoft programmer. He'd written
that code before DEP. It wasn't silly. It was very
clever stuff. But it conflicted when DEP was instituted.
I had to change that code more than 10 years ago.

On the other hand, DEP addresses a very minor security
issue that's likely to be relevant *maybe* in rare cases
with browsers. It's about running executable
code from RAM assigned for data storage. Anything that's
already running on your computer can already execute,
so DEP is for avoiding things like buffer overrun bugs
in browsers. And any malware attacks that depend on
DEP being disabled are not going to work very well.

You could turn it off except for software that goes
online. Personally I've had DEP disabled for years. But
I'm also very careful online. I don't see any reason not
to enable it globally if it doesn't cause problems. Why
not? For good measure if nothing else.

I just don't think it matters much one way or the other.
Do what works. I assume it's already enabled in Win7 and
you're not having any problems. So why worry about it?
The only problem I can think of would be if you installed
something non-DEP-aware and it kept crashing. I'm not
sure you'd be able to figure out that the problem was
DEP. I don't think it would ever occur to me.


I disagree that DEP addresses a minor security issue.

Without DEP many buffer overflow exploits are trivial to exploit
compared with the situation with DEP where things get tricky, especially
when there is also ASLR and the like to make successful exploit of
buffer overflow even harder. But disable DEP and ASLR becomes largely
irrelevant and the exploit is easy again.

--

Brian Gregory (in England).
  #9  
Old October 14th 18, 10:14 PM posted to alt.windows7.general
Mayayana
external usenet poster
 
Posts: 4,895
Default Data Execution Prevention (DEP)

"Brian Gregory" wrote

| I disagree that DEP addresses a minor security issue.
|
| Without DEP many buffer overflow exploits are trivial to exploit

Yes. Which is what I said. So if you allow script in
your browser routinely you could be at slight risk. If
you allow iframes and cross-site scripting you're at
more risk. If you don't block major ad servers the risk
is still higher. Enabling DEP for your browser would
be a good idea and shouldn't have any down side.

But why would you need it enabled for other software?
Anything running on your computer is already allowed
to execute without needing to exploit a vulnerability.
So why not only enable DEP for your browser, and maybe
your email program, if you're worried about it? I'm just
trying to put it in perspective. Risks have contexts.


  #10  
Old October 14th 18, 10:45 PM posted to alt.windows7.general
Jeff Barnett[_2_]
external usenet poster
 
Posts: 268
Default Data Execution Prevention (DEP)

Mayayana wrote on 10/14/2018 3:14 PM:
"Brian Gregory" wrote

| I disagree that DEP addresses a minor security issue.
|
| Without DEP many buffer overflow exploits are trivial to exploit

Yes. Which is what I said. So if you allow script in
your browser routinely you could be at slight risk. If
you allow iframes and cross-site scripting you're at
more risk. If you don't block major ad servers the risk
is still higher. Enabling DEP for your browser would
be a good idea and shouldn't have any down side.

But why would you need it enabled for other software?
Anything running on your computer is already allowed
to execute without needing to exploit a vulnerability.
So why not only enable DEP for your browser, and maybe
your email program, if you're worried about it? I'm just
trying to put it in perspective. Risks have contexts.


I believe that if DEP is enabled you may opt out various programs but
there is no way to turn it off except for programs opted in.
--
Jeff Barnett


  #11  
Old October 15th 18, 01:33 AM posted to alt.windows7.general
Brian Gregory[_2_]
external usenet poster
 
Posts: 108
Default Data Execution Prevention (DEP)

On 14/10/2018 22:45, Jeff Barnett wrote:
I believe that if DEP is enabled you may opt out various programs but
there is no way to turn it off except for programs opted in.


Correct (on Windows 7 anyway, I don't know about 8.x & 10).

Unless you install something extra (like EMET ?) to give you more control.

--

Brian Gregory (in England).
  #12  
Old October 15th 18, 01:35 AM posted to alt.windows7.general
Brian Gregory[_2_]
external usenet poster
 
Posts: 108
Default Data Execution Prevention (DEP)

On 14/10/2018 22:14, Mayayana wrote:
But why would you need [ DEP ] enabled for other software?


Why would you not want it enabled if it doesn't cause any problem?

--

Brian Gregory (in England).
  #13  
Old October 15th 18, 03:11 AM posted to alt.windows7.general
Mayayana
external usenet poster
 
Posts: 4,895
Default Data Execution Prevention (DEP)

"Jeff Barnett" wrote

| I believe that if DEP is enabled you may opt out various programs but
| there is no way to turn it off except for programs opted in.

https://4sysops.com/archives/how-to-...revention-dep/

You can turn it completely off if you want to.
But why not just use OptOut and then make
exceptions for anything that could be an issue?
Just don't opt out your browser. That way you
get maximum protection without compatibility
hassles. You get better protection than Win7
is giving you by default. The only down side is
that you'll have to keep track of existing and
new software that might have problems.

The default for Win7 is as you said -- on for
system processes. I would think if you're going
to bother with it at all you should have protection
for your browser. They're giving you a setting
optimized for lack of hassle but not optimized
for security.

Just my opinion. I don't bother with it myself but
do make sure I don't make software that conflicts
with it. It's up to you, as long as you understand
the pros and cons.


 




Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off






All times are GMT +1. The time now is 08:03 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Copyright 2004-2018 PCbanter.
The comments are property of their posters.