locked
VirtProt Check Failed? RRS feed

  • Question

  • I am seeing several endpoints in our environment which have EMET events for "VirtProt Check Failed".  They aren't any mitigations within EMET that are called VirtProt, nor is there anything in the user's guide about it.  Does anyone know why this is triggering or what it is?  If it helps, I am only seeing it on the AcroRd32 process.

    Win7 64bit

    EMET 4.0

    Thursday, September 19, 2013 4:55 PM

All replies

  • This is the ROPGuard protection that is listed as "MemProt" in the UI. It prevents calls to memory protection APIs such as VirtualProtectEx() to prevent an exploit from setting memory space as executable. Disable MemProt for AcroRd32 if necessary.

    We're seeing VirtProt failures on Outlook 2007 and have disabled MemProt mitigation on just that version of Outlook. Our XML profile contains the following:

        <Product Name="Outlook">
          <Version Path="*\Office12\OUTLOOK.EXE">
          <Mitigation Enabled="false" Name="MemProt"/>
          </Version>
        </Product>

    Wednesday, November 20, 2013 1:50 AM