As Xcitium Advanced Endpoint Protection (AEP) protects your endpoints against malware, the AEP application itself routinely comes under attack by malicious applications trying to circumvent its protection. Fortunately, Xcitium AEP includes robust self-protection countermeasures that prevent malicious applications from gaining control or circumventing Xcitium AEP services.
AEP does this by intercepting system calls that might present a threat to the application. TerminateProcess or
CreateRemoteThread are obvious examples of calls that might pose a risk to AEP. A less obvious but actually more dangerous
call is CreateFile, as it can do a lot more than just create a file. Xcitium AEP intercepts these calls and only allows
them to proceed if they won't harm the Xcitium process. Xcitium AEP also contains a kernel mode driver that it uses to prevent
attempts to modify the system kernel directly.
One potential method of interfering with AEP execution is to install a global customized module that targets the
application by calling SetWindowsHook or SetWinEventHook. AEP prohibits this by intercepting these calls in its driver and
by using a file system minifilter that prevents unknown modules from being loaded into AEP applications.
Windows GUI APIs such as SendMessage, PostMessage, and EndTask can be used to change or close target windows and to generate
messages that can affect window state. AEP closely monitors these APIs and prevents its user interface windows from
being controlled by other applications, preventing attacks through the user interface.
AEP saves its configuration and internal data in the registry. To protect this data from being changed by malicious
applications, AEP uses a registry filtering driver to monitor all sensitive registry locations and block write attempts
from untrusted applications.
Additionally, Xcitium Advanced Endpoint Protection employs Data Execution Prevention (DEP) along with Address Space Layout
Randomization (ASLR). These protections randomize where application data is stored in system memory, effectively hiding it
from malicious attempts to find and shut down the application. With these protections enabled, only authorized applications
are allowed to modify AEP's application data.
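Whether DEP and ASLR are actually in effect for a given process can be verified on the endpoint. The following is an added example, not Xcitium's code, that uses the built-in Windows ProcessMitigations module (Windows 10 and later) to report the DEP and ASLR status of every running process matching a name pattern; the pattern itself is a placeholder that you replace with the actual AEP process name.

```powershell
# Added example (not part of Xcitium AEP): report DEP/ASLR state for running processes.
# Requires the ProcessMitigations module shipped with Windows 10+ (Get-ProcessMitigation).
param(
    # Assumption: the caller supplies the real AEP process name; this is a placeholder.
    [string]$NamePattern = 'PLACEHOLDER-aep-process'
)

function Get-ProcessExploitMitigations {
    param([string]$Pattern)

    Get-Process | Where-Object { $_.ProcessName -like "*$Pattern*" } | ForEach-Object {
        $proc = $_
        try {
            # -Id queries the live process, so the values reflect the actual runtime state.
            $m = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
            [pscustomobject]@{
                Process            = $proc.ProcessName
                PID                = $proc.Id
                DEP                = $m.DEP.Enable
                ASLR_BottomUp      = $m.ASLR.BottomUp
                ASLR_HighEntropy   = $m.ASLR.HighEntropy
                ASLR_ForceRelocate = $m.ASLR.ForceRelocateImages
                # Flag processes where either core mitigation is not reported as ON.
                Weak               = ($m.DEP.Enable -ne 'ON') -or ($m.ASLR.BottomUp -ne 'ON')
            }
        } catch {
            # Protected or elevated processes may refuse the query from a non-admin shell.
            Write-Warning "Could not read mitigations for PID $($proc.Id): $($_.Exception.Message)"
        }
    }
}

Get-ProcessExploitMitigations -Pattern $NamePattern | Format-Table -AutoSize
```

Run from an elevated PowerShell session, since querying another process's mitigation policy requires access to that process; rows with Weak set to True are the ones worth investigating.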
AEP uses filter ports and LPC to communicate between its internal components (driver, services, injected module, etc.). If a
malicious application somehow managed to inject code into the AEP application, the malware could attempt to disconnect
these ports and thereby disable protection features. To prevent these types of attacks, the system call NtClose is
intercepted so that these communication handles cannot be closed unexpectedly.
There are also attacks that simulate mouse and keyboard input to manipulate the target application. These attacks
can launch the AEP GUI and modify its settings automatically. AEP detects and blocks these types of input by
intercepting related system calls such as NtUserSendInput, ensuring the user interface is not being maliciously
manipulated.
Windows drivers run with high privilege and can take control of the entire system, including AEP. AEP intercepts all related
system calls to prevent harmful applications from installing drivers, whether through the service-related APIs or by calling the
NtLoadDriver routine directly.