Support for protection against 16 bit executables in 32 bit operating systems
Last Updated August 03, 2017
Within an environment that runs 16 bit applications on Windows 32 bit based systems, such as Windows 7, Windows 2003 and Windows 2008, Endpoint Protection does not block the execution of 16 bit applications when configured in System Lockdown Whitelist mode.
16 bit application, executed on a Windows 32 bit Operating Systems supported by Endpoint Protection.
Please see the release documentation for 32 bit operating system compatibility with Endpoint Protection Agent.
Note: Windows 64 bit does not support execution of 16 bit applications.
Despite System Lockdown settings, 16 bit applications execute despite not being included in the Whitelist.
Sysfer.dll is the library used by Symantec Endpoint Protection to provide Application Device Control and System Lockdown functionality. Sysfer.dll is a native 32 bit library, and therefore, cannot inject directly into a 16 bit process. On the 32 bit Operating Systems described in this article, 16 bit applications are emulated using Virtual DOS Machine, or NTVDM.
NTVDM is a virtualization technology which emulates hardware and software in a Virtual DOS Machine environment to execute 16 bit applications on a native 32 bit operating system. At the time of this article, there are no known methods in which NTVDM.exe can gain SYSTEM access to the host machine that runs the Virtual DOS Machine, assuming all Windows updates have been applied.
NTVDM.exe is a 32 bit process, and as such Sysfer.dll can inject into it. However, due to the nature of 16 bit applications emulated by NTVDM.exe, there is no child process created for the 16 bit executable, and Sysfer cannot detect the 16 bit application name, or prevent execution directly using System Lockdown.
Symantec recommends that organizations carefully consider their security posture regarding 16 bit applications and NTVDM. If NTVDM is not required to execute legacy applications, it can be disabled via the following methods:
2. Remove the NTVDM feature from Windows. On typical Windows 8 systems, this feature can be removed from Windows Features under Legacy Support category.
3. Take a fingerprint of the system for use with Whitelist Mode of System Lockdown. Prior to the fingerprint process, re-name ntvdm.exe, located in c:\Windows\System32, to a temporary name. See Configuring system lockdown. Once the whitelist has been configured and ntvdm.exe is no longer on the fingerprint, it can be named back to it's original name and all execution will be stopped, as ntvdm.exe will not be present on the whitelist.
In the case that specific 16 bit application executable names which should be prevented from execution are known, Application and Device Control can be used to stop the execution of a 16 bit application. Note, this configuration will not affect System Lockdown Whitelist/Blacklist mode in any manner, and each new file to be blocked must be added manually. See Block or log unauthorized software with Application and Device Control for more details.
Imported Document ID: TECH139233
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe