When launching certain applications, such as web browsers or Adobe software, the application does not open. Instead it is blocked due by Symantec Endpoint Protection, and a "Memory Exploit Mitigation: Heap Spray" detection is logged. This occurs on systems with Columbiasoft Document Locator and related plugins installed.
Impacted Endpoint Protection family products include:
Symantec Endpoint (SEP) 14
Symantec Endpoint Protection Small Business Edition (SEP SBE .cloud)
Symantec Endpoint Protection Cloud (SEP Cloud)
Note that depending on the specific version installed, the technology responsible for might be referred to as Memory Exploit Mitigation (MEM), Proactive Expoit Protection (PEP), or Generic Exploit Mitigation (GEM).
Symantec Security Response has reviewed this behavior and determined that the detection occurs due to activity related to the "CSSInjLoad Module" which is included with Columbiasoft's software, and is related to how this component is accessing memory.
At this time, Symantec plans on making no changes to our Heap Spray detection, as this would negatively impact our ability to block legitimate risks.
Based on information that was provided by Columbiasoft, the CSSInjLoad Module is no longer necessary for their software to function correctly. The following workaround was provided to disable the module:
From the Start Menu, select All Programs and then Startup.
Locate and “Document Locator Common Dialog.” Right click on this item and delete it.
Reboot the PC.
From Windows Task Manager, go the the Startup Tab.
Locate the entry for “CSSInjLoad Module.”
Right click on this item and select disable.
Reboot the PC.
For further details regarding this module, and to verify the above workaround is valid for your version of the software, Symantec recommends contacting Columbiasoft Support.