What Is Data Execution Prevention and How Does It Work?

August 18, 2023 • Shannon Flynn

Advertisements


Staying safe amid frantically rising cybercrime rates can be challenging. Thankfully, your computer comes with several built-in protections to help stop these threats before you’d even recognize them. Data execution prevention (DEP) is one of these defenses.

Features like DEP often run in the background without you having to do anything. As a result, when an issue with these services pops up, you may not know what to do. To help you make the most informed decisions about keeping your computer safe, here’s a deeper dive into DEP, how it works and how you can use it effectively. 

What Is Data Execution Prevention?

Data Execution Prevention is a Microsoft security feature that stops some malicious code from running. DEP is part of all current Windows operating systems — which covers most devices today — but a similar service under a different name is available on MacOS and Linux.

DEP ensures that some parts of your computer’s memory are for storing data only, not for running code or apps. To enforce that, it monitors these data-only areas of your PC for executable code. Any time a program tries to run code in these locations, DEP will stop it and alert you of the issue.

The key security advantage of DEP is that it prevents buffer overflow attacks. In these attacks, cybercriminals overload your computer’s buffers that hold temporary storage data to write and execute code where they normally couldn’t. By stopping an application from running any code in data-only locations in your PC’s memory, DEP stops buffer overflow before it happens.

How Does Data Execution Prevention Work?

It’s important to recognize that DEP is not a complete security solution. It won’t stop common malware attacks or prevent ransomware from installing on your computer. It can stop malicious apps like this from running, though, and there are two main ways it does that: through hardware and software restrictions.

Hardware-Enforced DEP

The core of data execution prevention is hardware-enforced DEP. Hardware-based DEP marks all memory locations on your computer as non-executable. If one of these areas specifically holds executable code, though, DEP will make an exception. As its name implies, it enforces these restrictions through the device’s hardware, more specifically, its processor.

In hardware-enforced DEP, your CPU will mark every memory location with a specific indicator that your computer shouldn’t execute code from that area. How exactly it handles that marking varies between different processors, but the overall process remains the same. 

Any pre-built Windows PC you buy will be able to support this service one way or another because it’s a standard feature. If you’re building your own PC, though, check Microsoft’s hardware-enforced DEP requirements to ensure your CPU is compatible.

Some processors may list DEP as no-execute (NX) or execute disable (XD) support. You should also ensure you have hardware-enforced DEP enabled in BIOS. It should be that way by default, but it never hurts to double-check.

Software-Enforced DEP

Software protections are the other part of data execution prevention. Unlike its hardware-based counterpart, software-enforced DEP doesn’t rely on specific CPU hardware and compatibility to run. Instead, it uses software that comes as part of your operating system, so any processor capable of running Windows XP SP2 or later will support it.

Software-enforced DEP specifically targets attacks against your PC’s exception handling systems. Exception handling manages unexpected events like code errors, device failure or — most relevantly for DEP — buffer overflows. 

Without software-enforced DEP, these exceptions could let cybercriminals run malicious code where they normally couldn’t. By providing this extra layer of no-execute protection, Windows ensures you stay safe even in an unusual situation.

Importantly, software-enforced DEP only protects a few of your PC’s systems and storage areas. Consequently, you also need to enable hardware-enforced DEP to stay completely safe.

How to Turn DEP Off

As helpful a feature as data execution prevention is, it’s not perfect. Sometimes, DEP will stop and flag a program that’s totally harmless, which can stop you from running some apps. If you run into that error, you can turn off DEP to get around it. Here’s how you can do that.

Open the Start menu by either pressing the Windows key or clicking the Start icon on your taskbar. Type “Windows security” in the search bar and open the Windows Security app, which should appear at the top of the search results.

In the Security settings window, click “App & browser control,” then go into the “Exploit protection” submenu. Go into the “System settings” section of this menu, and you should see another section labeled “Data Execution Prevention.” From there, you can turn it off or set it to be off by default.

A Note About Security

Before you deactivate DEP, consider how it might affect your security. Hacking attempts happen roughly once every 39 seconds, and cybercriminals steal millions of records every day. Considering that massive scope, it’s best to use all the protections you can, and data execution prevention is an important part of these defenses.

It’s also important to recognize that DEP alone won’t be enough to keep you totally safe. This feature will stop malicious code from running, but not in all areas. It also won’t prevent malware and similar threats from installing on your computer in the first place.

In light of those threats, you should find a reliable antivirus solution to use on top of your PC’s built-in protections. It’s also a good idea to practice proper cyber hygiene, which includes using strong, unique passwords for all your accounts and enabling multi-factor authentication (MFA) wherever possible. Never click on any unsolicited links or give away sensitive information over email or text.

Keep Your PC Safe From All Threats

Data execution prevention may be just one step in a broader cybersecurity approach, but it’s a crucial one. This feature will ensure any malicious code that made its way into your computer won’t run in a storage-only part of your memory, preventing buffer overflow attacks.

Learning about DEP and similar protections will help you stay safe. When you know what these services do and why they’re important, you’ll know to keep them on as much as possible and what it means when you get an alert.



bg-pamplet-2