Hardware Secrets

Uncomplicating the complicated

How to Enable Processor-Based Security

by | Feb 27, 2007 | CPU

[nextpage title=”Introduction”]
At last PCs operating under Windows have a security level similar to that used by high performance servers. This technology – known under names that vary from manufacturer to manufacturer, such as NX (No eXecute), EVP (Enhanced Virus Protection), XD (eXecute Disable), or DEP (Data Execution Protection) – allows the processor itself to detect when a malicious code (such as a virus or a Trojan horse) is attempting to run and automatically disables such code, “drowning” the virus. In this short tutorial we will teach you how to enable this feature.
This technology works creating separate areas for the execution of programs and for data storage in the RAM memory of the computer, If a code in the area set aside for data storage tries to run, the processor understands that as something suspicious and prevents the execution of the code.
It is important to note that the processor itself doesn’t have the capacity of removing the virus from your computer. If a PC in which the NX technology has been enabled is infected by a virus, the processor will warn you (through the operating system) that your computer is possibly infected and will not permit the virus to turn, but you will still have to run an antivirus to remove the virus from your machine and avoid contaminating friends (for instance, when sending e-mails with attached files).
To have this level of security in your machine you need to fulfill three prerequisites. First, your processor must have this security technology. Second, your operating system has to be capable of recognizing it. Third, it must be enabled on your operating system.
So, the first thing to do is check whether your CPU has this technology or not. This can be done with the aid of a hardware identification utility, such as Sandra or Hwinfo.
On Sandra, click on Hardware, Processors and the program will list all features provided by your CPU. This list will be long and you should scroll down the page that will show up to the “Extended Features” section and look for “XD/NX – No-execute Page Execution Protection” feature. You will see a “yes” besides it if your CPU supports this level of security.
On Figures 1 and 2 we give two examples. The CPU in Figure 1 was from AMD (an Athlon 64 3800+) and the CPU in Figure 2 was from Intel (a Core 2 Extreme X6800). As you can see the latest CPUs from both manufacturers support this technology.

NX FeatureFigure 1: AMD CPU with NX feature.

NX FeatureFigure 2: Intel CPU with NX feature.

If your CPU doesn’t have this feature you won’t be able to enable this protection, of course.
The next step is configuring Windows to correctly enable this feature.
[nextpage title=”Configuring the Operating System”]
As of operating systems, both Linux and Solaris have already adopted this technology for years, but for the Windows operating systems this technology is only present from Windows XP SP2 on. So if you use Windows XP you need to have Service Pack 2 installed. You can check whether SP2 is installed or not by clicking on System icon on Control Panel (a shortcut to this is pressing Windows Pause/Break). If SP2 is installed, it should be listed under “System”. If it isn’t, you need to download and install it.
On Windows XP SP2 and Windows Vista, you can check whether NX technology is correctly enabled or not by clicking on System icon on Control Panel (a shortcut to this is pressing Windows Pause/Break). On the window that will show up, click on Advanced tab, see Figure 3.

Enabling NX FeatureFigure 3: Advanced system configurations.

On this window, click on the first Settings button, the on “Performance” field. On the window that will show up click on Data Execution Prevention tab, see Figure 4. This is where the NX technology is configured.

Enabling NX FeatureFigure 4: Configuring NX technology.

As you can see, there are two option: “Turn on DEP for essential Windows programs and services only” and “Turn on DEP for all programs and services except those I select”. The main problem is that the first option is the one selected by default. This means that this technology will protect only essential Windows programs and services. With this configuration NX technology won’t protect you from a virus or Trojan Horse if they attack a regular program, for example.
Thus we recommend you selecting the second option, where all programs and services will be protected by NX technology. If in the future you have any kind of false positive – i.e., Windows complaining that a program that you know that isn’t infected is trying to execute code on a memory location mapped as data area –, you can simply go to this window and add the program that is a false positive to the list of exceptions, by clicking on Add.
Click on Ok, restart your computer and now your PC is truly protected with NX technology. But like we said, with this technology you still have to use an anti-virus program and keep it updated. This is just an extra feature that adds an extra security layer to your PC.