Enhanced Virus Protection / Execute Disable bit

Enhanced Virus Protection (EVP) / Execute Disable (XD) bit is a feature that prevents execution of malicious code in program data memory. The feature works only when it is supported by an operating system. Worms and other malware programs often use buffer overrun method to get unauthorized access to protected system resources, such as local or privileged computer accounts. This method targets programs that accept input data from untrusted sources, store the data in program's memory, and do not verify the length of stored data. Such programs can be easily exploited:

• Malware provides very long text (called "payload") as input data for a program. This text is always longer than the size of memory allocated for input data, and it always contains malicious executable code. When the program stores the payload in program's data memory, it overwrites part of program's data memory that was not supposed to be overwritten.
• The payload is usually crafted in such a way that, when stored in program's data memory, it changes how control is transferred between different parts of the program. As a result, instead of proceeding with normal program execution, at some point the program transfers control to the malicious code stored in the payload.

Enhanced Virus Protection and Execute Disable bit features allow the operating system to mark program data memory as non-executable. So, when program control is transferred to the malicious code in program's data memory, the microprocessor stops program execution and transfers control back to the operating system.

Enhanced Virus Protection, sometimes called NX-bit, is a name used by AMD. Intel uses Execute Disable bit name. Both features are compatible with each other.