How effective is CIS vs heap spray and / or ROP chain?

Is the shell-code injection protection of D+ good to go against heap spray and / or ROP chain exploits?

That stuff is scary as all get-out. A root-kit drive by download is the stuff of nightmares.

I’m configured D+ paranoid. I get D+ alerts for everything. ALL rules are custom except:

Windows System Applications (sans SVCHost) - Windows System Applications
Windows Updater Applications - Installer Updater
Update, i.e., %windir%\SoftwareDistribution\Download*\update\update.exe, ?:*\install.exe, ?:*\HotFixInstaller.exe, - Installer / updater
drwtsn32.exe - trusted
dwwin - trusted
ntbackup - trusted
shell32 - Installer / updater

That being said, SVCHost was removed from the default CIS file-group and runs per its own custom.

AFAIU, CIS will block execution and access to any ‘resource’ by any process that CIS don’ know anything 'bout.

The question in my mind is how robust CIS is against a heap spray type attack whereby CIS becomes corrupt per its internal polls.

Let's see, 45 views after 3 days, and I spent ALL day today answering all sorts of naive questions; I’m lighting a fire:

Perhaps the powers that be might notice the smoke.

EDIT: after hitting the ‘post’ button, I became aware of this information:

I’m certain the ROP chain issue is also stop-gapped too, eh?

Trust NOTHING (verify everything).

Given the nature of the heap spray / ROP chain attack mechanism, NO technology exists at present for either mitigation or peace of mind with respect to the threat.

Spray the IE heap w/ROP NOP: