- Jul 22, 2014
- 2,525
..but MW can also take care of it and "download/install it for you"...
New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software
- Thread starter LASER_oneXM
- Start date
- Jul 22, 2014
- 2,525
- Jul 22, 2014
- 2,525
Thank you for sharing.
Now, is Emsi vulnerable? Does Emsi creates Antivirus processes as “Protected Processes” as suggested by MSFT?
What other AV take profit of MSFT “Protected Processes”?
Summary of AV answers:
Microsoft tool exploit DoubleAgent can turn antivirus software into your worst enemy
It's an interesting finding, but if one needs to have admin privileges to change those keys, why bother with injecting code in the AV anyway ?
- Jun 14, 2011
- 1,857
- Jun 14, 2011
- 1,857
Very interesting facts about Cybellum and their discovery:
KernelMode.info • View topic - Cybellum - another pseudo security company from Israel
KernelMode.info • View topic - Cybellum - another pseudo security company from Israel
- Jan 9, 2017
- 246
Thanks for sharing that
Avast guys say that avast v 17.x.x isn't vulnerable ( avast and avg 2017 )
And only avast v12.3 and older are vulnerable
According this topics in avast forum:
Spec8472 from avast team answers:
AV products vulnerable to attack through Microsoft Aplication Verifier.
DoubleAgent attack
Avast guys say that avast v 17.x.x isn't vulnerable ( avast and avg 2017 )
And only avast v12.3 and older are vulnerable
According this topics in avast forum:
Spec8472 from avast team answers:
AV products vulnerable to attack through Microsoft Aplication Verifier.
DoubleAgent attack
Last edited:
- Jan 8, 2017
- 1,320
This article describes which antivirus products are vulnerable to DoubleAgent scanning::Novo exploit DoubleAgent pode tomar o controle de softwares antivírus
"Several well-known anti-virus software, including those from companies like Avast, BitDefender, ESET, Kaspersky and F-Secure, are vulnerable to the DoubleAgent exploit."
"Several well-known anti-virus software, including those from companies like Avast, BitDefender, ESET, Kaspersky and F-Secure, are vulnerable to the DoubleAgent exploit."
- Nov 17, 2016
- 1,242
Sorry for the confusion. Yeah, I was talking about application whitelisting in general. Popular Avast doesn't even have Hardened mode by default. Afraid of risks maybe?
To clarify, the initial hurdle of learning whitelisting isn't the only thing that will stop them and even then, the trend is unlikely to change since the antivirus companies are still alive competing against each other. It's not a matter of capability but if it will be implemented. The antivirus companies are probably the one to introduce some form of whitelisting by default en masse anyway.
Like itman stated in this post
DoubleAgent: Taking Full Control Over Your Antivirus
For starters, Application Verifier most likely is not even installed on your PC:
So, before worrying it's probably a good idea to check system32 and see if Appverif.exe and Appverif.chm are there.
DoubleAgent: Taking Full Control Over Your Antivirus
For starters, Application Verifier most likely is not even installed on your PC:
So, before worrying it's probably a good idea to check system32 and see if Appverif.exe and Appverif.chm are there.
Already covered at the very beginning of this thread:
Security Alert - New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software
Avast Hardened Mode, Kaspersky KSN, COMODO FLS, Webroot "Block any file unless it is specifically whitelisted," etc... is whitelisting based upon file reputation query. It is whitelisting "for the masses." Select radio button or tick a box to enable...
AppGuard's restriction policies is whitelisting\application control based upon file system policies and, to a very limited extent, the publisher of a digitally signed file with a legitimate certificate.
On the face of it, it might appear that the underlying policy principles and concepts are quite different between the two camps - but actually they are essentially identical.
And it needs admin rights to operate so basically, its targets only happy clickers
This "malware" is just a marketing trick made to promote the devs of a new next-gen company...
This "malware" is just a marketing trick made to promote the devs of a new next-gen company...
Similar threads
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
