Security News New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

Solarquest · Mar 24, 2017

Lockdown said:
It's not something to fret about.

There have been malware in the past that used the technique.

AppVerif has to be on your system...

..but MW can also take care of it and "download/install it for you"...

Solarquest · Mar 24, 2017

Lockdown said:
The answer is in the article that you posted:

"Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process."

I posted? Anyway, thank you for the answer.

Solarquest · Mar 24, 2017

Azure Phoenix said:
Here's Fabian's response:

What Say Thee Emsisoft? DoubleAgent: Taking Full Control Over Your Antivirus

"I suggest having a quick read here:

http://www.kernelmode.info/forum/viewtopic.php?f=2&t=4687

There is really nothing else to add. Just some cheats trying to pass off publicly available knowledge as groundbreaking and original research."

Thank you for sharing.
Now, is Emsi vulnerable? Does Emsi creates Antivirus processes as “Protected Processes” as suggested by MSFT?
What other AV take profit of MSFT “Protected Processes”?

Summary of AV answers:
Microsoft tool exploit DoubleAgent can turn antivirus software into your worst enemy

Luke17 · Mar 24, 2017

It's an interesting finding, but if one needs to have admin privileges to change those keys, why bother with injecting code in the AV anyway ?

enaph · Mar 24, 2017

FreddyFreeloader said:
Is Windows Defender affected by this???

No.

enaph · Mar 24, 2017

Very interesting facts about Cybellum and their discovery:
KernelMode.info • View topic - Cybellum - another pseudo security company from Israel

amir 957 · Mar 24, 2017

Thanks for sharing that

Avast guys say that avast v 17.x.x isn't vulnerable ( avast and avg 2017 )
And only avast v12.3 and older are vulnerable
According this topics in avast forum:
Spec8472 from avast team answers:
AV products vulnerable to attack through Microsoft Aplication Verifier.

DoubleAgent attack

509322 · Mar 24, 2017

Solarquest said:
..but MW can also take care of it and "download/install it for you"...

My bad.

Faybert · Mar 24, 2017

This article describes which antivirus products are vulnerable to DoubleAgent scanning::Novo exploit DoubleAgent pode tomar o controle de softwares antivírus

"Several well-known anti-virus software, including those from companies like Avast, BitDefender, ESET, Kaspersky and F-Secure, are vulnerable to the DoubleAgent exploit."

Handsome Recluse · Mar 24, 2017

Lockdown said:
That post referred to learning AppGuard - and not abuse of AppVerif.

Sorry for the confusion. Yeah, I was talking about application whitelisting in general. Popular Avast doesn't even have Hardened mode by default. Afraid of risks maybe?
To clarify, the initial hurdle of learning whitelisting isn't the only thing that will stop them and even then, the trend is unlikely to change since the antivirus companies are still alive competing against each other. It's not a matter of capability but if it will be implemented. The antivirus companies are probably the one to introduce some form of whitelisting by default en masse anyway.

Azure · Mar 24, 2017

Like itman stated in this post
DoubleAgent: Taking Full Control Over Your Antivirus
For starters, Application Verifier most likely is not even installed on your PC:

So, before worrying it's probably a good idea to check system32 and see if Appverif.exe and Appverif.chm are there.

509322 · Mar 24, 2017

Azure Phoenix said:
Like itman stated in this post
DoubleAgent: Taking Full Control Over Your Antivirus
For starters, Application Verifier most likely is not even installed on your PC:

So, before worrying it's probably a good idea to check system32 and see if Appverif.exe and Appverif.chm are there.

Already covered at the very beginning of this thread:

Security Alert - New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

509322 · Mar 24, 2017

It really isn't something that should occupy a person's mind - not even a paranoid user.

509322 · Mar 24, 2017

TerrakionSmash said:
Popular Avast doesn't even have Hardened mode by default.

Avast Hardened Mode, Kaspersky KSN, COMODO FLS, Webroot "Block any file unless it is specifically whitelisted," etc... is whitelisting based upon file reputation query. It is whitelisting "for the masses." Select radio button or tick a box to enable...

AppGuard's restriction policies is whitelisting\application control based upon file system policies and, to a very limited extent, the publisher of a digitally signed file with a legitimate certificate.

On the face of it, it might appear that the underlying policy principles and concepts are quite different between the two camps - but actually they are essentially identical.

Deleted member 178 · Mar 25, 2017

And it needs admin rights to operate so basically, its targets only happy clickers

This "malware" is just a marketing trick made to promote the devs of a new next-gen company...

Search

Search

Security News New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

Solarquest

Moderator

Solarquest

Moderator

Solarquest

Moderator

Luke17

Level 1

enaph

Level 30

enaph

Level 30

amir 957

Level 6

509322

Faybert

Level 24

Handsome Recluse

Level 23

Azure

Level 28

509322

509322

509322

Deleted member 178

You may also like...