Security News New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
The answer is in the article that you posted:

"Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process."
I posted? Anyway, thank you for the answer.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Here's Fabian's response:

What Say Thee Emsisoft? DoubleAgent: Taking Full Control Over Your Antivirus

"I suggest having a quick read here:

http://www.kernelmode.info/forum/viewtopic.php?f=2&t=4687

There is really nothing else to add. Just some cheats trying to pass off publicly available knowledge as groundbreaking and original research."

Thank you for sharing.
Now, is Emsi vulnerable? Does Emsi creates Antivirus processes as “Protected Processes” as suggested by MSFT?
What other AV take profit of MSFT “Protected Processes”?

Summary of AV answers:
Microsoft tool exploit DoubleAgent can turn antivirus software into your worst enemy
 
  • Like
Reactions: Der.Reisende

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
That post referred to learning AppGuard - and not abuse of AppVerif.
Sorry for the confusion. Yeah, I was talking about application whitelisting in general. Popular Avast doesn't even have Hardened mode by default. Afraid of risks maybe?
To clarify, the initial hurdle of learning whitelisting isn't the only thing that will stop them and even then, the trend is unlikely to change since the antivirus companies are still alive competing against each other. It's not a matter of capability but if it will be implemented. The antivirus companies are probably the one to introduce some form of whitelisting by default en masse anyway.
 
5

509322

  • Like
Reactions: Azure
5

509322

It really isn't something that should occupy a person's mind - not even a paranoid user.
 
Last edited by a moderator:
  • Like
Reactions: Azure
5

509322

Popular Avast doesn't even have Hardened mode by default.

Avast Hardened Mode, Kaspersky KSN, COMODO FLS, Webroot "Block any file unless it is specifically whitelisted," etc... is whitelisting based upon file reputation query. It is whitelisting "for the masses." Select radio button or tick a box to enable...

AppGuard's restriction policies is whitelisting\application control based upon file system policies and, to a very limited extent, the publisher of a digitally signed file with a legitimate certificate.

On the face of it, it might appear that the underlying policy principles and concepts are quite different between the two camps - but actually they are essentially identical.
 
  • Like
Reactions: Captain Awesome

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top