Author Topic: AV products vulnerable to attack through Microsoft Application Verifier.


Offline A. User
More info here: LINK.
This is one more reason to bring back the Early Launch Antimalware (the security component that you removed for unknown reasons after acquiring AVG) which is a prerequisite for registering Avast service as a protected antimalware service.  :)


AVG has been patched, what about Avast?

Offline bob3160
Reported to Avast.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v21H2 64bit, 16 Gig Ram, 1TB SSD, AvastOmni 21.6, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline Charyb

This article shows that Protected Processes has been available for more than 3 years and that no antivirus other than Windows Defender is using it. I wonder why not?

http://cybellum.com/doubleagent-taking-full-control-antivirus/

Quote
Mitigation
Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes” and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design. Even though Microsoft made this design available more than 3 years ago. It’s important to note, that even when the antivirus vendors would block the registration attempts, the code injection technique and the persistency technique would live forever since it’s legitimate part of the OS.
« Last Edit: March 22, 2017, 01:34:03 AM by Charyb »

Offline Be Secure
Quote from: A. User
More info here: LINK.
This is one more reason to bring back the Early Launch Antimalware (the security component that you removed for unknown reasons after acquiring AVG) which is a prerequisite for registering Avast service as a protected antimalware service.  :)

AVG has been patched, what about Avast?
Detail

Code injection vulnerability in Avast Premier 12.3 (and earlier), Internet Security 12.3 (and earlier), Pro Antivirus 12.3 (and earlier), and Free Antivirus 12.3 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Avast process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
https://hackertor.com/2017/03/21/na-cve-2017-5567-code-injection-vulnerability-in-avast-premier/
http://www.security-database.com/detail.php?alert=CVE-2017-5567
« Last Edit: March 22, 2017, 04:09:58 AM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast
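The registration path the CVE text describes (an Application Verifier provider DLL entered under Image File Execution Options, with the verifier flag set for the target image) can be audited from PowerShell. The following is an added example written for this page; it is not code from the thread, from Cybellum's proof of concept or from Avast. The watch-list of process names is an assumption, as is the decision to treat a missing or not-validly-signed provider DLL as a finding.

```powershell
# Added example (not from the thread, Cybellum or Avast): enumerate Application
# Verifier provider registrations under IFEO, the registry path the CVE text
# describes, and report where each provider DLL resolves and how it is signed.
# Run elevated so the HKLM read and the System32 signature checks succeed.

# IFEO is one of the keys WOW64 does not redirect, so one root covers both
# 32- and 64-bit images.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that turns Application Verifier on

function Get-VerifierRegistration {
    param([string]$Root = $IfeoRoot)

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $image = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath

        # GlobalFlag is written as REG_DWORD by gflags but as REG_SZ ("0x100") by
        # some tools; PowerShell's [int] cast accepts both forms.
        $flags = 0
        if ($null -ne $props.GlobalFlag) {
            try { $flags = [int]$props.GlobalFlag } catch { $flags = 0 }
        }
        $verifierOn = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0

        # VerifierDlls is a space-separated list of DLL names, loaded from System32.
        $dlls = @()
        if ($props.VerifierDlls) {
            $dlls = @("$($props.VerifierDlls)" -split '\s+' | Where-Object { $_ })
        }

        if (-not $verifierOn -and $dlls.Count -eq 0) { return }   # nothing registered for this image

        $entries = if ($dlls.Count -gt 0) { $dlls } else { @('(none listed)') }
        foreach ($dll in $entries) {
            $path    = Join-Path $env:SystemRoot "System32\$dll"
            $present = ($dll -ne '(none listed)') -and (Test-Path -LiteralPath $path)
            $sig     = if ($present) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                Image       = $image
                VerifierOn  = $verifierOn
                VerifierDll = $dll
                DllPresent  = $present
                SigStatus   = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            }
        }
    }
}

# Anything that targets a security product's processes, or loads a missing or
# not-validly-signed provider, deserves a look. The process names are assumptions.
$WatchedImages = @('AvastSvc.exe', 'AvastUI.exe', 'avgsvc.exe', 'avgui.exe')

$findings = Get-VerifierRegistration | Where-Object {
    ($WatchedImages -contains $_.Image) -or ($_.SigStatus -ne 'Valid')
}
$findings | Format-Table -AutoSize
```

Note that a legitimate debugging session with Application Verifier produces exactly the same registry shape, so the output is a list to triage, not a verdict; what distinguishes the attack described above is the target image (a security product's process) and a provider DLL that does not belong to Microsoft's verifier package.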

Offline Be Secure
The proof-of-concept code he's referring to is available on GitHub.
https://github.com/Cybellum/DoubleAgent#installation
Any news from Avast's side?

Offline Mugenix
So, that's a feature MS introduced in Win 8.1. Does that mean that feature would not be available in Win 7, and so the antivirus program will always be vulnerable? Does anyone know?

Offline A. User
Quote from: Mugenix
So, that's a feature MS introduced in Win 8.1. Does that mean that feature would not be available in Win 7, and so the antivirus program will always be vulnerable? Does anyone know?
Maybe Microsoft will fix their part of the vulnerability and Avast their part. But for Avast to be a protected service, and for Windows to block 3rd-party injections into the process, you will need ELAM, which is only available on Windows 8 and above. We really are the ones who need to push Avast to make their product better; I guess that otherwise they won't do anything.

Offline Spec8472 (Avast team)
Only Avast 12.3 (and older) versions are vulnerable.

Offline Spec8472 (Avast team)
Also, don't worry about anti-malware processes: all our services are anti-malware processes in both Avast/AVG (starting with version 17).

Offline Be Secure
Quote from: Spec8472
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.

Offline Asyn
Re: AV products vulnerable to attack through Microsoft Application Verifier.
« Reply #10 on: March 22, 2017, 11:42:25 AM »
Quote from: Be Secure
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.
Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910
Win 8.1 [x64] - Avast PremSec 21.10.6772.IBC [UI.679] - EEK - Firefox ESR 91.3 [NS/uBO/PB] - TB 91.3.2
Avast-Tools: Secure Browser 96.0 - Cleanup 21.3 - SecureLine 5.14 - Driver Updater 21.3 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Be Secure
Re: AV products vulnerable to attack through Microsoft Application Verifier.
« Reply #11 on: March 22, 2017, 11:44:37 AM »
Quote from: Asyn
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.
Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910
The vulnerability is fixed in version 17?

Offline Asyn
Re: AV products vulnerable to attack through Microsoft Application Verifier.
« Reply #12 on: March 22, 2017, 11:46:04 AM »
Quote from: Be Secure
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.
Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910
The vulnerability is fixed in version 17?
Yep.


Offline A. User
Re: AV products vulnerable to attack through Microsoft Application Verifier.
« Reply #14 on: March 22, 2017, 02:56:21 PM »
Quote from: Spec8472
Also, don't worry about anti-malware processes: all our services are anti-malware processes in both Avast/AVG (starting with version 17).
But how? You need to use Early Launch Antimalware in order to be able to specify AvastSvc.exe as a protected service. Maybe you mean that you have taken unofficial quirks to protect the service? AVG had an option for Early Launch Antimalware in the menu, and also had a driver in %SystemRoot%\ELAMBKUP named avgboota.sys. Every AV that utilizes ELAM needs to have a backup driver located there by specification, and ELAM is a prerequisite for Protected Service. It is good to take every single technology to provide better protection, especially when other reputable providers actually do this. I see that you use AMSI. You should also use ELAM with measured boot. Please clarify more for us, we just want to help.
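The two claims argued over in this thread, whether a vendor's services actually run as protected anti-malware services and whether an ELAM driver is registered, can be checked on a given machine rather than debated. The following is an added example written for this page, not Avast's or Microsoft's code. The Avast and AVG service names are assumptions; WinDefend is included only as a known reference that ships protected, and the mapping of LaunchProtected values follows the SERVICE_LAUNCH_PROTECTED_INFO constants.

```powershell
# Added example (not from the thread, Avast or Microsoft): read the launch
# protection recorded for a service and list the ELAM backup drivers present.
# Service names other than WinDefend are assumptions.

# dwLaunchProtected values of SERVICE_LAUNCH_PROTECTED_INFO (Windows 8.1+), as
# stored by the SCM in the service key's LaunchProtected value.
$LaunchProtectedName = @{
    0 = 'NONE'
    1 = 'WINDOWS'
    2 = 'WINDOWS_LIGHT'
    3 = 'ANTIMALWARE_LIGHT'   # the level an ELAM-backed anti-malware service gets
}

function Get-ServiceLaunchProtection {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($svc in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Service = $svc; Installed = $false; LaunchProtected = 'n/a'; ImagePath = 'n/a' }
            continue
        }
        $p  = Get-ItemProperty -LiteralPath $key
        $lp = if ($null -ne $p.LaunchProtected) { [int]$p.LaunchProtected } else { 0 }
        [pscustomobject]@{
            Service         = $svc
            Installed       = $true
            LaunchProtected = if ($LaunchProtectedName.ContainsKey($lp)) { $LaunchProtectedName[$lp] } else { "UNKNOWN($lp)" }
            ImagePath       = $p.ImagePath
        }
    }
}

function Get-ElamBackupDriver {
    # Windows keeps a copy of each registered ELAM driver in this directory.
    $dir = Join-Path $env:SystemRoot 'ELAMBKUP'
    if (-not (Test-Path -LiteralPath $dir)) { return }
    Get-ChildItem -LiteralPath $dir -Filter '*.sys' | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver    = $_.Name
            SigStatus = $sig.Status.ToString()
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        }
    }
}

# WinDefend is the reference case; the other two names are assumptions.
Get-ServiceLaunchProtection -Name 'WinDefend', 'avast! Antivirus', 'AVG Antivirus' | Format-Table -AutoSize
Get-ElamBackupDriver | Format-Table -AutoSize
```

A service whose LaunchProtected comes back as NONE is exactly the case the quoted Cybellum text describes: whatever self-protection the product adds, the OS itself is not refusing the code injection. On Windows 8.1 and later, `sc.exe qprotection <service>` asks the SCM for the same value directly.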