Author Topic: AV products vulnerable to attack through Microsoft Aplication Verifier.  (Read 10537 times)

0 Members and 1 Guest are viewing this topic.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86498
  • No support PMs thanks
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #15 on: March 22, 2017, 03:13:26 PM »
Quote from:  link=topic=199290.msg1379967#msg1379967 date=1490190981
Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)
<snip>
I see that you use AMSI. You should use also ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.
« Last Edit: December 14, 2021, 11:22:00 AM by Eva137 »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline A. User

  • Sr. Member
  • ****
  • Posts: 389
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #16 on: March 22, 2017, 03:30:44 PM »
Quote from:  link=topic=199290.msg1379967#msg1379967 date=1490190981
Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)
<snip>
I see that you use AMSI. You should use also ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.
I'm not asking about implementation details or source code, i'm just asking them to tell me if they have implemented it (because i doubt it) in spite of the specification and requirements in the absence of evidence.
« Last Edit: December 13, 2021, 03:43:32 PM by Eva137 »

Offline Spec8472

  • Avast team
  • Sr. Member
  • *
  • Posts: 270
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #17 on: March 22, 2017, 03:46:28 PM »
Liubomir,  I'am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: the procexp.exe must be executed elevated (Run as administrator).
« Last Edit: March 22, 2017, 03:52:35 PM by Spec8472 »

Offline A. User

  • Sr. Member
  • ****
  • Posts: 389
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #18 on: March 22, 2017, 03:48:21 PM »
Liubomir,  I'am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled.
Okay, this is good to know. :) Do you have any plans about ELAM?

Offline Spec8472

  • Avast team
  • Sr. Member
  • *
  • Posts: 270
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #19 on: March 22, 2017, 04:02:57 PM »
No, we've found it unworthy

Offline A. User

  • Sr. Member
  • ****
  • Posts: 389
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #20 on: March 22, 2017, 04:03:58 PM »
No, we've found it unworthy
Okay, you know better. Have a nice day!

Offline SchaOn2

  • Newbie
  • *
  • Posts: 1
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #21 on: March 22, 2017, 06:38:08 PM »
Liubomir,  I'am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: the procexp.exe must be executed elevated (Run as administrator).

It seems that the Avast Business Security 17.2.2517 build 17.2.3419.64 is still UNProtected at the moment... or is there something special that we have to do to get this turned on?

FYI --- running Windows 10 (fully up-to-date).
« Last Edit: March 22, 2017, 06:40:37 PM by SchaOn2 »

gapo57@aol.com

  • Guest
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #22 on: March 24, 2017, 04:11:09 PM »
Quote
Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/

mjbrady@acm.org

  • Guest
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #23 on: March 24, 2017, 08:10:29 PM »
Quote
Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/
Should be aware, though, that in Windows 10 those logging in with their MS Account (the default) run as administrator at all times. While not difficult to set up, MS kind of hides the ability to use local accounts, and if somebody with a local standard (non-admin) account ever starts using their MS Account (which automatically changes the user account to administrator) its quite fiddly and time-consuming to reverse the process. So simply brushing off an issue because "if they're admin they can do anything" is perhaps not realistic?

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 47021
  • 62 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #24 on: March 24, 2017, 08:29:05 PM »
@ mjbrady,
I believe the Admin reference was primarily directed toward those still using an older version of Avast.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v21H2 64bit, 16 Gig Ram, 1TB SSD, Avast One 21.11, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bi

Offline Patrick2

  • Poster
  • *
  • Posts: 490
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #25 on: March 24, 2017, 10:25:09 PM »
@mjbrady

I personally use Microsoft account all the time since Windows 8.0, 8.1, and Windows 10 Pro, always set my secondary local account as Admin, and personally change my Microsoft Account login to Standard user, so no it doesn't run as Admin all the time,  To Change account type, Open Control Panel, user accounts, Change account type, switch Local account to Admin, then Switch Microsoft Account login to Standard done


Avast works fine, all programs do as well

Sometimes get Popup from UAC for Admin account password, but otherwise don't mind that at all

Just thought i'd point that out regarding that

« Last Edit: March 24, 2017, 10:27:15 PM by Patrick2 »
Windows 10 Pro 64bit 1909 18363.476, Intel I7 7700 Nvidia Geforce 1050 16gb DDR4, WD 250GBSSD, 1tb Storage, Avast Free 19.8.2393
HP Omen Laptop Intel I7 7700HQ, 8gb Of Ram Windows 10 Home x64 1909 18363.476 128GB SSD, 1tb Storage, Avast Free 19.8.2393

Offline top_stuff

  • Jr. Member
  • **
  • Posts: 21
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #26 on: March 25, 2017, 08:15:44 PM »
Will 12.3.2280 be patched? I find it to be the most stable version to use.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 75412
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: AV products vulnerable to attack through Microsoft Aplication Verifier.
« Reply #27 on: March 25, 2017, 08:21:43 PM »
Will 12.3.2280 be patched? I find it to be the most stable version to use.
I doubt that outdated versions get patched.
Win 8.1 [x64] - Avast PremSec 22.5.7216.B [UI.704] - Firefox ESR 91.9 [NS/uBO/PB] - Thunderbird 91.9.0
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0