AV products vulnerable to attack through Microsoft Aplication Verifier.

[DavidR]

Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)

<snip>
I see that you use AMSI. You should use also ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.

[A. User]

Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)

<snip>
I see that you use AMSI. You should use also ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.

I'm not asking about implementation details or source code, i'm just asking them to tell me if they have implemented it (because i doubt it) in spite of the specification and requirements in the absence of evidence.

[Spec8472]

Liubomir,  I'am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: the procexp.exe must be executed elevated (Run as administrator).

[A. User]

Liubomir,  I'am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled.

Okay, this is good to know. Do you have any plans about ELAM?

[Spec8472]

No, we've found it unworthy

[A. User]

No, we've found it unworthy

Okay, you know better. Have a nice day!

[SchaOn2]

Liubomir,  I'am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: the procexp.exe must be executed elevated (Run as administrator).

It seems that the Avast Business Security 17.2.2517 build 17.2.3419.64 is still UNProtected at the moment... or is there something special that we have to do to get this turned on?

FYI --- running Windows 10 (fully up-to-date).

[REDACTED]

Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/

[REDACTED]

Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/

Should be aware, though, that in Windows 10 those logging in with their MS Account (the default) run as administrator at all times. While not difficult to set up, MS kind of hides the ability to use local accounts, and if somebody with a local standard (non-admin) account ever starts using their MS Account (which automatically changes the user account to administrator) its quite fiddly and time-consuming to reverse the process. So simply brushing off an issue because "if they're admin they can do anything" is perhaps not realistic?

[bob3160]

@ mjbrady,
I believe the Admin reference was primarily directed toward those still using an older version of Avast.

[Patrick2]

@mjbrady

I personally use Microsoft account all the time since Windows 8.0, 8.1, and Windows 10 Pro, always set my secondary local account as Admin, and personally change my Microsoft Account login to Standard user, so no it doesn't run as Admin all the time,  To Change account type, Open Control Panel, user accounts, Change account type, switch Local account to Admin, then Switch Microsoft Account login to Standard done


Avast works fine, all programs do as well

Sometimes get Popup from UAC for Admin account password, but otherwise don't mind that at all

Just thought i'd point that out regarding that

[top_stuff]

Will 12.3.2280 be patched? I find it to be the most stable version to use.

[Asyn]

Will 12.3.2280 be patched? I find it to be the most stable version to use.

I doubt that outdated versions get patched.