12 Replies. Latest reply on Mar 29, 2017 8:57 PM by secpro m

    Threat:Double Agent

    soumyab

      I've just seen a video:

      https://m.youtube.com/watch?v=1ZkxD789xVI

      regarding a new exploit that can impact all Windows users and turn an AV into malware.

      So, it would be nice if the McAfee team could update or make sure that the latest version is immune to this issue.

        • 1. Re: Threat:Double Agent
          catdaddy

          I read about this several days ago, and have contacted someone from McAfee Labs/Threat Intelligence. If I hear anything more on this, I will update the thread.

           

          New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

          • 2. Re: Threat:Double Agent
            ustadie

            Hi,

             

            I have a service-case open in regards to DoubleAgent, too.

            I give you the answers I have received so far. For completeness' sake, I state that I have edited them slightly to shorten them or to remove specific details not belonging here (in my opinion).

             

            I asked if both VirusScan and Endpoint Security for Windows are affected by the DoubleAgent exploit.

            Here is what I got as an answer after I asked to state this information explicitly:

             

            > I confirm that VirusScan 8.8 and Endpoint Security
            > 10.5, in their default configuration, are not affected by (and are therefore
            > protected from) the DoubleAgent-Zero-Day-Vulnerability (as described in this
            > link: http://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/).

             

            As the design concept of "Protected Processes" recommended by Microsoft seems to help against this exploit (according to Cybellum), I also asked whether either of the two, VirusScan and/or Endpoint Security, has implemented / is following this design concept. Here is what I got as an answer:

             

            > Yes confirmed, both products have the ‘protected process’ concept implemented, as [described] per the KB article (KB88085).

             

            I also asked them whether McAfee/Intel is going to make an official statement in regards to DoubleAgent. Here is what I got as an answer:

            > At this moment we do not know if there would be an official statement, we are trying to find this out for you.

            [I have received no update since]

             

            Quite frankly, I do not understand why McAfee is not intending to make a statement in regards to DoubleAgent, especially if their anti-virus products are not affected by this exploit.

             

            I hope this helps a little bit.

            • 3. Re: Threat:Double Agent
              catdaddy

              ustadie,

               As with (all) of the security vendors out there, their top priority is to keep our best interests at heart. I am certain and confident that they are and have been diligently working towards this very goal. In all the many years I have chosen McAfee to protect and secure my devices and personal information, I have yet to be doubtful, disappointed, or concerned.

               It is always good to keep a positive attitude during such instances, as I have grown to learn that sometimes it is best to deliver, rather than "put out to the masses", the actions that have been taken. This keeps culprits wondering as they attempt to stay one step ahead, as they often and indeed do.

               Just my personal take ...

              • 4. Re: Threat:Double Agent
                jabii

                ustadie soumyab

                 

                Today I tested this on VSE, but maybe ENS is also vulnerable:

                 

                Tried to create a key with the name mcshield.exe under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ carrying a Debugger value:

                reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\notepad.exe"

                If your McAfee has default options enabled, then you are protected.

                 

                Unfortunately, if you create other keys like (but not only) VsTskMgr.exe or mfevtps.exe, after the computer restarts your McAfee antivirus will not work as expected. The on-access scanner is disabled, so there is no protection against further downloaded malware.

                 

                Until McAfee releases a hotfix, you can prevent this through a user-defined policy.

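The post above tests one Image File Execution Options (IFEO) entry by hand. A practitioner will usually want to audit the whole key instead: every subkey that carries a Debugger value, and every subkey that carries the Application Verifier configuration (a GlobalFlag with bit 0x100 set and a VerifierDlls list) that the headline linked earlier in this thread refers to. The following PowerShell is an added example written for this page; it is not McAfee's code and not a script posted by anyone in the thread. The watch list of McAfee image names is taken from the post above and is an assumption about which entries matter on a given host.

```powershell
# Added example (not from the thread or from McAfee): enumerate IFEO subkeys and
# report any that can redirect or inject into the named image.
#   - Debugger     : the loader starts this program instead of the image
#   - GlobalFlag   : bit 0x100 (FLG_APPLICATION_VERIFIER) turns the verifier on
#   - VerifierDlls : DLLs the verifier loads into the image at process start

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Image names mentioned in the post above. Assumed watch list; extend as needed.
$WatchList = @('mcshield.exe', 'VsTskMgr.exe', 'mfevtps.exe')

function Get-IfeoHijackCandidates {
    param(
        [string]   $Path  = $IfeoPath,
        [string[]] $Watch = $WatchList
    )

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        # Subkey name is the image name (e.g. mcshield.exe); values sit directly under it.
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

        # GlobalFlag may be REG_DWORD or a REG_SZ such as "0x100"; [int] handles both forms.
        $globalFlag = 0
        if ($props.GlobalFlag) { $globalFlag = [int]$props.GlobalFlag }
        $verifierOn = (($globalFlag -band 0x100) -ne 0)

        if ($props.Debugger -or $props.VerifierDlls -or $verifierOn) {
            [pscustomobject]@{
                Image        = $_.PSChildName
                Debugger     = $props.Debugger
                VerifierOn   = $verifierOn
                VerifierDlls = $props.VerifierDlls
                Watched      = ($Watch -contains $_.PSChildName)   # case-insensitive
            }
        }
    }
}

$findings = Get-IfeoHijackCandidates
if (-not $findings) {
    'No IFEO Debugger or Application Verifier entries found.'
} else {
    # Watched images first: an entry for an AV service image deserves a look before
    # the developer-tool entries that legitimately live under IFEO on some machines.
    $findings | Sort-Object Watched -Descending | Format-Table -AutoSize
}
```

Reading HKLM does not need elevation, so the audit runs as an ordinary user; removing an entry does. If you reproduce jabii's test, the script will list mcshield.exe with Debugger set to notepad.exe, and `Remove-Item "$IfeoPath\mcshield.exe"` from an elevated prompt undoes it. Expect false positives: debuggers and Application Verifier itself create IFEO entries on developer machines, so treat the output as a review list, not a verdict.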
                • 5. Re: Threat:Double Agent
                  soumyab

                  McAfee and some other products have self-defence, but sometimes it can be compromised by malware. I've read that Microsoft released a 'Protected Process' feature to help AVs protect their files and processes. Can you tell me the difference between this 'Protected Process' and a traditional 'self-defence' system?

                  • 6. Re: Threat:Double Agent
                    soumyab

                    Yes, you're right, CD.

                    • 7. Re: Threat:Double Agent
                      catdaddy

                      soumyab, I am following you; could you kindly hover over my avatar, click ok/done and follow me? Thank you.

                      • 8. Re: Threat:Double Agent
                        soumyab

                        ok done

                        • 9. Re: Threat:Double Agent
                          Nielsb