I read about this several days ago, and have contacted someone from McAfee Labs/Threat Intelligence. If I hear anything more on this, I will update the thread.
I have a service-case open in regards to DoubleAgent, too.
I give you the answers I have received so far. For completeness' sake, I state that I have edited them slightly to shorten them or to remove specific details not belonging here (in my opinion).
I asked if both VirusScan and Endpoint Security for Windows are affected by the DoubleAgent exploit.
Here is what I got as an answer after I asked to state this information explicitly:
> I confirm that VirusScan 8.8 and Endpoint Security
> 10.5, in their default configuration, are not affected by (and are therefore
> protected from) the DoubleAgent-Zero-Day-Vulnerability (as described in this
> link: http://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/).
As the design concept of "Protected Processes" recommended by Microsoft seems to help against this exploit (according to Cybellum), I also asked whether either of the two, VirusScan and/or Endpoint Security, has implemented/is following this design concept. Here is what I got as an answer:
> Yes confirmed, both products have the ‘protected process’ concept implemented, as [described] per the KB article (KB88085).
I also asked them, if McAfee/Intel is going to make an official statement in regards to DoubleAgent. Here is what I got as an answer:
> At this moment we do not know if there would be an official statement, we are trying to find this out for you.
[I have received no update since]
Quite frankly, I do not understand why McAfee is not intending to make a statement in regards to DoubleAgent, especially if their anti-virus products are not affected by this exploit.
I hope this helps a little bit.
As with all of the security vendors out there, their top priority is to keep our best interests at heart. I am certain and confident that they are and have been diligently working towards this very goal. In all the many years I have chosen McAfee to protect and secure my devices and personal information, I have yet to be doubtful, disappointed or concerned.
It is always good to keep a positive attitude during such instances, as I have grown to learn that sometimes it is best to deliver than to "put it out to the masses" the actions that have been taken, which keeps culprits wondering as they attempt to stay one step ahead, as they often and indeed do.
Just my personal take ...
Today I tested this on VSE, but maybe ENS is also vulnerable:
Tried to create a key named mcshield.exe under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ with a Debugger value, i.e.:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\notepad.exe"
If your McAfee has default options enabled, then you are protected.
Unfortunately, if you create other keys such as (but not only) VsTskMgr.exe or mfevtps.exe, after the computer restarts your McAfee antivirus will not work as expected. The on-access scanner is disabled, so there is no protection against further downloaded malware.
Until McAfee releases a hotfix, you can prevent this through a user-defined policy.
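The test above registers a Debugger value under Image File Execution Options (IFEO) for an AV process name, which is exactly the persistence mechanism DoubleAgent relies on. The following is an added example, not code from the original post or from McAfee, that audits the IFEO hive for any image with a Debugger value and flags the process names mentioned in this thread. The list of watched process names is an assumption taken from the posts above; extend it for your own products. Run it from an elevated PowerShell prompt; it is read-only and removes nothing.

```powershell
# Added example (not from the original post): audit IFEO Debugger entries.
# A Debugger value under Image File Execution Options\<image>.exe makes Windows
# launch the named "debugger" instead of <image>.exe every time it starts,
# which is how the test above replaced mcshield.exe with notepad.exe.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumed watch list: the McAfee process names mentioned in this thread.
$watch = @('mcshield.exe', 'VsTskMgr.exe', 'mfevtps.exe')

function Get-IfeoDebuggerEntries {
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $image = $_.PSChildName
        # -ErrorAction SilentlyContinue: most IFEO subkeys have no Debugger value at all.
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{
                Image    = $image
                Debugger = $debugger
                # -contains is case-insensitive in PowerShell, so VSTSKMGR.EXE also matches.
                Note     = if ($watch -contains $image) { 'AV PROCESS HIJACKED' } else { 'review' }
            }
        }
    }
}

$entries = Get-IfeoDebuggerEntries
if ($entries) {
    $entries | Format-Table -AutoSize
} else {
    'No Debugger values found under Image File Execution Options.'
}
```

Any Debugger value you did not set yourself deserves a look, not only the flagged ones: legitimate uses are rare (a developer's just-in-time debugger, for example) and a value pointing at a non-debugger binary is the tell. To undo the test registration from the post above, delete the subkey that was created, e.g. `Remove-Item -Path (Join-Path $ifeo 'mcshield.exe') -Recurse` from an elevated prompt, then reboot so the real mcshield.exe starts again.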
McAfee and some other products have self-defence, but sometimes it can be compromised by malware. I've read that Microsoft released a 'Protected Process' feature to help AVs protect their files and processes. Can you tell me the difference between this 'Protected Process' and a traditional 'self-defence' system?
Yes, you're right CD