AV products vulnerable to attack through Microsoft Application Verifier.

More info here: https://www.bleepingcomputer.com/news/security/new-attack-uses-microsofts-application-verifier-to-hijack-antivirus-software/
This is one more reason to bring back the Early Launch Antimalware (the security component that you removed for unknown reasons after acquiring AVG) which is a prerequisite for registering Avast service as a protected antimalware service. :slight_smile:

AVG has been patched, what about Avast?

Reported to Avast.

This article shows that Protected Processes have been available for more than 3 years and that no antivirus other than Windows Defender is using them. I wonder why not?

http://cybellum.com/doubleagent-taking-full-control-antivirus/

Mitigation

Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes”, and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new zero-day technique for injecting code, it could not be used against the antivirus, as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design, even though Microsoft made it available more than 3 years ago. It’s important to note that even if the antivirus vendors blocked the registration attempts, the code injection technique and the persistence technique would live forever, since they are a legitimate part of the OS.

Detail

Code injection vulnerability in Avast Premier 12.3 (and earlier), Internet Security 12.3 (and earlier), Pro Antivirus 12.3 (and earlier), and Free Antivirus 12.3 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Avast process via a “DoubleAgent” attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
https://hackertor.com/2017/03/21/na-cve-2017-5567-code-injection-vulnerability-in-avast-premier/
http://www.security-database.com/detail.php?alert=CVE-2017-5567&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Last100Alerts+(Security-Database+Alerts+Monitor+%3A+Last+100+Alerts)
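The registration described above lives in the Image File Execution Options key: the image's subkey gets GlobalFlag with bit 0x100 (FLG_APPLICATION_VERIFIER) set and a VerifierDlls value naming the provider DLLs that verifier.dll loads into the process. The read-only audit below is an added example, not code from the thread or from Avast/Cybellum; it assumes providers are resolved from System32 (SysWOW64 for 32-bit images) and must run elevated to read every subkey.

```powershell
# Added example (not from the thread): enumerate IFEO subkeys that enable Application Verifier
# and list the provider DLLs they register, with their Authenticode signature status.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that makes the loader pull in verifier.dll

function Get-VerifierRegistrations {
    param([string]$Root = $ifeo)
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $image = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        # GlobalFlag may be stored as REG_DWORD or as a hex string; [int] handles both.
        $flags = if ($null -ne $props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }
        $verifierOn = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0
        $dlls = @($props.VerifierDlls -split ' ' | Where-Object { $_ })
        if (-not $verifierOn -and $dlls.Count -eq 0) { return }   # nothing verifier-related here
        if ($dlls.Count -eq 0) { $dlls = @('(none listed)') }
        foreach ($dll in $dlls) {
            # Assumption: verifier providers are loaded from System32 (SysWOW64 for 32-bit images).
            $path = Join-Path $env:SystemRoot "System32\$dll"
            $sig = if ($dll -eq '(none listed)') { '' }
                   elseif (Test-Path $path) { (Get-AuthenticodeSignature $path).Status }
                   else { 'MISSING' }
            [pscustomobject]@{
                Image       = $image
                VerifierOn  = $verifierOn
                ProviderDll = $dll
                Signature   = $sig
            }
        }
    }
}

# Any row whose ProviderDll is unsigned, missing, or not something you deliberately
# registered deserves a closer look, especially when Image is a security product's service.
Get-VerifierRegistrations | Format-Table -AutoSize
```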

The proof-of-concept code he’s referring to is available on GitHub.
https://github.com/Cybellum/DoubleAgent#installation
Any news from Avast's side?

So, that’s a feature MS introduced in Win 8.1. Does that mean that feature would not be available in Win 7, and so the antivirus program will always be vulnerable? Does anyone know?

Maybe Microsoft will fix their part of the vulnerability and Avast their part. But for Avast to be a protected service and for Windows to block 3rd-party injections into the process, you will need ELAM, which is only available on Windows 8 and above. We really are the ones who need to push Avast to make their product better; I guess that otherwise they won’t do anything.

Only Avast 12.3 (and older) version is vulnerable.

Also, don’t worry about anti-malware processes: all our services are anti-malware processes in both Avast/AVG (starting with version 17).

The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.

Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910

Is the vulnerability fixed in version 17?

Yep.

Ok. :smiley:

But how? You need to use Early Launch Antimalware in order to be able to specify AvastSvc.exe as a protected service. Maybe you mean that you have taken unofficial quirks to protect the service? AVG had an option for Early Launch Antimalware in the menu, and also had a driver in %SystemRoot%\ELAMBKUP named avgboota.sys. Every AV that utilizes ELAM needs to have a backup driver located there by specification, and ELAM is a prerequisite for Protected Service. It is good to take every single technology to provide better protection, especially when other reputable providers actually do this. I see that you use AMSI. You should also use ELAM with measured boot. Please clarify more for us, we just want to help.

[quote="Spec8472 post:9, topic:734820"]
Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)
[/quote]

I see that you use AMSI. You should also use ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.

I’m not asking about implementation details or source code; I’m just asking them to tell me if they have implemented it (because I doubt it), in spite of the specification and requirements, in the absence of evidence.

Liubomir, I’m not going to tell you about the implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in the Protection column. On supported OSes only, of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: procexp.exe must be executed elevated (Run as administrator).
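The same Protection column can be read without Process Explorer: NtQueryInformationProcess with the ProcessProtectionInformation class (61) returns one PS_PROTECTION byte whose low 3 bits are the type (1 = Light, 2 = Full) and whose high 4 bits are the signer (3 = Antimalware). The script below is an added example, not Avast's or the thread's code; it assumes the three service names quoted above and, like procexp, must run elevated on Windows 8.1 or later.

```powershell
# Added example (not from the thread): report the protection level of the named processes.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int infoClass,
                                                       ref byte info, int len, out int retLen);
}
"@

# PS_PROTECTED_SIGNER and PS_PROTECTED_TYPE names, indexed by their numeric value.
$signers = @('None','Authenticode','CodeGen','Antimalware','Lsa','Windows','WinTcb','WinSystem','App')
$types   = @('None','Light','Full')

function Get-ProcessProtection {
    param([int]$ProcessId)
    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is granted even on protected processes.
    $h = [ProcProt]::OpenProcess(0x1000, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return 'OpenProcess failed' }
    try {
        [byte]$level = 0; [int]$ret = 0
        $status = [ProcProt]::NtQueryInformationProcess($h, 61, [ref]$level, 1, [ref]$ret)
        if ($status -ne 0) { return ('NTSTATUS 0x{0:X8}' -f $status) }
        $type   = $level -band 0x7          # bits 0-2: protection type
        $signer = ($level -shr 4) -band 0xF # bits 4-7: signer
        if ($type -eq 0) { return 'None' }
        return ('PsProtectedSigner{0}-{1}' -f $signers[$signer], $types[$type])
    } finally { [void][ProcProt]::CloseHandle($h) }
}

# Assumed service names, taken from the reply above; adjust for other products.
Get-Process -Name AvastSvc, afwServ, aswidsagent -ErrorAction SilentlyContinue |
    ForEach-Object { '{0,-12} PID {1,-6} {2}' -f $_.ProcessName, $_.Id, (Get-ProcessProtection $_.Id) }
```

A result of None for a security product's service means the Protected Processes defense the thread discusses is not in effect for that process.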

Okay, this is good to know. :slight_smile: Do you have any plans about ELAM?

No, we’ve found it unworthy