AV products vulnerable to attack through Microsoft Aplication Verifier.

system · 2017-03-22T06:59:57.000Z

So, that’s a feature MS introduced in Win 8.1. Does that mean that feature would not be available in Win 7 and so the Antivirus program will always be vulnerable? Anyone knows?

A.User · 2017-03-22T07:55:46.000Z

Mugenix post:6:

So, that’s a feature MS introduced in Win 8.1. Does that mean that feature would not be available in Win 7 and so the Antivirus program will always be vulnerable? Anyone knows?

Maybe Microsoft will fix their part of the vulnerability and Avast their part. But for Avast to be protected service and Windows to block 3rd party injections into the process you will need ELAM, which is only available on Windows 8 and above. We really are the ones who need to push Avast to make their product better, i guess that otherwise they won’t do anything.

Spec8472 · 2017-03-22T10:23:43.000Z

Only Avast 12.3 (and older) version is vulnerable.

Spec8472 · 2017-03-22T10:30:01.000Z

Also don’t worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)

BeSecure · 2017-03-22T10:39:13.000Z

Spec8472 post:8:

Only Avast 12.3 (and older) version is vulnerable.

The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.

Asyn · 2017-03-22T10:42:25.000Z

Be Secure post:10:

Spec8472 post:8:

Only Avast 12.3 (and older) version is vulnerable.

The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.

Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910

BeSecure · 2017-03-22T10:44:37.000Z

Asyn post:11:

Be Secure post:10:

Spec8472 post:8:

Only Avast 12.3 (and older) version is vulnerable.

The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.

Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910

vulnerability is fixed in version 17??

Asyn · 2017-03-22T10:46:04.000Z

Be Secure post:12:

Asyn post:11:

Be Secure post:10:

Spec8472 post:8:

Only Avast 12.3 (and older) version is vulnerable.

The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.

Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910

vulnerability is fixed in version 17??

Yep.

BeSecure · 2017-03-22T10:46:53.000Z

Asyn post:13:

Be Secure post:12:

Asyn post:11:

Be Secure post:10:

Spec8472 post:8:

Only Avast 12.3 (and older) version is vulnerable.

The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.

Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910

vulnerability is fixed in version 17??

Yep.

Ok.

A.User · 2017-03-22T13:56:21.000Z

Spec8472 post:9:

Also don’t worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)

But how, you need to use Early Launch Antimalware in order to be able to specify AvastSvc.exe as a protected service. Maybe you mean that you have taken unofficial quirks to protect the service? AVG had an option for Early Launch Antimalware in the menu, and also had a driver in %SystemRoot%\ELAMBKUP named avgboota.sys. Every AV that utilizes ELAM needs to have a backup driver located there by specification and ELAM is a prerequisite for Protected Service. It is good to take every single technology to provide better protection, especially when other reputable providers actually do this. I see that you use AMSI. You should use also ELAM with measured boot. Please clarify more for us, we just want to help.

DavidR · 2017-03-22T14:13:26.000Z

[quote="Spec8472 post:9, topic:734820"] Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17) [/quote] I see that you use AMSI. You should use also ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.

A.User · 2017-03-22T14:30:44.000Z

DavidR post:16:

[quote="Spec8472 post:9, topic:734820"] Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17) [/quote] I see that you use AMSI. You should use also ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.

I’m not asking about implementation details or source code, i’m just asking them to tell me if they have implemented it (because i doubt it) in spite of the specification and requirements in the absence of evidence.

Spec8472 · 2017-03-22T14:46:28.000Z

Liubomir, I’am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: the procexp.exe must be executed elevated (Run as administrator).

A.User · 2017-03-22T14:48:21.000Z

Spec8472 post:18:

Liubomir, I’am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled.

Okay, this is good to know. Do you have any plans about ELAM?

Spec8472 · 2017-03-22T15:02:57.000Z

No, we’ve found it unworthy

A.User · 2017-03-22T15:03:58.000Z

Spec8472 post:20:

No, we’ve found it unworthy

Okay, you know better. Have a nice day!

SchaOn2 · 2017-03-22T17:38:08.000Z

Spec8472 post:18:

Liubomir, I’am not going to tell you about implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: the procexp.exe must be executed elevated (Run as administrator).

It seems that the Avast Business Security 17.2.2517 build 17.2.3419.64 is still UNProtected at the moment… or is there something special that we have to do to get this turned on?

FYI — running Windows 10 (fully up-to-date).

system · 2017-03-24T15:11:09.000Z

Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/

system · 2017-03-24T19:10:29.000Z

avon post:23:

Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/

Should be aware, though, that in Windows 10 those logging in with their MS Account (the default) run as administrator at all times. While not difficult to set up, MS kind of hides the ability to use local accounts, and if somebody with a local standard (non-admin) account ever starts using their MS Account (which automatically changes the user account to administrator) its quite fiddly and time-consuming to reverse the process. So simply brushing off an issue because “if they’re admin they can do anything” is perhaps not realistic?

bob3160 · 2017-03-24T19:29:05.000Z

@ mjbrady,
I believe the Admin reference was primarily directed toward those still using an older version of Avast.

Announcements