Microsoft tWindows Application Verifier debugging tool exploit DoubleAgent

[sman]

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/

Is this issue still around?

[Aura]

There's no need to panic.

https://www.gdatasoftware.com/blog/2017/03/29626-doubleagent

You need Admin Rights in order for DoubleAgent to be exploited, and as soon as a process gets Admin Rights on a system, it's game over.

[sman]

Under windows, it is generally with admin account usage, and mostly by default.. so, as per gdata, if admin privilege / rights are accessible, than no need for av take-over for hacker to realize his intentions, as the system is already compromised..

So, it's a question of protecting exploiting the admin account and how?

[Aura]

Quote

So, it's a question of protecting exploiting the admin account and how?

Make sure UAC is enabled at the default level at least (since if a process tries to configure DoubleAgent, it'll ask you for Admin Rights)

Do not give Admin Rights (when asked) to an unknown process and/or operation.

Simple as that.

[sman]

Hmm. with UAC the admin rights seem protected, but as far as I remember, there are ways to bypass UAC (there was some earlier discussions on MBAM/MBAE user privileges, where this aspect of Admin rights was explained and about some limitations. i dont' remenmber when.

[Aura]

In that case, the payload that tries to set up DoubleAgent would need to use a UAC bypass. And like stated above, setting up DoubleAgent isn't needed at all once you have Admin Rights on a system, even less if you have a UAC bypass exploit.

[sman]

windows UAC bypass (esp. in win 10)..

https://threatpost.com/windows-uac-bypass-leaves-systems-open-to-malicious-dlls/119468/

this only adds fuel to fire..

[sman]

another UAC bypass mode .https://threatpost.com/fileless-uac-bypass-uses-windows-backup-and-restore-utility/124579/

gets more curiouser and curiouser..

[Aura]

UAC bypass have been around for years. This is nothing new. As soon as they are discovered and reported to Microsoft, it fixes them.

[sman]

So, if UAC vulnerabilities are patched , well & good but creators update is expected in Autumn and expected to address many of the UAC vulnerabilities.. until then?

[Aura]

Until then an Anti-Exploit (like Malwarebytes 3 Premium or Malwarebytes Anti-Exploit Beta) should protect you. You know, if you use your computer with a bit of common sense, like not browsing suspicious websites, not downloading suspicious files or installing unknown programs, you wouldn't have to worry about all that. Protecting yourself against DoubleAgent, UAC bypass, etc. is the same as protecting yourself from every other malware out there.

[sman]

It is here that earlier discussions in the forum , assumes significance.. it was about something about MBAM privileges / feature suggestions maybe prior to version 2 or so in the forum, where some limitations were discussed.

[sman]

can't find that old thread on Windows account discussion.. It was here it was suggested for 'local account' use and risks with Admin account and the relevance with MBAM feature additions..

Yes, we all know AV protection alone is not sufficient and need to be complemented with MBAM/MBAE.. But, what about in case of IoT security products by these very AV vendors, and MBAM/MBAE complementary role? In fact, even standalone AV products like Comodo, Norton etc. do offer refund/compensation in case of infection while use of their AV product & offer viability.. 

As the core issue is about protection even under OS vulnerabilities on topic, the complementary security beef up of AV/IoT protection is what it boils to and looked for..

[sman]

Silence is golden but not always..

MBAM/MBAE complementary role with IoT security products esp. under the topic threat (keeping in view AV claims of complete protection and refund/compensation in case of infection during use of their product) is a grey region and needs to be defined..

[Aura]

What you're talking about now is subject for another discussion. It isn't even related to DoubleAgent anymore.

[sman]

The threat on topic can affect all Windows systems protected by standalone AV's / IoT products, so when it is about MBAM/MBAE mitigation of the threat, the role of MBAM/MBAE under IoT is what is to be defined (since IoT vendors, the very AV vendors, say the protection is complete and this when the standalone AV's too offer complete protection with refund/compensation on infection.).. so, it is relevant to define MBAM/MBAE role in protecting/mitigating the topic threat under AV/IoT environment.. Tks..

[sman]

Ok.. I'll take up the query with a fresh thread, if it is felt so?