Attackers found a way to use Microsoft Application Verifier to hijack security products, like antivirus tools. Expert Judith Myerson explains how it's done and what to do to stop it.
Attackers can reportedly hijack security products via Microsoft Application Verifier. What does this tool do? How can we stop malicious use of this tool?
Legitimate developers use Microsoft Application Verifier to find programming errors in their applications. The tool has been available since the days of Windows XP. The verification tool is part of the Windows Software Development Kit, not the Debugging Tools for Windows.
Flaws in the Microsoft Application Verifier enable hackers to launch DoubleAgent attacks against antivirus products. They can take full control of Norton AntiVirus, for example, and use it as ransomware to encrypt or delete user files on a desktop.
The attack starts with the tool loading a so-called verifier provider dynamic link library (DLL) into the targeted application's process for runtime testing. Once the verifier provider DLL has been created, it is added to the Windows Registry as a provider DLL for a specified process. Windows then automatically injects the DLL into all the processes with the product's registered name.
Some antivirus vendors attempt to protect their products by guarding the registry keys associated with their processes. The researchers at Cybellum, an Israeli company that specializes in zero-day prevention, easily bypassed a product's self-protection mechanism (the mechanism worked on all major antivirus products, according to the company). The researchers injected arbitrary code and registered a malicious DLL for a process associated with a product.
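One way to audit the registration described above, as an added example that is not from the original article: the script parses a `reg export` of the Image File Execution Options key, where Windows stores per-image verifier settings, and lists every image that has a provider DLL registered. The sample export, the image and DLL names in it, and the `protected` and `allowed_dlls` parameters are constructed assumptions.

```python
import re

# Windows key holding per-image debugging options, including Application
# Verifier providers (well-known path; it is not quoted in the article).
IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that enables the verifier

# Constructed sample in `reg export` text format; image names are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampleav.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="unexpected_provider.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devapp.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
'''

def parse_export(text):
    """Return {image name: {value name: raw value}} for direct IFEO subkeys."""
    images, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            parent, _, image = key.group(1).rpartition("\\")
            in_ifeo = parent.lower() == IFEO.lower()
            current = images.setdefault(image.lower(), {}) if in_ifeo else None
        elif current is not None:
            val = re.fullmatch(r'"([^"]+)"=(.*)', line)
            if val:
                current[val.group(1).lower()] = val.group(2)
    return images

def find_verifier_providers(text, protected=(), allowed_dlls=()):
    """List (image, dlls, verifier_enabled, severity); names must be lowercase."""
    findings = []
    for image, values in sorted(parse_export(text).items()):
        # Assumption: several provider DLLs are separated by whitespace.
        raw = values.get("verifierdlls", "").strip('"').lower()
        dlls = [d for d in raw.split() if d not in allowed_dlls]
        if dlls:
            flag = values.get("globalflag", "0").rsplit(":", 1)[-1].strip('"')
            enabled = bool(int(flag, 16) & FLG_APPLICATION_VERIFIER)
            severity = "high" if image in protected else "review"
            findings.append((image, dlls, enabled, severity))
    return findings
```

Pass the process names of installed security products as `protected`, so that any provider registered for them is reported as `high`.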
Check for the verification tool's patches
Not all impacted antivirus vendors have released patches for the Microsoft Application Verifier vulnerability. Those vendors that have released patches include Malwarebytes, AVG and Kaspersky Lab. Although the Comodo antivirus product was slightly more difficult to defeat, a different unreleased proof of concept has been used for the DoubleAgent attack.
Microsoft takes a different approach to protecting antimalware services. It adds another layer of defense by implementing Windows Defender Security Center in Windows 8.1 and beyond. You can view the status of antivirus products, firewall and network protection, app and browser controls, and device performance and health.
Before you update your favorite antivirus product, visit the vendor's website and the Common Vulnerabilities and Exposures website for the latest reports on the product's vulnerabilities and patches.