Endpoint Protection


What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

  • 1.  What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 23, 2017 02:03 PM

    Cybellum recently discovered a zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool and in turn affects a large number of anti-virus products, including Norton. I would like to know which versions of SEP 12.x & 14.x are not affected by this zero-day vulnerability.


    Source: https://www.engadget.com/2017/03/21/doubleagent-attack-anti-virus-hijack-your-pc/



  • 2.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 23, 2017 02:34 PM

    Their security advisories don't mention it for SEP, so SEP may not be affected:

    https://www.symantec.com/security_response/securityupdates/list.jsp?fid=security_advisory

    For Norton, best to post in their community:

    https://community.norton.com



  • 3.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 23, 2017 03:00 PM

    Thanks Brian. Can I get confirmation on if SEP 12.x or 14.x are affected?



  • 4.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 23, 2017 03:06 PM

    Their security advisory doesn't show it as affected. So either it's not, or Symantec hasn't released those details. Someone from Symantec will need to weigh in, though.



  • 5.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 23, 2017 11:44 PM
    Adding the link to this blog: https://www.symantec.com/connect/ideas/doubleagent-zero-day-hijacks-microsoft-tool-turn-antivirus


  • 6.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 24, 2017 02:37 AM
    I have found this video of the DoubleAgent attack on a Norton product: http://www.zdnet.com/article/windows-10-doubleagent-zero-day-hijacks-microsoft-tool-to-turn-antivirus-into-malware/

    But in the case of SEP, it has Tamper Protection, which does not allow other applications or any attacker to tamper with SEP and bypass it. Tamper Protection provides real-time protection for the Symantec applications that run on servers and clients. It protects Symantec processes and internal objects from the attacks that non-Symantec processes such as worms, Trojan horses, viruses, and security risks may make. Tamper Protection can block or log attempts to modify the Symantec processes or the internal software objects that synchronize Symantec threads and processes.

    But I found no info on whether DoubleAgent affects it or not.


  • 7.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 24, 2017 02:39 AM
    Norton products also have Tamper Protection, but they are getting affected by DoubleAgent.


  • 8.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?
    Best Answer

    Broadcom Employee
    Posted Mar 24, 2017 03:50 AM

    Hi all,

    This attack method has some requirements:

    1) You must have administrative access to the machine to modify the registry!

    2) Tamper Protection must be disabled to change the registry settings.

    If you meet these requirements, you don't need any Microsoft tool to proceed.

    Here is a statement:

    Symantec has fully investigated this claim and confirmed Endpoint Protection / Norton security are not vulnerable to an attack and there is no product patching required. Symantec has released the following signatures, which will block attempts to modify the registry key required to carry out the attack.
    These signatures work in conjunction with Tamper Protection to provide protection for the Proof of Concept (PoC) code: SONAR.IFEO!gen1, SONAR.IFEO!gen2.

    If you need to deactivate Tamper Protection for any purpose, please ensure that you have created an ADC policy to secure the necessary parts of the registry.
    Please also set a password for disabling the client services!

    MICROSOFT DOMAIN GPO: Computer Configuration\Windows Settings\Security Settings\Registry

    Here you can set additional audit settings to monitor the registry if you can't use ADC or SONAR isn't installed.

    I hope this clarifies the situation a little bit.



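    The post above recommends monitoring the registry keys the attack needs when ADC or SONAR is not available. The script below is an added example, not code from this thread or from Symantec/Broadcom, and it reflects the publicly documented Application Verifier mechanism rather than anything stated here: a per-image subkey under `Image File Execution Options` (IFEO) with a `VerifierDlls` value and the `FLG_APPLICATION_VERIFIER` bit (0x100) in `GlobalFlag`. It lists every IFEO entry carrying either indicator and, with `-EnableAudit`, adds a success-audit SACL to the IFEO key so that later writes produce Windows Security events. The function and parameter names are the example's own; run it from an elevated PowerShell session.

```powershell
<#
  Added example (not from the thread or from Symantec/Broadcom).
  Audits the Image File Execution Options (IFEO) hive that Application
  Verifier reads, and optionally turns on write auditing for that key.
  Assumptions: VerifierDlls / GlobalFlag semantics are from Microsoft's
  public Application Verifier documentation; the rest is illustrative.
#>
[CmdletBinding()]
param(
    # Also add a SACL so writes under IFEO raise Security events 4657/4663
    [switch]$EnableAudit
)

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# FLG_APPLICATION_VERIFIER: the GlobalFlag bit that makes the loader honour VerifierDlls
$FlgAppVerifier = 0x100

function Get-IfeoVerifierEntries {
    [CmdletBinding()]
    param([string]$Path = $IfeoPath)

    Get-ChildItem -Path $Path -ErrorAction Stop | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        $flags = if ($null -ne $props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }
        $dlls  = $props.VerifierDlls
        $bit   = (($flags -band $FlgAppVerifier) -ne 0)

        # Report either indicator on its own: a DLL name without the bit is
        # staged, the bit without a DLL may be a debugging leftover; both
        # deserve a look on a host that should not be running App Verifier.
        if ($dlls -or $bit) {
            [pscustomobject]@{
                Image        = $key.PSChildName
                VerifierDlls = $dlls
                GlobalFlag   = ('0x{0:X}' -f $flags)
                VerifierBit  = $bit
            }
        }
    }
}

function Enable-IfeoWriteAudit {
    [CmdletBinding()]
    param([string]$Path = $IfeoPath)

    # Reading and writing a SACL needs SeSecurityPrivilege (elevated admin).
    $acl      = Get-Acl -Path $Path -Audit
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rights   = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                [System.Security.AccessControl.RegistryRights]::Delete
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        $everyone, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Events only appear once the object-access subcategory is on:
    #   auditpol /set /subcategory:"Registry" /success:enable
}

$hits = @(Get-IfeoVerifierEntries)
if ($hits.Count -eq 0) {
    Write-Host 'No IFEO entries with VerifierDlls or FLG_APPLICATION_VERIFIER found.'
} else {
    $hits | Format-Table -AutoSize
}

if ($EnableAudit) { Enable-IfeoWriteAudit }
```

    A hit is not by itself proof of compromise: developers who have run Application Verifier against their own binaries leave exactly these values behind, so compare the image names against what is expected on that host. The SACL is the local equivalent of the GPO registry-security node mentioned above; it generates nothing until the "Registry" object-access audit subcategory is enabled, and a full-admin attacker who can disable Tamper Protection can also clear the SACL, which is why the audit events should be forwarded off the box.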

  • 9.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 24, 2017 07:03 AM

    I agree with tknorr's comments, above.  Take measures to ensure physical security, keep your user credentials (username and password) secure, ensure passwords are not easy to brute-force, use the principle of least privilege... once a laptop or other computer falls into someone's hands and they get admin access, it is completely "pwned."  The DoubleAgent Attack is just one illustration of how an attacker can manipulate some programs (SEP not included) once they are "in."      



  • 10.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted Mar 24, 2017 12:35 PM

    Thanks tknorr. That's all I need.