Endpoint Protection

Expand all | Collapse all

What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

Jump to Best Answer
  • 1.  What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-23-2017 02:03 PM

    Cybellum recently discovered a zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool, and in turn affects a large number of anti-virus software including Norton. I would like to know what versions of SEP 12.x & 14.x that are not affected by this zero-day vulnerability.

     

    Source: https://www.engadget.com/2017/03/21/doubleagent-attack-anti-virus-hijack-your-pc/



  • 2.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-23-2017 02:34 PM

    Their security advisories don't mention it for SEP so SEP may not be affected:

    https://www.symantec.com/security_response/securityupdates/list.jsp?fid=security_advisory

    For Norton, best to post in their community:

    https://community.norton.com



  • 3.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-23-2017 03:00 PM

    Thanks Brian. Can I get confirmation on if SEP 12.x or 14.x are affected?



  • 4.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-23-2017 03:06 PM

    Their security advisory doesn't show it as affected. So either it's not or Symantec hasn't released those details. Someone from Symantec will need to weigh in though.



  • 5.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-23-2017 11:44 PM
    Adding the link to this blog: https://www.symantec.com/connect/ideas/doubleagent-zero-day-hijacks-microsoft-tool-turn-antivirus


  • 6.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-24-2017 02:37 AM
    I have found this video for doubleagent attacking on Norton product http://www.zdnet.com/article/windows-10-doubleagent-zero-day-hijacks-microsoft-tool-to-turn-antivirus-into-malware/ But in case of SEP, it has tamper protection that do not allow other applications or any attacker to tamper SEP and bypass it Tamper Protection provides real-time protection for the Symantec applications that run on servers and clients. It protects Symantec processes and internal objects from the attacks that non-Symantec processes such as worms, Trojan horses, viruses, and security risks may make. Tamper Protection can block or log the attempts to modify the Symantec processes or the internal software objects that synchronize Symantec threads and processes. But i found no info on if double agent affects it or not


  • 7.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-24-2017 02:39 AM
    Norton products also has tamper protection but it's getting affected by doubleagent


  • 8.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?
    Best Answer

     
    Posted 03-24-2017 03:50 AM

    Hi all,

    this attack method needs to have some requirements.

    1) You must have administrative access to the machine to modify the registry!

    2) Tamper Protection must be disabled to change registry settings

    If you have this requirements, you don't need to use any Microsoft tool to proceed.

    Here is a statement:

    Symantec has fully investigated this claim and confirmed Endpoint Protection / Norton security are not vulnerable to an attack and there is no product patching required. Symantec has released the following signatures, which will block attempts to modify the registry key required to carry out the attack.
    These signatures work in conjunction with Tamper Protection to provide protection for the Proof of Concept (PoC) code: SONAR.IFEO!gen1, SONAR.IFEO!gen2.

    If you need to deactivate Tamper Protection for any purpose, please ensure, that you have created an ADC policy to secure necessary parts of the registry.
    Please set also a password for disabling the client services!

    MICROSOFT DOMAIN GPO: Computer Configuration\Windows Settings\Security Settings\Registry

    Here you can set additional audit settings to monitor if you can't use ADC or SONAR isn't installed.

    I hope this clarify the situation a little bit.

     



  • 9.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-24-2017 07:03 AM

    I agree with tknorr's comments, above.  Take measures to ensure physical security, keep your user credentials (username and password) secure, ensure passwords are not easy to brute-force, use the principle of least privilege... once a laptop or other computer falls into someone's hands and they get admin access, it is completely "pwned."  The DoubleAgent Attack is just one illustration of how an attacker can manipulate some programs (SEP not included) once they are "in."      



  • 10.  RE: What versions of SEP 12.x & 14.x are protected from zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool?

    Posted 03-24-2017 12:35 PM

    Thanks tknorr. That's all need.