Cybellum recently discovered a zero-day attack called DoubleAgent, which exploits Microsoft's Application Verifier tool, and in turn affects a large number of anti-virus software including Norton. I would like to know what versions of SEP 12.x & 14.x that are not affected by this zero-day vulnerability.
Their security advisories don't mention it for SEP, so SEP may not be affected:
For Norton, best to post in their community:
Thanks Brian. Can I get confirmation on if SEP 12.x or 14.x are affected?
Their security advisory doesn't show it as affected. So either it's not or Symantec hasn't released those details. Someone from Symantec will need to weigh in though.
This attack method has some requirements.
1) You must have administrative access to the machine to modify the registry!
2) Tamper Protection must be disabled to change registry settings
If you have these requirements, you don't need to use any Microsoft tool to proceed.
Here is a statement:
Symantec has fully investigated this claim and confirmed Endpoint Protection / Norton security are not vulnerable to an attack and there is no product patching required. Symantec has released the following signatures, which will block attempts to modify the registry key required to carry out the attack.
These signatures work in conjunction with Tamper Protection to provide protection for the Proof of Concept (PoC) code: SONAR.IFEO!gen1, SONAR.IFEO!gen2.
If you need to deactivate Tamper Protection for any purpose, please ensure that you have created an ADC policy to secure the necessary parts of the registry.
Please also set a password for disabling the client services!
MICROSOFT DOMAIN GPO: Computer Configuration\Windows Settings\Security Settings\Registry
Here you can set additional audit settings for monitoring if you can't use ADC or SONAR isn't installed.
I hope this clarifies the situation a little bit.
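As an added example (not from this thread or from Symantec), the following read-only PowerShell check lists Image File Execution Options entries that reference Application Verifier DLLs, the mechanism DoubleAgent abuses; it assumes the standard HKLM IFEO paths and the documented `VerifierDlls`, `GlobalFlag` and `Debugger` value names, and is meant as a baseline/audit complement to the ADC policy and GPO auditing described above.

```powershell
# Added audit example, not part of the original post.
# Enumerates IFEO subkeys (64-bit and WOW64 views) and reports images that
# have Application Verifier DLLs registered, the verifier flag set in
# GlobalFlag, or a Debugger value. Read-only: nothing is modified.

function Get-IfeoVerifierEntries {
    [CmdletBinding()]
    param(
        [string[]]$IfeoPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
        )
    )

    foreach ($root in $IfeoPaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }

            $verifierDlls = $props.VerifierDlls
            $globalFlag   = $props.GlobalFlag
            $debugger     = $props.Debugger

            # FLG_APPLICATION_VERIFIER (0x100) in GlobalFlag makes the loader
            # honour VerifierDlls for this image.
            $verifierFlagSet = ($null -ne $globalFlag) -and (([int]$globalFlag -band 0x100) -ne 0)

            if ($verifierDlls -or $verifierFlagSet -or $debugger) {
                [pscustomobject]@{
                    Image           = $key.PSChildName
                    Hive            = $root
                    VerifierDlls    = $verifierDlls
                    VerifierFlagSet = $verifierFlagSet
                    Debugger        = $debugger
                }
            }
        }
    }
}

# Run from an elevated prompt; compare the output against a known-good
# baseline, since legitimate debugging tools can also create these entries.
Get-IfeoVerifierEntries | Format-Table -AutoSize
```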
I agree with tknorr's comments, above. Take measures to ensure physical security, keep your user credentials (username and password) secure, ensure passwords are not easy to brute-force, use the principle of least privilege... once a laptop or other computer falls into someone's hands and they get admin access, it is completely "pwned." The DoubleAgent Attack is just one illustration of how an attacker can manipulate some programs (SEP not included) once they are "in."
Thanks tknorr. That's all I need.