Technical AVG Detail On DoubleAgent – Www.avg.com/retail

 Technical AVG Detail On DoubleAgent AVG products / Intel Security has been searching the impact of the so-called, “DoubleAgent zero-day”, technique of Windows debugging capabilities.


This injection technique uses an MS Windows debugging feature that requires administrative privileges. On the fly debugging is created to be used with all Microsoft Windows executables. It’s not specific to Antivirus products in general or AVG products in particular through www.avg.com/retail.

 

Techniques using Image File Execution option have been known for a number of years, as part of a continuing process to research and assess security-related techniques against software and hardware that we all depend upon. For example, similar techniques manipulating the Windows process debugging registry key have been publicly discussed for at least several years.  Get support for AVG by avg.com/retail expert.

 

This blog is not about the validity of any form of Image File Execution option attack. Nor are we discussing the advantages of this attack over the myriads of approaches that would allow for the attacker to misuse a Windows device. Once an attacker gains administrative privileges on a Windows machine through whatever means, which attacks the attacker may choose lies outside of this analysis.

 

Rather, this analysis attempts to establish the resilience of AVG Internet Security solutions to this type of injection attack, to enumerate the mechanisms that are available to AVG’s customers to mitigate or negate such attacks, and the ability of our solutions to expose such attack attempts.

 

AVG software fundamentally must rely on the underlying operating system. Where techniques are identified that could impact the integrity of software through operating system mechanisms such as IFEO, AVG software must implement detective and protective mechanisms. In this particular technique, for example, we have implemented measures into our most up-to-date consumer and enterprise products that would prevent the execution of injected AVG binaries from malicious parties.

When it comes to our endpoint protection solutions and their ability to protect their own processes, there are multiple layers of protection at play.

 

For the most recent Internet Security Solution, AVG offers three mechanisms: (Technical AVG Detail On DoubleAgent)

  • Self-protection rules to prevent the creation of lf-protection rules to prevent the creation of IFEO registry keys
  • Self-protection rules to prevent process injection from untrusted processes
  • Module sanitization to validate that a module (DLL) is validly signed by a trusted authority before loading the DLL (irrespective of the load mechanism, including injection)

You can find details about process injection self-protection and module sanitization in the following www.avg.com/retail

 

Module sanitization is enforced by default in our (Internet Security Solution).

Self-protection rules for the registry come in different flavors depending on the AVG products installed. The default rules shipped with the product protect core AVG services from allowing IFEO keys to be created. Since the current shipping rules focus on core services, we are pushing an update to add exhaustive coverage of all product binaries for each product that uses AVG’s Anti-Malware Core technologies, which includes Internet Security. For products using VirusScan, rules can be manually added.

 

Technical AVG Detail On DoubleAgent In addition to covering an exhaustive list of AVG binaries, the update for the self-protection registry rules will also include coverage against a technique variant in which a malicious Image File Execution Options key has been constructed elsewhere and then renamed.

 

Depending on the Image File Execution Options injection target, the system blocking the attack may differ. If the target is protected by self-protection registry rules the attack will be mitigate. If the target is not protected by self-protection registry rules, then the injection will occur but then AVG’s module sanitization, where enforced, will block the attempted load and revoke trust for the injected process.  Get support for AVG by avg.com/retail product key expert.

 

In the worst-case scenario for Internet Security, if the registry entry is created and the injection occurs, the process will fail to launch because the load of the malicious DLL will be denied. The AVG Internet Security processes will not allow the malicious module to execute.

AVG products also offer generic protection that would prevent such attacks on other non-AVG processes. In the context of Internet Security, customers can enforce the “Hijacking .EXE or other executable extensions” rule, which would prevent the creation of any [program].exe key under IFEO. Dynamic Application Containment (DAC) would also restrict contained processes from creating IEFO keys.

 

It is important for customers to note that before the IFEO keys may be manipulated, an attacker must first gain entrance to a Windows system. If the user account has not been given administrative privileges, then an additional step must be taken by the attacker to achieve these privileges. There are numerous techniques for achieving each of these steps.

 

We will continue research into those techniques that target hardware and software that we rely upon. This is crucial in providing customers the confidence to rely upon systems that their businesses and homes have grown to depend upon. Go to visit: avg.com/registration

 

#office.com/setup    #webroot.com/safe

Comments

Popular posts from this blog

Try AVG Free Trial Products before Downloading from www.avg.com/retail

Support for Businesses and Avg Products | AVG Support

How do I get an Activating AVG Internet Security code? – www.avg.com/retail