Uploaded on Sep 8, 2020
Technical AVG Detail On DoubleAgent
AVG / Intel Security has been researching the impact of the so-called
“DoubleAgent zero-day”, a technique that abuses Windows debugging
capabilities.
This injection technique uses a Microsoft Windows debugging feature that
requires administrative privileges to configure. Image File Execution
Options (IFEO) lets a debugger, or a module of the attacker's choosing, be
attached at launch to any Windows executable. The mechanism is not
specific to antivirus products in general or to AVG products in particular.
Techniques using Image File Execution Options have been known for a
number of years, and we track them as part of a continuing process of
researching and assessing security-related techniques against the
software and hardware that we all depend upon. For example, similar
techniques manipulating the Windows process debugging registry key have
been publicly discussed for at least several years.
This blog is not about the validity of any form of Image File Execution
Options attack, nor about the advantages of this attack over the myriad
other approaches that would allow an attacker to misuse a Windows device.
Once an attacker has gained administrative privileges on a Windows
machine by whatever means, which attacks the attacker then chooses lies
outside the scope of this analysis.
Rather, this analysis attempts to establish the resilience of AVG Internet
Security solutions to this type of injection attack, to enumerate the
mechanisms that are available to AVG’s customers to mitigate or
negate such attacks, and the ability of our solutions to expose such
attack attempts.
AVG software fundamentally relies on the underlying operating system.
Where techniques are identified that could compromise the integrity of
software through operating system mechanisms such as IFEO, AVG software
must implement detective and protective measures. For this particular
technique, for example, our most up-to-date consumer and enterprise
products include measures that prevent modules injected into AVG binaries
by malicious parties from executing.
When it comes to our endpoint protection solutions and their ability to
protect their own processes, there are multiple layers of protection at
play.
For the most recent Internet Security solution, AVG offers three
mechanisms:
- Self-protection rules to prevent the creation of IFEO registry keys
- Self-protection rules to prevent process injection from untrusted
  processes
- Module sanitization to validate that a module (DLL) is validly signed
  by a trusted authority before loading the DLL (irrespective of the load
  mechanism, including injection)
Module sanitization is enforced by default in our Internet Security
solution.
Self-protection rules for the registry come in different flavors
depending on the AVG products installed. The default rules shipped with
the product protect core AVG services by preventing IFEO keys from being
created for them. Since the current shipping rules focus on core
services, we are pushing an update that extends coverage to all product
binaries for each product that uses AVG's Anti-Malware Core
technologies, which includes Internet Security. For products using
VirusScan, rules can be added manually.
In addition to covering an exhaustive list of AVG binaries, the update to
the self-protection registry rules will also cover a variant of the
technique in which a malicious Image File Execution Options key is
constructed elsewhere in the registry and then renamed into place.
Depending on the Image File Execution Options injection target, the
component that blocks the attack may differ. If the target is protected
by self-protection registry rules, the attack is mitigated before the key
can be created. If the target is not protected by self-protection
registry rules, the injection will occur, but AVG's module sanitization,
where enforced, will block the attempted load and revoke trust for the
injected process.
In the worst-case scenario for Internet Security, if the registry entry is
created and the injection occurs, the process will fail to launch because
the load of the malicious DLL will be denied. The AVG Internet Security
processes will not allow the malicious module to execute.
AVG products also offer generic protection that can prevent such attacks
on non-AVG processes. In Internet Security, customers can enforce the
“Hijacking .EXE or other executable extensions” rule, which prevents the
creation of any [program].exe key under IFEO. Dynamic Application
Containment (DAC) also restricts contained processes from creating IFEO
keys.
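As an added example, not code from the original post or from AVG: a PowerShell audit that enumerates the [program].exe keys under IFEO discussed above, reports the Debugger and VerifierDlls values that cause a foreign module to run when the target launches, and applies the same kind of signer check that module sanitization enforces before a DLL is allowed to load. The function names and the $TrustedPublishers allow-list are assumptions made for this example; run it in an elevated session so every subkey is readable.

```powershell
# Added example (not AVG's own code): audit Image File Execution Options (IFEO)
# for values that make Windows run a foreign binary when a target process
# launches, then apply a module-sanitization-style check (valid Authenticode
# signature from an allow-listed signer) to each referenced file.
# $TrustedPublishers is an assumption for the example; tailor it to your estate.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FlgApplicationVerifier = 0x100   # GlobalFlag bit that makes the loader honour VerifierDlls

function Resolve-IfeoModule {
    param([string]$Value)
    # "Debugger" may carry arguments ('"C:\tools\dbg.exe" -q'); "VerifierDlls"
    # holds bare DLL names the loader resolves like any other DLL, so fall back
    # to System32 when the value is not an existing absolute path.
    $first = ($Value.Trim() -split '\s+')[0].Trim('"')
    if (Test-Path -LiteralPath $first -PathType Leaf) { return $first }
    $candidate = Join-Path $env:SystemRoot "System32\$first"
    if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    return $first   # unresolved: reported as-is and treated as untrusted
}

function Test-TrustedModule {
    param([string]$Path, [string[]]$TrustedPublishers)
    # The rule module sanitization applies before a DLL may load: the file must
    # carry a valid signature and the signer must be on the allow-list.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $false }
    $subject = $sig.SignerCertificate.Subject
    foreach ($publisher in $TrustedPublishers) {
        if ($subject -like "*CN=$publisher,*" -or $subject -like "*CN=$publisher") { return $true }
    }
    return $false
}

function Get-IfeoFindings {
    param([string[]]$TrustedPublishers = @('Microsoft Windows', 'Microsoft Corporation'))
    $findings = @()
    foreach ($key in Get-ChildItem -LiteralPath $IfeoPath -ErrorAction SilentlyContinue) {
        $target = $key.PSChildName          # e.g. notepad.exe, or an AV service binary
        $props  = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        $flags  = 0
        if ($null -ne $props.GlobalFlag) { try { $flags = [int]$props.GlobalFlag } catch { $flags = -1 } }

        $entries = @()
        if ($props.Debugger) {
            # Debugger: the named program is started instead of the target and
            # gets the target handed to it as a debuggee.
            $entries += [pscustomobject]@{ Kind = 'Debugger'; Raw = [string]$props.Debugger; Active = $true }
        }
        if ($props.VerifierDlls) {
            # VerifierDlls: each DLL is mapped into the target very early in
            # process initialisation when FLG_APPLICATION_VERIFIER is set.
            $active = ($flags -band $FlgApplicationVerifier) -ne 0
            foreach ($dll in ([string]$props.VerifierDlls -split '[\s,]+' | Where-Object { $_ })) {
                $entries += [pscustomobject]@{ Kind = 'VerifierDlls'; Raw = $dll; Active = $active }
            }
        }
        foreach ($e in $entries) {
            $path = Resolve-IfeoModule $e.Raw
            $findings += [pscustomobject]@{
                Target   = $target
                Kind     = $e.Kind
                Value    = $e.Raw
                Resolved = $path
                Active   = $e.Active
                Trusted  = Test-TrustedModule -Path $path -TrustedPublishers $TrustedPublishers
            }
        }
    }
    return $findings
}

# Rows with Trusted = False (unsigned, invalid signature, missing file, or a
# signer not on the list) are exactly what module sanitization would refuse.
Get-IfeoFindings | Sort-Object Trusted, Target |
    Format-Table Target, Kind, Value, Active, Trusted -AutoSize
```

Because the audit reads the registry's end state, it also surfaces the renamed-key variant mentioned above: however the key was constructed, what matters is which [program].exe subkeys exist at the moment the target launches. A VerifierDlls entry with Active = False is dormant until GlobalFlag is set, but it is still worth treating as suspicious, since setting one DWORD arms it.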
It is important for customers to note that before the IFEO keys can be
manipulated, an attacker must first gain access to a Windows system. If
the compromised user account does not have administrative privileges,
the attacker must take an additional step to obtain them. There are
numerous techniques for achieving each of these steps.
We will continue to research techniques that target the hardware and
software we rely upon. This is crucial in giving customers the
confidence to rely on the systems that their businesses and homes have
grown to depend upon.