DoubleAgent makes your Windows antivirus act as malware

Edward Hudson By: Edward Hudson
2 minute read

Home » DoubleAgent makes your Windows antivirus act as malware

Security researchers have found that attackers can use Microsoft’s Application Verifier tool to take over various antivirus products. Israel-based security firm Cybellum claims that a new attack method dubbed DoubleAgent takes advantage of Windows tools created to prevent virus attacks – including McAfee, Panda, Avast, AVG, Avira, F-Secure, Kaspersky, Malwarebytes, Bitdefender, Trend Micro, Comodo, and ESET – and have them act as malware.

Cybellum says the DoubleAgent attack is also capable of compromising other antivirus products. The method works by manipulating the Microsoft Application Verifier, a runtime verification system that functions to detect bugs and boost the security of third-party Windows programs. The tool is included in Windows XP through to Windows 10.

How DoubleAgent works

Cybellum explained the way DoubleAgent works:

Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application. Application Verifier was created in order to strengthen application security by discovering and fixing bugs, and ironically DoubleAgent uses this feature in order to perform malicious operations.

The problem doesn’t lie within Windows but rather in the security vendors who offer the antivirus products. Cybellum claims DoubleAgent can be used to attack organizations that use the susceptible antivirus programs. Malwarebytes, AVG, and Trend Micro are some of the vendors that fixed the issue for their respective products. Windows Defender seems to be the only antivirus product that’s immune to DoubleAgent due to its use of a Windows mechanism called Protected Processes. The mechanism secures anti-malware services that run in user mode.


Microsoft offers Protected Processes as a way to allow trusted, signed code load. Therefore, attackers cannot use DoubleAgent against the antivirus even if an attacker finds a new zero-day technique as its code. A proof-of-concept attack code is now available on GitHub, courtesy of Cybellum.


Next up

3 Christmas gifts made of wood that everyone will love

Madeleine Dean By: Madeleine Dean
Less than a 1 minute read

Objects made of wood have a different kind of energy and they make for very nice gift ideas. In a world where plastic is the […]

Continue Reading

You can fix corrupted OBS files using these two quick methods

Sovan Mandal avatar. By: Sovan Mandal
2 minute read

Open Source Software or just OBS, as the name signifies, is a free and open source streaming and recording platform used by the media professionals, […]

Continue Reading

4 trendy Gears of War Christmas sweaters to gift this season

Madhuparna Sukul avatar. By: Madhuparna Sukul
Less than a 1 minute read

Wearing fashionable sweaters is no big deal during winters, but wearing an ugly sweater is. Yes, the trend of ugly Christmas sweaters is back. The […]

Continue Reading