DoubleAgent makes your Windows antivirus act as malware

Edward Hudson By: Edward Hudson
2 minute read

Home » News » DoubleAgent makes your Windows antivirus act as malware

Security researchers have found that attackers can use Microsoft’s Application Verifier tool to take over various antivirus products. Israel-based security firm Cybellum claims that a new attack method dubbed DoubleAgent takes advantage of Windows tools created to prevent virus attacks – including McAfee, Panda, Avast, AVG, Avira, F-Secure, Kaspersky, Malwarebytes, Bitdefender, Trend Micro, Comodo, and ESET – and have them act as malware.

Cybellum says the DoubleAgent attack is also capable of compromising other antivirus products. The method works by manipulating the Microsoft Application Verifier, a runtime verification system that functions to detect bugs and boost the security of third-party Windows programs. The tool is included in Windows XP through to Windows 10.

How DoubleAgent works

Cybellum explained the way DoubleAgent works:

Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application. Application Verifier was created in order to strengthen application security by discovering and fixing bugs, and ironically DoubleAgent uses this feature in order to perform malicious operations.

The problem doesn’t lie within Windows but rather in the security vendors who offer the antivirus products. Cybellum claims DoubleAgent can be used to attack organizations that use the susceptible antivirus programs. Malwarebytes, AVG, and Trend Micro are some of the vendors that fixed the issue for their respective products. Windows Defender seems to be the only antivirus product that’s immune to DoubleAgent due to its use of a Windows mechanism called Protected Processes. The mechanism secures anti-malware services that run in user mode.


Microsoft offers Protected Processes as a way to allow trusted, signed code load. Therefore, attackers cannot use DoubleAgent against the antivirus even if an attacker finds a new zero-day technique as its code. A proof-of-concept attack code is now available on GitHub, courtesy of Cybellum.


Next up

This realistic phishing scam is after your Facebook credentials

Zille Huma avatar. By: Zille Huma
2 minute read

A new phishing attack surfaced online that aims at stealing Facebook credentials. The attack was identified by Myki that is actually a password management company. […]

Continue Reading

KB4487011 and KB4487006 fix unresponsive app issues

Rabia Noureen avatar. By: Rabia Noureen
4 minute read

Microsoft recently released Windows 10 cumulative updates KB4487006, KB4487011, KB4487021, and KB4487029  addressing non-security bugs in the operating system. The company aims to enhance the reliability of […]

Continue Reading

Windows was unable to install your Android [FIX IT NOW]

Aleksandar Ognjanovic By: Aleksandar Ognjanovic
4 minute read

Installing Android drivers on a PC should be a walk in a park. You connect your handset with the PC via the USB cable and, […]

Continue Reading