March 22, 2017: DoubleAgent Attack
Intel Security / McAfee is investigating the impact of the DoubleAgent zero-day attack announced on March 22, 2017.
This injection technique uses a Microsoft Windows feature that requires administrative privileges, and it affects all executables on a Microsoft Windows computer.
This attack does not exploit any vulnerabilities in McAfee products.
Our focus is on the resilience of our products against this attack vector and the self-protection mechanisms inside these products running on Microsoft Windows.
McAfee products running on Microsoft Windows contain a number of detection and protection mechanisms against registry manipulations and memory injection techniques, including injections into McAfee binaries.
For example, our enterprise antivirus product, McAfee Endpoint Security (ENS) 10.5, provides multiple mechanisms designed to detect and prevent a DoubleAgent attack on McAfee processes, including a module sanitization feature that only allows trusted, signed code to be loaded.
We will be updating this article with links to one or more Security Bulletins (SB) as our investigation progresses.