Metasploit mailing list archives

Update: windows/smb/psexec is getting detected


From: Mark <maark86 () gmail com>
Date: Mon, 17 May 2010 23:22:53 -0700

Just for reference, I think the AV was detecting metasploit's network
traffic. Every payload I tried got detected, but meterpreter/reverse_https
worked fine. Just thought I'd pass it along.

Mark

---------- Forwarded message ----------
From: HD Moore <hdm () metasploit com>
Date: Mon, May 17, 2010 at 5:57 AM
Subject: Re: [framework] windows/smb/psexec is getting detected
To: framework () spool metasploit com


On 5/17/2010 4:49 AM, Mark wrote:
On the victim side, it pops up an AV warning for "Backdoor.Trojan" or
something like that, with the executable's random filename. We're using
Symantec Endpoint Protection v.11.0.5xxx.xxx and it's at r25 right now.
Depending on endpoint protection for network security is really weak,
but this detection could ruin my chances of convincing anyone to that
end! I can provide a working copy of our Symantec setup if it would be
helpful. Any help would be greatly appreciated!

This is the VT link for the service executable (service.exe) used for
psexec. It doesn't show Symantec's AV flagging it, so this may be
something specific to the Endpoint Protection product:

http://www.virustotal.com/analisis/dd8f7ce4bd7b56ebf5fc33c5e4791b89ecc9b4651a81ed6f898ce57d656360a3-1273885632

As long as we make our binaries public, the AV folks will continue to
signature them. You can try using the nmap script and see whether it's
heuristics or static sigs, but your best bet is creating your own
replacement.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework