Metasploit mailing list archives
Update: windows/smb/psexec is getting detected
From: Mark <maark86 () gmail com>
Date: Mon, 17 May 2010 23:22:53 -0700
Just for reference, I think the AV was detecting Metasploit's network traffic. Every payload I tried got detected, but meterpreter/reverse_https worked fine. Just thought I'd pass it along.

Mark

---------- Forwarded message ----------
From: HD Moore <hdm () metasploit com>
Date: Mon, May 17, 2010 at 5:57 AM
Subject: Re: [framework] windows/smb/psexec is getting detected
To: framework () spool metasploit com

On 5/17/2010 4:49 AM, Mark wrote:
On the victim side, it pops up an AV warning for "Backdoor.Trojan" or something like that, with the executable's random filename. We're using Symantec Endpoint Protection v.11.0.5xxx.xxx and it's at r25 right now. Depending on endpoint protection for network security is really weak, but this detection could ruin my chances of convincing anyone to that end! I can provide a working copy of our Symantec setup if it would be helpful. Any help would be greatly appreciated!
This is the VT link for the service executable (service.exe) used for psexec. It doesn't show Symantec's AV flagging it, so this may be something specific to the Endpoint Protection product:

http://www.virustotal.com/analisis/dd8f7ce4bd7b56ebf5fc33c5e4791b89ecc9b4651a81ed6f898ce57d656360a3-1273885632

As long as we make our binaries public, the AV folks will continue to signature them. You can try using the nmap script and see whether it's heuristics or static sigs, but your best bet is creating your own replacement.

-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework