Metasploit mailing list archives

meterpreter detected by virus software
From: pcriscuolo at gmail.com (Paul Criscuolo)
Date: Mon, 8 Oct 2007 23:22:57 -0600

On a recent engagement, Symantec Antivirus detected the DLL injection
that meterpreter uses.  I was able to exploit different boxes with a
variety of exploits and used the reverse TCP meterpreter as the
payload.  The DLL injection completed successfully, but as soon as I
attempted to load a module, usually the priv in version 3 revision
5140, it just hung.

I attempted to kill the antivirus with the killav command, but no  
love.  I had to create a username and password after dropping into a  
command shell and then manually killing the antivirus processes.  Has  
anyone else seen this?  I am a little confused as to how the AV  
detected it.  Any suggestions on how to get around this by maybe  
modifying the payloads before an engagement?

Any help is appreciated.
