Metasploit mailing list archives
windows/smb/psexec is getting detected
From: Mark <maark86 () gmail com>
Date: Mon, 17 May 2010 02:49:30 -0700
Hello,

I can confirm that the most recent windows/smb/psexec exploit gets detected by Symantec Endpoint Protection. It seems that Symantec isn't detecting the msf-generated executable, which is well randomized. Maybe the psexec exploitation process is heuristically easy to detect? I'm really not sure what could be setting it off, but I am a big fan of the psexec exploit and I would hate to see it lose its "excellent" rating...

Here's a log of the detection, on the console side:

[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \aXecRCwF.exe...
[*] Exploit completed, but no session was created.

On the victim side, it pops up an AV warning for "Backdoor.Trojan" or something like that, with the executable's random filename. We're using Symantec Endpoint Protection v.11.0.5xxx.xxx and it's at r25 right now.

Depending on endpoint protection for network security is really weak, but this detection could ruin my chances of convincing anyone to that end! I can provide a working copy of our Symantec setup if it would be helpful.

Any help would be greatly appreciated!

Regards,
Mark