Metasploit mailing list archives
Re: windows/smb/psexec is getting detected
From: HD Moore <hdm () metasploit com>
Date: Mon, 17 May 2010 07:57:23 -0500
On 5/17/2010 4:49 AM, Mark wrote:
> On the victim side, it pops up an AV warning for "Backdoor.Trojan" or something like that, with the executable's random filename. We're using Symantec Endpoint Protection v.11.0.5xxx.xxx and it's at r25 right now. Depending on endpoint protection for network security is really weak, but this detection could ruin my chances of convincing anyone to that end! I can provide a working copy of our Symantec setup if it would be helpful. Any help would be greatly appreciated!
This is the VT link for the service executable (service.exe) used for psexec. It doesn't show Symantec's AV flagging it, so this may be something specific to the Endpoint Protection product:

http://www.virustotal.com/analisis/dd8f7ce4bd7b56ebf5fc33c5e4791b89ecc9b4651a81ed6f898ce57d656360a3-1273885632

As long as we make our binaries public, the AV folks will continue to signature them. You can try using the nmap script and see whether it's heuristics or static sigs, but your best bet is creating your own replacement.

-HD