Home page logo

metasploit logo Metasploit mailing list archives

Re: windows/smb/psexec is getting detected
From: HD Moore <hdm () metasploit com>
Date: Mon, 17 May 2010 07:57:23 -0500

On 5/17/2010 4:49 AM, Mark wrote:
On the victim side, it pops up an AV warning for "Backdoor.Trojan" or
something like that, with the executable's random filename. We're using
Symantec Endpoint Protection v.11.0.5xxx.xxx and it's at r25 right now.
Depending on endpoint protection for network security is really weak,
but this detection could ruin my chances of convincing anyone to that
end! I can provide a working copy of our Symantec setup if it would be
helpful. Any help would be greatly appreciated!

This is the VT link for the service executable (service.exe) used for
psexec. It doesn't show Symantec' AV flagging it, so this may be
something specific to the Endpoint Protection product:


As long as we make our binaries public, the AV folks will continue to
signature them. You can try using the nmap script and see whether its
heuristics or static sigs, but your best bet is creating your own


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]