Home page logo

metasploit logo Metasploit mailing list archives

Update: windows/smb/psexec is getting detected
From: Mark <maark86 () gmail com>
Date: Mon, 17 May 2010 23:22:53 -0700

Just for reference, I think the AV was detecting metasploit's network
traffic. Every payload I tried got detected, but meterpreter/reverse_https
worked fine. Just thought I'd pass it along.


---------- Forwarded message ----------
From: HD Moore <hdm () metasploit com>
Date: Mon, May 17, 2010 at 5:57 AM
Subject: Re: [framework] windows/smb/psexec is getting detected
To: framework () spool metasploit com

On 5/17/2010 4:49 AM, Mark wrote:
On the victim side, it pops up an AV warning for "Backdoor.Trojan" or
something like that, with the executable's random filename. We're using
Symantec Endpoint Protection v.11.0.5xxx.xxx and it's at r25 right now.
Depending on endpoint protection for network security is really weak,
but this detection could ruin my chances of convincing anyone to that
end! I can provide a working copy of our Symantec setup if it would be
helpful. Any help would be greatly appreciated!

This is the VT link for the service executable (service.exe) used for
psexec. It doesn't show Symantec' AV flagging it, so this may be
something specific to the Endpoint Protection product:


As long as we make our binaries public, the AV folks will continue to
signature them. You can try using the nmap script and see whether its
heuristics or static sigs, but your best bet is creating your own


  By Date           By Thread  

Current thread:
  • Update: windows/smb/psexec is getting detected Mark (May 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]