[framework] anyone tested killav?

John Nash rootsecurityfreak at gmail.com
Tue Sep 7 21:05:52 PDT 2010


Rob,

I used a private exploit created by our team to break in and already have
system privs.

I want to install some standard malware/rootkit to show the client how easy
it is to do it. The minute I upload these files, the AV quarantines them.
This is why I need to shut the AV down.
Also, killing the AV will prove that having a fully updated AV does not
mean you are secure.

In our review meeting the admin said "we update our AVs every day ....
nobody can break in..."


jn

On Wed, Sep 8, 2010 at 12:13 AM, Rob Fuller <mubix at room362.com> wrote:

> If you are already on the box, why do you need to kill av?
>
> Preemptive strike: Don't upload tools that get caught by AV. Or invest some
> time in making them so.
>
> --
> Rob Fuller | Mubix
> Certified Checkbox Unchecker
> Room362.com | Hak5.org
>
>
> On Tue, Sep 7, 2010 at 2:20 PM, John Nash <rootsecurityfreak at gmail.com> wrote:
>
>> I just tried it on a local setup with AVG 9 free edition and it is unable
>> to kill the av processes.
>>
>> Checked the script and found that the latest version of AVG has many more
>> processes loaded, so when killav kills some of them, I guess the watchdog
>> process brings them right back up.
>>
>> Anyone else notice the same issue?
>>
>> jn
>>
>>
>>
>