Forum Thread: NEED HELP in DISABLING Anti-Virus Service-Meterpreter

did u try to generate a custom payload or u r using those by default in metasploit?

yes my payload is the pdf,I created it using the metasploit

. when any 1 opens the pdf , it stablishes a reverse tcp connection between my computer and the target and thus i get meterpreter prompt . which i use to do further exploitation.

But i am unable to disable the AV. all AVs are coming with this " SELF PROTECTION MODULe". without switching it off , i think AV service cant be disabled.

can registry be used to disable the "MODULE"??

try to change the signature of your payload, so the av cant detect it.

https://null-byte.wonderhowto.com/how-to/hack-like-pro-bypass-antivirus-software-by-disguising-exploits-signature-0141122/

https://null-byte.wonderhowto.com/how-to/hack-like-pro-change-signature-metasploit-payloads-evade-antivirus-detection-0149867/

good links

i agree encoding payload evade AV detection. and thnx for the links.

But modern AVs like 360 total security are coming with behavioral blocking not just signature.
So dont u think post exploitation with AV active will cause problem in exploting??.

and isnt disabling AV a ground rule for any explotation..?

Disabling your target's AV will also make him more suspicious about what's going on, so it's not always a good idea. Also, you don't want other malware to take control of the box you have just pwned (unless it's a hit-and-run case). You can try to make the post exp modules undetected, or you simply find a way to include execution in the ignore list of his antivirus. It's usually buried deep inside the AV settings, and your operation will last longer undetected.

THNX for the reply,
ya u are correct,the target will become suspicious.
So how to add the payload in the ignore list of AV?

i think with "Self protection module " of AV turned on , it will not allow the attacker to make any changes to its setting.thats why all AVs r coming with this module..

Don't know that this 'self protection module' is (maybe something that ensures the service is always running, I suppose?)... but even old antivirus had an option to password-lock the settings, so you can't add exceptions to AV.

Adding exceptions depends on antivirus, each AV has its own way to handle it, so you have to go case by case.

I'm looking for this for a long time and I tried to delete the AV folder, kill it's processor etc.. but every time I get access denied.

I hope someone here give us a method to turn off the AV because we can't use attacks such as persistence, vnc... as long as the AV is on.

yes man.. the problem is .. all the hacking post(that includes disabling AV) in this site are 2 or more yrs old , at that time anti viruses were not having this "SELF PROTECTION MODULE" ..

without this module killing AV is piece of cake.
This module ensures that no malware or remote user/hacker can make changes to AV settings..

every time i type the command (mentioned above) i get access denied though i have administrative rights on the target PC, tried all tokens

same result..

And this is why one escalates his privileges... It's the 3rd step in OTW's awesome tutorial on Hacking methodology here

Get yourself promoted to system and in principle you should be able to run the command, i believe