Forum Thread: Av Bypass Question

Av Bypass Question

I created a meterpreter reversetcp payload from metasploit that it can bypass the scan of antivirus (bitdefender) but when i am trying to run it the antivirus says suspicius activity and block it.

The payload is in an executable app (sumatra.exe) and i also have tried the port 443 and reverse https all undetectable on scan but not on execution.

Any suggestions ??

4 Responses

I would assume that it takes a few seconds of activity before the anitivirus detects the suspicious activity (it haopened to me with VIPRE antivirus) You could try to make it so that one of the first actions would be to call the killav.rb to stop the AV activity. Appart from that, i think you would need to craft your own payload to avoid the antivirus.

Yes it takes a few seconds before the av blocks it as a suspicious activity but i am unable to take meterpreter session.

Can i put the killav.rb in the payload ?
I cant make my own payload dodn`t have the knowledge (i am trying to learn c) but i am in basics.
Thanks for the help !

All payload are not necessarily in C. Anyways, it is a good language to learn and if you understand C many other languages won't seem as difficult or new particularly if you also understand object oriented programming. I am not an expert, at best i am a script kiddy with some theoritacal knowledge on computer science. From what i have seen, you can find the source code for different paylaods on meterpreter, just google the payloads name. Modifying it would allow you to kill the AV, and reading it can help you improve you programing

Never tried this before , all theory but can you make a Installer with excelsior package maker so it installs killav.rb first runs that and then

installs & runs the payload , you could also add a real program in there and make the payload look like a data file or something sneaky... again just an idea not sure if it works.

Share Your Thoughts

  • Hot
  • Active