Forum Thread: NEED HELP in DISABLING Anti-Virus Service-Meterpreter

I am stuck at post exploitation scenario.

using bugged pdf i am successfully getting a meterpreter prompt. i can successfully close the firewall and windows balloon on the target system(Win Xp Sp 3) using the meterpreter

But the problem is with antivirus.. Killav.rb command is not potent .so i am trying to disable the antivirus service using following command in shell.

sc config <service name> start= disabled

I am getting error as access denied, I have administrative rights, i am sure about that..

what i have found is that all latest AV be it avast, avg etc are coming with
SELF PROTECTION MODULE . and i think without disabling the module Anivirus cant be killed on the target system..

Can any one tell me how to disable the MODULE, once its diabled i can succesfully disable the AV..

Join the Next Reality AR Community

Get the latest in AR — delivered straight to your inbox.

10 Responses

did u try to generate a custom payload or u r using those by default in metasploit?

yes my payload is the pdf,I created it using the metasploit

. when any 1 opens the pdf , it stablishes a reverse tcp connection between my computer and the target and thus i get meterpreter prompt . which i use to do further exploitation.

But i am unable to disable the AV. all AVs are coming with this " SELF PROTECTION MODULe". without switching it off , i think AV service cant be disabled.

can registry be used to disable the "MODULE"??

i agree encoding payload evade AV detection. and thnx for the links.

But modern AVs like 360 total security are coming with behavioral blocking not just signature.
So dont u think post exploitation with AV active will cause problem in exploting??.

and isnt disabling AV a ground rule for any explotation..?

Disabling your target's AV will also make him more suspicious about what's going on, so it's not always a good idea. Also, you don't want other malware to take control of the box you have just pwned (unless it's a hit-and-run case). You can try to make the post exp modules undetected, or you simply find a way to include execution in the ignore list of his antivirus. It's usually buried deep inside the AV settings, and your operation will last longer undetected.

THNX for the reply,
ya u are correct,the target will become suspicious.
So how to add the payload in the ignore list of AV?

i think with "Self protection module " of AV turned on , it will not allow the attacker to make any changes to its setting.thats why all AVs r coming with this module..

Don't know that this 'self protection module' is (maybe something that ensures the service is always running, I suppose?)... but even old antivirus had an option to password-lock the settings, so you can't add exceptions to AV.

Adding exceptions depends on antivirus, each AV has its own way to handle it, so you have to go case by case.

I'm looking for this for a long time and I tried to delete the AV folder, kill it's processor etc.. but every time I get access denied.

I hope someone here give us a method to turn off the AV because we can't use attacks such as persistence, vnc... as long as the AV is on.

yes man.. the problem is .. all the hacking post(that includes disabling AV) in this site are 2 or more yrs old , at that time anti viruses were not having this "SELF PROTECTION MODULE" ..

without this module killing AV is piece of cake.
This module ensures that no malware or remote user/hacker can make changes to AV settings..

every time i type the command (mentioned above) i get access denied though i have administrative rights on the target PC, tried all tokens

same result..

And this is why one escalates his privileges... It's the 3rd step in OTW's awesome tutorial on Hacking methodology here

Get yourself promoted to system and in principle you should be able to run the command, i believe

Share Your Thoughts

  • Hot
  • Active