I may be off base here, but I've found that 3-4 passes of shikata ga nai work well. Unfortunately, when I do the 10 passes it seems to be found more often than not. If it's still being detected I usually try to run it through PEScrambler (http://www.rnicrosoft.net/tools/PEScrambler_v0_1.zip) and that tends to work well.

On Tue, Dec 29, 2009 at 11:21 AM, David Porcello <[email protected]> wrote:

> Hi all,
>
> I'm doing an in-house pen-test and I'm having a heck of a time building an
> msfpayload executable that evades McAfee AV detection. I've tried all the
> techniques in Metasploit Unleashed (section 08 / Antivirus Bypass),
> including the windows/shell/reverse_tcp method that's only detected by 3 out
> of 32 major AV engines (unfortunately McAfee being one of them). I even
> tried a simple windows/exec payload to net stop the AV services, but that's
> caught as well. McAfee's detecting all of these as "Downloader-BQQ".
>
> Anyone have any other tricks?
>
> Thanks in advance!
> dave.
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Thanks,
Rick Hayes
CISSP, GSEC, GIPS, GCFA, GSLC, CCNP, CCSP
InfoSec Daily Podcast: http://www.isdpodcast.com
iTunes Keywords: InfoSec Daily
