As part of a workstation pen test, I copy a simple Metasploit payload onto the workstation, and try to run it
Question
As part of a workstation pen test, I copy a simple Metasploit payload onto the workstation, and try to run it. Usually this is blocked by anti-virus software. However, sometimes it isn't (I won't name the offenders). The AV software is running and correctly detects EICAR, but it doesn't detect a simple non-encoded Metasploit payload.
My instinct is that this is a failure of the AV software, and should be reported as a vulnerability. However, I wondered if this behaviour might in fact be intended? Are there legitimate arguments that "Metasploit is not a virus"?
In this case the payload is windows/meterpreter/reverse_tcp encoded as an exe file, without obfuscation. Generated using this command:
Explanation / Answer
It's an arms race. The developers of Metasploit want to develop plugins that defeat anti-virus. The developers of anti-virus want to defeat Metasploit plugins.
They can't both be successful, so sometimes the AV will roll out signatures that detect all Metasploit modules, sometimes the Metasploit developers will find a new way to evade AV.
You'd think that the AV vendors had the advantage due to Metasploit being open-source, but obviously not in this case.
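The question takes "AV correctly detects EICAR" as its baseline before concluding that a missed sample is a product failure. The script below is an added example, not part of the question or the answer above, that makes that baseline reproducible from the defender's side: it drops the standard EICAR test file into a directory and reports whether the write was blocked, the file was removed, or its contents were altered within a short wait window. A positive result only shows that real-time protection is running; it says nothing about coverage of real payloads, which is exactly the gap the question describes. The file name `eicar_probe.com` and the wait window are assumptions chosen for this example.

```python
"""
Baseline check: does the endpoint's real-time AV react to the EICAR test file?

EICAR is the industry-standard, harmless test pattern every AV engine is expected
to detect. Observing what happens to it on disk tells you whether on-access
scanning is active, nothing more.
"""
import os
import tempfile
import time
from dataclasses import dataclass

# The canonical 68-character EICAR test string (a widely published constant).
_EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_test_string() -> str:
    """Return the 68-character EICAR test pattern."""
    return _EICAR


@dataclass
class EicarProbeResult:
    path: str
    write_blocked: bool       # AV (or the filesystem) refused the write
    removed_after_wait: bool  # file disappeared within the wait window
    content_intact: bool      # file still present with the original bytes

    @property
    def realtime_protection_active(self) -> bool:
        """True if anything interfered with the test file."""
        return self.write_blocked or self.removed_after_wait or not self.content_intact


def probe_realtime_av(directory: str, wait_seconds: float = 5.0) -> EicarProbeResult:
    """Write the EICAR file into `directory` and watch what happens to it."""
    path = os.path.join(directory, "eicar_probe.com")  # assumed file name
    data = eicar_test_string().encode("ascii")
    try:
        with open(path, "wb") as fh:
            fh.write(data)
    except OSError:
        # On-access scanners commonly reject the write outright.
        return EicarProbeResult(path, True, False, False)

    # Give the scanner a moment to quarantine or delete the file.
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return EicarProbeResult(path, False, True, False)
        time.sleep(0.25)

    try:
        with open(path, "rb") as fh:
            intact = fh.read() == data
    except OSError:
        intact = False  # file present but unreadable: treat as interfered with
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    return EicarProbeResult(path, False, False, intact)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = probe_realtime_av(tmp)
    print("real-time protection reacted to EICAR:", result.realtime_protection_active)
```

Run it once on the workstation before drawing conclusions about a missed sample: if EICAR is not caught either, the finding is "real-time protection is off", which is a different report from "the engine lacks a signature for this payload".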