When penetration testing Windows systems, writing some executable content to the file system is invariably required at some stage. Unfortunately, antivirus vendors have by now become quite adept at writing signatures that match the assembly stub routines used to inject malware into a system. The A/V guys will also pick up on common service executable files, such as the one used with Metasploit’s bypassuac. Let’s face it, we still need to write stuff into temp directories from time to time. The workflow this post assumes is:

a) Disable the A/V product of choice.
b) Upload our favorite/useful executable content (perhaps a reverse TCP meterpreter shell or similar).
c) Upload Mark and Tim’s excellent vssown.vbs script, then:
   a. Enable the service and create a volume shadow copy.
   b. Disable the volume shadow copy service.
d) Delete our favorite/useful executable content and modify timestamps accordingly, assuming we want to be somewhat stealthy.
e) Execute our content from the volume shadow copy using ‘wmic’, either via the excellent vssown script or just through ‘wmic process call create’.
The challenge is whether we can effectively disable the antivirus product in question. Listed below are some possible techniques for three popular products which may get us what we need. None of these techniques is stealthy from a user interface perspective. Put differently, Windows Security Center and the A/V tray executables themselves will try to inform the user that something is broken when we proceed with these recipes.
1. Grisoft’s AVG
Using the 2012 Freeware version, I note the following about AVG. The services running are the AVG watchdog (avgwd) and the AVG IDS agent (avgidsagent). The running processes are avgidsagent.exe, avgwdsvc.exe, avgemca.exe, avgrsa.exe, avgcsrva.exe, and avgnsa.exe. The watchdog process is very persistent at restarting things: the process cannot be killed, and the service cannot be stopped.
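From the defender's side, the sequence above (A/V services stopped or disabled, the Volume Shadow Copy service briefly started and stopped, a process spawned through ‘wmic process call create’ whose image lives under a HarddiskVolumeShadowCopy device path) leaves a recognisable trail in the System and Security event logs, and the AVG service and process names just listed give a concrete baseline to check against. The following is an added example, not code from the original post or from AVG: it classifies constructed Windows-style event records, correlates hits that occur within a short window of an A/V service stop, and reports which expected AVG binaries are missing from an install-directory listing. The record field names, the constructed timestamps and the "Volume Shadow Copy" display name are assumptions for this example; 4688 records only carry a command line when process command-line auditing is enabled.

```python
# Added example (not from the original post or from AVG): defender-side
# detection for an A/V product being disabled followed by execution out of a
# volume shadow copy.  Event records are constructed to resemble Windows
# System/Security log entries; field names are assumptions for this example.
from dataclasses import dataclass, field

# AVG 2012 services and process images as listed in the post.
AVG_SERVICES = {"avgwd", "avgidsagent"}
AVG_BINARIES = {"avgidsagent.exe", "avgwdsvc.exe", "avgemca.exe",
                "avgrsa.exe", "avgcsrva.exe", "avgnsa.exe"}
# Device path fragment under which VSS snapshots are exposed.
SHADOW_COPY_PATH = "harddiskvolumeshadowcopy"


@dataclass
class Event:
    log: str                      # "System" or "Security"
    event_id: int                 # 7036/7040 service events, 4688 process creation
    ts: int                       # constructed timestamp in seconds
    data: dict = field(default_factory=dict)


def classify(ev):
    """Return (tag, detail) for a suspicious event, or None if benign."""
    d = ev.data
    svc = d.get("service", "").lower()
    if ev.log == "System" and ev.event_id == 7036:        # service state change
        if svc in AVG_SERVICES and d.get("state") == "stopped":
            return ("av_service_stopped", svc)
        if svc == "volume shadow copy":                    # assumed display name
            return ("vss_state_change", d.get("state"))
    if ev.log == "System" and ev.event_id == 7040:        # start type change
        if svc in AVG_SERVICES and d.get("new_start") == "disabled":
            return ("av_service_disabled", svc)
    if ev.log == "Security" and ev.event_id == 4688:      # process creation
        image = d.get("image", "").lower()
        cmd = d.get("command_line", "").lower()
        if SHADOW_COPY_PATH in image:                      # spawned from a snapshot
            return ("exec_from_shadow_copy", d.get("image"))
        if "wmic" in image and "process call create" in cmd:
            return ("wmic_process_create", d.get("command_line"))
    return None


def detect(events, window=600):
    """Classify every event, then correlate: any hit within `window` seconds
    of an A/V service stop/disable is reported as part of one chain."""
    hits = []
    for ev in events:
        c = classify(ev)
        if c:
            hits.append((ev.ts,) + c)
    av_times = [t for t, tag, _ in hits if tag.startswith("av_service")]
    chain = [h for h in hits if any(abs(h[0] - t) <= window for t in av_times)]
    return hits, chain


def missing_av_binaries(listing):
    """Given file names found in the AVG install directory, return the
    expected binaries that are absent (renamed or deleted)."""
    present = {name.lower() for name in listing}
    return sorted(AVG_BINARIES - present)


# Constructed sample records covering the whole sequence plus one stray hit.
SAMPLE_EVENTS = [
    Event("System", 7036, 100, {"service": "avgwd", "state": "stopped"}),
    Event("System", 7040, 101, {"service": "avgidsagent", "new_start": "disabled"}),
    Event("System", 7036, 160, {"service": "Volume Shadow Copy", "state": "running"}),
    Event("Security", 4688, 170, {"image": r"C:\Windows\System32\wbem\WMIC.exe",
                                  "command_line": "wmic process call create <snapshot path>"}),
    Event("Security", 4688, 171, {"image": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\Temp\x.exe",
                                  "command_line": "x.exe"}),
    Event("System", 7036, 175, {"service": "Volume Shadow Copy", "state": "stopped"}),
    Event("Security", 4688, 9000, {"image": r"C:\Windows\System32\wbem\WMIC.exe",
                                   "command_line": "wmic process call create notepad.exe"}),
]

if __name__ == "__main__":
    all_hits, chained = detect(SAMPLE_EVENTS)
    for h in all_hits:
        print(("CHAIN " if h in chained else "      ") + str(h))
    print("missing AVG binaries:", missing_av_binaries(["avgwdsvc.exe.bak", "avgidsagent.exe"]))
```

The correlation window is deliberately generous: the post's own sequence has the A/V stop, the shadow copy creation and the execution within minutes of each other, so a single isolated wmic invocation (the last sample record) is reported as a hit but not as part of a chain.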
DISABLING:
a. Rename the binary files in %systemroot%\program files\avg\avg2012\ as follows.