
Penetration test with metasploit

Our security team is doing penetration tests with basic metasploit payloads known by all AV software.

Our VSE doesn't block it. Is it possible that I missed a configuration?

Software:
agent =
engine = 5700.7163


7 Replies

Re: Penetration test with metasploit

Maybe the metasploit directory was excluded, or on-access scan has been disabled!

Re: Penetration test with metasploit

No directory was excluded and on-access scan was enabled.
I was able to block the attack by activating the access protection policy -> Common Maximum Protection: Prevent programs registering as a service
Threat Source Process Name : C:\Windows\system32\services.exe
Threat Target File Path : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LWbPgbhS
But with this rule I have a lot of false positives.

Can you tell me which parameter has to be enabled on On-access scan or which policy I have to use?

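The Access Protection event quoted in this post is services.exe creating a new key under ...\Services\ with a random-looking name, and the false positives come from legitimate installers doing exactly the same registry write. Below is an added Python triage script, not part of the thread or of any McAfee product, that parses records in the "key : value" layout quoted above and separates the two cases: it allow-lists known installer paths and flags service names that look machine-generated. The "---" record separator, the ExampleVendor paths, the allow-list and the randomness thresholds are all constructed assumptions; only the first record repeats the two lines quoted in the thread.

```python
import re

# Constructed sample records (not real log output). The first record repeats
# the two lines quoted in the thread; the other two are invented to show a
# legitimate service name and a source process that is on the allow-list.
SAMPLE_EVENTS = r"""
Threat Source Process Name : C:\Windows\system32\services.exe
Threat Target File Path : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LWbPgbhS
---
Threat Source Process Name : C:\Windows\system32\services.exe
Threat Target File Path : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler
---
Threat Source Process Name : C:\Program Files\ExampleVendor\setup.exe
Threat Target File Path : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ExampleAgent
"""

# Hypothetical allow-list of installers that legitimately register services.
# Compared case-insensitively, so store lower-case paths.
ALLOWLIST = {r"c:\program files\examplevendor\setup.exe"}

FIELD_RE = re.compile(
    r"^\s*(Threat Source Process Name|Threat Target File Path)\s*:\s*(.+?)\s*$"
)
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)


def parse_events(text):
    """Split the 'key : value' records (separated by '---') into dicts."""
    events = []
    for chunk in text.split("---"):
        record = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                key = "source" if m.group(1).startswith("Threat Source") else "target"
                record[key] = m.group(2)
        if "source" in record and "target" in record:
            events.append(record)
    return events


def service_name(target):
    """Return the service key name from a ...\\Services\\<name> registry path."""
    m = SERVICE_RE.search(target)
    return m.group(1) if m else None


def looks_random(name):
    """Heuristic (assumed thresholds): short, purely alphabetic, almost no
    vowels, and frequent upper/lower case flips between adjacent letters."""
    if not (6 <= len(name) <= 16) or not name.isalpha():
        return False
    vowel_ratio = sum(ch in "aeiouAEIOU" for ch in name) / len(name)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return vowel_ratio < 0.2 and flips / (len(name) - 1) >= 0.4


def triage(events, allowlist=ALLOWLIST):
    """Label each service-registration event so an analyst can tune the rule."""
    findings = []
    for ev in events:
        name = service_name(ev["target"])
        if name is None:
            continue  # not a service key write; outside this rule's scope
        if ev["source"].lower() in allowlist:
            verdict = "allowlisted"
        elif looks_random(name):
            verdict = "suspicious"
        else:
            verdict = "benign-looking"
        findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{verdict:15} {name}")
```

Run as-is it labels LWbPgbhS suspicious, Spooler benign-looking and ExampleAgent allowlisted. The point of the allow-list is that the rule itself can stay enabled: instead of disabling "Prevent programs registering as a service" because of noisy installers, the known installer paths are excluded and only the remaining events need a human look.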

Re: Penetration test with metasploit

Hi David,

Your better bet would be to look at using the Host Intrusion Prevention System (HIPS) product. It provides host and network IPS functionality for the endpoint and contains a vast library of signatures that are constantly being updated. Given that the standard use for metasploit is to launch remote attacks against a system, HIPS will monitor the network traffic against the policy that you have applied and take the defined action based on your policy.



Re: Penetration test with metasploit

An antivirus will not protect against an exploit; however, you stated the payload is 'known by all AV vendors', and that is the disturbing part. If the payload hits the disk, it should get captured.

Let's test this first: copy the payload manually to the endpoint to see if it gets detected. From there, let's take a look at your low-risk process policy; you may have a low-risk process that matches the action being performed (java.exe etc.).

SafeBoot (Reliable Contributor)

Re: Penetration test with metasploit

x2 on this - AV mostly describes detecting an existing known bad thing. Vulnerability mitigation is something completely different (and as Tomz2 said, covered with HIPS).

Most endpoint security solutions offer a combination of technologies which you can pick and choose between - I agree this could be simpler but it's a legacy problem solved by using the recommended suite, not just picking one technology.

Yes, this is a bit odd when the customer ask is "protect me from cyberthreats", but that's the way this industry has grown up - new solutions like ENS10 take a step in the right direction to solve it though through simplification.

Re: Penetration test with metasploit

The payload gets detected when I copy it manually to the endpoint.

I have no special low-risk process policy, it's the McAfee default.


Re: Penetration test with metasploit

Hi David -

You're likely looking at two different scenarios here.

1) Metasploit payload file copied to an endpoint manually and being written to disk. VSE, if known (heuristics/DAT), will take action on the file as defined in your policy. In this case, the metasploit file is known to Intel Security, whether by heuristics or DAT and is being detected.

2) Your team that is using Metasploit to launch a remote "attack" is doing so over the network. VSE likely won't capture the payload in this scenario unless a part of the metasploit payload is to copy a file such as a malware dropper or something that might be known. You'd want HIPS in this scenario.

As mentioned by myself and SafeBoot, you really should be looking at a layered approach to covering things like a pen test. You want to use HIPS because it is monitoring the network traffic on the host and has signatures for many of the known vulnerabilities that tools like metasploit well...exploit. You want VSE on the systems as well to capture any sort of malware that may be loaded to an endpoint whether by an attacker or by a user of the system.
