Maybe the Metasploit directory was excluded, or the on-access scan has been disabled!
No directory was excluded and on-access scan was enabled.
I was able to block the attack by activating the Access Protection policy -> Common Maximum Protection: Prevent programs registering as a service
Threat Source Process Name : C:\Windows\system32\services.exe
Threat Target File Path : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LWbPgbhS
But with this rule I have a lot of false positives.
Can you tell me which parameter has to be enabled in the On-access scan, or which policy I have to use?
Your better bet would be to look at using the Host Intrusion Prevention System (HIPS) product. It provides host and network IPS functionality for the endpoint and contains a vast library of signatures that are constantly being updated. Given that the standard use for Metasploit is to launch remote attacks against a system, HIPS will monitor the network traffic against the policy that you have applied and take the defined action based on your policy.
An antivirus will not protect against an exploit; however, you stated the payload is 'known by all AV vendors', and that is the disturbing part. If the payload hits the disk, it should get captured.
Let's test this first: copy the payload manually to the endpoint to see if it gets detected. From there, let's take a look at your low-risk process policy; you may have a low-risk process that matches the action being performed (java.exe etc.).
x2 on this - AV mostly describes detecting an existing known bad thing. Vulnerability mitigation is something completely different (and, as Tomz2 said, covered with HIPS).
Most endpoint security solutions offer a combination of technologies which you can pick and choose between - I agree this could be simpler but it's a legacy problem solved by using the recommended suite, not just picking one technology.
Yes, this is a bit odd when the customer's ask is "protect me from cyberthreats", but that's the way this industry has grown up - new solutions like ENS10 take a step in the right direction to solve it, though, through simplification.
The payload gets detected when I copy it manually to the endpoint.
I have no special low-risk process policy; it's the McAfee default.
Hi David -
You're likely looking at two different scenarios here.
1) Metasploit payload file copied to an endpoint manually and being written to disk. VSE, if the file is known (heuristics/DAT), will take action on it as defined in your policy. In this case, the Metasploit file is known to Intel Security, whether by heuristics or DAT, and is being detected.
2) Your team that is using Metasploit to launch a remote "attack" is doing so over the network. VSE likely won't capture the payload in this scenario unless part of the Metasploit payload is to copy a file, such as a malware dropper or something else that might be known. You'd want HIPS in this scenario.
As mentioned by myself and SafeBoot, you really should be looking at a layered approach to covering things like a pen test. You want to use HIPS because it is monitoring the network traffic on the host and has signatures for many of the known vulnerabilities that tools like Metasploit, well... exploit. You want VSE on the systems as well to capture any sort of malware that may be loaded onto an endpoint, whether by an attacker or by a user of the system.