Thursday, May 5, 2011

Why is Metasploit flagged by the AVs?

Nice article from Scriptjunkie explaining why Metasploit-generated binaries get flagged by AVs.

As I understand it, a Metasploit-generated executable is a small stub that creates a read-write-execute (RWX) memory region, copies the encoded shellcode into it, decodes it there and then transfers execution to it. The AV signature is therefore matching not the encoded shellcode, which changes with every encoder run, but the executable template used to load it, which is the same in every generated binary. That is why re-encoding the payload on its own does not get it past the scanner.

A possible workaround is to patch the same loader into another binary of your choosing, so that the static signature on the default template no longer matches. The AV may flag it anyway: a program that allocates an RWX memory region and then points the instruction pointer (IP) into it is behaving suspiciously, and a behavioural heuristic catches that regardless of which executable carries the stub.
