Post Exploitation – Disable Firewall and Kill Antivirus

06 Apr

One of the most important parts of performing a penetration test is being able to work undetected. A firewall may block you and antivirus software may detect your activities. If an antivirus detects your activities, the penetration test will not look so professional in the eyes of your client.

So one of the first things that you may want to try once you have exploited the remote system is to disable any antivirus solution and firewall. For this article we will use the Windows Firewall and AVG 2012 as the antivirus.

Let's say that we have exploited the remote machine, which in this scenario is running Windows XP as its operating system.

Exploiting the target


We will instruct meterpreter to give us a shell on the remote system with the shell command.

Obtain a remote shell


Now we need to check whether the remote system has the firewall enabled. We will use the command: netsh firewall show opmode

Check if the Windows Firewall is enabled


As we can see, the firewall is enabled. In order to disable it we will use the command: netsh firewall set opmode mode=disable

Disable the Windows Firewall


We can check the remote system in order to see if the firewall has been disabled successfully.

Proof that the firewall has been disabled


The firewall has been disabled and now it is time to kill the antivirus. So we will return to the meterpreter session and run the command killav.

Killav Meterpreter script


We can see that this meterpreter script killed some processes, including avgrsx.exe. We may assume that the AVG antivirus is now disabled, but the reality is different. Let's first have a look at the source code of the killav script in order to understand what it actually does.

Sample of Source code of Killav script


As you can see, there is a list of process names of well-known antivirus products. So when we run the killav script it tries to match the names on that list against the processes running on the remote host in order to find the antivirus and kill it. Now let's investigate the processes on the remote target after we have executed the killav script.

Tasklist on the remote computer


As you can see from the next image, there are still some AVG processes running. So the meterpreter script didn't work as expected.

Processes of the remote system


Now we will try to categorize these processes in order to see to which service they belong. The command that we are going to use is tasklist /svc

Categorize the services


We are interested only in the AVG services and their processes, so we will use the command tasklist /svc | find /I "avg" in order to discover them. In this way we have instructed the remote system to return only the lines whose image name contains avg (find /I is a case-insensitive substring match).

Discovery of the AVG services


These are the processes that we need to kill. However, if we try to do so we will notice that it has no effect, because the services avgwd and AVGIDSAgent restart these processes once they get killed. So let's examine these two services and their attributes.

Attributes of AVG services


As you can see from the image above, these two services cannot be stopped and cannot be paused. So how are you supposed to disable an antivirus whose services cannot be stopped or paused? The only valid solution is to disable the services so that on the next reboot of the target they will not start. We can achieve that by executing the commands that you can see in the image below.

Disable the AVG Services


We will reboot the remote target through meterpreter.

Reboot the remote target


Now that the system has restarted, it is time to examine whether there are any AVG processes still running.

Find the running processes of AVG after the reboot


We notice from this output that there are 3 processes instead of 5, and the two processes that correspond to the avgwd and AVGIDSAgent services are missing. This is because we disabled them before the reboot. So we can now kill these 3 processes safely.

Kill the remaining AVG processes


The antivirus is now disabled on the remote target and we can continue our work without fear of being interrupted and discovered by an antivirus or a firewall.
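Seen from the defender's side, every step of the procedure above leaves a command line in the host's process-creation telemetry: netsh switching the firewall opmode, sc config setting the AVG services (and, per the comments, wscsvc) to disabled, and taskkill against the remaining AVG images. The following Python is an added example, not code from the original article or from the Metasploit project, that scans constructed process-creation records and flags exactly those patterns. The record layout ("Key=Value" fields separated by "|"), the sample lines, the rule names and the PROTECTION_HINTS list are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (an assumption about layout:
# one record per line, "Key=Value" fields separated by "|", modelled loosely
# on the fields found in Sysmon event 1 / Security event 4688 exports).
SAMPLE_RECORDS = """
User=CORP\\alice|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|CommandLine="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c netsh firewall set opmode mode=disable
User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\sc.exe|CommandLine=sc config avgwd start= disabled
User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\sc.exe|CommandLine=sc config AVGIDSAgent start= disabled
User=CORP\\admin|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\sc.exe|CommandLine=sc config Spooler start= disabled
User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\taskkill.exe|CommandLine=taskkill /F /IM avgrsx.exe
User=CORP\\alice|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\tasklist.exe|CommandLine=tasklist /svc
""".strip().splitlines()

# Substrings of service or image names whose disabling lowers protection.
# "avg" and "wscsvc" come from the article and its comments; the others are
# the well-known service names of Windows Defender (WinDefend) and the
# Windows Firewall (MpsSvc on Vista and later, SharedAccess on XP).
PROTECTION_HINTS = ("avg", "wscsvc", "windefend", "mpssvc", "sharedaccess")

# Detection rules over the command line. Where a rule captures a target
# (service or image name) the severity is decided by whether that target
# looks protection-related; otherwise the fixed severity applies.
RULES = (
    ("firewall_disabled_netsh",
     re.compile(r"\bnetsh\s+firewall\s+set\s+opmode\s+(?:mode=)?disable\b", re.I), "high"),
    ("firewall_disabled_advfirewall",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I), "high"),
    ("service_start_disabled",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b", re.I), None),
    ("forced_image_kill",
     re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.I), None),
)


@dataclass
class Finding:
    rule: str
    severity: str
    user: str
    target: str
    command_line: str


def parse_record(line):
    """Split one 'Key=Value|Key=Value' record into a dict. Only the first '='
    of each field separates key from value, so 'mode=disable' inside the
    command line survives intact."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def protection_related(name):
    n = name.lower()
    return any(hint in n for hint in PROTECTION_HINTS)


def scan(records):
    """Run every rule over every record and return the list of findings."""
    findings = []
    for line in records:
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        for rule, pattern, fixed_severity in RULES:
            m = pattern.search(cmd)
            if not m:
                continue
            target = m.group(1) if m.groups() else ""
            severity = fixed_severity or ("high" if protection_related(target) else "low")
            findings.append(Finding(rule, severity, rec.get("User", "?"), target, cmd))
    return findings


def tamper_chain(findings):
    """True when the article's sequence is visible on one host: the firewall
    was switched off and a protection service was set to 'disabled' (so it
    will not come back after a reboot)."""
    high = {f.rule for f in findings if f.severity == "high"}
    firewall_off = high & {"firewall_disabled_netsh", "firewall_disabled_advfirewall"}
    return bool(firewall_off) and "service_start_disabled" in high


if __name__ == "__main__":
    found = scan(SAMPLE_RECORDS)
    for f in found:
        print(f"[{f.severity:4}] {f.rule:30} user={f.user:22} target={f.target or '-':14} {f.command_line}")
    print("firewall + protection-service disable chain seen:", tamper_chain(found))
```

On the constructed input the scanner raises four high findings (the netsh firewall change, the two AVG services set to disabled and the forced kill of avgrsx.exe) and one low finding for the unrelated Spooler service, and tamper_chain reports the combination. The value of the chain check is that sc config against a single service is routine administration, while a firewall change followed by a security service being set to disabled is the shape of the procedure described in this article; on a real host the records would come from Sysmon, 4688 auditing or an EDR, and the hint list would be extended with the vendor's actual service names.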

The last thing that we may want to try is to clear the system log files. We can run the command clearev in meterpreter in order to delete all records from the Event Viewer.

Clear the log files


The next screenshot is proof that the log files have been deleted and there are no records.
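Two things about the event log side of this procedure are worth knowing as a defender. First, the start-type change made with sc config is recorded by the Service Control Manager as System event 7040 at the moment the command runs, before any reboot. Second, clearing a log is itself logged: where auditing of system events is enabled, the emptied Security log begins with event 517 (XP and Server 2003) or 1102 (Vista and later), and on Vista and later a cleared System log begins with event 104, so clearev removes the history but leaves a marker, and any copies already forwarded to a collector are untouched. The following Python is an added example, not code from the article or from any Microsoft tool, that classifies constructed event records into those findings. The record shape (log, id, source, message), the sample messages, the 1074 restart sample and the PROTECTION_HINTS list are assumptions made for the example.

```python
import re

# Constructed sample event records (an assumption about shape: real output from
# wevtutil, Sysmon or a SIEM carries many more fields; log/id/message suffice here).
SAMPLE_EVENTS = [
    {"log": "System", "id": 7036, "source": "Service Control Manager",
     "message": "The Print Spooler service entered the running state."},
    {"log": "System", "id": 7040, "source": "Service Control Manager",
     "message": "The start type of the avgwd service was changed from auto start to disabled."},
    {"log": "System", "id": 7040, "source": "Service Control Manager",
     "message": "The start type of the AVGIDSAgent service was changed from auto start to disabled."},
    {"log": "System", "id": 7040, "source": "Service Control Manager",
     "message": "The start type of the Security Center service was changed from auto start to disabled."},
    {"log": "System", "id": 7040, "source": "Service Control Manager",
     "message": "The start type of the Print Spooler service was changed from auto start to disabled."},
    {"log": "System", "id": 1074, "source": "User32",
     "message": "The process svchost.exe has initiated the restart of computer WORKSTATION for the following reason: Other (Unplanned)"},
    {"log": "Security", "id": 517, "source": "Security",
     "message": "The audit log was cleared."},
    {"log": "Security", "id": 1102, "source": "Microsoft-Windows-Eventlog",
     "message": "The audit log was cleared."},
]

# Event 7040 names the service by its display name, so the hints mix short
# names and display names. "avg" and wscsvc (display name "Security Center")
# come from the article and its comments; the rest are the well-known names
# of Windows Defender and the Windows Firewall service.
PROTECTION_HINTS = ("avg", "wscsvc", "security center", "windefend", "windows defender",
                    "mpssvc", "windows firewall", "sharedaccess")

# SCM event 7040 text: "The start type of the <name> service was changed from <old> to <new>."
START_TYPE_RE = re.compile(
    r"start type of the (.+?) service was changed from (.+?) to (.+?)\.?$", re.I)

# Events written when a log is cleared, keyed by (log, event id).
LOG_CLEARED = {
    ("Security", 517): "audit_log_cleared",    # XP / Server 2003
    ("Security", 1102): "audit_log_cleared",   # Vista and later
    ("System", 104): "system_log_cleared",     # Vista and later
}


def protection_related(name):
    n = name.lower()
    return any(hint in n for hint in PROTECTION_HINTS)


def classify(ev):
    """Return a finding dict for a suspicious event, or None for noise."""
    key = (ev["log"], ev["id"])
    if key in LOG_CLEARED:
        return {"rule": LOG_CLEARED[key], "severity": "high",
                "log": ev["log"], "id": ev["id"], "detail": ev["message"]}
    if key == ("System", 7040):
        m = START_TYPE_RE.search(ev["message"])
        if m and m.group(3).strip().lower() == "disabled":
            name = m.group(1)
            return {"rule": "service_start_disabled",
                    "severity": "high" if protection_related(name) else "low",
                    "log": ev["log"], "id": ev["id"], "detail": name}
        return None  # a change to any other start type is ordinary administration
    if key == ("System", 1074):
        # A restart is informational on its own; it matters next to the findings above.
        return {"rule": "restart_initiated", "severity": "info",
                "log": ev["log"], "id": ev["id"], "detail": ev["message"]}
    return None


def scan_events(events):
    return [f for f in (classify(e) for e in events) if f]


def disabled_protection_services(findings):
    """Names of protection services that will not start again at the next boot."""
    return {f["detail"] for f in findings
            if f["rule"] == "service_start_disabled" and f["severity"] == "high"}


def summarize(findings):
    counts = {"high": 0, "low": 0, "info": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:4}] {f['log']}/{f['id']:<5} {f['rule']:24} {f['detail']}")
    print("protection services disabled for next boot:", sorted(disabled_protection_services(found)))
    print("summary:", summarize(found))
```

On the constructed records the classifier reports avgwd, AVGIDSAgent and Security Center as protection services that will be missing after the next boot, a low finding for Print Spooler, the restart as informational, and two high findings for the cleared Security log. The practical lesson is the order of events: the 7040 entries and the firewall change exist before the reboot and before clearev runs, so a collector that receives events as they are written keeps the whole story even after the local logs are emptied.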

No records in the Event Viewer



Every penetration tester needs to know how to disable a firewall or an antivirus remotely. This is essential for penetration testing activities. However, as we saw, the meterpreter script didn't manage to disable the antivirus. This is proof that a penetration test is not an automatic process and also requires the human factor.

Apart from that, the main disadvantage was that this method required a reboot of the remote target in order to disable the antivirus, so if someone was working at the system he would have noticed that something was going wrong, besides the fact that it would have affected his work. However, on a system where nobody is working it is an effective method.


Posted by on April 6, 2012 in Post Exploitation



10 responses to “Post Exploitation – Disable Firewall and Kill Antivirus”

  1. tatramaco

    April 7, 2012 at 2:04 pm

    So as a Pentester you are trying to be stealthy.
    As it is XP with the Firewall on you probably had to compromise the machine with some user interaction. Nobody, especially the user sat at the machine, would notice the reboot?
    Also how would you get a backdoor on the machine, without detection from the AV, to ensure you can connect back to the machine without further interaction?

  2. netbiosX

    April 7, 2012 at 2:29 pm

    You don’t need user interaction in order to exploit a Windows XP machine that is running a firewall. In this article I have exploited the vulnerability in the netapi.

    If you read the conclusion again you will see that I have reported that the reboot is a drawback of this method.

    Finally, before you place your backdoor you have to encode it first to avoid detection. For this specific tutorial I haven’t used a backdoor in order to connect back to the machine. After the reboot I just exploited it again with the same exploit.

  3. iKlwa

    April 7, 2012 at 10:01 pm

    The reboot isn’t the end of the world, invoke a BSOD, nobody would suspect a thing🙂. It would be good to be able to tell Windows not to monitor the status of the Anti-virus and the Firewall, any idea how to do that prior to disabling the AV it so you don’t get that pop-up warning appearing in the System Tray?

  4. netbiosX

    April 8, 2012 at 3:27 am

    These notifications are controlled by the Windows Security Center so you need to find a way to stop the service wscsvc in order to avoid these pop-up messages.

  5. Ebubekir

    April 9, 2012 at 3:47 pm

    Good doc. Thanks.

  6. iKlwa

    April 9, 2012 at 9:32 pm

    Cool, so just a simple “sc config wscsvc start= disabled” at the point you are disabling the AVG services, thanks.

  7. phi

    April 16, 2012 at 9:49 am


    Thanks for sharing. It would be unwise to reboot a compromised system without first maintaining persistence. You are assuming that after reboot, the malicious payload will be executed again, which is by a long shot.

    Your article will be more complete if you include a portion on how to maintain persistence.

  8. netbiosX

    April 16, 2012 at 1:13 pm

    You have a point phi, but I was thinking that on systems that have an antivirus you need to create an undetectable backdoor in order to maintain persistence because, as you saw from this article, some of the antivirus services cannot be disabled without a reboot. Maintaining persistence is a topic by itself which I will cover separately. 🙂

  9. akshay

    June 20, 2013 at 6:43 pm

    Now it’s not necessary to reboot the victim PC.

