There's been some great writing by Metasploit contributors on how to avoid AV detection. This post attempts to collect it in a single place:
- http://schierlm.users.sourceforge.net/avevasion.html # clear-cut writeup of how and why AV flags vanilla Metasploit binaries. It walks through the bypass techniques in order: first generating the exe from your own template, then building a fully custom exe that runs the payload.
- http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/ # good background on how the exe is generated, and on why the result is heuristically flagged in many cases no matter which encoder you use.
- http://bernardodamele.blogspot.com/2011/04/execute-metasploit-payloads-bypassing.html # a (not so) simple standalone payload executor. Haven't tested it, but since it isn't part of the framework it has likely avoided AV signatures. Picks up where mihi's article (the first link) leaves off. Supports x64. Nice follow-up content in the comments.
- http://www.scriptjunkie.us/2011/06/bypassing-dep-aslr-in-browser-exploits-with-mcafee-symantec/ # related article on how AV products load non-ASLR DLLs into the browser process, and how those DLLs are then used as a gadget source for a ROP chain that bypasses DEP.