Disabling Symantec AV for pentesting

Endpoint security tools can be a real pain when trying to get accurate vulnerability scans. Some tools go so far as to kill off a generic Nessus scan. Each has its own bypass mechanism.

For example, I’m running Kali in a VM on my work laptop running SEP. SEP dutifully pops up and eats any network traffic containing potentially malicious traffic, which makes the assessment difficult. So…kill it.

Symantec HOWTO101767 describes all of the different options which can be used, but these seem to save me the most time:

"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -disable -ntp

This command disables the IPS (Network Threat Protection) component, which blocks most of the traffic from Nmap, Nessus, etc. You may need to run this command every few minutes depending on how SEM is configured. Even with this component disabled, the other features of SEP will remain active and could interfere with your scanning.
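For the defender side of the same command: an added PowerShell example (not from the original post) that spots smc.exe being run with a -disable switch in process-creation events, so a SOC can tell when IPS was switched off on a host. It assumes Security event 4688 with command-line auditing enabled and that the command line sits in property index 8 of that event (true on recent Windows builds); the function names are my own.

```powershell
# Added example, not part of the original post: flag SEP client-control commands
# such as "smc.exe -disable -ntp" in Windows process-creation records.
# Assumptions: Security log event 4688 with "Include command line in process
# creation events" enabled, and the command line in Properties[8] of the event.

function Test-SmcDisableCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # True when smc.exe (any path, quoted or not) is followed by a -disable switch.
    # -match is case-insensitive by default in PowerShell.
    return [bool]($CommandLine -match '\bsmc\.exe"?\s.*-disable\b')
}

function Get-SmcDisableEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Reading the Security log needs an elevated session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } |
        ForEach-Object {
            $cmd = $_.Properties[8].Value   # assumed index of the CommandLine field
            if ($cmd -and (Test-SmcDisableCommand $cmd)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $_.Properties[1].Value   # SubjectUserName
                    CommandLine = $cmd
                }
            }
        }
}

# Constructed sample command lines (not real log data) to exercise the check offline.
$samples = @(
    '"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -disable -ntp',
    '"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -enable -ntp',
    'C:\Windows\System32\notepad.exe'
)
foreach ($s in $samples) {
    '{0,-5} <= {1}' -f (Test-SmcDisableCommand $s), $s
}
# Only the first sample is flagged; the -enable call and notepad are not.
```

On a live host, run Get-SmcDisableEvents in an elevated PowerShell; repeated hits a few minutes apart match the re-run pattern described above and are worth a ticket rather than a blind alert.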

Best bet is to go bare metal Kali just to be sure.
