[Question] Symantec Endpoint Protection Bypass


Go to solution Solved by no42,

Posted

Apparently Symantec Endpoint Protection can block USB Rubber Ducky attacks. Will changing the VID/PID number circumvent this blocking, or is a more creative solution required?

Posted

I was thinking the duck could be blocked by detecting keystroke speed.
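
The keystroke-speed idea raised in the post above, as an added defender-side example that is not part of the original thread: it flags a newly attached HID keyboard whose typing is faster than a person can sustain or starts immediately after attach. The thresholds, function names and sample timings are assumptions constructed for illustration.

```python
from itertools import accumulate
from statistics import median

# Assumed thresholds for illustration; tune against real typing data.
MAX_HUMAN_MEDIAN_GAP_MS = 20.0   # sustained gaps below this are not human typing
BURST_KEYS = 15                  # number of keys in the sliding window
ATTACH_GRACE_MS = 3000           # typing this soon after attach is unusual


def fastest_burst_median(key_times_ms, burst_keys=BURST_KEYS):
    """Lowest median inter-key gap over any run of burst_keys keys, or None."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    span = burst_keys - 1            # burst_keys keys have burst_keys - 1 gaps
    if len(gaps) < span:
        return None                  # too few keystrokes to judge
    return min(median(gaps[i:i + span]) for i in range(len(gaps) - span + 1))


def assess_keyboard(attach_ms, key_times_ms):
    """Return the reasons a newly attached HID keyboard looks automated."""
    reasons = []
    fastest = fastest_burst_median(key_times_ms)
    if fastest is not None and fastest < MAX_HUMAN_MEDIAN_GAP_MS:
        reasons.append("superhuman-burst")
    if key_times_ms and key_times_ms[0] - attach_ms < ATTACH_GRACE_MS:
        reasons.append("typing-right-after-attach")
    return reasons


# Constructed sample data in milliseconds, not captured from real devices.
HUMAN_GAPS = [180, 140, 260, 95, 210, 330, 120, 175, 240, 90,
              150, 400, 130, 160, 220, 110, 190, 145, 205]
HUMAN_KEYS = list(accumulate(HUMAN_GAPS, initial=45000))  # attached at t=0
INJECTED_KEYS = [101200 + 5 * i for i in range(40)]       # attached at t=100000

if __name__ == "__main__":
    print("human keyboard:", assess_keyboard(0, HUMAN_KEYS))
    print("suspect device:", assess_keyboard(100000, INJECTED_KEYS))
```
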

  • Solution
Posted

Yes, until these guys get wise!

Symantec, Sophos, and Lumension (old versions) can be bypassed!

Lumension just released a new version that dictates which users are allowed USB. If your user isn't allowed USB, ducky will be blocked.

Windows 7+ GPO settings can also block the duck.

Other versions and products block by VID & PID, hence version 2 firmware makes it easier for you to change these values without reflashing.

Go forth, and quack the system, my ducklings!

Posted (edited)

I just tried the VID/PID change on the Symantec endpoint protection, and I can verify that the change does work. Are there any other ways the antivirus companies can block us, so we can get ahead of the curve in preventing the antivirus companies from blocking us?

- If they take into account the speed at which we type the payloads, we can create bash scripts to randomize the delay values between commands or even letters. Could even modify the duck script language to do it automatically.

Edited by overwraith
Posted
If you do preemptive stuff to avert antivirus, they find our tricks faster.
