When think talk about anti-virus evasion, we mostly do so in the context of a penetration test: If the "bad guys" can evade AV solutions because they write custom payloads, then a penetration tester must do the same to simulate an attack. However, AV evasion is also critical to vulnerability validation. While a full-scale penetration test looks for any way into the network, vulnerability validation surgically examines one vulnerability on a specific host and tests if it is exploitable. Security professionals do vulnerability validation because it enables them to determine if a vulnerability is "real" so they can prioritize it; many also use the validation to demonstrate the security exposure to their peers in IT operations to get quick buy-in to patch or mitigate the risk. Metasploit Pro integrates with Rapid7 Nexpose Enterprise to pull reported vulnerabilities for validation and pushing both validated vulnerabilities and vulnerability exceptions back into Nexpose for reporting and future testing, a process we call "closed-loop" vulnerability management.

When you validate a vulnerability, you use the exploit associated to the vulnerability to test if it can be used on the machine. The idea is not only to rule out false positives but also to test if mitigating controls can stop an attack. For example, you may have closed a port on the host, shut down a service, or made adjustments on your firewall to protect the system from an attack. While anti-virus solutions are also considered security controls, they are mostly effective against mass malware attacks, not targeted attacks by a skilled attacker. When validating a vulnerability, you should therefore use anti-virus evasion that mimics these types of attackers to get a realistic picture on whether a certain vulnerability leaves a system open to attacks. If you don't, you may create an exception and accept the risk as mitigated while you're actually still vulnerable to an attack, giving you a false sense of security that could result in a breach.

In the recent 4.9 release of Metasploit Pro, we have improved our anti-virus evasion and baked it into all processes that use payloads, including vulnerability validation. That means that simply by leveraging Metasploit Pro for vulnerability validation, you're already using anti-virus evasion to mimic a real-world attacker. AV evasion is not included in of Metasploit Framework, Community or Express, so we recommend that you use Metasploit Pro for vulnerability validations to get clean, realistic results. In fact, the classic Metasploit Framework payloads get flagged by most AV companies because they are readily available as open source, leading to false negatives in your vulnerability validation program.

If you don't have a copy of Metasploit Pro but would like to give it a go, simply sign up for the free Metasploit Pro trial from rapid7.com.