rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Metasploit being reinitialized by Kaspersky #16008

Closed MrUndead13 closed 2 years ago

MrUndead13 commented 2 years ago

Good evening, I just installed Kaspersky Internet Security on my MacBook Air M1 (Monterey 12.1) and after running a scan it quarantined all Metasploit files. So I added /opt/metasploit-framework to the exceptions and reinstalled Metasploit (turning Kaspersky off and then on again after the installation). From now on, Metasploit works, but every time I restart my MacBook, msfconsole is deleted from the path, and when I run msfconsole from the /bin directory, it initializes it (database and data) just as if I were launching it for the first time.

Is there another folder to put into the exceptions to avoid that, or another fix?

Thanks in advance :)

gwillcox-r7 commented 2 years ago

We generally recommend running Metasploit on a VM rather than your primary machine for reasons such as this one. If possible I would try to use a VM; however, if this is not possible, then what I would recommend is to see if dynamic behavioral scanning is taking place. This sometimes happens with Windows Defender, whereby a file could be labeled as fine on disk, but when it's executed in memory the dynamic behavioral analysis engine catches the file again and prevents it from executing or quarantines it.

I'd also recommend perhaps installing it all into one directory and then adding an exception for that directory. You could do this by cloning the Git repo using the instructions at https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment with your AV disabled, setting an exception on the directory you cloned the Git repo into, and then re-enabling the AV. This won't stop any behavioral analysis from blocking things, but it should prevent disk scans from picking up and removing your files.

Hope that helps :)

gwillcox-r7 commented 2 years ago

Labeling this as a question since this isn't a bug in Metasploit Framework itself and is instead more of a question on how to install Metasploit Framework given the AV restrictions.

MrUndead13 commented 2 years ago

Thank you very much for all this information! VirtualBox and VMWare are not supported on M1 right now, so I'll try looking for behavioral scanning! Thank you!

gwillcox-r7 commented 2 years ago

@MrUndead13 I think VMWare has a VMWare Fusion version for M1 Macs that is in Tech Preview right now? See https://blogs.vmware.com/teamfusion/2021/09/fusion-for-m1-public-tech-preview-now-available.html. The download link should be https://vmware.com/go/get-fusion-m1

Also no problem for the information, just some stuff I gathered whilst trying to do some AV bypasses a long time ago 😄

MrUndead13 commented 2 years ago

Oh that's great! That would help a lot on another project I have!! I'll look into that!

Thanks again for everything, since this is life-saving for me ^^

h00die commented 2 years ago

I have a hunch it's hitting on the postgres database file. Find out where it is, and whitelist that file/folder as well.

MrUndead13 commented 2 years ago

Do you know a command to do it, please? All the locations I found online mention folders I haven't created...

adfoster-r7 commented 2 years ago

The configuration for Metasploit exists in ~/.msf4

MrUndead13 commented 2 years ago

@adfoster-r7 Thanks! I previously added this folder to the exception list, but I still have the same issue unfortunately...
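The thread stalls on "find out which files the AV removes". The following diagnostic is an added example, not code from the thread or from the Metasploit project: snapshot the install tree and ~/.msf4 before the reboot, snapshot again afterwards, and diff the two to get the exact files that vanished and the directories that still need exceptions. It assumes the omnibus install lives in MSF_HOME (default /opt/metasploit-framework) and that msfdb keeps its PostgreSQL data directory in ~/.msf4/db; both are assumptions, adjust them to your machine.

```shell
#!/bin/sh
# Diagnose which Metasploit files disappear across a reboot so the right
# paths can be added to the AV exception list. Usage:
#   sh msf_av_check.sh before   # snapshot the install before rebooting
#   sh msf_av_check.sh after    # snapshot again, print directories that lost files
#   sh msf_av_check.sh check    # quick test for the files this thread mentions
# Assumptions (not from the Metasploit project): omnibus install in MSF_HOME,
# msfdb's PostgreSQL data directory in $HOME/.msf4/db.
MSF_HOME="${MSF_HOME:-/opt/metasploit-framework}"
MSF_CONF="${MSF_CONF:-$HOME/.msf4}"

# Print every regular file under the given directories, one per line, sorted
# so two snapshots can be compared with comm(1).
snapshot_tree() {
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -type f
    done | sort
}

# Print the paths present in the BEFORE snapshot file but absent from AFTER.
compare_snapshots() {
    comm -23 "$1" "$2"
}

# Print the expected paths that do not exist right now.
missing_paths() {
    for p in "$@"; do
        [ -e "$p" ] || printf '%s\n' "$p"
    done
}

# Reduce a list of removed files to the unique directories that held them;
# these are the candidates for the AV exception list.
exception_dirs() {
    sed 's:/[^/]*$::' "$1" | sort -u
}

case "${1:-}" in
    before) snapshot_tree "$MSF_HOME" "$MSF_CONF" > "$HOME/msf-before.txt" ;;
    after)  snapshot_tree "$MSF_HOME" "$MSF_CONF" > "$HOME/msf-after.txt"
            compare_snapshots "$HOME/msf-before.txt" "$HOME/msf-after.txt" \
                > "$HOME/msf-removed.txt"
            exception_dirs "$HOME/msf-removed.txt" ;;
    check)  missing_paths "$MSF_HOME/bin/msfconsole" \
                          "$MSF_CONF/database.yml" "$MSF_CONF/db" ;;
    *) : ;;
esac
```

If the postgres data directory shows up in msf-removed.txt, that matches the hunch above and the directory printed by `exception_dirs` is the one to whitelist in addition to /opt/metasploit-framework.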

github-actions[bot] commented 2 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 2 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.