All depends on the scope of your testing, what you're testing, etc. The more details you can provide, the more helpful we can be.
You could run a vulnerability scan using OpenVAS. If you have credentials to provide, this could also show you many client-side vulnerabilities to take advantage of. You could be watching network traffic. You could be manipulating network traffic. The anti-virus could be detecting your uploaded payload and deleting it; this is likely happening based on what you've said. Maybe you can use hardware keyloggers. Reboot a system to a bootable environment. Again, all depends on the scope of testing and what you can do.