which is the best against Modified and masked trojans?


ok man
October 20th, 2005, 04:10 AM
which is the best against Modified and masked trojans?
ewido, kav, panda, nod32?
also which is the best unpacking AV?

Firecat
October 20th, 2005, 04:29 AM
Anti-Trojans are always better for Trojan detection ;)

To my knowledge, KAV has the best unpack engine. And NOD32 has excellent heuristics which allow it to catch quite a few variants of Trojans quite well.....BitDefender also does well for Trojan variant detection. :)

steve1955
October 22nd, 2005, 09:29 AM
{QUOTE-> Anti-Trojans are always better for Trojan detection ;) <-QUOTE}
Always? I don't think so!

Firefighter
October 22nd, 2005, 10:04 AM
{QUOTE-> To my knowledge, KAV has the best unpack engine. And NOD32 has excellent heuristics which allow it to catch quite a few variants of Trojans quite well.....BitDefender also does well for Trojan variant detection. :) <-QUOTE}I have never seen here how good the new DrWeb 4.33 is in heuristics, absolutely in the same category as NOD with AH, but it is capable of doing the scan also in real-time protection against the whole hard disk as well!

Best regards,
Firefighter!

Blackcat
October 22nd, 2005, 12:51 PM
Yes, in the new version of Dr Web, background scanning has been added. So SpIDer Guard will now check files during system idle.

I do not know about actual improved trojan detection, but there are more unpackers in version 4.33.

izi
October 22nd, 2005, 01:19 PM
{QUOTE-> which is the best against Modified and masked trojans?
ewido, kav, panda, nod32?
also which is the best unpacking AV? <-QUOTE}

KAV is the best for anti-trojan detection.
The latest test shows that KAV detects 99.78% of 36,234 samples (Look http://www.av-comparatives.org).

KAV detects viruses in over 900 archive and compressed file formats.

NOD32 has excellent AH, but a smaller signature database than KAV. NOD32 detects (a lot of) trojans with AH. Great job ESET.

Paranoid2000
October 22nd, 2005, 05:40 PM
{QUOTE-> which is the best against Modified and masked trojans?
ewido, kav, panda, nod32? <-QUOTE}The best information on this would be the scan logs at the Scheinsicherheit Security Software (http://illusivesecurity.il.funpic.de/viewforum.php?f=4) forum, though they are over a year old.

Blackcat
October 23rd, 2005, 03:41 AM
{QUOTE-> which is the best unpacking AV? <-QUOTE}
If you use the results over at Scheinsicherheit's, together with more recent data over at MyCity (http://av-test.mycity.co.yu/index_en.html), then:

1. The best unpackers appear to be KAV, KAV-engined AVs such as F-Secure, and McAfee, with BitDefender and Dr Web not far behind.

2. Whereas those with relatively little unpacking ability include: AVG, eTrust EZ AntiVirus, Norman and Sophos.

Firecat
October 23rd, 2005, 07:30 AM
{QUOTE-> Always?I don't think so! <-QUOTE}
OK OK.....KAV may put some Anti-Trojans to shame every now and then ;)

Paranoid2000
October 23rd, 2005, 08:20 AM
{QUOTE-> 1. The best unpackers appear to be KAV, KAV-engined AVs such as F-Secure, and McAfee, with BitDefender and Dr Web not far behind.

2. Whereas those with relatively little unpacking ability include: AVG, eTrust EZ AntiVirus, Norman and Sophos. <-QUOTE}Just for fun (yeah, right...) I went through the Scheinsicherheit logs (if you're reading this ntl, could you pick an easier forum name to spell? ;)) to collate their results.

For those not familiar with their tests, please note the following:

- These date from June/July 2004, so most scanners will have improved (but then again, there are more techniques for malware to use to hide from scanners).
- The tests are of file scanners only - most AV/AT products include a memory scanner which will have higher detection rates. Memory scanners are harder to test though, since it does require actually running the malware (and then cleaning the system up fully after each test). BOClean is primarily a memory scanner so has been covered in a separate review (http://home.arcor.de/scheinsicherheit/boclean.htm).
- These can be considered "worst case" scenarios (or "real life" if you download files from questionable sources) - safe hex will greatly reduce the chance of users having to push their AV/AT scanners this far.
- These show the numbers of malware not detected, so lower = better. :)

Those products marketed as anti-trojans are marked in blue:

McAfee: 35 missed out of 556
AVK: 97 missed out of 556
KAV: 98 missed out of 556
F-Secure: 100 missed out of 556
DrWeb: 181 missed out of 556
NOD32 (with AH): 199 missed out of 556
Ewido: 230 missed out of 556
TDS-3 (discontinued): 235 missed out of 556
BitDefender: 263 missed out of 556
TrojanHunter: 296 missed out of 556
AntiVir: 325 missed out of 556
MKS-Vir: 325 missed out of 556
Norton: 363 missed out of 556
AVG: 378 missed out of 556
Panda: 381 missed out of 556
Avast!: 415 missed out of 556
eTrust: 418 missed out of 556
Sophos: 430 missed out of 556
CommandAV: 441 missed out of 556
Trend: 452 missed out of 556
F-Prot: 456 missed out of 556
ClamWin AV: 463 missed out of 556
TheCleaner: 465 missed out of 556
Pest Patrol: 468 missed out of 556

Given the age of these tests, it would be unwise to make any statements about the current effectiveness of these products, but the following points are worth noting:

- The results correspond closely with AV-Comparatives (and the MyCity tests), with KAV + derivatives (F-Secure, AVK) doing well. McAfee's top performance is also consistent with other tests.
- No definite conclusions can be drawn about anti-trojan products generally, since only 3 are listed above. However, DCS' decision to withdraw TDS-3 does seem justified given the performance of the top-notch AVs.
- Whether or not to use an AT product to supplement an AV should therefore depend more on what features it offers over and above signature scanning (e.g. process/registry protection, activity monitoring, etc). AVs like Kaspersky are also moving in this direction though.
- There are too few tests like this - if Ntl is reading this rather than playing GuildWars, perhaps he would consider an update? ;)

Blackcat
October 23rd, 2005, 12:02 PM
A number of AV programs, for example Command/F-Prot and Dr Web, have all improved their unpacking abilities since their test over at Scheinsicherheit's.

beetlejuice69
October 23rd, 2005, 12:51 PM
Thanks for taking the time to post that, Paranoid2000. Good to know, even if they are a bit out of date, to compare how they are improving...or not. :)

Paranoid2000
October 24th, 2005, 07:34 AM
{QUOTE-> Thanks for taking the time to post that... <-QUOTE}You're welcome, though the main kudos should go to Ntl for running those tests in the first place. I did find it rather surprising how many AVs came ahead of the AT's though - and how poorly one AT did... (doubtless a real cow of a product ;)).

mirimim
October 25th, 2005, 06:32 AM
Well, I wouldn't know. But I would like the opinion of you learned geeks with regard to F-Secure's BlackLight beta. Seems great to me. mirimim

illukka
October 25th, 2005, 07:18 AM
{QUOTE-> I did find it rather surprising how many AVs came ahead of the AT's though - and how poorly one AT did... (doubtless a real cow of a product ;)). <-QUOTE}

The reason for this: only file scanners were used.
There are very few packers that are good against real-time memory scanning.
I suppose that the result would've looked different if the real-time modules of some ATs were used.

I personally, in "my tests", have found DrWeb's and NOD32's heuristic engines very good against modified malware/new variants.

Alantir
October 27th, 2005, 09:11 PM
Some time ago Nautilus did some interesting tests about code permutation (http://illusivesecurity.il.funpic.de/viewtopic.php?t=56) as well. The modified samples were scanned with BOClean, Dr. Web, Ewido, Kaspersky, NOD32 and TDS-3.

illukka
October 28th, 2005, 12:42 AM
That test is really old; both NOD and DrWeb have released new versions since then.