Unpacking Engine?


eb_tide
July 21st, 2003, 11:51 AM
Someone help me out here please? I keep hearing about unpackers like that of KAV, Rav, McAfee, etc.? How important is it to have a good unpacking engine in an AV? Is it necessary in an AV if you have a good AT like BOClean, TDS-3 or TrojanHunter?

root
July 21st, 2003, 05:47 PM
Best unpacker is KAV, then McAfee. RAV is history since it was sold to M$.
It's always best to use an AV and an AT, but even with TDS for Trojans, it is still great to have KAV's unpackers, huge database and excellent heuristics.
Some people don't put a lot of interest in an AV's unpacking ability because a good AV should catch a bad guy after it got unpacked. I say why wait? Get it as soon as I can.
Kind of a personal choice sort of thing. People tend to look for different things in AV and ATs, so there's always a lot of different opinions.
I think you will get more answers here. I have had good luck with KAV and TDS, so those are my mainstays.

_anvil
July 22nd, 2003, 04:10 PM
{QUOTE-> [...] because a good AV should catch a bad guy after it got unpacked. <-QUOTE}

Attention! (The 'old' misunderstanding... ;) ): This _only_ applies to archived malware, and not to packed/crypted malware, because the latter is unpacked directly into RAM.
And when talking about "unpackers" lately, people do actually refer to packed/crypted malware... ;)

That's why an unpacking engine is not just a "gimmick", but quite important for security (especially for trojans.) :)
Some kind of (weaker) alternative would be a memory scanner - but currently there is no AV which has one (only some ATs...)

Blackcat
July 22nd, 2003, 05:19 PM
Anvil,

Doesn't Dr Web have some sort of memory scanner?

http://www.dslreports.com/forum/remark,7051184~root=security,1~mode=flat

Added URL tags

_anvil
July 22nd, 2003, 07:15 PM
{QUOTE-> Doesn't Dr Web have some sort of memory scanner? <-QUOTE}

I'm _pretty_ (not absolutely) sure that Dr.Web's memory scanner only scans the _files_ on HD which are at that time active as processes in RAM. At least this is what several AVs do. Unfortunately, it doesn't help against packed/crypted files.
(Dr.Web has a useful unpacking engine, though...)

"Real" memory scanners do really scan the (unpacked) _processes_ in RAM - so they will detect nasties in memory, which were originally (as files) packed/crypted. :)
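To make the distinction drawn in the two posts above concrete (a file scanner sees only the packed bytes on disk; an unpacking engine or a "real" memory scanner sees the image the packer's stub restores in RAM), here is a small constructed Python model. It is an added example, not code from this thread or from any of the products mentioned; the toy XOR packer, the stub header `TOYPK`, the marker bytes and the scanner functions are all made up for illustration.

```python
"""Constructed model of file scanning vs. unpacking vs. memory scanning.

Nothing here is real malware: the "signature" is an arbitrary byte string and
the "packer" is a toy XOR encoder with a recognisable stub header.
"""

# Constructed signature: the byte pattern a scanner would look for.
SIGNATURE = b"EVIL-MARKER-1234"

# Constructed "sample": a harmless blob that merely contains the signature.
ORIGINAL_IMAGE = b"PROGRAM-HEADER" + SIGNATURE + b"PROGRAM-TAIL"

PACKER_MAGIC = b"TOYPK"  # constructed stub header identifying the toy packer
PACKER_KEY = 0x5A         # constructed single-byte XOR key


def toy_pack(image: bytes) -> bytes:
    """Toy packer: XOR the image and prepend a stub header plus the key."""
    body = bytes(b ^ PACKER_KEY for b in image)
    return PACKER_MAGIC + bytes([PACKER_KEY]) + body


def toy_unpack(packed: bytes) -> bytes:
    """What the packer's stub does at run time: restore the image into memory."""
    if not packed.startswith(PACKER_MAGIC):
        raise ValueError("not a TOYPK file")
    key = packed[len(PACKER_MAGIC)]
    return bytes(b ^ key for b in packed[len(PACKER_MAGIC) + 1:])


def file_scan(file_bytes: bytes) -> bool:
    """Plain signature scan over the bytes exactly as they sit on disk."""
    return SIGNATURE in file_bytes


def file_scan_with_unpacking(file_bytes: bytes) -> bool:
    """File scan backed by an unpacking engine: recognise the packer,
    unpack statically, then scan the restored image."""
    if file_bytes.startswith(PACKER_MAGIC):
        return file_scan(toy_unpack(file_bytes))
    return file_scan(file_bytes)


class Process:
    """Simulated running process: keeps both the backing file on disk and
    the image the stub unpacked into RAM at start-up."""

    def __init__(self, file_bytes: bytes):
        self.file_bytes = file_bytes
        if file_bytes.startswith(PACKER_MAGIC):
            self.memory = toy_unpack(file_bytes)  # stub has run: image is in clear
        else:
            self.memory = file_bytes


def memory_scan_weak(process: Process) -> bool:
    """'Memory scanner' that only rescans the process's backing file on disk."""
    return file_scan(process.file_bytes)


def memory_scan_real(process: Process) -> bool:
    """'Real' memory scanner: looks at the unpacked process image in RAM."""
    return SIGNATURE in process.memory


def demo() -> dict:
    """Run every scanner against the packed sample and report hit/miss."""
    packed = toy_pack(ORIGINAL_IMAGE)
    proc = Process(packed)
    return {
        "file_scan_plain": file_scan(ORIGINAL_IMAGE),        # unpacked file: hit
        "file_scan_packed": file_scan(packed),                # packed file: miss
        "unpacking_engine_packed": file_scan_with_unpacking(packed),  # hit
        "memory_scan_weak": memory_scan_weak(proc),           # rescans disk: miss
        "memory_scan_real": memory_scan_real(proc),           # scans RAM: hit
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:26s} {'DETECTED' if hit else 'missed'}")
```

The only scanners that catch the packed sample are the one with an unpacking engine (it knows this packer and can restore the image before the sample ever runs) and the "real" memory scanner (it sees the image after the stub has restored it). The weak memory scanner fails for exactly the reason _anvil gives: it is still looking at the packed file on disk.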

jdong
July 23rd, 2003, 08:40 PM
{QUOTE-> quoting _anvil:
{QUOTE-> Doesn't Dr Web have some sort of memory scanner? <-QUOTE}

I'm _pretty_ (not absolutely) sure that Dr.Web's memory scanner only scans the _files_ on HD which are at that time active as processes in RAM. At least this is what several AVs do. Unfortunately, it doesn't help against packed/crypted files.
(Dr.Web has a useful unpacking engine, though...)

"Real" memory scanners do really scan the (unpacked) _processes_ in RAM - so they will detect nasties in memory, which were originally (as files) packed/crypted. :)
<-QUOTE}

No, Dr. Web's memory scanner is 'real'. KAV's is not...

Dr. Web's scanner actually unpages all active processes and scans through the RAM...

_anvil
July 24th, 2003, 01:50 PM
@jdong

Does the mem-scanner detect packed/crypted malware which isn't detected by the file-scanner? I am not sure about this... have you tested it?

jdong
July 28th, 2003, 05:02 PM
Anvil, never tested that... In theory, yes... but I am in no mood to pack and unleash malware onto my systems... ;) (and too lazy to start up a VM, too. LOL)