Question about AV's unpacking engine


Tan
January 17th, 2004, 11:08 AM
Hi all,

This is a newbie's question. :)

I've read so many threads at Wilders that mention AV unpacking engines, and it has made me understand that Kaspersky (KAV) has a great unpacking engine that no other AV can beat.

But the question is,

- What is an unpacking engine?
- Why is it so important for an AV to detect malware such as trojans and backdoors?
- Why can't an AV with a poor unpacking engine detect a trojan when it executes/installs, or detect it once the trojan is already installed?

These may seem to be stupid questions, but please bear with me; I can't find another place to get this cleared up. I've now tried AVG 7 and I like it very much, it is very light on my machine, but what about AVG's trojan detection?

Thanks

wizard
January 17th, 2004, 12:58 PM
> Tan wrote:
> - What is an unpacking engine?

An unpacking engine is part of the scan engine which allows av software to scan files that are packed with runtime packers or crypters.

> - Why is it so important for an AV to detect malware such as trojans and backdoors?

To detect malicious files, av software looks for a certain part of the file that is unique and uses it as a signature - much like fingerprints used to identify criminals. Using runtime packers or crypters changes the file structure and therefore changes the part that was used before as a signature. This means a malicious file goes undetected.

With an unpacking feature, the av software unpacks the file to its original structure and can identify the malware correctly.

> - Why can't an AV with a poor unpacking engine detect a trojan when it executes/installs, or detect it once the trojan is already installed?

Because the signature the av software is looking for has been changed in the file. Therefore detection fails.

> Now I've tried AVG 7 and I like it very much, it is very light on my machine, but what about AVG's trojan detection?

With AVG you need at least a separate antitrojan software. In terms of unpacking, AVG is rather poor.

wizard

root
January 17th, 2004, 05:33 PM
One other item. A file packed with a runtime packer can be executed from its packed state, unlike a zipped file. To complicate things even more, there are a LOT of runtime packers available for the kiddies to use nowadays.
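
The signature-versus-packer mechanism wizard describes above, together with root's point that a packer the engine does not know defeats it, as an added toy example (not code from this thread or from any AV product): a byte-signature scanner with and without an unpacking layer. The "packers" are constructed stand-ins (zlib and bz2 compression behind a made-up stub header), and the engine only implements an unpacker for the first one.

```python
import bz2
import zlib

# Constructed signature database: family name -> byte sequence unique to the
# original (unpacked) file. Harmless marker text, not a real sample.
SIGNATURES = {"Demo.Trojan": b"DEMO-TROJAN-PAYLOAD-MARKER"}

# Constructed stand-ins for runtime packers: a recognisable stub (magic header)
# followed by the transformed original body. The engine only knows the first.
MAGIC_SUPPORTED = b"TOYPACK1"    # unpacker implemented below
MAGIC_UNSUPPORTED = b"TOYPACK2"  # no unpacker: models a packer the AV lacks

def pack_supported(data: bytes) -> bytes:
    return MAGIC_SUPPORTED + zlib.compress(data)

def pack_unsupported(data: bytes) -> bytes:
    return MAGIC_UNSUPPORTED + bz2.compress(data)

def scan_signatures(data: bytes):
    """Plain signature scan: name of the first matching family, else None."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None

def unpack(data: bytes):
    """Unpacking engine: recognise the stub and restore the original body;
    None when the packer is unsupported or the packed body is corrupt."""
    if data.startswith(MAGIC_SUPPORTED):
        try:
            return zlib.decompress(data[len(MAGIC_SUPPORTED):])
        except zlib.error:
            return None
    return None

def scan(data: bytes, use_unpacker: bool):
    """Scan as-is; if nothing matches and unpacking is enabled, unpack and
    scan the restored body. An unknown packer leaves the engine blind."""
    hit = scan_signatures(data)
    if hit is not None or not use_unpacker:
        return hit
    original = unpack(data)
    return None if original is None else scan_signatures(original)

# Constructed sample file: filler bytes around the signature, as in a binary.
SAMPLE = b"MZ" + b"\x00" * 32 + SIGNATURES["Demo.Trojan"] + b"\x00" * 32

if __name__ == "__main__":
    packed, unknown = pack_supported(SAMPLE), pack_unsupported(SAMPLE)
    print(scan(SAMPLE, False), scan(packed, False), scan(packed, True), scan(unknown, True))
```

Run as a script it prints `Demo.Trojan None Demo.Trojan None`: the same file is caught plain, missed once packed, caught again when the engine can unpack it, and missed again behind a packer the engine does not know.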

Sumire
January 18th, 2004, 10:20 AM
Hi Tan,

I'm also new to computer security, and I'm also studying what an unpacking engine is. These are the URLs I bookmarked.

- What is an unpacking engine? (What is a runtime packer?)

http://www.dslreports.com/forum/remark,7234694~root=security,1~mode=flat

- Why is it so important for an AV to detect malware such as trojans and backdoors?

http://home.arcor.de/scheinsicherheit/example.htm
The above URL may answer your question a little.
(Thank you Nautilus, I've learned a lot from your site.)

- Why can't an AV with a poor unpacking engine detect a trojan when it executes/installs, or detect it once the trojan is already installed?

http://www.security-forums.com/forum/viewtopic.php?t=8298&sid=fb214bc36c6c46cc19c23f7772da0fd1
I think the above tutorial is very good for finding unknown backdoors.

If you are completely new to the trojan scene, the paper below is also worth reading.
http://neworder.box.sk/newsread.php?newsid=6298

I hope those URLs help you too. :)
Best Regards.

Tan
January 18th, 2004, 10:21 PM
WOW !!!!! :D

All your answers are what I've been searching for, thanks for all responses.

I have some additional questions:

- How/where can I find out about the unpacking engine ability of each AV? Is there any comparative test out there?

- Does an AV's on-access scanner use the same unpacking engine ability as its on-demand scanner?

Please correct me if I'm wrong, but I assume that when an AV has an extra-fast on-access/on-demand scanner compared to the normal pace, this may be a clue about a poor unpacking engine. Is this right?

Thanks

wizard
January 19th, 2004, 02:13 AM
> Tan wrote:
> - How/where can I find out about the unpacking engine ability of each AV? Is there any comparative test out there?

Look at the tests at http://www.rokop-security.de and on the "Scheinsicherheit" site (see the link in Sumire's posting).

> - Does an AV's on-access scanner use the same unpacking engine ability as its on-demand scanner?

Normally yes.

> Please correct me if I'm wrong, but I assume that when an AV has an extra-fast on-access/on-demand scanner compared to the normal pace, this may be a clue about a poor unpacking engine. Is this right?

Unpacking takes some time, but there are other examples like NOD32, which uses unpacking and is still faster than some products that don't use unpacking at all. So I wouldn't count just on the speed argument.

wizard