Self extracting archives and packed exe files

Discussion in 'other anti-virus software' started by mwb82, Mar 19, 2002.

Thread Status:
Not open for further replies.
  1. mwb82

    mwb82 Registered Member

    Joined:
    Mar 19, 2002
    Posts:
    3
    I spent the last couple of days evaluating several anti-virus programs and was surprised to see that only two of them were actually able to unpack and scan most self extracting archives and packed exe files.  Unfortunately, both programs use the same scan engine and are quite expensive.

    Is anybody aware of a DOS or Windows utility that can identify self extracting archives and packed exe files?

    Also, is there a tool to unpack packed exe files without actually executing them?

    Finally, is it possible to unpack Microsoft Installer files (*.msi) so that they can be scanned?

    Thanks.

    Regards,
    Martin
     
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    F-Prot for DOS can scan some self-extractors and some setup files. I am not sure if it also scans *.msi files but it is free so you can test it. :)

    http://www.complex.is

    When it comes to unpacking and scanning packed *.exe files, Kaspersky Anti Virus seems to scan most packer and setup types.

    wizard
     
  3. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I believe WinZip can do this.
     
  4. mwb82

    mwb82 Registered Member

    Joined:
    Mar 19, 2002
    Posts:
    3
    By reading the last response I get the impression that my initial posting wasn't clear enough.

    I understand that most packers like WinZip, PowerArchiver, WinRAR are able to convert self extracting *archives* to regular archives.

    The question was about compressed/encrypted *executables* which usually contain programs and not archives. See http://www.aspack.com/ as an example for a compressor (ASPack) and an encryptor (ASProtect). The point here is that the virus code is compressed/encrypted in the executable file and will therefore not be found by the on-demand AV scanner unless it gets somehow uncompressed/decrypted.
     
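    The point made above, that the malicious code stays compressed or encrypted inside the executable until something unpacks it, is what a packer-identification check keys on. The following is an added example, not code from the thread or from any product named in it: it parses the PE section table, flags section names that ASPack and a few other packers leave behind (an assumed, non-exhaustive list), measures per-section entropy, and notes empty writable+executable sections that an unpacker stub fills at run time; `build_sample_pe` constructs a minimal test image inline so the script runs offline.

```python
import math
import struct
from collections import Counter
# Section names written by common packers (ASPack is named in the thread); assumed list, not exhaustive.
PACKER_SECTION_NAMES = {b".aspack", b".adata", b"UPX0", b"UPX1", b".petite"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); compressed or encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes, characteristics) for every section of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature (plain 16-bit DOS executable?)")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    _m, num_sections, _t, _s, _n, opt_size = struct.unpack_from("<HHIIIH", image, coff)
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        yield name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size], chars

def packer_indicators(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Return the reasons this file looks packed; an empty list means none were found."""
    reasons = []
    for name, raw, chars in pe_sections(image):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {name!r}")
        ent = shannon_entropy(raw)
        if len(raw) >= 256 and ent > entropy_threshold:
            reasons.append(f"section {name!r} entropy {ent:.2f}")
        # writable+executable section with no bytes on disk: the unpacker stub fills it at run time
        if not raw and chars & 0xA0000000 == 0xA0000000:  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
            reasons.append(f"empty RWX section {name!r}")
    return reasons

def build_sample_pe(sections) -> bytes:
    """Constructed test fixture: a minimal, non-runnable PE from (name, data, flags) tuples."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # no optional header
    table, body, ptr = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, chars)
        body, ptr = body + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + table + body
```

    Entropy alone is only a hint (encrypted resources and real archives also score high), so the names and the empty RWX section are reported separately for a human to weigh.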
  5. mwb82

    mwb82 Registered Member

    Joined:
    Mar 19, 2002
    Posts:
    3
    Actually, I've been using F-Prot for a couple of years now and like it. I've also managed to have the fp-def.zip and macrdef2.zip signature files updated automatically via AutoFTP.

    According to a test done by a German university http://www.av-test.org/sites/tests.php3?lang=en, F-Prot only supports 16-bit packed executables (DOS) but not 32-bit. (The test covers F-Prot for Windows but I assume that the scan engine is the same as in the DOS version).

    Another reason why I'm looking for a second AV program is that F-Prot for DOS only scans inside .ZIP and .ARJ files. There's no support for .LZH and .RAR archives, as well as self-extracting archives. (This information can be found in the COMMAND.TXT file that comes with F-Prot, see /ARCHIVE option).

    Yes, I think that's true. Still I don't like KAV as it is kind of expensive and slow. The latest release, 4.0 Personal Pro, uses a lot of system resources so that they decided to put a warning on the download page to prevent existing 3.x users from upgrading ...
     
  6. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Sorry, I got it wrong. :) Okay, this time I have no good news for you. Kaspersky Anti Virus has without any doubt the best unpacking engine. McAfee is also very good (but also very slow) at unpacking compressed files.

    I am sorry to hear that you have problems with the new Kaspersky release. It is a little bit slower than the old release, but on my computer (Celeron 433/256 RAM) it performs acceptably for me.

    Only very few packers have an unpacking feature, so downloading packers and unpacking files on your own will mostly fail. At least KAV detects more than 120 types.

    KAV Personal Pro is very expensive. The Personal version is much cheaper and will fit almost all the needs of a home user. An alternative may be EScan, which uses the Kaspersky engine. You will find more information at http://www.mwti.net

    wizard
     