The best unpacker ever?

Discussion in 'other anti-virus software' started by Firefighter, Mar 8, 2003.

  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Hi everyone!

    Is F-Secure the best unpacker ever when it has the F-Prot engine too? In the Rokop AV test, we can see that the only packer (packer 11) that KAV couldn't unpack was the only one that F-Prot could unpack (2/6)?

    See the link below.

    http://www.rokop-security.de/main/article.php?sid=494

    When F-Secure has the Kaspersky, F-Prot and Orion engines, one could think that it is the best unpacker ever! :D

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    I don't think that FP-Win could unpack these two files. To me it looks like they already added additional signatures for these packed variants.
    Therefore F-Secure does not have a better unpacking result than KAV.

    Also, the Rokop test had one limitation. I think the result of DrWeb would have been better if the malware had been executed, due to the fact that DrWeb scans process memory. Scanning process memory is another way to deal with packed malware. Most current anti-trojan programs like TrojanHunter or TDS-3 do this instead of using unpacking engines.

    wizard
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I used F-Secure for about six months last year (the last version, not the current one).
    One day I decided to download and check all of the packed EICAR test versions. I think there were five or six packed ones and just the plain EICAR test file.
    When I scanned the folder they were in with F-Secure, it missed two of the packed versions. Don't ask I don't remember.
    I was upset with that result, so I reinstalled my AVP 3.5, and it caught every one.
    Scientific? No, it's just what happened on my machine.
    I remember asking the people here how that could be, and no one ever came up with a good answer, other than someone said F-Secure did not use all of the same unpacking engines of AVP.
    I firmly believe that due to the nature of Windows and different hardware/software configurations that no one can make a statement about how well a program will perform on every machine out there with 100% accuracy.
    I therefore keep an eye on as many tests as I can, and try to find the programs that consistently do well on many tests as opposed to which one scores at the top of one or two tests.
    KAV, RAV, DrWeb, Sophos, NAV, and even McAfee almost always do well. NOD32 is not widely tested.
    F-Secure and a couple of others also perform well on many tests, but not so good on others.
    I'm not trying to sell anybody on anything. I'm not interested in everyone believing in my methods of making choices.
    I'm just adding my experience to the pot. FWIW. :D
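The two posts above touch the three approaches a scanner can take to a packed sample: match a signature on the raw file (which misses anything the packer has transformed), unpack known container formats before matching (which needs one engine per packer and a depth limit), or scan memory after the sample's own stub has unpacked itself. The following Python script is an added illustration, not code from the thread or from any of the products discussed. It uses the standard EICAR test string, which is what root's packed test files contained, and stands in zlib and zip containers for "packers"; the function names (signature_scan, unpacking_scan, memory_scan), the MAX_DEPTH limit and the sample set are all constructed for the example.

```python
"""Added example: why a byte-signature scanner needs an unpacking layer,
and where that layer gives up. Constructed demo, not from the thread."""
import io
import zipfile
import zlib

# The standard 68-byte EICAR test string. It is split in two here only so
# that this script itself is not flagged by an on-access scanner.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

SIGNATURES = {"EICAR-Test-File": EICAR}   # name -> byte pattern (constructed)
MAX_DEPTH = 4                             # how many packer layers we will peel


def signature_scan(data):
    """Plain byte-signature match with no unpacking: what a scanner does for a
    packer it has no engine for. Returns the sorted list of signature names."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def unpack_once(data):
    """Peel one known container layer and return its payload(s), or [] if the
    data is not a container we recognise. Each branch stands in for one
    packer-specific unpacking engine."""
    if data[:2] == b"PK":                         # zip local file header magic
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [zf.read(n) for n in zf.namelist()]
        except zipfile.BadZipFile:
            return []
    if data[:1] == b"\x78":                       # zlib CMF byte for deflate, 32K window
        try:
            return [zlib.decompress(data)]
        except zlib.error:
            return []
    return []


def unpacking_scan(data, depth=0):
    """Scan the raw bytes, then recursively peel containers up to MAX_DEPTH.
    A sample packed more times than that is missed, just like a packer with
    no engine would be."""
    hits = set(signature_scan(data))
    if depth < MAX_DEPTH:
        for inner in unpack_once(data):
            hits.update(unpacking_scan(inner, depth + 1))
    return sorted(hits)


def run_packed_stub(packed):
    """Stand-in for a packed executable's stub: at run time it decompresses
    its payload into memory. A memory scanner looks at this buffer instead of
    the file on disk, so it needs no per-packer engine, but only after the
    sample has been executed."""
    return zlib.decompress(packed)


def memory_scan(packed):
    return signature_scan(run_packed_stub(packed))


def nested_sample(layers):
    """EICAR wrapped in `layers` zlib layers (constructed sample)."""
    data = EICAR
    for _ in range(layers):
        data = zlib.compress(data, 9)
    return data


def build_samples():
    """Constructed test set: plain EICAR plus three 'packed' variants."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    zip_packed = buf.getvalue()
    return {
        "plain": EICAR,
        "zlib": zlib.compress(EICAR, 9),
        "zip": zip_packed,
        "zlib(zip)": zlib.compress(zip_packed, 9),   # two different packers nested
    }


if __name__ == "__main__":
    samples = build_samples()
    for name, sample in samples.items():
        print(f"{name:10} signature-only={signature_scan(sample)} "
              f"with-unpacking={unpacking_scan(sample)}")
    print("memory scan of zlib-packed stub:", memory_scan(samples["zlib"]))
    print(f"{MAX_DEPTH} layers:", unpacking_scan(nested_sample(MAX_DEPTH)),
          f"| {MAX_DEPTH + 1} layers:", unpacking_scan(nested_sample(MAX_DEPTH + 1)))
```

Running it shows the raw-signature scan catching only the plain file, the unpacking scan catching all four samples (including the zip nested inside zlib), and the memory scan catching the zlib-packed one without knowing anything about zlib. The last line is the caveat behind both posts: one layer past MAX_DEPTH the unpacking scan returns nothing, which is the same outcome as a packer the product has no engine for, and the usual reason vendors fall back to adding signatures for the packed variant instead.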
     