Which AT's unpack, & which do NOT?

Discussion in 'other anti-trojan software' started by bellgamin, Apr 13, 2003.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    *Brainwashing is NOT the problem. Ignorance & apathy are. This leads me to wonder...

    Question- In evaluating one's needs for security software, which is worse -- ignorance or apathy?

    Answer- "I don't know & I don't care!" :D
    ~~~~~~
    But seriously, folks, I ran across THIS Jan 2003 AV test -- probably in one of Technodrome's excellent posts.

    I have 3 questions...
    #1- Am I correct in thinking that the test is an evaluation of AV's with respect to their unpacking proficiency?

#2- If so, does anybody have a theory as to why such tests usually assess the proficiency of AV's versus trojans, but RARELY assess the proficiency of AT's versus trojans? o_O

    #3- If the table I have linked to was likened to a horse race, would I be *wrong* in saying, that, "As the AV's round the club-house turn, RAV is under the whip & is definitely closing the gap on the leaders?" :cool:

    peace unto all.......bellgamin
     
  2. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
It's outdated but a pretty good post. Wonder what it would look like now with GAV up in there in its current beta stage. I bet it would surprise you lol
     
  3. I have experienced, many times, Dr. Web finding and blocking viruses *upon unpacking* that were packed with compression routines that were unknown to Dr. Web, and that were passed as "clean" by Dr. Web on demand scanner.

    Likewise, NAV (Norton) will detect and block a compressed virus *upon unpacking*, before it is executed, as will most other good AVs.

    Yes, an *on demand scanner* can be detection-fooled by a compressor, but the *unpacked* virus's *payload* is nevertheless blocked, so the benefit or not of unpacking by an AV is debatable. In my opinion it is marketing hype, i.e. "brainwashing".

    dbg
     
  4. In that case you must take no notice of me, and use GAV. You are the famous MR. BLAZE, while I am only a lowly regarded (but highly paid) peasant charged with overlooking the security of 12,000+ computers by my government, so it is clear that you are much smarter than me. :)
     
  5. xor

    xor Guest

I am VERY GLAD that you do not protect my government :D
    You do not even know what we are speaking about here, or how else do you explain my screenshot here?
    This is the example Firewar.exe - it's detected by NAV uncompressed.
    Then pack it with UPX or ASPack or whatever and start it - see the result in the screenshot :D
    This could also be a trojan with a "NAV Shutdown Feature" :D

    But go on, protect the whole world with your knowledge :D :D :D
     

Attached Files:

    • yeah.jpg (29.1 KB)
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    die blau ganz,
    > Likewise, NAV (Norton) will detect and block a compressed
    > virus *upon unpacking*, before it is executed
    I'm not going to get into a debate with you, but the technique you describe can only be performed when the user tries to execute the file. Unpack engines allow the scanner to scan 'inside' the packed file without executing it, which is a lot safer than executing the file to see if it's dangerous. There's no reason NOT to have this advantage, so I find your argument flawed.
     
  7. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
:D Ok Andreas :eek: oh sorry I mean ummmmm die blau ganz lol sorry, mixed you two up

    It's ok ganz, Blaze pats you on the shoulder lol, you're trying and that's all that counts around here

    Me famous wow that's cool, you want my autograph lol, it's no biggy, how about a shot of me with you and my big wooden spoon doing what I do best lol.

    Anyhow I wish your government and you all the luck, and at least you have money, that's good

    I'm happy for you, and yes not all can read at a 4th grade level yet, still with the handicap of blindness and poor grammar, outsmart you, but I'm BLAZE LOL

    :D thank you lol thank you huggggggggggggg
     
  8. anvil

    anvil Guest

    @die blau ganz

    As xor already presumed, you obviously don't really know what we are talking about:
    our topic are not archives like Zip, Rar,... (which are indeed no problem for on-access scanners), but runtime packers, which are unpacked directly into RAM upon execution, so that on-access scanners without unpack engine have no chance to scan the file in its "original", unpacked form.

    If you speak german, you can get more info, including special AV/AT tests, here:
    http://return.to/scheinsicherheit
     
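The distinction anvil draws above (runtime packers that unpack into RAM on execution, versus archives an on-access scanner handles fine) is exactly what a defender has to triage for: which files need a scanner with an unpack engine, or execution-time monitoring, rather than a signature-only on-demand scan. The following is an added example, not code from the thread or from any of the products it discusses; it parses the PE section table and flags well-known packer section names and high-entropy (compressed) sections. The packer name list and the 7.0-bit entropy threshold are illustrative assumptions.

```python
# Added example: a defender-side heuristic for spotting runtime-packed PE files,
# so they can be routed to an unpack-capable scanner instead of being passed as
# "clean" by a signature-only on-demand scan.  Assumed values: the packer
# section names below and the 7.0 bits/byte entropy threshold.
import math
import struct

# Section names left behind by common runtime packers (UPX, ASPack); assumed,
# not exhaustive.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random/compressed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section; checks only the MZ/PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header follows
    fields = struct.unpack_from("<HHIIIHH", image, coff)
    num_sections, opt_size = fields[1], fields[5]
    table = coff + 20 + opt_size             # section table follows optional header
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]

def looks_packed(image: bytes, entropy_threshold: float = 7.0):
    """Return the list of packing indicators found (empty list = none)."""
    reasons = []
    for name, data in pe_sections(image):
        label = name.decode(errors="replace")
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {label}")
        h = shannon_entropy(data)
        if data and h >= entropy_threshold:
            reasons.append(f"high entropy {h:.2f} in section {label}")
    return reasons

def build_sample_pe(sections):
    """Construct a minimal, non-executable PE image (test input only) from (name, data) pairs."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = 0x40 + 4 + 20 + 40 * len(sections)   # first byte after the headers
    table, bodies = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data
        raw_ptr += len(data)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + table + bodies
```

A zero-hit result only means no indicator fired; the heuristic is a triage aid for deciding which files need an unpack engine or execution-time scanning, not a verdict.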
  9. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Kinky shirt you got there Mr Blaze

    GOT GAY :eek:
     
  10. adiel

    adiel Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    37
    To xor
this firewar.exe is a dumb thing...maybe it worked with older versions of firewalls...it doesn't do anything now...i was running zonealarm 3.1...i downloaded this file from a website..ran it and it showed me msg "zone alarm not running"
    i checked..and zonealarm was running fine...i checked it with steve gibson leak test utility...so this firewar.exe is nothing.

    secondly...you should speak a little bit more politely to someone who is only giving his idea..not attacking you personally..if die blau ganz...is doing a job which he mentioned..do you think he is just crazy and knows nothing about these security things? o_O
    even if you don't agree....unless he is attacking you personally...you shouldn't be saying things like this that "I am VERY GLAD that you do not protect my government"

    it sounds as if you are degrading him, that he doesn't deserve this job....that's not a good thing to do.
     
  11. Vampirefo

    Vampirefo Guest

    Hi die blau ganz,
Seeing you are in charge of your company's computers, you need to learn the difference between a compressed file and a packed file. Most AVPs can decompress compressed files; not all can unpack packed files. NAV for one can't.
     
  12. Vampirefo

    Vampirefo Guest

    Hi adiel,
firewar.exe was just a safe file I chose to post, a packed version and an unpacked version, so people could see if their AVP could unpack it. NAV can't, that's why xor is showing the pic of it.

    He ran the packed version, and NAV did nothing to stop it. Had it been a real Trojan with AVKiller technology, e.g. programmed to kill NAV, NAV would have died without being able to detect the Trojan.
     
  13. adiel

    adiel Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    37
actually i downloaded it about 2 months ago from another website..the author claimed it will kill all firewalls..and it did nothing..that's why i said it does nothing.
    i downloaded those 2 files that you posted but didn't run these 2..just checked with my AVP...and both were detected.
     
  14. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
lol what no no it's got gav lol got gav not got gay lol right click on picture, do properties, check right click on box and select all

    right click again select copy now paste url into your browser go or search lol see got gav
     
  15. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    here lol looky click here http://thequintessentialq.freeservers.com/Blaze/gotgav2.jpg
     
  16. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    :) I know Mr Blaze lol Its cool

    Its a mixed up shook up world lol lola :rolleyes:
     