AVs and unpack engines

Discussion in 'other anti-virus software' started by Firecat, Feb 8, 2012.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Years ago, right here on Wilders, I remember there used to be heavy discussion about file type recognition and scanning of runtime-compressed files by various AVs (and archives, too). I also remember there used to be several tests by evangelists that would try to look at which AV had the best unpack engine (some had generic emulation, etc.).

    The last time I remember seeing such a test was 2005 and at that time Kaspersky, Dr.Web and BitDefender were the leaders (if my memory serves me well).

    This type of test has disappeared completely these days. Is it a non-issue now? Do *all* AVs today have the same level of unpack ability and file type recognition?
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I would suspect those companies to still be the best for that, but I don't think that the threats today are the same as they were then. I think rather than pack malware these days, they just try to get out new variants as fast as possible to try to beat signature updates.
     
  3. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://blogs.cisco.com/security/malware_validation_techniques/

    http://blogs.cisco.com/security/a_brief_history_of_malware_obfuscation_part_2_of_2/

    But maybe threat landscape and detection methods and capabilities have changed more recently?
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I was basing that on what I have encountered, which, really, has been almost nothing. :doubt:
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    That's a very good subject. I'll try to make some tests if I get some spare time, which I don't actually have :-s
     
  6. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi

    Sorry, I am not an evangelist, but I've done such tests privately: instead of looking for the highest detection rate result, I was more interested in looking for the highest score in evasion/bypass resistance tests (attack angle).
    Tests done with 5 popular malwares and thousands of variants (packers, crypters, junk file insertion, sequence modification, etc.), inside various archives...
    And Firecat's list is not far from my own: BitDefender, KAV, Avira, Dr.Web, Panda, NOD32 for the most significant results.

    Eric Filiol regularly publishes this kind of test in Misc Mag (here is an example with Dr.Web: http://www.ed-diamond.com/feuille_misc38/index.html ).

    I've recently published a kind of advisory (just for fun!) to point out that most AVs on the market do not support recent archive file types:
    https://www.wilderssecurity.com/showthread.php?t=317582

    As AV devs can't keep up with such trivial evasion methods, how can they be up to date with the high number of armoring tools released each day?

    Rgds
     
  7. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    For products that have a good real-time behavioral engine like Norton SONAR, I think unpacking capability is irrelevant. They don't need to do any unpacking; rather, they just wait and watch for suspicious behaviors.
     