AVs and unpack engines

Years ago, right here on wilders I remember there used to be heavy discussion about file type recognition and scanning of runtime compressed files of various AVs (and archives, too). I also remember there used to be several tests by evangelists that would try to look at which AV had the best unpack engine (some had generic emulation, etc.)

The last time I remember seeing such a test was 2005 and at that time Kaspersky, Dr.Web and BitDefender were the leaders (if my memory serves me well).

This type of test has disappeared completely these days. Is it a non-issue now? Do *all* AVs today have the same level of unpack ability and file type recognition?

 

I would suspect those companies to still be the best for that but I don't think that the threats today are the same as they were then. I think rather than pack malware these days they just try to get out new variants as fast as possible to try to beat signature updates.

 

http://blogs.cisco.com/security/malware_validation_techniques/

http://blogs.cisco.com/security/a_brief_history_of_malware_obfuscation_part_2_of_2/

But maybe threat landscape and detection methods and capabilities have changed more recently?

 

I was basing that on what I have encountered, which, really, has been almost nothing.

 

That's a very good subject. I'll try to make some tests if I get some spare time, which I don't actually have :-s

 

hi

Sorry, i am not an evagelist, but i've done private such tests: instead of looking for the highest detection rate result, i was more inrersted in looking for the the highedts score in evasion/bypass tests resistance (attack angle).
Tests done with 5 popular malwares and thousands variants (packers, crypters, junk file insertion, sequence modification, etc), inside various archives...
And Firecat list is not far from my own: Bitdefender, Kav, Avira, DrWeb, Panda, Nod32 for the more significative results.

Eric Filiol regurlalrly publish this kind of tests in Misc Mag (here an example with DrWeb: http://www.ed-diamond.com/feuille_misc38/index.html ).

I've recently published a kind of advisory (just for fun!) to point out that most av on t he market do not support recent archive type file:
https://www.wilderssecurity.com/showthread.php?t=317582

As AVs Devs can't follow such trivial evasion methods, how can they be up to date with the high number of amoring tools released each day?

Rgds

 

For products that have a good real-time behavioral engine like Norton SONAR, I think unpacking capability is irrelevant. They dont need to do any unpacking, rather just wait and watch for suspicious behaviors.