Best unpacking AV???

Discussion in 'other anti-virus software' started by Alite, Jul 2, 2005.

Thread Status:
Not open for further replies.
  1. Alite

    Alite Guest

    Which AV has the best detection against runtime packers? Can they be detected with an AV that has better heuristics or a better unpacker? And how do the top name-brand AVs compare in real-time memory scanning?
     
  2. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    It is hard to say... but if an AV has a great, strong and sophisticated heuristic engine it should be good, 'cause then the AV is able to detect malware in potentially unknown runtime packers. But there are not so many antivirus programs with such advanced heuristics, so they really need a good unpacker.
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Kaspersky probably has the best unpacker going. ;)
     
  4. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Yeah, this may be the truth. But for example, NOD32 can "unpack" runtime packers with its heuristic engine..
     
  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I will take definitions over heuristics for now
     
  6. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Best to have both.
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I definitely do use both ;) with eTrust R 7.1 corporate antivirus
     


  8. derway

    derway Registered Member

    Joined:
    Jun 29, 2005
    Posts:
    15
    For instance, I have a bunch of old Mozilla mail archives. Several have old viruses and trojans like joke.exe..

    KAV finds every single one, first time every time.

    NOD says it is searching the file. Spends a long time at it, and says it is clean. Yes, this is with max heuristics.
     
  9. edition

    edition Guest

    Which is better against runtime packers, KAV or Ewido?
     
  10. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    Now you are trying to compare an antitrojan against an antivirus. These are completely different programs.
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Among AVs, I agree that KAV probably has the best unpacker. BitDefender might be second. :)
     
  12. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    VBA32 has a very powerful generic unpacker.
     
  13. .?.-.?.

    .?.-.?. Guest

    1.
    Kaspersky & clones: best static unpacking engine.

    Pro: supports MANY packers/compressors/crypters/protectors.

    Con: can be easily fooled by minor variations of the unpacking stub.

    2.
    NOD32, Ewido: generic unpacking engine (emulation).

    Pro (in theory): no exact signatures of unpacking stub are required in order to determine the packer and apply the matching static unpacking routine. By contrast, it is sufficient that the emulation detects that the target is compressed/crypted etc. Consequently, it is not possible to "fool" an emulation by a minor modification of the unpacking stub of a well-known compressor like UPX.

    Con: emulation does not handle as many packers as Kaspersky's static unpacking engine. Tobias Graf (from Ewido) will speak at VB2005 about the concept of a generic unpacking engine ( http://www.virusbtn.com/conference/vb2005/abstracts/tobiasgraf_andreasrudykTechFri1400.xml ). Hopefully, he will also tell the people how an emulation can handle:

    - loops (which exploit the speed disadvantage of an emulation)
    - anti-emulation code (which stops the execution of a target if it detects that it is executed in a virtual environment)
    - and much more ...

    3.
    In addition to the use of a static or generic unpacking engine scanners may use heuristics (in order to detect suspicious modifications of a compressed target etc.) or signatures from uncompressed parts of a target (e.g., the resource section). You may also try to pick additional signatures from compressed targets if you do not have an unpacking engine at all ... ;-) And, of course, you may use a memory scanner.
     
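The static-versus-heuristic contrast in the post above, as an added example that is not code from this thread or from any product named in it. The script builds three constructed PE files (a "packed" one, a variant whose stub differs by one byte and whose sections are renamed, and a plain one), then runs two checks over each: an exact byte match against an unpacking-stub signature, and signature-free indicators (packer section names, a section that is empty on disk but large and RWX at runtime, an executable section with near-8-bit entropy). The stub bytes, section layouts and filler data are constructed; the UPX0/UPX1 section names and the IMAGE_SCN_* flag values are the real ones from UPX and the PE/COFF specification.

```python
import hashlib
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
# Constructed stand-in for an unpacking-stub byte signature (not any real packer's stub).
STUB_SIGNATURE = b"\x60\x90STUBv1\x61"


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_pe(sections):
    """Assemble a minimal PE32 file from (name, virtual_size, raw_bytes, characteristics)."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 0xE0
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_len = -(-hdr_len // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<II", opt, 32, sect_align, file_align)  # SectionAlignment, FileAlignment
    table, raw, va, ptr = bytearray(), bytearray(), sect_align, hdr_len
    for name, vsize, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw_size,
                             ptr if raw_size else 0, 0, 0, 0, 0, chars)
        raw += data.ljust(raw_size, b"\0")
        va += -(-max(vsize, raw_size) // sect_align) * sect_align
        ptr += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(hdr_len, b"\0") + bytes(raw)


def parse_sections(image):
    """Walk the section table; one dict per section, including its raw-data entropy."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", image, pe + 20)[0]
    out = []
    for i in range(nsect):
        name, vsize, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        data = image[rptr:rptr + rsize] if rsize else b""
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                    "raw_size": rsize, "chars": chars, "entropy": shannon_entropy(data)})
    return out


def matches_stub_signature(image):
    """Static approach: exact byte match against a known unpacking stub."""
    return STUB_SIGNATURE in image


def packer_heuristics(sections):
    """Signature-free indicators that the target is compressed or encrypted."""
    findings = []
    for s in sections:
        if s["name"] in ("UPX0", "UPX1"):                      # section names UPX really uses
            findings.append(f"{s['name']}: packer section name")
        if s["raw_size"] == 0 and s["vsize"] >= 0x1000 and s["chars"] & RWX == RWX:
            findings.append(f"{s['name']}: empty on disk, large RWX at runtime (unpack destination)")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:
            findings.append(f"{s['name']}: executable section with entropy {s['entropy']:.2f}")
    return findings


def assess(image):
    return {"stub_match": matches_stub_signature(image),
            "heuristics": packer_heuristics(parse_sections(image))}


def high_entropy_bytes(n):
    """Deterministic filler (chained SHA-256) standing in for compressed code."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


# Constructed samples. The "variant" is the packed file with one stub byte changed and
# its sections renamed: enough to break the exact match, not the structural indicators.
UNPACK_DST = IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX
PACKED_CODE = IMAGE_SCN_CNT_CODE | RWX
PLAIN_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
packed_body = high_entropy_bytes(0x1200 - len(STUB_SIGNATURE)) + STUB_SIGNATURE
PACKED = build_pe([("UPX0", 0x8000, b"", UNPACK_DST), ("UPX1", 0x2000, packed_body, PACKED_CODE),
                   (".rsrc", 0x200, b"constructed resource data", DATA)])
VARIANT = build_pe([("SEC0", 0x8000, b"", UNPACK_DST),
                    ("SEC1", 0x2000, packed_body[:-1] + b"\x62", PACKED_CODE),
                    (".rsrc", 0x200, b"constructed resource data", DATA)])
BENIGN = build_pe([(".text", 0x800, bytes(range(0x40, 0x60)) * 64, PLAIN_CODE),
                   (".data", 0x200, b"hello", DATA)])
```

Running `assess()` over the three samples shows the trade-off the post describes: the packed file trips both the stub match and the heuristics, the one-byte variant defeats the stub match but still shows an empty RWX section and a high-entropy executable section, and the plain file triggers nothing. The entropy threshold and section-size threshold are tuning choices; real engines combine many more such indicators with the signature approach rather than replacing it.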
  14. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Runtime packers and mail archives are two very different things.
     
  15. Nika

    Nika Registered Member

    Joined:
    Apr 20, 2005
    Posts:
    27
    I agree with this, NOD32 won't find viruses in Mozilla Mail Archives!

    As for KAV: best unpacker, BitDefender second best. avast! seems good at unpacking too
     
  16. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I don't think avast! is too good in unpacking compared to KAV or BD, but they are certainly the best of the free ones. And constantly improving (latest additions were FSG and MEW + a few others) and the new version coming in a week or two is again promising better packer support.

    I also agree that KAV has the best unpacker engine.
     
  17. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Ok, but if you use IMON for scanning POP3, there cannot be any viruses in Mozilla Mail Archives...
     
  18. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    KAV has a pretty weak detection of stubs, that is true, but that is not necessarily a disadvantage for every static unpacker. Interestingly enough, KAV fails to detect ASProtect and Armadillo reliably even if it's able to unpack that variant of the protector (unmodified samples).

    The main disadvantage is the speed and the only reason Ewido is fast is that they are using assembler and only work on x86 32 bit Intel platforms. An emulation with the same speed on 64 bit SPARC Solaris would impress me much more. ;-)
    Ewido fails to unpack almost every anti-debugging protector I tested (PE-Shield, telock, PE-Lock32, UPC, Krypton, YodaProt and so on). The problem is not code that detects emulation, actually no one is doing that. The problem is to 100% mirror the OS structures/behaviour like SEH, PEB, KERNEL32.DLL. And you can easily increase the difficulty. Try to emulate Armadillo, SVKP or Molebox.
    The malware authors seem to have noticed this; in the last few weeks and months you could notice a slow increase in usage of the mentioned protectors. Which will basically make emulation useless at some point if the trend continues. The AV scan engines are losing the race already, I fear.
     
  19. .?.-.?.

    .?.-.?. Guest

    @Skeeve

    This is a rare event. It seems that we more or less agree with each other ;-)

    Your last comment ( "The AV scan engines are losing the race already I fear." ) is interesting. What do you recommend to do?

    Will AntiVir support memory scanning? Should AV scanners support this technique at all? Does it make sense to use an IDS (like a2 does)?
     
  20. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Get some AV/AT products which have: good static unpackers, good emulation, good heuristics and a good behaviour blocker.

    Memory scanning has advantages and disadvantages. Rootkits are evolving too fast into a state where memory detection is too much a pain. It would be better to prevent the "installation" of malware (rootkits) instead of trying to detect them in memory when they already have full control on the system (that's why I don't think Blacklight is a good idea).
    A behaviour blocker is a good idea, especially to counter Armadillo/SVKP/... packed malware. The idea of A² IDS is good, the implementation is bad (usermode, rules etc.). Behaviour Blocking is a client side feature and considered too hard to handle for normal users by many AV companies, that's why there aren't more products with a good behaviour blocker - yet. The increasing number of malware which cannot be unpacked/emulated (fast enough) will maybe change their mind.
     
  21. .?.-.?.

    .?.-.?. Guest

    @Skeeve

    Just a few more comments:

    1.
    I am still not convinced that KAV can unpack ANY new Armadillo versions at all. I would guess that they partly rely on signatures taken from the resource section so that it *seems* that Armadillo can be unpacked. Have you ever seen an unpacked Armadillo sample in KAV's temp folder? This would be the proof ...

    2.
    "Rootkits are evolving too fast into a state where memory detection is too much a pain. It would be better to prevent the "installation" of malware (rootkits) instead of trying to detect them in memory"

    I think that a memory scanner does not need to detect rootkits. Instead the system firewall needs to prevent the installation of rootkits. A mem scanner is still a good idea to detect "normal" compressed/crypted trojans.

    3.
    The idea of A² IDS is good, the implementation is bad (usermode, rules etc.).

    I am not so sure whether it is necessary to use a kernel mode IDS. Again: the protection of the IDS, the scanner, the firewall etc. is the responsibility of the system firewall. Why not use ProcessGuard in order to protect an AV like Kaspersky or NOD32, an AT like Ewido, a firewall and the a2 IDS? It does not make sense if each application goes kernel-mode. This will only increase conflicts.
     
  22. Inf

    Inf Guest

    Yes, that's my opinion too ^^
     
  23. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    You are right, speed is one of the disadvantages of generic unpacking using emulation. It was a real problem until we improved performance quite a lot by adding dynamic code translation, but scanning performance on packed samples is still slower than when using static unpacking. But generic unpacking is much more versatile; for example there is a good chance that newer versions of executable packers or protectors can be unpacked correctly with no changes at all, while static unpacking would require adding new decompression routines.

    About SPARC and Solaris. After Apple decided to switch to Intel, it looks like x86 (amd64) will remain the dominating architecture in the foreseeable future :)

    Actually, SEH is not a big problem. We are unpacking a lot of protectors from your list using emulation and generic unpacking (except PE-Shield and the latest versions of YodaProt, but they should be supported soon). Molebox is not too hard to unpack either (but we tested only trial versions, maybe the full version has more antidebugging tricks). SVKP is a real problem as it uses drivers and also it requires quite a lot of time to unpack when run on a real processor, not to mention emulation.

    Well, emulation has proven to be very efficient for unpacking ordinary packers (designed only to reduce executable size) and low to middle level protectors. Heavyweight protectors like SVKP or XPROTECTOR are a real problem. But they are very inconvenient for the users too (use drivers - sometimes cause bluescreens, also they only work for the users with administrator privileges). Any program protected with such monsters is a potential malware so maybe antivirus can issue some alert in this case and let the user decide what to do.
     
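The generic-unpacking idea that .?.-.?., Stefan Kurtzhals and Siarheika discuss above (emulate the packer's stub, stop when execution enters memory the stub itself wrote, scan the dumped code), as an added toy model that is not code from this thread, from Ewido or from any other product named here. The virtual machine, its nine-opcode instruction set, the XOR stub and the `MALWARE-SIG` detection signature are all constructed; it is not x86 and does not model SEH, the PEB or any other OS structure, which is exactly the part Stefan Kurtzhals describes as hard. It does show the two points made about emulation: the same payload unpacks under a different key and stub layout with no stub knowledge at all, and a busy loop in front of the stub exhausts a fixed instruction budget.

```python
# Constructed one-byte instruction set: an accumulator, an index register and a
# 256-byte address space. NOP is 0 so that unused (zero) memory is harmless.
NOP, SETI, LOADI, XOR, STOREI, INC, JNE, JMP, HALT = range(9)

# Constructed detection signature and the "unpacked code" it matches.
SIGNATURES = {"Constructed.Test.Payload": b"MALWARE-SIG"}
PAYLOAD = b"MALWARE-SIG" + bytes([HALT])


def scan(blob):
    """Plain byte-signature scan; emulation exists to hand this function unpacked code."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def make_packed(payload, key, delay=0, pad_nop=False):
    """Build a 256-byte packed image: stub at 0, XOR-encrypted payload at 0x40.
    delay>0 prepends a busy loop (the 'loops' trick that exploits emulator speed);
    pad_nop inserts a NOP so the stub bytes differ from the un-padded build."""
    base = 0x40
    stub = bytearray()
    if delay:
        stub += bytes([SETI, 0])
        loop = len(stub)
        stub += bytes([INC, JNE, delay, loop])       # spin until idx == delay
    if pad_nop:
        stub.append(NOP)
    stub += bytes([SETI, base])
    loop = len(stub)
    stub += bytes([LOADI, XOR, key, STOREI, INC,     # mem[idx] ^= key; idx += 1
                   JNE, (base + len(payload)) & 0xFF, loop,
                   JMP, base])                       # jump into the decrypted code
    image = bytearray(256)
    image[:len(stub)] = stub
    image[base:base + len(payload)] = bytes(b ^ key for b in payload)
    return bytes(image)


def emulate(image, max_steps=1000):
    """Run until control lands on a byte the code itself wrote (write-then-execute,
    i.e. the original entry point) and dump from there. Returns (status, pc, dump)."""
    mem = bytearray(image)
    pc = acc = idx = 0
    written = set()
    for _ in range(max_steps):
        if pc in written:
            return "unpacked", pc, bytes(mem[pc:max(written) + 1])
        if pc + 2 >= len(mem):
            return "fault", pc, b""
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op == SETI:
            idx, pc = mem[pc + 1], pc + 2
        elif op == LOADI:
            acc, pc = mem[idx], pc + 1
        elif op == XOR:
            acc, pc = acc ^ mem[pc + 1], pc + 2
        elif op == STOREI:
            mem[idx] = acc
            written.add(idx)
            pc += 1
        elif op == INC:
            idx, pc = (idx + 1) & 0xFF, pc + 1
        elif op == JNE:
            pc = mem[pc + 2] if idx != mem[pc + 1] else pc + 3
        elif op == JMP:
            pc = mem[pc + 1]
        elif op == HALT:
            return "halted", pc, b""
        else:
            return "fault", pc, b""
    return "budget_exceeded", pc, b""


def generic_unpack_and_scan(image, max_steps=1000):
    """Emulate, then scan the dump only if an entry point into written memory was reached."""
    status, pc, dump = emulate(image, max_steps)
    return {"status": status, "oep": pc if status == "unpacked" else None,
            "matches": scan(dump) if status == "unpacked" else []}


if __name__ == "__main__":
    for label, img, budget in (("key 0x5A", make_packed(PAYLOAD, 0x5A), 1000),
                               ("key 0x3C + NOP", make_packed(PAYLOAD, 0x3C, pad_nop=True), 1000),
                               ("delay loop, budget 300", make_packed(PAYLOAD, 0x5A, delay=200), 300)):
        print(label, "| packed scan:", scan(img), "| after emulation:", generic_unpack_and_scan(img, budget))
```

The packed image never matches the signature directly, because the payload bytes are XORed on disk; after emulation the dump matches regardless of key or stub layout. Raising `max_steps` makes the delayed sample unpack too, which is the trade-off Siarheika describes between versatility and scan time: every extra instruction the engine is willing to emulate costs time on every file it scans.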
  24. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    it has

    I personally think that BitDefender's unpacking engine is overrated. Many times the unpacked sample is not detected, even if the packed one is.....
     
  25. BlackHawk1

    BlackHawk1 Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    Kaspersky!
     