Best unpacking AV???

Which AV has the Best detection against running time packer? Can they be detected with an AV that has better heuristics or better unpacker? And how do top name brand AV compare in real time memory scanning?

 

It is hard to say.. but if AV has a great, strong and sophisticated heuristic engine it should be good 'cause then is AV able to detect malware in potentially unknown runtime packers. But there is no so big amount of antivirus programs with so advanced heuristic so they really need good unpacker.

 

Kaspersky probably has the best unpacker going.

 

Yeah, this may be the truth. But for example, NOD32 can "unpack" runtime packers with its heuristic engine..

 

I will take definations over hueristics for now

 

Best to have both.

 

I definatly do use both with eTrust R 7.1 corporate antivirus

 

For instance, I have a bunch of old mozilla mail archives. Several have old virus and trojans like joke.exe..

KAV finds every single one, first time every time.

NOD says it is searching the file. Spends a long time at it, and says it is clean. Yes, this is with max heuristics.

 

which is better
KAV or EDIWO against running time packer?

 

Now you are trying to compare an antitrojan against an antivirus. These are completely different programs.

 

Among AVs, I agree that KAV probably has the best unpacker. BitDefender might be second.

 

VBA32 has a very powerful generic unpacker.

 

1.
Kaspersky & clones: best static unpacking engine.

Pro: supports MANY packers/compressors/crypters/protectors.

Con: can be easily fooled by minor variations of the unpacking stub.

2.
NOD32, Ewido: generic unpacking engine (emulation).

Pro (in theory): no exact signatures of unpacking stub are required in order to determine the packer and apply the matching static unpacking routine. By contrast, it is sufficient that the emulation detects that the target is compressed/crypted etc. Consequently, it is not possible to "fool" an emulation by a minor modification of the unpacking stub of a well-known compressor like UPX.

Con: emulation does not handle as many packers as Kaspersky's static unpacking engine. Tobias Graf (from Ewido) will speak at VB2005 about the concept of a generic unpacking engine ( http://www.virusbtn.com/conference/vb2005/abstracts/tobiasgraf_andreasrudykTechFri1400.xml ). Hopefully, he will also tell the people how an emulation can handle:

- loops (which exploit the speed disadvantage of an emulation)
- anti-emulation code (which stops the execution of a target if it detects that it is executed in a virtual environment)
- and much more ...

3.
In addition to the use of a static or generic unpacking engine scanners may use heuristics (in order to detect suspicious modifications of a compressed target etc.) or signatures from uncompressed parts of a target (e.g., the resource section). You may also try to pick additional signatures from compressed targets if you do not have an unpacking engine at all ... ;-) And, of course, you may use a memory scanner.

 

Runtime packers and mail archives are two very different things.

 

me agree this, NOD32 won find viruses in Mozilla Mail Archives!

as for. KAV best unpack, BitDefender second best. avast! seem good unpack too

 

I don't think avast! is too good in unpacking compared to KAV or BD,but they are certanly the best of free ones. And constantly improving (latest additions were FSG and MEW+few others) and new version coming in week or two is again promissing better packers support.

I also agree that KAV has the best unpacker engine.

 

Ok, but if you use IMON for scanning POP3, there cannot be any viruses in Mozilla Mail Archives...

 

KAV has a pretty weak detection of stubs, that is true but that
is not necessarily a disadvantage for every static unpacker.
Interesting enough, KAV fails to detect ASProtect and Armadillo
reliable even if it's able to unpack that variant of the protector
(unmodified samples).

The main disadvantage is the speed and the only reason Ewido is fast is that they are using assembler and only work on x86 32 bit Intel platforms. An emulation with the same speed on 64 bit SPARC Solaris would impress me much more. ;-)
Ewido fails to unpack almost every anti-debugging protector I tested (PE-Shield, telock, PE-Lock32, UPC, Krypton, YodaProt and so on. The problem is not code that detects emulation, actually no one is doing that. The problem is to 100% mirror the OS structures/behaviour like SEH, PEB, KERNEL32.DLL. And you can easily increase the difficulty. Try to emulate Armadillo, SVKP or Molebox.
The malware authors seem to have noticed this, in the last few weeks and months you could notice a slow increase in usage of the mentioned protectors. Which will basically makes emulation useless at some point if the trend continues. The AV scan engines are loosing the race already I fear.

 

@Skeeve

This is a rare event. It seems that we more or less agree with each other ;-)

Your last comment ( "The AV scan engines are loosing the race already I fear." ) is interesting. What do you recommend to do?

Will AntiVir support memory scanning? Should AV scanners support this technique at all? Does it make sense to use an IDS (like a2 does)?

 

Get some AV/AT products which have: good static unpackers, good emulation, good heuristics and a good behaviour blocker.

Memory scanning has advantages and disadvantages. Rootkits are evolving too fast into a state where memory detection is too much a pain. It would be better to prevent the "installation" of malware (rootkits) instead of trying to detect them in memory when they already have full control on the system (that's why I don't think Blacklight is a good idea).
A behaviour blocker is a good idea, especially to counter Armadillo/SVKP/... packed malware. The idea of A² IDS is good, the implementation is bad (usermode, rules etc.). Behaviour Blocking is a client side feature and considered too hard to handle for normal users by many AV companies, that's why there aren't more products with a good behaviour blocker - yet. The increasing number of malware which cannot be unpacked/emulated (fast enough) will maybe change their mind.

 

@Skeeve

Just a few more comments:

1.
I am still not convinced that KAV can unpack ANY new Armadillo versions at all. I would guess that they partly rely on signatures taken from the resource section so that it *seems* that Armadillo can be unpacked. Have you ever seen an unpacked Armadillo samples in KAV's temp folder? This would be the proof ...

2.
"Rootkits are evolving too fast into a state where memory detection is too much a pain. It would be better to prevent the "installation" of malware (rootkits) instead of trying to detect them in memory"

I think that a memory scanner does not need to detect rootkits. Instead the system firewall needs to prevent the installation of rootkits. A mem scanner is still a good idea to detect "normal" compressed/crypted trojans.

3.
The idea of A² IDS is good, the implementation is bad (usermode, rules etc.).

I am not so sure whether it is necessary to use a kernel mode IDS. Again: The protection of the IDS, the scanner, the firewall etc. is the responsibility of the system firewall. Why not using ProcessGuard in order to protect an AV like Kaspersky or NOD32, an AT like Ewido, a firewall and the a2 IDS? It does not make sense if each application goes kernel-mode. This will only increase conflicts.

 

Yes, that's my opinion too ^^

 

You are right, speed is one of the disadvantages of generic unpacking using emulation. It was a real problem until we improved performance quite a lot by adding dynamic code translation, but scanning performance on packed samples is still slower than when using static unpacking. But generic unpacking is much more versatile, for example there is a good chance that newer versions of executable packers or protectors can be unpacked correctly with no changes at all while static unpacking would require to add new decompression routines.

About SPARC and Solaris. After Apple decided to switch to Intel, looks like x86 (amd64) will remain a dominating architecture in the forseeable future

Actually, SEH is not a big problem. We are unpacking a lot of protectors from your list using emulation and generic unpacking (except PE-Shield and latest versions of YodaProt, but they should be supported soon). Molebox is not too hard to unpack too (but we tested only trial versions, maybe full version has more antidebugging tricks). SVKP is a real problem as it uses drivers and also it requires quite a lot of lime to unpack when run on a real processor not to mention emulation.

Well, emulation has proven to be very efficient for unpacking ordinary packers (designed only to reduce executable size) and low to middle level protectors. Heavyweight protectors like SVKP or XPROTECTOR are a real problem. But they are very inconvenient for the users too (use drivers - sometimes cause bluescreens, also they only work for the users with administrator privileges). Any program protected with such monsters is a potential malware so maybe antivirus can issue some alert in this case and let the user decide what to do.

 

it has

me personally thinks that bitdefenders unpacking engine is overrated. many times the unpacked sample is not detected, even if the packed one is.....

 

Kaspersky!