detect packer/cryptor

Discussion in 'malware problems & news' started by sn4k3, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. sn4k3

    sn4k3 Guest

    Is there a good prog with an updated DB to scan exe files and detect which packer the file is crypted or compressed with?
     
  2. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi sn4k3,

    Suggesting a program is beyond my experience, but I received an education about your question from these two pages.
    Have a look...

    SearchSecurity

    WorldHistory

    Until your question is addressed directly, please let me know if you found this enlightening...

    GF
     
  3. lololo348

    lololo348 Guest

  4. sn4k3

    sn4k3 Guest

    Thanks a lot guys, PEiD is what I want.
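    PEiD identifies a packer by matching byte signatures from its database against the file. As an added example (not from this thread and not PEiD's code), the Python below parses the PE section table with the standard library only and reports two defender-side hints that an executable is packed or crypted: packer-style section names and sections whose byte entropy is close to 8 bits/byte. The section-name table, the 7.0 threshold and the build_pe test images are constructed for this example.

```python
import math
import struct
from collections import Counter

# Section names left behind by common runtime packers (illustrative list constructed for
# this example; PEiD itself matches byte signatures from its database, not section names).
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX", b".aspack": "ASPack",
                        b".adata": "ASPack", b".petite": "Petite", b".nsp0": "NsPack", b".nsp1": "NsPack"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Minimal PE parser: yield (section name, raw section bytes) for each section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # SizeOfOptionalHeader
    table = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0"), image[rptr:rptr + rsize]

def scan_for_packer(image: bytes, entropy_threshold: float = 7.0):
    """Return a list of (section, reason) findings; an empty list means nothing suspicious."""
    findings = []
    for name, raw in pe_sections(image):
        if name in PACKER_SECTION_NAMES:
            findings.append((name.decode(), "section name matches " + PACKER_SECTION_NAMES[name]))
        ent = shannon_entropy(raw)
        if raw and ent >= entropy_threshold:
            findings.append((name.decode(), f"entropy {ent:.2f} bits/byte, compressed or encrypted data"))
    return findings

def build_pe(sections):
    """Build a tiny constructed PE image for testing (headers only, not a loadable binary)."""
    hdr_len = 0x40 + 24 + 40 * len(sections)   # DOS header + "PE\0\0" + COFF header + section table
    body, table = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII", name, len(data), 0x1000, len(data), hdr_len + len(body)) + b"\0" * 16
        body += data
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew points at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # SizeOfOptionalHeader = 0
    return dos + coff + table + body
```

    A high-entropy section by itself is not proof of packing (resources and embedded archives also score high), so treat the output as a triage hint, not a verdict.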
     
  5. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Oops! Guess I was wrong interpreting your request :doubt: ...
    but now I know ;).

    GF
     
  6. netxman

    netxman Registered Member

    Joined:
    May 28, 2004
    Posts:
    17
    Can anyone tell me if there is a prog that can crypt or compress a file undetected by AVs?
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Actually there are several, however, we focus here on helping people to keep from getting infected, not in helping to make malware files undetectable, if that is what you are asking.
     
  8. netxman

    netxman Registered Member

    Joined:
    May 28, 2004
    Posts:
    17
    Sorry sir, I can't find a place to ask here. :oops:
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    For what purpose are you wanting such an application?
     
  10. netxman

    netxman Registered Member

    Joined:
    May 28, 2004
    Posts:
    17
    Yes, it's a trojan, just to joke with somebody. Not you, you seem man-eating. :p
     
  11. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Blackspear? Nah, he's too friendly.
    There are far better ways to use your energy. Besides, you ought to be careful how your joke might be taken ;).

    GF
     
  12. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    If this "somebody" is running Kaspersky, let's just say you will have a VERY difficult time making it undetected.

    Even as a joke I would not recommend infecting others with a trojan. It is NOT very nice ;)
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This is off topic from the main thread.

    This is also against Wilders' Terms of Service; it would also be a very dangerous joke. If it went beyond your friend and started to infect others, you would find yourself running from the law...

    I would suggest climbing a tree with a water balloon, all that can happen there is you get stuck up the tree for a few days when your friend returns with their pit-bull to guard the tree ;) :D

    Cheers :D
     
    Last edited: Sep 19, 2004
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    From doing just a tiny bit of reading on the subject, it is not really that hard to make a trojan undetectable from Kaspersky. This is why I also use two different anti-trojan scanners in addition to Kaspersky. The anti-trojan scanners that I picked cover some of Kaspersky's weaknesses.

    Just about all Trojan scanners and Kaspersky can detect out of the box trojans that can be downloaded from the various websites that offer them. From the little I have read, though, any trojan can be modified to bypass the weaknesses of any scanner that can be chosen including Kaspersky.

    Which is another reason not to let people know the exact security arrangement on your computer. All scanners can be beaten which is why other ways of securing the computer must be used including common sense.


    Starrob
     
  15. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    By Blackspear:
    I agree. Seems it was over here, by sn4k3:
    Good time to lock this thread?
    I did enjoy your addition though Starrob, but...

    GF
     
  16. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I agree, but trust me KAV is not one of the easier AVs to fool either (in regards to detection). Any arrangement you formulate to defeat detection in KAV will probably work on 90% of other AV scanners. The unpacking engine in KAV is definitely one of the main reasons for this. But note that KAV also has a lot of very skilled analysts who understand a lot of how cryptors (and other tools and methods) are being used to bypass detection in scanners. There was an instance that a cryptor was released publicly and KAV had detection in 1-2 days. And not just for the public version but also for the modified versions of it when used in conjunction with each other.

    If one is to look at it another way... any malware that is released in the wild is going to be detected sooner or later. The benefit that KAV has is that they do not have to depend on a new signature to detect malware that is runtime compressed or crypted. And if they do need a new signature they will probably be among the first, with updates that are now available hourly. I would say that KAV is one of the very few (among its competitors) that have both the resources and skilled personnel to do this. But I am sure you are probably already aware of the pros in KAV as you seem to use it as well ;)

    Sure there are cons to KAV as well. And there are probably quite a number of ways to bypass it. But like you mentioned any trojan can be modified enough to bypass any scanner. So the point there seems rather moot. But I do agree with you here.
    Perhaps you are simply pointing out that I exaggerated too much about KAV and emphasis needs to be placed in other areas as well? :D
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    It is pretty well known that there is one commercial runtime packing program that even Kaspersky admits they can not unpack which means that if you want full protection then what is needed is a strong memory scanner.

    Memory scanners that can scan modules as well as processes are preferred.

    Another part of the solution in my opinion is Processguard in conjunction with a registry monitor (A Registry monitor in which you can choose what keys are monitored is preferred).

    Processguard is necessary because if I happen to click on something that a strong anti-virus like Kaspersky is unable to pick up and which is also able to get by the memory scanner because it is faster than the scanner...well, then it will have to get past the protection of Processguard which is quite difficult.....pretty near impossible for the average hacker and even difficult for a very knowledgeable hacker.

    Even with Processguard, PG V2 has vulnerabilities. I read in one forum a while ago that someone claimed to beat PG and install a trojan (I forget whether it was version 1 or version 2 that it claimed to beat). PG V3 will, hopefully, remove the few vulnerabilities left in that program. Hopefully, PG V3, which will be out soon, will make it as close to impossible as you can get for things like rootkits, DLL injecting trojans and keyloggers to operate.

    I have a whole lot of layers....including common sense....maybe I am a bit paranoid but I also don't think I will be one of those people running around to different forums trying to get my HijackThis log read. I read too many people's miseries to let it happen to me.


    Starrob
     
  18. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    "Perhaps you are simply pointing out that I exaggerated too much about KAV and emphasis needs to be placed in other areas as well? "


    Exactly.....emphasis in other areas....layered protection. :)



    Starrob
     
  19. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    PGv2 only has one known vulnerability (\device\physicalmemory), it was PGv1 which had a couple. The \device\physicalmemory attack isn't specific to Process Guard - many popular firewalls are also vulnerable for example, and it's also not a severe threat due to the complexity of the attack (the demo only worked under W2K), but nevertheless it was an attack that could be used so PGv3 which will be released later today fixes that.

    Regards,
    Wayne
     
    Last edited: Sep 19, 2004
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Very nice, thank you for that information Wayne...

    Cheers :D
     
  21. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Thanks for the correction. I will be among the first in line for version 3


    Starrob
     
  22. netxman

    netxman Registered Member

    Joined:
    May 28, 2004
    Posts:
    17
    I just thought this was a drowsy forum before, now I know there are many, many divers here to watch everybody :D .

    Thanks Starrob, thanks all for giving the good knowledge. :cool:
     
  23. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    I see this is turning out to be a rather useful thread, which I was hoping for.
    Didn't mean to jump the gun.

    Thanks to Starrob, Rerun, and Wayne for pointing out possibilities,
    and pulling the topic along.....very interesting.

    GF
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Indeed, it has piqued my interest with Process Guard 3.

    Cheers :D
     
  25. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I am definitely in agreement with you here, and am glad that is cleared up :)

    Are you aware of any other scanner that can unpack this commercial packer?
    A strong memory scanner is also quite difficult to find. Some are only on-demand. Some are not "true" memory scanners. Even BOClean is vulnerable in some ways (http://scheinsicherheit.sc.funpic.de/boclean.htm). I guess that further emphasizes the point on having layered protection.

    Cannot argue the importance of having PG though ;)
     