New strong heuristics for updated Antivir PE !

Discussion in 'other anti-virus software' started by Big Mike, May 19, 2004.

Thread Status:
Not open for further replies.
  1. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    You might be thinking of archive support (eg: zip, rar, etc). Unpacking is useful for malware that is runtime compressed (eg: UPX, ASPack, etc). The difference between the two is that runtime compressed files are directly loaded into memory upon execution. An AV with no unpacking will have no chance to catch this packed malware on execution. It might be able to AFTER its execution with a memory scanner, but most memory scanners are on demand, and by that time it might be already too late. And even then there is no guarantee that the memory scanner will pick it up. An AV with unpacking will be able to scan within the packed file without actually executing it.
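
Added example (not from the original thread, and not AntiVir's code): a small Python script that parses a PE file's section table and reports the signs rerun2 describes of a runtime-compressed executable: packer-specific section names, a section with no bytes on disk but a large virtual size (where the stub unpacks the real code at run time), and near-8.0 entropy in the section holding the compressed payload. The packer name list, the helper that assembles a minimal PE image and the two sample images are constructed for the demo; no real UPX or ASPack file is involved.

```python
import math
import struct

# Section names commonly left behind by runtime packers (constructed, illustrative list).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the DOS header, PE signature, COFF header and section table and
    return (name, virtual_size, raw_size, raw_offset) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        entry = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[entry:entry + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, roff = struct.unpack_from("<IIII", pe, entry + 8)
        sections.append((name, vsize, rsize, roff))
    return sections


def packer_indicators(pe: bytes) -> list:
    """Return human-readable reasons why the file looks runtime-packed (empty if none)."""
    reasons = []
    for name, vsize, rsize, roff in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section name {name!r} belongs to a known packer")
        if rsize == 0 and vsize > 0:
            # No bytes on disk but a large virtual size: this is where the stub
            # decompresses the real program after the loader maps the file.
            reasons.append(f"section {name!r} has no raw data but {vsize:#x} bytes virtual")
        elif rsize:
            ent = shannon_entropy(pe[roff:roff + rsize])
            if ent > 7.0:
                reasons.append(f"section {name!r} entropy {ent:.2f} (compressed or encrypted)")
    return reasons


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal PE32 image from (name, virtual_size, raw_bytes) triples.
    Constructed for this demo only; it is not a loadable executable."""
    e_lfanew = 0x40
    size_of_optional = 224  # PE32 optional header
    header_len = e_lfanew + 4 + 20 + size_of_optional + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF  # file alignment 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table, body, raw_off, vaddr = b"", b"", first_raw, 0x1000
    for name, vsize, data in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", vsize, vaddr, len(data), raw_off if data else 0)
        table += b"\0" * 16  # reloc/linenumber pointers and counts, characteristics
        body += data
        raw_off += len(data)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + coff + optional + table
    return headers + b"\0" * (first_raw - len(headers)) + body


# Constructed samples: a UPX-style layout and an ordinary single-section image.
SAMPLE_PACKED = build_sample_pe([
    (b"UPX0", 0x8000, b""),                     # empty on disk, filled at run time
    (b"UPX1", 0x3000, bytes(range(256)) * 8),   # stand-in for a compressed payload
])
SAMPLE_CLEAN = build_sample_pe([
    (b".text", 0x1000, b"\x55\x8b\xec" * 100),  # repetitive, low-entropy code bytes
])

if __name__ == "__main__":
    for label, img in (("packed", SAMPLE_PACKED), ("clean", SAMPLE_CLEAN)):
        print(label, packer_indicators(img) or ["no indicators"])
```

Run as a script, the UPX-style sample reports four indicators and the plain image reports none. A check like this is what an on-demand scanner can do without executing the file; it only says the file is packed, not what is inside, which is why an engine still needs an unpacker (or an in-memory scan after the stub has run) before its signatures can see the payload.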
     
  2. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Kobra, which trojan packer are you talking about?

    If it's a PE EXE bundler that drops files to hard disk, the on-access guard will catch it.

    Rebasing only affects the signature scanning, not the heuristics.

    Oh, and all packing/crypting won't help against a memory heuristic. :)
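
Added example, not from the original post or from any AV vendor, illustrating the point above that rebasing only hurts signature scanning. It builds a constructed 11-byte x86 snippet whose two 32-bit immediates are absolute addresses, applies the same fix-up the Windows loader performs from the .reloc table when the image base changes, and shows that a raw byte signature no longer matches while a signature that wildcards the relocated bytes still does. PREFERRED_BASE, the addresses and the offsets are made-up values.

```python
import struct

# Constructed x86 snippet: push imm32 ; mov eax,[moffs32] ; ret.
# Both 32-bit immediates are absolute virtual addresses, so the loader patches them
# through the .reloc table whenever the image cannot load at its preferred base.
PREFERRED_BASE = 0x00400000
CODE = (bytes([0x68]) + struct.pack("<I", 0x00403000)    # push 0x403000
        + bytes([0xA1]) + struct.pack("<I", 0x00404010)  # mov eax,[0x404010]
        + bytes([0xC3]))                                 # ret
RELOC_OFFSETS = (1, 6)  # byte offsets of the two absolute addresses inside CODE


def rebase(code: bytes, relocs, delta: int) -> bytes:
    """Apply a base relocation: add delta to every 32-bit absolute address."""
    out = bytearray(code)
    for off in relocs:
        val = struct.unpack_from("<I", out, off)[0]
        struct.pack_into("<I", out, off, (val + delta) & 0xFFFFFFFF)
    return bytes(out)


def match_exact(code: bytes, signature: bytes) -> bool:
    """Naive byte-string signature, as captured from the original sample."""
    return signature in code


def match_masked(code: bytes, pattern) -> bool:
    """Signature with None as a wildcard at the relocated positions."""
    n = len(pattern)
    return any(
        all(p is None or p == code[i + j] for j, p in enumerate(pattern))
        for i in range(len(code) - n + 1)
    )


EXACT_SIG = CODE
# Same bytes, but the four bytes of every relocation target become wildcards.
MASKED_SIG = [None if any(o <= i < o + 4 for o in RELOC_OFFSETS) else b
              for i, b in enumerate(CODE)]


def compare(new_base: int = 0x00410000) -> dict:
    """Run both signatures against the code before and after a rebase."""
    moved = rebase(CODE, RELOC_OFFSETS, new_base - PREFERRED_BASE)
    return {
        "exact_before": match_exact(CODE, EXACT_SIG),
        "exact_after": match_exact(moved, EXACT_SIG),
        "masked_after": match_masked(moved, MASKED_SIG),
    }


if __name__ == "__main__":
    print(compare())
```

The masked signature keys on the opcodes and operand layout rather than on the address values, which is the same property a code heuristic relies on: the instruction stream does not change when the image moves, only the bytes the .reloc table points at do.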
     
  3. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    THX for your reply, rerun2 :)
     
  4. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Can someone tell me how I am able to scan my newest version of 1336 infected archived samples with AntiVir? Every time I go to scan those files, AntiVir quits the scan when it has found Worm/Doomjuice.2 or something like that. I have not limited any report lists when I configured my AntiVir.

    Best regards,
    Firefighter!
     
    Last edited: May 23, 2004
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Some AV software has the option to quit the scan if an infected file is found in an archive. Uncheck it if you have that option. If not, then scan them after you've decompressed them. Well, turn off your real-time scan when you are decompressing. Why didn't you start a new thread?
     
  6. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    I will PM you a link to the bad guy if you want to test, but this latest Antivir PE totally missed not only the packer, but the packed rebased baddies inside the packer. I'm told it's a really nasty threat too. (at least the AV guys that have diagnosed it said that to me)

    I don't have the guts to "Unpack" it manually and see if it hits that, because if it doesn't, my machine is trashed. Honestly, I want a product that can pick things up with an on-demand scan, or at the very least, the realtime monitor catching it. I don't like playing with fire by having to actually unpack it for detection, that just doesn't feel safe. =)

     
  7. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11
    hello everybody,
    I just joined :D and I really HOPE you experts out there can solve my doubts, please. :'( :'( :'( I use:
    OS: W98SE
    Antivirus: ANTIVIR Personal Edition Version 6.25.00.03
    Firewall: ZONEALARM free
    I have also been running an FTP server for a year using: BPFTPSERVER
    (www.bpftpserver.com)

    3 days ago I went to launch the SERVER as usual :) and to my immense shock :eek: :eek: :eek: my ANTIVIR PE popped up saying this:
    "THE FILE G6FTPSRV.EXE CONTAINS SUSPICIOUS CODE (HEURISTIC/TROJAN.WIN32.PWS)"

    A trojan inside a software I registered and paid for?
    A trojan on my PC even using ANTIVIR and a Firewall?
    Is it dangerous? How can it be?
    How do I get rid of it?

    I even uninstalled BPFTPserver and downloaded it again brand new from their site, but the problem is still the same. I CANNOT LAUNCH IT ANYMORE.

    A friend told me that the heuristics were also included in the latest FREE version of antivir PE... and you can choose between 3 settings: low, medium or high. I'm not a very techie person and I don't know what HEURISTICS are... :oops: ... I checked and heuristics are set to medium by default.

    I tried LOW and the server launches OK, no problem, but if I revert it to
    MEDIUM it pops up, preventing the launch.

    Should I worry o_Oo_O??
    Can you please please help as soon as possible?
    Thank you for reading me and for your time.

    all the best from Italy to u all
    Claudio
     
  8. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Is it just me, or does AntiVir lack a mail scanner? I tested it yesterday and I was quite impressed by the Active Monitor, but I couldn't find any mail scanner, heh
     
  9. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Boat, please also look at my answer in your other thread [thread]35244[/thread]
     
  11. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11

    Hi Jooske
    OK, thanks, I replied to you in the other thread... cheers..

    bOATdRINKS
     
  12. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11

    THANKS LOTS MadsenDK
    I will check them out as well....
    all the best to u :D

    bOATdRINKS
     
  13. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    You are very welcome. Good luck :)
     