Q. does anyone know which packers each AV support?

Discussion in 'other anti-virus software' started by C.S.J, Oct 8, 2007.

Thread Status:
Not open for further replies.
  1. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Q. does anyone know which packers each AV support?

    ok, i did find a list from drweb regarding packer support.

    however, it only mentions 'SOME of them' and i doubt the 4.44 updated packers are not even added either.

    anyway, for information purposes only, here are the 'some of them'

    ------------------------------------
    * AHPACK
    * ALEXPACK
    * ALEXPROTECT
    * ALLOY
    * APLIB
    * ARM
    * ASPACK
    * ASPROTECT
    * BITARTS
    * BINARYRES
    * BJFNT
    * CEXE
    * COM2EXE
    * COMPACK
    * CONVERT
    * CryptCOM
    * CryptEXE
    * CPAV
    * DEFILER
    * DIET
    * DXPACK
    * ENCODED SCRIPT
    * INSTALL
    * ESSEN
    * EXE32PACK
    * EXECRYPTOR
    * EXEPACK
    * EXPRESSOR
    * EZIP
    * FAKENEO
    * FSG
    * F-XLOCK
    * HDD IMAGE
    * HOT SOUP
    * HTMLZIP
    * PECRYPT
    * GENTEE
    * INNO SETUP
    * JDPACK
    * KRYPTON
    * KCUF
    * LZEXE
    * MEW
    * MOLEBOX
    * MORPHINE
    * MS COMPRESS
    * MSI
    * MSFT
    * NAKEDPACK
    * NEOLITE
    * NFO
    * NME
    * NOODLECRYPT
    * NSANTI
    * NSPACK
    * NSIS
    * OPTLINK
    * PACKMAN
    * PCPEC
    * PCSHRINK
    * PEBUNDLE
    * PECOMPACT
    * PECRYPT
    * PENCRYPT
    * PEDIMINISHER
    * PELOCK
    * PENINJA
    * PEPACK
    * PINGVIN
    * PE-CRYPT32
    * PESHIELD
    * PESPIN
    * PETITE
    * PEX
    * PGMPAK
    * PGPROT
    * PHANTASM
    * PKLITE
    * PKLITE32
    * POLYCRYPT
    * POLYENE
    * PORNOPACK
    * PROTECT
    * RSFX
    * SDPROTECTOR
    * SEA
    * SETUP FACTORY
    * SHAOLIN
    * SOFTCOMP
    * SPLASHER
    * SQR
    * SVKP
    * SOFTDEFENDER
    * TARMA
    * TELOCK
    * TINYPROG
    * UCEXE
    * ULTRAPROTECT
    * UPACK
    * UPC
    * UPX
    * XOREXE
    * VACCINE
    * VCLZIP
    * VECNAPACK
    * VGCRYPT
    * WWPACK
    * WWPACK32
    * WISE
    * WINKRIPT
    * XCR
    * YODA
    * ZLIB

    ------------------------------------

    a very impressive outdated list, i wonder if drweb will update it for me? :D
     
  2. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    Re: dr web 4.44 scan speed

    i guess kav supports something between 600 and 1200 packers
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    i wonder if some of the staff will come in and let us know IBK :)
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I'd think they would prefer to hold their cards pretty close to the vest.
     
  5. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    im sure they do Hammer, but i bet they each know what each other support, so why the secrecy?
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Probably for the same reason some don't reveal the size of their virus signature data bases I assume.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    I have to ask.... Who really cares. All I want to know is the software does the job. This is about akin to going into a car dealership and asking how many bolts are used in the engine. Don't care as long as it runs right.
     
  8. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Who cares? Well, since you asked, more people than you think. Some people either rightly or wrongly equate the number of packers supported with AV quality. The thinking being the greater the number supported the better. I've seen more than one post in several threads about various AVs refer to it. As for me I don't know. Just answering C.S.J's question, that's all.
     
  9. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Maybe KAV, Drweb, Bitdefender, Nod32 are the top four, but from the view of detection, it only makes virus writers a little more work. Even the four I mentioned cannot compare the contribution of packer support. Some high-detection products really have poor packer support compared to KAV and Drweb, but they flag the suspicious using other technology.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    If you are talking about people that frequent AV sections of security sections I'd agree. But if you take the top AVs, whoever they might be, and poll all the people that purchased in the last year, how many do you think would even know what a packer is. We tend to get tunnel vision in these forums, regardless of the subject.
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Well, we're in a security forum, so ya, those are the people I'm speaking to. The vast majority of people haven't heard of security forums so I don't see how polling them regarding packers is relevant to the discussion here, and security tends toward being a tunnel vision subject. If this becomes a "mine is best" thread then deal with it as per the policy. But so far no harm no foul as far as I can see. If you're not interested in this thread then don't post.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Hi Hammer

    My post was from myself. Just challenging the thinking, that's all.

    Pete
     
  13. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    When posting a list such as the one in the initial post, it's necessary to realize that:
    - many packers have a (sometimes huge) number of variants; stating that packer XXX is supported doesn't really say whether all the particular variants are correctly unpacked, or if it's just one of them
    - many of the packers are quite rare (e.g. because the files packed with them don't run on today's operating systems, or they are old DOS packers, ...) - so it's "nice" to support them (= to have them on the list), but mostly useless in reality
     
  14. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Correct. Besides, most of the AV engines with an emulator are able to deal with most of the trivial packers anyway, so it doesn't make sense to list every packer separately because your emulation would also support unknown/new packers if you're lucky. The really important ones (which you cannot do so easily via emulation) are missed in these lists anyway. For speed reasons your product should support at least some basic standard unpacking so that you don't have to emulate every runtime-packed file. (For example UPX and ASPack, since they are widely used for clean files as well, so speed counts there.) Writing a (static) unpacker for those 2 packers is quite easy. (Maybe a bit tricky for ASPack 2.11 since you have some "polymorphic" versions there where you have to search for calls (0xE8) etc., but that's it.)

    Next problem is that a lot of malware uses patched versions of packers. So having a standard static unpacker for some runtime packer version doesn't mean it's able to unpack the malware correctly. (For example you have a top layer of trash code.) Without emulating this and stripping it off, the static unpacker will fail because the static unpack function assumes it's not packed with what it's looking for. So the best way to go is to emulate as much as possible, with a combination of static (hard-coded) unpack library functionality (LZMA etc.) for speeding up the emulation.
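The two posts above (Inspector Clouseau on static unpackers versus patched packer variants, and i_g earlier on packer variants making a "supported" list misleading) can be illustrated with a small defensive check. The following is an added example, not code from the thread, Dr.Web or any AV vendor's engine: it walks the section table of a PE file, matches well-known packer section names (the static signature), and falls back on a per-section entropy heuristic so that a renamed or patched variant is still flagged as "probably packed" even when the name signature misses. The section names, the 7.0 bits/byte threshold and the synthetic PE images are all assumptions constructed for the example.

```python
"""Added example (not code from the thread, Dr.Web, or any vendor): a toy
static packer identifier for PE files, with the caveat from the post above
that a patched packer variant defeats a purely static signature while an
entropy heuristic still flags the file.

Assumptions, all constructed for this example:
  - only 32-bit PE files with a standard header layout are handled;
  - 'UPX0'/'UPX1' and '.aspack'/'.adata' are used as well-known packer
    section names; the 7.0 bits/byte entropy threshold is a common
    heuristic, not a value taken from the thread;
  - the sample PE images are synthetic and never meant to run.
"""
import math
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40
KNOWN_PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX",
                         ".aspack": "ASPack", ".adata": "ASPack"}
HIGH_ENTROPY = 7.0  # bits per byte; assumed heuristic threshold


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return [(name, raw_bytes), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size            # COFF file header is 20 bytes
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def classify(pe: bytes) -> dict:
    """Static name signature first, entropy heuristic as the fallback."""
    sections = parse_sections(pe)
    by_name = sorted({KNOWN_PACKER_SECTIONS[n] for n, _ in sections
                      if n in KNOWN_PACKER_SECTIONS})
    high = [n for n, d in sections if shannon_entropy(d) >= HIGH_ENTROPY]
    return {"packer_by_name": by_name,
            "high_entropy_sections": high,
            "likely_packed": bool(by_name or high)}


def build_pe(names: list, payloads: list) -> bytes:
    """Construct a minimal, non-runnable PE32 image with the given sections."""
    header_area = 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew
    opt = b"\x0b\x01" + b"\0" * 222          # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    table, body, raw_ptr = b"", b"", header_area
    for name, data in zip(names, payloads):
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(header_area, b"\0") + body


# Constructed section contents (stand-ins, not real code or real packed data).
PLAIN_CODE = b"\x90" * 511 + b"\xc3"     # NOP sled + ret: very low entropy
PACKED_BLOB = bytes(range(256)) * 16     # uniform bytes: 8.0 bits/byte

STOCK_UPX = build_pe(["UPX0", "UPX1"], [b"", PACKED_BLOB])
RENAMED_UPX = build_pe([".text", ".data"], [PLAIN_CODE, PACKED_BLOB])  # "patched" variant
UNPACKED = build_pe([".text", ".data"], [PLAIN_CODE, b"hello world\0" * 40])

if __name__ == "__main__":
    for label, sample in (("stock UPX", STOCK_UPX), ("renamed UPX", RENAMED_UPX),
                          ("unpacked", UNPACKED)):
        print(label, classify(sample))
```

Running it shows the point of the post: the stock image is identified as UPX by name, the renamed variant gets no name match but its high-entropy section still marks it as likely packed, and the plain image is left alone. Both signals are heuristics a scanner would use only to decide whether to spend time on emulation, not as a detection on their own.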
     
  16. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Apart from VBA32, which other AVs have an emulator?
     
  17. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Almost all; the question remains how well they implemented unpacking support in the emulation. NOD32 has a pretty good (and fast) emulation which supports quite a lot of packers. There's a runtime packer workshop in Amsterdam soon anyway for discussing detection of blacklisted packers etc. Gabor (from virusbuster) wrote a nice article about that in the last virusbulletin issue (October). Basically everyone does it already (or is preparing to do that): detect files based on suspicious packers combined with other suspicious malware "marks".
     
  18. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Oh yes and before you ask your next question, i'm not going to answer it. :D I'm not going to state who has better packer emulation because as you know i'm working in the av business so that would be highly unfair to "rate" other companies products.
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Geez, just when I was halfway finished typing.;)
     
  20. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Your computer is too slow then. Prolly you should change antivirus? :D
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Oh, that hurt.;) Err, you really think so.:blink: :)
     
  22. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    255 more changes don't make a difference in your antivirus history :D
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Oh, you are on a roll today. At my expense.:rolleyes: :)
     
  24. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    *I believe* NOD32 and BitDefender are two others. *Maybe* ArcaVir too, but I don't have any proof to support that. :)
     