Q. does anyone know which packers each AV support?

Q. does anyone know which packers each AV support?

ok, i did find a list from drweb regarding packer support.

however, it only mentions 'SOME of them' and i doubt the 4.44 updated packers are not even added either.

anyway, for information purposes only, here are the 'some of them'

------------------------------------
* AHPACK
* ALEXPACK
* ALEXPROTECT
* ALLOY
* APLIB
* ARM
* ASPACK
* ASPROTECT
* BITARTS
* BINARYRES
* BJFNT
* CEXE
* COM2EXE
* COMPACK
* CONVERT
* CryptCOM
* CryptEXE
* CPAV
* DEFILER
* DIET
* DXPACK
* ENCODED SCRIPT
* INSTALL
* ESSEN
* EXE32PACK
* EXECRYPTOR
* EXEPACK
* EXPRESSOR
* EZIP
* FAKENEO
* FSG
* F-XLOCK
* HDD IMAGE
* HOT SOUP
* HTMLZIP
* PECRYPT
* GENTEE
* INNO SETUP
* JDPACK
* KRYPTON
* KCUF
* LZEXE
* MEW
* MOLEBOX
* MORPHINE
* MS COMPRESS
* MSI
* MSFT
* NAKEDPACK
* NEOLITE
* NFO
* NME
* NOODLECRYPT
* NSANTI
* NSPACK
* NSIS
* OPTLINK
* PACKMAN
* PCPEC
* PCSHRINK
* PEBUNDLE
* PECOMPACT
* PECRYPT
* PENCRYPT
* PEDIMINISHER
* PELOCK
* PENINJA
* PEPACK
* PINGVIN
* PE-CRYPT32
* PESHIELD
* PESPIN
* PETITE
* PEX
* PGMPAK
* PGPROT
* PHANTASM
* PKLITE
* PKLITE32
* POLYCRYPT
* POLYENE
* PORNOPACK
* PROTECT
* RSFX
* SDPROTECTOR
* SEA
* SETUP FACTORY
* SHAOLIN
* SOFTCOMP
* SPLASHER
* SQR
* SVKP
* SOFTDEFENDER
* TARMA
* TELOCK
* TINYPROG
* UCEXE
* ULTRAPROTECT
* UPACK
* UPC
* UPX
* XOREXE
* VACCINE
* VCLZIP
* VECNAPACK
* VGCRYPT
* WWPACK
* WWPACK32
* WISE
* WINKRIPT
* XCR
* YODA
* ZLIB

------------------------------------

a very impressive outdated list, i wonder if drweb will update it for me?

 

Re: dr web 4.44 scan speed

i guess kav supports something between 600 and 1200 packers

 

i wonder if some of the staff will come in and let us know IBK

 

I'd think they would prefer to hold their cards pretty close to the vest.

 

im sure they do Hammer, but i bet they each know what each other support, so why the secrecy?

 

Probably for the same reason some don't reveal the size of their virus signature data bases I assume.

 

Who cares? Well since you asked, more people than you think. Some people either rightly or wrongly equate the number of packers supported with Av quality. The thinking being the greater the number supported the better. I've seen more than one post in several threads about various Av's refer to it. As for me I don't know. Just answering C.S.J's question thats all.

 

Maybe KAV,Drweb,Bitdefender,Nod32 is the top four, but from the view of detection, it is only make virus writer a little more work. Even the four I mentioned can not compare the contribution of packer support, Some high detection product really has poor packer support compare to KAV and Drweb, but they flag the suspicous using other technology.

 

Well were in a security forum so ya those are the people I'm speaking to. The vast majority of people haven't heard of security forums so I don't see how polling them regarding packers is revelant to the discussion here and security tends toward being a tunnel vision subject. If this becomes a "mine is best' thread then deal with it as per the policy. But so far no harm no foul as far as I can see. If your not interested in this thread then don't post.

 

When posting a list such that the one in the initial post, it's necessary to realize that:
- many packers have a (sometimes huge) number of variants; stating that packer XXX is supported doesn't really say whether all the particular variants are correctly unpacked, or if it's just one of them
- many of the packers are quite rare (e.g. because the files packed with them don't run on today's operating systems, or they are old DOS packers, ...) - so it's "nice" to support them (= to have them on the list), but mostly useless in reality

 

The Kaspersky Anti-Virus Engine supports roughly 3,000 archival and packing formats (as of March 2007)...
http://www.kaspersky.com/kaspersky_anti-virus_engine

 

Correct. Besides, most of the AV Engines with a emulator are able to deal with most of the trivial packers anyway, so it doesn't make sense to list every packer separately because your emulation would also support unknown/new packers if you're lucky. The real important ones (which you cannot do so easily via emulation) are missed in this lists anyway. For speed reasons your product should support at least some basic standard unpacking that you don't have to emulate every runtime packed file. (For example UPX and ASPack since they are widely used for clean files as well so speed counts there). Writing a (static) unpacker for those 2 packers is quite easy. (Maybe a bit tricky for ASPack 2.11 since you have some "polymorphic" versions there where you have to search for calls (0xE etc. but that's it.

Next problem is that many malware uses patched versions of packers. So having a standard static unpacker for some runtime packer version doesn't mean it's able to unpack the malware correctly. (for example you have a top layer of trash code) without emulating this and stripping it off the static unpacker will fail because the static unpack function assumes its not packed with what it's looking for. So best way to go is to emulate as much as possible with a combination of static (hard coded) unpack library functionality (LZMA etc) for speeding up the emulation.

 

Apart from VBA32, which other AVs have an emulator?

 

Almost all, the question remains how good did they implement unpacking support in the emulation. NOD32 has a pretty good (and fast) emulation which supports quite a lot of packers. There's anyway soon a runtime packer workshop in amsterdam for discussing detection of blacklisted packers etc. Gabor (from virusbuster) wrote in the last virusbulletin issue (october) a nice article about that. Basically everyone does it already (or is preparing to do that) to detect files based on suspicious packers with other suspicious malware "marks".

 

Oh yes and before you ask your next question, i'm not going to answer it. I'm not going to state who has better packer emulation because as you know i'm working in the av business so that would be highly unfair to "rate" other companies products.

 

Geez, just when I was halfway finished typing.

 

Your computer is to slow then. Prolly you should change antivirus?

 

Oh, that hurt. Err, you really think so.

 

255 more changes don't make a difference in your antivirus history

 

Oh, you are on a roll today. At my exspense.

 

*I believe* NOD32 and BitDefender are two others. *Maybe* ArcaVir too, but I don't have any proof to support that.