Question about AV's unpacking engine

Discussion in 'other anti-virus software' started by Tan, Jan 17, 2004.

Thread Status:
Not open for further replies.
  1. Tan

    Tan Guest

    Hi all,

    This is a newbie's question. :)

    I've read so many threads at Wilders that mention AVs' unpacking engines, and from them I know that Kaspersky (KAV) has a great unpacking engine that no other AV can beat.

    But the question is,

    - What is an unpacking engine?
    - Why is it so important for an AV to detect malware such as trojans and backdoors?
    - Why can't an AV that has a poor unpacking engine detect a trojan when it executes/installs, or detect it when the trojan is already installed?

    These seem to be stupid questions, but please, I can't find another place to make it clear. Now I've tried AVG 7 and I like it very much; it's very light on my machine. What about AVG in trojan detection?

    Thanks
     
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    An unpacking engine is part of the scan engine which allows av software to scan files that are packed with runtime packers or crypters.

    To detect malicious files av software looks for a certain part in the file that is unique as a signature - much like fingerprints to identify criminals. Using runtime packers or crypters will change the file structure and therefore it changes the part that was used before as a signature. This means a malicious file gets undetected.

    Having an unpacking feature the av software unpacks the file to the original structure and can identify the malware correctly.

    Because the signature the av software is looking for is changed in the file, it fails detection.

    With AVG you need at least a separate antitrojan software. In terms of unpacking AVG is rather poor.

    wizard
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    One other item. A file packed with a runtime packer can be executed from its packed state, unlike a zipped file. To complicate things even more, there are a LOT of runtime packers available for the kiddies to use nowadays.
     
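    The two posts above describe why a plain signature scan misses a packed file and what an unpacking layer adds. The following is an added illustration, not code from this thread or from any AV product; it uses zlib compression as a stand-in for a runtime packer and a constructed marker string as a stand-in for a real signature.

```python
import zlib

# Constructed signature database: one byte pattern per (fictional) sample,
# standing in for the "fingerprint" an AV looks for in a file.
SIGNATURES = {
    "Constructed.Test.Backdoor": b"CONSTRUCTED-BACKDOOR-MARKER-7f3a",
}

def scan_raw(data: bytes):
    """Signature scan with no unpacking: matches only the bytes as stored on disk."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def looks_packed(data: bytes) -> bool:
    # A zlib stream starts with CMF 0x78 and one of four valid FLG bytes;
    # real engines recognise each runtime packer by its own header instead.
    return len(data) > 2 and data[0] == 0x78 and data[1] in (0x01, 0x5E, 0x9C, 0xDA)

def unpack_layers(data: bytes, max_depth: int = 8) -> bytes:
    """Strip packing layers until the original file structure is exposed.
    max_depth bounds the work so a deeply nested file cannot stall the scanner."""
    depth = 0
    while looks_packed(data) and depth < max_depth:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            break  # header looked packed but the stream is not; scan as-is
        depth += 1
    return data

def scan_with_unpacking(data: bytes):
    """What an unpacking engine adds: restore the original bytes, then apply the same signatures."""
    return scan_raw(unpack_layers(data))

def pack(data: bytes, layers: int = 1) -> bytes:
    """Stand-in for a runtime packer: compress the file one or more times."""
    for _ in range(layers):
        data = zlib.compress(data)
    return data

# Constructed sample: a redundant "file body" followed by the marker, then packed twice.
SAMPLE = b"MZ" + b"\x00" * 64 + b"constructed harmless section " * 4 + SIGNATURES["Constructed.Test.Backdoor"]
PACKED = pack(SAMPLE, layers=2)

if __name__ == "__main__":
    print("raw scan, unpacked file:", scan_raw(SAMPLE))
    print("raw scan, packed file:  ", scan_raw(PACKED))             # None: signature hidden
    print("unpacking scan, packed: ", scan_with_unpacking(PACKED))  # detected
```

    The signature bytes are not present in the packed file at all, which is why a scanner without an unpacking layer reports it clean while the same signature database detects it once the layers are removed.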
  4. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    Hi Tan,

    I'm also new to computer security, and I'm also studying what an unpacking engine is. These are the urls I bookmarked.

    - What is an unpacking engine? (What is a RunTime Packer?)

    http://www.dslreports.com/forum/remark,7234694~root=security,1~mode=flat

    - Why is it so important for an AV to detect malware such as trojans and backdoors?

    http://home.arcor.de/scheinsicherheit/example.htm
    The above url may answer your question a little.
    (Thank you Nautilus I've studied a lot from your site.)

    - Why can't an AV that has a poor unpacking engine detect a trojan when it executes/installs, or detect it when the trojan is already installed?

    http://www.security-forums.com/forum/viewtopic.php?t=8298&sid=fb214bc36c6c46cc19c23f7772da0fd1
    I think the above tutorial is very good to find unknown backdoors.

    If you are completely new to the trojan scene, the paper below is also worth reading.
    http://neworder.box.sk/newsread.php?newsid=6298

    I hope those urls also help you. :)
    Best Regards.
     
  5. Tan

    Tan Guest

    WOW !!!!! :D

    All your answers are what I've been searching for, thanks for all responses.

    I have some additional questions:

    - How/where can I learn about the unpacking engine ability of each AV? Is there any comparative test out there?

    - Does AV's on-access scanner use the same unpacking engine ability as its on-demand scanner ?

    Please correct me if I'm wrong: I assume that any AV with an extra-fast on-access/on-demand scanner, compared to the normal manner, may be giving a clue about its poor unpacking engine. Is this right?

    Thanks
     
  6. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Look at the tests at http://www.rokop-security.de and on the "Scheinsicherheit" site (see link in Sumire's posting)

    Normally yes.

    Unpacking takes some time, but there are other examples like NOD32, which uses unpacking and is still faster than some products that don't use unpacking at all. So I won't count just on the speed argument.

    wizard
     