Discussion in 'NOD32 version 2 Forum' started by gberns, Apr 23, 2005.
I scan them but have no clue what they are. Could someone please tell me?
Runtime packers are self-extracting executable compression algorithms.
The most common are UPX, PE_Compact, PKLite, ASPack etc.
Executables compressed with such runtime packers act exactly (ok, almost exactly) as non-compressed executables. The main difference is only in the final file size, which is much smaller in the packer's case.
Also, many people confuse packers with archives. They are clearly two different things. Archives are ZIP (Deflate), ACE, RAR, 7z etc., while packers are those mentioned above.
Thanks for the answer. I now have the technical names for that which I did not know. But if you asked me to explain them...
At least I know I am protected from anything hidden in them and I guess that is what really matters to me.
If you want to know more about how they can be used... this might be of interest.
More About Scanning Trojans
Yeah, if an antivirus can unpack such runtime packers, it can use the same signature for all copies of the same malware.
If malware (let's say MyDoom-A) is packed with UPX, another copy of the same malware with ASPack and a third one with PE_Compact, and the antivirus supports all 3 packer types, it can detect the same malware with only 1 signature.
If the antivirus supports only UPX and not ASPack and PE_Compact, it requires 1 signature for UPX and another 2 for the unsupported packer types.
That's 3 signatures in total.
This means more work for the AV developer and a much higher chance of missing certain malware just because it's compressed with a different packer.
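As an added illustration of the signature arithmetic in the post above (example code written for this thread, not code from the thread or from NOD32): the real packers UPX, ASPack and PE_Compact are stood in for by zlib, lzma and bz2 applied to a constructed byte string, and each "packer" prefixes a constructed 4-byte tag that plays the role of the packer stub a scanner would recognise. Counting the distinct hashes a scanner must store after its unpack step gives 1 signature when all three packers are supported and 3 when only one of them is.

```python
"""Why packer support shrinks the signature database (added example).

Assumptions: three stand-in packers (zlib/lzma/bz2 behind constructed tags)
replace UPX/ASPack/PE_Compact, and SHA-256 of the unpacked body is the signature.
"""
import bz2
import hashlib
import lzma
import zlib

# Constructed stand-in for a malicious executable body; the same logic in every sample.
PAYLOAD = b"MZ\x90\x00" + b"constructed sample body: same code, different wrapper. " * 8

# Constructed packer table: tag (stub marker), compress function, decompress function.
PACKERS = {
    "UPX-like":       (b"PK1:", zlib.compress, zlib.decompress),
    "ASPack-like":    (b"PK2:", lzma.compress, lzma.decompress),
    "PECompact-like": (b"PK3:", bz2.compress, bz2.decompress),
}


def pack(packer_name, data):
    """Wrap data the way the named stand-in packer would: tag + compressed body."""
    tag, compress, _ = PACKERS[packer_name]
    return tag + compress(data)


def identify_packer(blob):
    """Recognise the packer from its stub marker, or None if unknown."""
    for name, (tag, _, _) in PACKERS.items():
        if blob.startswith(tag):
            return name
    return None


def unpack(blob, supported):
    """Return the unpacked body if the packer is recognised and supported,
    otherwise the blob unchanged (the scanner can only hash what it sees)."""
    name = identify_packer(blob)
    if name in supported:
        tag, _, decompress = PACKERS[name]
        return decompress(blob[len(tag):])
    return blob


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def signatures_needed(samples, supported):
    """Distinct hashes the scanner must store to match every sample."""
    return {sha256_hex(unpack(sample, supported)) for sample in samples}


def detects(scanner_db, supported, sample):
    """True if the sample matches a stored signature after the unpack step."""
    return sha256_hex(unpack(sample, supported)) in scanner_db


# The same payload wrapped by each of the three packers.
SAMPLES = [pack(name, PAYLOAD) for name in PACKERS]

# A scanner that only unpacks UPX-like files and stores a single signature
# derived from the UPX-like sample: it misses the other two wrappers.
UPX_ONLY = {"UPX-like"}
UPX_ONLY_DB = {sha256_hex(unpack(pack("UPX-like", PAYLOAD), UPX_ONLY))}

if __name__ == "__main__":
    print("signatures, all packers supported:", len(signatures_needed(SAMPLES, set(PACKERS))))
    print("signatures, UPX-like only:        ", len(signatures_needed(SAMPLES, UPX_ONLY)))
    for name, sample in zip(PACKERS, SAMPLES):
        print(f"UPX-only scanner detects {name}: {detects(UPX_ONLY_DB, UPX_ONLY, sample)}")
```

The unpack step is what turns three different file hashes back into one: a scanner that cannot open a wrapper has to hash the wrapper itself, so every unsupported packer costs one extra signature per malware family.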
AH is able to scan many, many types of runtime packers independent of the unpack engine of NOD32. In other words, NOD32 has a generic unpacker.
Now, now... let's not forget the famous unpack engine of KAV and BD!
There is no such thing as a generic unpacker. You can unpack all packers only at runtime (when it's already in memory in unpacked form). But that may be very difficult to do.
You can emulate a lot of the packers. Some of them still need special unpack plugins (ASPack, ASProtect, Armadillo etc.).
UPX, FSG and the like have static unpack routines, mainly for speed reasons.
Emulating stuff is always slower than unpacking it with a dedicated unpacking function which is optimized for the used algorithms (LZ, APLIB etc.), section handling, and bit-input/bit-output reading and writing. With dedicated unpacking plugins you can also better handle the memory usage, because you can unpack blockwise.