The difference between packed and archives scanning?

Discussion in 'other anti-virus software' started by Firefighter, Mar 7, 2003.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Can someone tell me what is the difference between packed and archives scanning?

    In the Rokop av-test 2/2003 McAfee 7.0 could scan 66/100 packed and Avast 4, only one test later, only 11/100, but Avast 4 could find some 98 000 files from my PC while McAfee 7.0 found only a little bit over 40 000? :eek:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, as you know, an archive is a container holding maybe one or maybe hundreds of files, which together are treated as a single file, the container, providing for easy handling and transmission. An archive may or may not be compressed. The most common tool for handling archives on Windows systems is probably WinZIP. Scanning for malware in an archive file involves being able to access all the files within it.

    A packed file is different. You hear a lot about "packed executable files", especially when you look at AV/AT products. Executable files can be packed by a vast number of different packers, using different methods and algorithms. Packing is generally done to reduce the physical size of the file. But, packing can also be used in an attempt to mask what's in an executable file from a malware scanner. That's why you see so much talk about different unpackers and the power of unpackers within various AV/AT products. A good unpacker can make a huge difference in how well a scanner detects malware inside a packed file.

    The interesting thing about packed executables is that they remain executable in that packed form. They can still be run directly, unlike a file contained in an archive, which must first be extracted in order to gain access to it.

    In many of the posts you've made recently, talking about the AV tests you've run on your system, you've mentioned the "number of files" scanned and how some scanners "find" many more files than others. I believe this is because you've got a number of archives on your system and depending upon whether or not the scanner can access archives, and "how deep" it can access into an archive, you see a difference in the total number of files scanned. While this feature is of some importance, it is not the end all in detecting today's malware, but unpacking may be!

    If you do have packed executables on your system, some malware within them might not be detected if the scanner you are using does not unpack the specific method they have been packed with. The file itself is still seen by the scanner, most likely, but it doesn't understand what's in it if it doesn't know that format.

    Here's one common packer reference site: UPX

    Edit: Firefighter - I'd be interested in hearing how many files get scanned on your system when running the Panda Online AV Scanner (see link to it from our Free Services page). For me, this one scans the most files on my system.

    Best Wishes,
    LowWaterMark
     
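To make the "how deep" point in the previous post concrete, here is an added Python example (it is not code from the thread or from any product mentioned) that builds a constructed three-level nested ZIP and counts how many files a scanner would get to inspect at each recursion depth; the helper names are assumptions.

```python
import io
import zipfile


def build_nested_archive(depth: int) -> bytes:
    """Constructed sample input: (depth + 1) ZIPs nested inside each other,
    each level holding one plain text file next to the next inner archive."""
    payload = b"plain file contents"
    inner = None
    for level in range(depth, -1, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"readme_{level}.txt", payload)
            if inner is not None:
                zf.writestr(f"nested_{level}.zip", inner)
        inner = buf.getvalue()
    return inner


def count_scannable_files(blob: bytes, max_depth: int, depth: int = 0) -> int:
    """Count the files a scanner sees when it recurses into archives at most
    max_depth levels deep (the 'how deep' setting). The container itself
    always counts as one file; its members only count once it is opened.
    The depth limit is also what keeps a scanner from looping forever on
    archives that contain copies of themselves."""
    seen = 1
    buf = io.BytesIO(blob)
    if depth >= max_depth or not zipfile.is_zipfile(buf):
        return seen
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen += count_scannable_files(zf.read(info), max_depth, depth + 1)
    return seen


if __name__ == "__main__":
    sample = build_nested_archive(2)
    for limit in (0, 1, 2, 3):
        print(f"recursion depth {limit}: {count_scannable_files(sample, limit)} files seen")
```

With the same archive on disk, a product that stops at depth 1 reports 3 files while one that recurses fully reports 6, which is the kind of gap behind the differing "files scanned" totals in this thread.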
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To LowWaterMark from Firefighter!

    I have just finished the scan with all best possible settings using Kaspersky 4.05.37, DrWeb 4.29b and Panda Online Scan.

    Kaspersky detected 162 192 files from my PC and the scanning time was 1 h 12 min and 41 sec, DrWeb 106 586 files and the time was 1 h 5 min and 32 sec and finally Panda Online Scan 110 942 files but the time was not measured. :D

    So Panda Online Scan is a little bit better archive scanner than DrWeb and roughly equal to Avast 4 Pro, which was some 5-10 percent better than DrWeb in my earlier scans! :rolleyes:


    "The truth is out there, but it hurts!"


    Best Regards,
    Firefighter!
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Thanks Firefighter! I was interested in seeing just how many files the Panda online scanner could access compared to the other products you've been testing. It's not too bad for just an online scanner. :cool:
     