Unpacking Engine?

Discussion in 'other anti-virus software' started by eb_tide, Jul 21, 2003.

Thread Status:
Not open for further replies.
  1. eb_tide

    eb_tide Guest

    Someone help me out here please? I keep hearing about unpackers like that of KAV, Rav, McAfee, etc.? How important is it to have a good unpacking engine in an AV? Is it necessary in an AV if you have a good AT like BOClean, TDS-3 or TrojanHunter?
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Best unpacker is KAV, then McAfee. RAV is history since it was sold to M$.
    It's always best to use an AV and an AT, but even with TDS for Trojans, it is still great to have KAV's unpackers, huge database and excellent heuristics.
    Some people don't put a lot of interest in an AV's unpacking ability because a good AV should catch a bad guy after it got unpacked. I say, why wait? Get it as soon as I can.
    Kind of a personal choice sort of thing. People tend to look for different things in AV and ATs, so there's always a lot of different opinions.
    I think you will get more answers here. I have had good luck with KAV and TDS, so those are my mainstays.
     
  3. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Attention! (The 'old' misunderstanding... ;) ): This _only_ applies to archived malware, and not to packed/crypted malware, because the latter is unpacked directly into RAM.
    And when talking about "unpackers" lately, people do actually refer to packed/crypted malware... ;)

    That's why an unpacking engine is not just a "gimmick", but quite important for security (especially for trojans.) :)
    Some kind of (weaker) alternative would be a memory scanner - but currently there is no AV, which has one (only some ATs...)
     
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
  5. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    I'm _pretty_ (not absolutely) sure that Dr.Web's memory scanner only scans the _files_ on HD which are at that time active as processes in RAM. At least this is what several AVs do. Unfortunately, it doesn't help against packed/crypted files.
    (Dr.Web has a useful unpacking engine, though...)

    "Real" memory scanners do really scan the (unpacked) _processes_ in RAM - so they will detect nasties in memory, which were originally (as files) packed/crypted. :)
     
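The distinction _anvil draws in posts 3 and 5 (a file signature scan misses a packed sample; an unpacking engine reverses the packer statically, a "weak" memory scanner only re-scans the file behind each process, and a "real" memory scanner looks at the already-unpacked process image) can be shown with a toy model. The following Python is an added illustration, not code from the thread or from any of the AV products named in it; the "packer" (zlib plus a single-byte XOR), the signature string and the ToyProcess class are all constructed for the example.

```python
"""Toy model of file scan vs. unpacking engine vs. memory scan.

Added example for illustration; the packer, the signature and the process
model are constructed and stand in for real packers and real detections.
"""
import zlib

# Constructed signature: the byte pattern a file scanner looks for.
SIGNATURE = b"TOY-SIGNATURE-MARKER"
KEY = 0x5A  # constructed XOR key used by the toy packer


def pack(payload: bytes) -> bytes:
    """Toy 'packer': compress, then XOR every byte so the plain signature
    bytes no longer appear anywhere in the on-disk image."""
    return bytes(b ^ KEY for b in zlib.compress(payload))


def unpack(packed: bytes) -> bytes:
    """What the packer's stub does at start-up: XOR back, then decompress.
    The result is what ends up in the process's memory."""
    return zlib.decompress(bytes(b ^ KEY for b in packed))


def file_scan(data: bytes) -> bool:
    """Plain signature scan over whatever bytes it is handed."""
    return SIGNATURE in data


def unpacking_engine_scan(data: bytes) -> bool:
    """An AV with an unpacking engine recognises the packer and statically
    reverses it before applying signatures; it falls back to a plain scan
    when the data is not packed with a packer it knows."""
    try:
        return file_scan(unpack(data))
    except zlib.error:
        return file_scan(data)


class ToyProcess:
    """Models a running program: the file image on disk versus the image
    the packer stub has already reconstructed in memory."""

    def __init__(self, disk_image: bytes):
        self.disk_image = disk_image
        self.memory_image = unpack(disk_image)


def weak_memory_scan(proc: ToyProcess) -> bool:
    """'Memory scanner' that only re-scans the file backing each active
    process (what post 5 says several AVs do)."""
    return file_scan(proc.disk_image)


def real_memory_scan(proc: ToyProcess) -> bool:
    """Scans the process's actual memory, where the payload is already
    unpacked, so the signature is visible again."""
    return file_scan(proc.memory_image)


def demo() -> dict:
    """Run all four checks against one constructed sample and report."""
    sample = b"harmless header " + SIGNATURE + b" harmless trailer"
    packed = pack(sample)
    proc = ToyProcess(packed)
    return {
        "file_scan_plain": file_scan(sample),
        "file_scan_packed": file_scan(packed),
        "unpacking_engine_packed": unpacking_engine_scan(packed),
        "weak_memory_scan": weak_memory_scan(proc),
        "real_memory_scan": real_memory_scan(proc),
    }


if __name__ == "__main__":
    for check, hit in demo().items():
        print(f"{check:28s} -> {'DETECTED' if hit else 'missed'}")
```

Running it shows the plain file scan hitting the unpacked sample and missing the packed one, the unpacking engine catching the packed file on disk, the file-backed "memory scan" missing it just like the file scanner, and the real memory scan catching it once the process has unpacked itself. A real packer is far more involved than zlib plus XOR, but the relationship between the four checks is the same.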
  6. jdong

    jdong Registered Member

    Joined:
    Jul 21, 2003
    Posts:
    13
    Location:
    At DSLReports...
    No, Dr. Web's memory scanner is 'real'. KAV's is not...

    Dr. Web's scanner actually unpages all active processes and scans through the RAM...
     
  7. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @jdong

    Does the mem-scanner detect packed/crypted malware, which isn't detected by the file-scanner? I am not sure about this... have you tested it?
     
  8. jdong

    jdong Registered Member

    Joined:
    Jul 21, 2003
    Posts:
    13
    Location:
    At DSLReports...
    Anvil, never tested that... In theory, yes... but I am in no mood to pack and unleash malware onto my systems... ;) (and too lazy to start up a VM, too. LOL)
     