To: Esteban who wrote (33658) 4/8/2003 1:30:49 PM
From: mr.mark

"Have you considered that the virus that KAV found could have been a false positive? ... I'm not saying that the Worm.KakWorm hasn't infected that email message. But it is a possibility if KAV is the only program that finds it."

After KAV detected it (and apparently moved it to another tmp location in the quarantine process), NAV started detecting it. It wasn't a false positive. What was interesting is that the infected mail was sent via MS Outlook, and since I use Netscape's email client, Messenger, the worm was not released (unpacked?), nor detected, by NAV. The date on the email was 5/24/00. I placed the email archives on two other operating systems, and I-Worm.KakWorm was discovered in all three locations by KAV.

"Mr. Mark, I didn't realize that scanning inside zip files was not a routine process for all the virus scanners. Perhaps some are just better than others at this task. What I wonder now that you've pointed this out is whether this is a serious deficit with many of the AV programs."

Routine? I can't answer that. But as you suggest, some AVs are much better at it than others, which is precisely the point I was making, and precisely the reason I put KAV on my computers.

One poster (saso badovinac, dated 4/5/03) on grc.security.software had this to say: "Yes, KAV is way ahead with unpackers than everything else. I believe normal antivirus scanners have support for something about 30 unpackers; KAV is, as I know, somewhere at 700+ and adding daily."

Saso's figures are generally supported by the head of anti-virus research at Kaspersky, who said back in October of '02 that KAV supports 671 different archived and compressed file formats. He added, "Archive and compression utilities present considerable problems for modern computer virology. This problem is one of the keys in the battle with new viruses. Virus authors have long known how to, without effort, outwit anti-virus software and thereby widely use compression and encryption methods. Specifically to respond to this we decided to find a different path to defend users against each specific virus modification by supporting utilities used for encryption and compression."

Some folks have been trying to alert Symantec "to the need for improving NAV's unpacker for a long time now, so far without success: but they have promised a LiveUpdate to improve the unpacker, which has yet to appear (still waiting)". Other links for more detailed forum reading can be found by searching "unpackers" at dslreports... dslreports.com

To cut to the chase, take a look at this post (dslreports.com) about a Rokop Security article (rokop-security.de) and examine the testing they have conducted. Note the relative position on the bar graph of KAV and NAV. And keep in mind that these tests were conducted from an unpacking perspective, as opposed to what an AV can or can't do with an infected file once it is unpacked....

"Our test result shows that many software producers are light-years away from providing a software solution that is effectively detecting runtime packed and/or encrypted malware. Programs on the basis of the Kaspersky engine (that is unpacking over 600 different kinds of packing methods according to the software producers' instructions) but also McAfee, RAV and by far Bitdefender and Dr. Web are very auspicious." [excerpted from the Rokop tests]

Randy Bell is a real sharp guy posting on a number of forums... check his contributions on the topic. Randy, like me, has always believed in and preferred NAV, yet he is looking very hard at this unpacking technology problem:

"Many malware, and even legitimate programs, use runtime-packed executables, the most familiar of which is UPX... (but there are many forms of packing besides UPX); in order to detect packed variants of the same malware, without having to add new signatures, an AV must have an unpacker capable of handling the packing format used. For example, Kaspersky has six or seven hundred packing and encryption formats it can recognize. Gladiator Antivirus (GAV) has a good unpacker, as does McAfee, AVK, and other commercial AVs. See Motumbo's thread for further info on AVs and unpackers: (linked above... 'to cut to the chase')."

hth
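The two points in this thread, Esteban's question about scanning inside zip files and Randy's point that a signature for a packed variant is only reachable if the engine has an unpacker for that packing format, as an added Python example. This is editor-written demonstration code, not code from this thread, from KAV, NAV or any product named above. The signature string, the sample payload, the "toy" packer format (zlib plus XOR) and the second, unsupported packer magic are all constructed for the demo; no real packer or virus pattern is used.

```python
import io
import zipfile
import zlib

# Constructed demo signature: a marker string, not any real virus pattern.
SIGNATURES = {b"DEMO-WORM-MARKER-1337": "Demo.Worm.Marker"}

# Hypothetical runtime packer: magic header, then a zlib stream XORed with a key.
TOY_PACK_MAGIC = b"TOYPK\x01"
TOY_PACK_KEY = 0x5A
# Hypothetical packer the scanner can recognise but has no unpacker for.
UNSUPPORTED_PACK_MAGIC = b"OTHRPK\x01"
ZIP_MAGIC = b"PK\x03\x04"

# Constructed sample "infected executable": fake MZ stub plus the marker.
PAYLOAD = (b"MZ\x90\x00\x03\x00 constructed sample body "
           + b"DEMO-WORM-MARKER-1337" + b" trailing bytes")


def toy_pack(data: bytes) -> bytes:
    """Pack the way a runtime packer would: compress, then obfuscate with XOR."""
    compressed = zlib.compress(data)
    return TOY_PACK_MAGIC + bytes(b ^ TOY_PACK_KEY for b in compressed)


def toy_unpack(blob: bytes) -> bytes:
    """Reverse toy_pack; this is the per-format 'unpacker' an AV engine needs."""
    body = blob[len(TOY_PACK_MAGIC):]
    return zlib.decompress(bytes(b ^ TOY_PACK_KEY for b in body))


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_flat(data: bytes) -> list:
    """Signature-only scan: substring match on the bytes exactly as given."""
    return [name for sig, name in SIGNATURES.items() if sig in data]


def scan_deep(data: bytes, depth: int = 0, max_depth: int = 4) -> dict:
    """Scan, then recurse into every container whose format we can open.

    Returns {"hits": [...], "unscannable": n}. 'unscannable' counts blobs that
    were recognised as packed/archived but not opened, either because the
    packer is unsupported or because the nesting limit was reached.
    """
    result = {"hits": scan_flat(data), "unscannable": 0}
    is_container = data.startswith((TOY_PACK_MAGIC, ZIP_MAGIC))
    if data.startswith(UNSUPPORTED_PACK_MAGIC) or (is_container and depth >= max_depth):
        result["unscannable"] += 1   # known format but no unpacker, or nested too deep
        return result
    if not is_container:
        return result
    if data.startswith(TOY_PACK_MAGIC):
        inner = [toy_unpack(data)]
    else:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            inner = [zf.read(info) for info in zf.infolist()]
    for blob in inner:
        sub = scan_deep(blob, depth + 1, max_depth)
        result["hits"].extend(sub["hits"])
        result["unscannable"] += sub["unscannable"]
    return result


def demo() -> dict:
    """Same payload in several shapes; only the unpacker-aware scan keeps finding it."""
    packed = toy_pack(PAYLOAD)
    archived = make_zip({"attachment.exe": packed, "readme.txt": b"hello"})
    foreign = UNSUPPORTED_PACK_MAGIC + packed[len(TOY_PACK_MAGIC):]
    return {
        "flat_plain": scan_flat(PAYLOAD),
        "flat_packed": scan_flat(packed),
        "deep_packed": scan_deep(packed),
        "deep_archived": scan_deep(archived),
        "deep_foreign": scan_deep(foreign),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14} {outcome}")
```

The flat scanner matches the plain payload and nothing else: once the same bytes are run through the packer, or dropped into a zip, the signature is simply not in the file as stored. The deep scanner gets it back only because it knows the two container formats; the same payload under the unsupported magic produces no hit, and the only honest thing the engine can do there is report "recognised as packed, could not open" rather than stay silent, which is the practical check to ask of any AV: does it tell you what it could not unpack? The depth limit is there because recursion into nested archives is also how a scanner gets blown up by a zip bomb.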