Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: RejZoR on August 25, 2004, 06:26:23 PM

Title: Basic heuristics for Standard Shield?
Post by: RejZoR on August 25, 2004, 06:26:23 PM
I know that avast! cannot perform heuristic analysis on files yet, but detecting non-standard packers could be a first step into this area.

This won't be a full heuristic solution, but the majority of viruses/worms use modified packers. You'd get a warning about a potentially dangerous file and you could then send it to the Chest or to Alwil.

I got this idea when I was playing with some trojan sample that was using a modified UPX packer...
Title: Re: Basic heuristics for Standard Shield?
Post by: igor on August 25, 2004, 07:27:59 PM
Erm... how do you define a non-standard packer?
Title: Re: Basic heuristics for Standard Shield?
Post by: RejZoR on August 25, 2004, 07:45:49 PM
The one which is modified/hacked.
Title: Re: Basic heuristics for Standard Shield?
Post by: igor on August 25, 2004, 08:18:14 PM
How can you tell that a file was modified if you don't know its original state?
Title: Re: Basic heuristics for Standard Shield?
Post by: RejZoR on August 25, 2004, 08:20:06 PM
If the UPX compressor/decompressor program can detect this, then I'm pretty sure avast! can also. Along with other packer methods.
Title: Re: Basic heuristics for Standard Shield?
Post by: igor on August 25, 2004, 08:32:02 PM
It depends on how "well" the modification is done; heavily modified programs aren't detected by UPX as UPX at all. Additionally, even "legal" programs are (for some reason completely unknown to me) packed by UPX scramblers occasionally.

Well, in general it's an interesting idea... but a real implementation wouldn't be easy, and I'm not sure about the results.
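To make the exchange above concrete, here is an added example (not code from avast!, Alwil or the UPX project) of the kind of "modified UPX" heuristic RejZoR proposes and igor questions. Stock UPX leaves two well-known marks in a packed PE: section names UPX0/UPX1 and the "UPX!" magic at the start of its packed-file header. The script parses the PE section table, checks for those marks, and reports "modified" when only some of them survive, which is what a scrambler that renames sections or patches the magic leaves behind. The verdict names, the thresholds and the four in-memory PE images are constructed for the demo; the magic is found by a plain byte search, which is crude and can mis-fire on an unpacked binary that merely contains the string.

```python
import struct

# Real UPX conventions: section names and the packed-header magic.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"
OPT_HEADER_SIZE = 224  # PE32 optional header size; content is zeroed in the demo


def build_pe(sections, with_magic):
    """Constructed, minimal PE32 image for the demo: DOS stub, PE/COFF header,
    zeroed optional header, section table and raw section bodies.
    `sections` is a list of (name, raw_size); the first section that has raw
    data receives the UPX magic when `with_magic` is set."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       OPT_HEADER_SIZE, 0x0102)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 optional-header magic
    raw_ptr = e_lfanew + 4 + len(coff) + OPT_HEADER_SIZE + 40 * len(sections)
    table, bodies, magic_done = b"", b"", False
    for name, raw_size in sections:
        body = bytearray(raw_size)
        if raw_size and with_magic and not magic_done:
            body[:len(UPX_MAGIC)] = UPX_MAGIC
            magic_done = True
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenumbers (unused here), Characteristics
        table += struct.pack("<8sIIIIIIHHI", name, raw_size or 0x1000, 0,
                             raw_size, raw_ptr if raw_size else 0, 0, 0, 0, 0, 0)
        bodies += body
        raw_ptr += raw_size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + bodies


def parse_sections(data):
    """Return [(name, size_of_raw_data, pointer_to_raw_data)] from the section
    table, validating the DOS and PE signatures first."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0"), raw_size, raw_ptr))
    return out


def classify(data):
    """Heuristic verdict (labels are this demo's own):
      'upx-standard' : UPX section names, the UPX! magic and an empty UPX0
                       (stock UPX layout) are all present
      'upx-modified' : only some of those marks survive, as after a scrambler
                       renamed sections or patched the magic
      'no-upx-marks' : nothing UPX-like; unpacked, or modified so heavily that
                       nothing identifies the packer any more"""
    secs = parse_sections(data)
    upx_names = [n for n, _, _ in secs if n in UPX_SECTION_NAMES]
    has_magic = UPX_MAGIC in data  # crude byte search, see caveat in the lead-in
    upx0_empty = any(n == b"UPX0" and raw == 0 for n, raw, _ in secs)
    marks = (len(upx_names) >= 2, has_magic, upx0_empty)
    if all(marks):
        return "upx-standard"
    if any(marks):
        return "upx-modified"
    return "no-upx-marks"


# Constructed sample images, not real binaries.
SAMPLES = {
    "stock_upx": build_pe([(b"UPX0", 0), (b"UPX1", 64), (b".rsrc", 16)], True),
    "renamed_secs": build_pe([(b".text", 0), (b".data", 64), (b".rsrc", 16)], True),
    "magic_stripped": build_pe([(b"UPX0", 0), (b"UPX1", 64), (b".rsrc", 16)], False),
    "plain_exe": build_pe([(b".text", 64), (b".data", 16)], False),
}


def main():
    for label, image in SAMPLES.items():
        print(f"{label:15s} -> {classify(image)}")


if __name__ == "__main__":
    main()
```

The "renamed_secs" and "magic_stripped" images are the cases the heuristic can catch: one mark was removed and the other left in place, so the file is inconsistent with both a stock UPX output and an unpacked binary. A scrambler that removes every mark lands in "no-upx-marks" together with ordinary executables, which is exactly igor's objection: without a known original state there is nothing left to compare against, and legitimate software run through the same scramblers would trip the same check.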