Scan of executable and Macro Virus

[Dirkuschka]

Hello,

now I have a problem with english so I try it first in german.

Entdeckt Avast4 laufzeitkomprimierte Malware, wenn Sie im Arbeitsspeicher entpackt wird?

Now I try to explane the same in english.

There is malware they are packed like zip but they aren`t zip they are executables. They don`t start directly in the moment when you double klick them. First they are going to the RAM and there they will unpack. Now they are starting with the destruction of the PC. When I read AV-Tests than the wrote that avast only found less then a few (<20%) of this kind of malware.  I´m not sure if the tests are right, because they scan the harddisk and not the RAM.

My question is: Found Avast4 this kind of malware in the RAM?

Another question is about Macros. At another "test" Avast is not able to find all Macro Virus (nearly 50%) wich are enbedded in OLE documents like a Excel sheet in a Word dokument. But here they are scanning the harddisk with an inactive malware. Found Avast this kind of malware when I open an infected document?
And the next question about this is, if I´m secure if I use OpenOffice.org or another office solution than MS Office? (Without an Antivirus software aginst this kind of malware?)

Thanks and best regards

Dirk

You can find an example "test" at http://www.rokop-security.de/main/article.php?sid=499
and s**** I lost the link of the other test.

[raman]

Okay, we speak german! Even if VLK do not like it!;)

Der Test von Rokop ist ja schon relativ alt. Er hatte noc die 4.0 getestet, inzwischen gibt es schon die 4.1, die in gewissem masse solche Dateien entpacken kann(ASpack, UPX >0.7x, peprotect(?)) Wie gut die Erkennung von Malware im Speicher ist, kann ich nicht beurteilen, nur wid es die Malware, die es als "Generic" bezeichnet wohl nicht im Speicher finden. Aber das ist ein Problem, was so ziemlich alle AV-Programme haben, auch Kaspersky.
Aber es ist ja auch Sinn eines Scanners die infizierten Dateien vorher zu finden.

In Sachen Macroviren muessteest du wohl weiter ausholen. AVASTs Macrovirenerkennung ist nicht schlecht,in wie weit es durch die komplette OLE Struktur inclusive eingebetteter Exedateien und anderer eingebetteter OLE Objekte  kommt, muesste man mal testen. Denn OLE ist Microsoft und Microsoft ist kompliziert und unlogisch!;)
Wichtig ist, das du die "scan level" auf Thorough setzt.

But i think IGOR is able to answer your questions ask in english, too.

[igor]

I would put it this way: if you find the virus in RAM, then it's too late. It means that the virus is already active and may have caused damage. So, it's important to detect the virus before it actually unpacks to memory and starts.

There are many executable packers that make it possible to compress executable files as described. To detect malware in a packed executable file, the antivirus has to
1. be able to unpack this kind of packer, i.e. "see" inside of the archive
or
2. have the signature of the packed file in its virus database.

Recently (in avast! 4.1), the most common packers - mainly UPX and AsPack - are supported. It means that avast! is able to look inside the archives. Therefore, it should be able to detect malware packed this way.
However, to keep even the older versions of avast! updated, even the signatures of the packed versions are added to the virus database - if they really spread in this form. So, avast! should be able to detect In-The-Wild variants of malware, no matter what it's packed with (and no matter if you have scanning of archives switched on or off).

From this point of view, the mentioned test is questionable - you can pack a virus file with a rare packer and get a file that the antivirus won't be able to detect. However, this is "your variant" of the malware - not the one present in the wild and threatening the people (unless you spread your new variant to public, of course). Sure, the support for various packer makes it possible to detect new "variants" of older malware earlier, before the virus database is updated with the newly packed ones.

If I should return to the original question - whether avast! would detect the malware in RAM (when it does't find it in files) - I must say I don't know. Btw, most of the antiviruses today don't scan RAM at all - they say they are scanning memory, but they are actually scanning the corresponding files instead. You can make avast! scan the real memory (by creating a special new task from the Enhanced User Interface and selecting "Memory" as the area to scan) - and avast! may be able to detect the unpacked variants - but as I said, it's too late in fact.

As for the OLE objects - the problem is quite similar. There is no difference between scanning the files "on demand" and scanning them when the document is opened. In both times, the file is scanned - before the Office application is allowed access. If you would wait until the document is loaded into the application - it's too late again.

[Dirkuschka]

Hello,

many thanks for the detailed information.

Best regards

Dirk

[Lisandro]

Actually, avast! can handle the following packers:

ACE, ARC, ARJ, AsPack, BZIP, BZIP2, CAB, DOS executables and Win32 executables (UPX, GZIP archives, LHx, MAPI files (*.pst), MIME, NTFS stream, PEProtect), PEShield, RAR, self-extracting, TAR, UPX, ZIP, ZOO

Hope this help in anyway. Thanks Igor for your good explanation...