Author Topic: Avast! and unpackers.  (Read 5639 times)

Del

  • Guest
Avast! and unpackers.
« on: February 14, 2004, 02:41:15 PM »
This could well be a silly question but.....
does Avast give a warning when it scans a UPX file, or any packed file for that matter?
I'm sure I once downloaded a UPX packed file, scanned it with Avast and received a warning, but yesterday I downloaded the UPX packed Trojan simulator from www.misec.net/trojansimulator/ and nothing was shown.

BTW Neither Avast nor F-Prot detected it as suspicious but StartupMonitor from www.mlin.net asked me to confirm if I wanted it to run at the next boot. I highly recommend this little proggy; you won't even know it's on your computer.

I use Avast home edition.

Avast is THE anti-virus.

Culpeper

  • Guest
Re:Avast! and unpackers.
« Reply #1 on: February 14, 2004, 07:57:19 PM »
Yes.... http://www.avast.com/i_idt_1018.html

Thanks for the link to the other program!
« Last Edit: February 14, 2004, 07:57:31 PM by Culpeper »

Del

  • Guest
Re:Avast! and unpackers.
« Reply #2 on: February 14, 2004, 09:09:46 PM »
Thanks for the reply Culpeper. Did you mean: Yes, this is a silly question? :)

What I meant (but don't think I explained well enough) was: Do you get an on screen warning if any of these methods of packing are used?

Also, do legitimate programs use these forms of packing?
« Last Edit: February 14, 2004, 09:20:42 PM by Del »

Culpeper

  • Guest
Re:Avast! and unpackers.
« Reply #3 on: February 15, 2004, 12:22:01 AM »
There is no such thing as a silly question.  

Avast:

Scanning inside packed executables*

* PKLite, Diet, UPX, AsPack, PeShield, PeProtect.

You should get a warning when an infected packed exe is scanned.

Packing is legitimate.  It's not exclusive to the bad guys only.
« Last Edit: February 15, 2004, 12:23:09 AM by Culpeper »

pk

  • Avast team
  • Super Poster
  • Posts: 2078
Re:Avast! and unpackers.
« Reply #4 on: February 15, 2004, 03:24:22 AM »
> does Avast give a warning when it scans a UPX file, or any packed file for that matter?
> I'm sure I once downloaded a UPX packed file, scanned it with Avast and received a warning, but yesterday I downloaded the UPX packed Trojan simulator from www.misec.net/trojansimulator/ and nothing was shown.

What type of warning?
If WinExec archive scanning was ON you can see which layers were decrypted (e.g. ...EXE\[UPX]\[AsPack]\[UPX]...) - some viruses or normal applications are encrypted in more envelopes.

At present, we're not able to unpack all hacked/modified variants of UPX.

Del

  • Guest
Re:Avast! and unpackers.
« Reply #5 on: February 15, 2004, 09:40:47 AM »
I've been using Avast (and loving it) since September '03 and my memory isn't what it should be; but I remember downloading a .zip file to my desktop and, as I always do, I right clicked it, scanned with 'Avast Quick Scanner' and in the 'Final Statistics For Last Scan' box had the name of the file followed by '[UPX]'

As I say this was a while ago but I believe that is what happened. I took it as a warning but perhaps it was given in a previous version of Avast simply for information. As both of you say packers are used for legitimate reasons then I guess I am worrying unnecessarily.

Thanks to both Culpeper and PK for your replies.

pk

  • Avast team
  • Super Poster
  • Posts: 2078
Re:Avast! and unpackers.
« Reply #6 on: February 15, 2004, 01:07:53 PM »
Hm, I downloaded the latest TrojanSimulator and I got this result:

C:\zz\Debug>ashcmd /t=a /a /_ c:\a
c:\a\Readme.txt OK
c:\a\TrojanSimulator.exe        OK
c:\a\TSServ.exe\[UPX]   OK
c:\a\TSServ.exe OK

As you can see, TrojanSimulator.exe is not packed with UPX (it isn't, really) but TSServ.exe is.

We know winexec compressors are used mostly in trojans (mainly upx/aspack/...). We've improved the AsPack unpacker (for unknown versions, more robust generally) and it'll be available (sometime) in v4.2. I hope I find time to improve UPX as well.
« Last Edit: February 15, 2004, 01:09:16 PM by pk »
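
An added example, not part of the thread and not Avast's code: a static check for the usual signs that a PE file is UPX-packed, the kind of identification that sits behind a "[UPX]" layer label in a scan report. The function names, the indicator labels and the three sample images are constructed for illustration; the third sample shows why name-based checks alone miss modified variants.

```python
import struct

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names written by stock UPX

def pe_sections(data):
    """Return [(name, virtual_size, raw_size)] from a PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # NumberOfSections at +6, SizeOfOptionalHeader at +20 from the signature
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    table = pe_off + 24 + opt_size
    secs = []
    for i in range(nsect):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        secs.append((name.rstrip(b"\0"), vsize, rsize))
    return secs

def upx_indicators(data):
    """List the UPX packing indicators present; empty list means none found."""
    secs = pe_sections(data)
    hits = []
    if any(name in UPX_NAMES for name, _, _ in secs):
        hits.append("section-name")
    if b"UPX!" in data:
        hits.append("magic")
    # Heuristic: the first section occupies memory but no bytes on disk
    # (UPX0 is filled at run time). Survives renaming, can false-positive.
    if secs and secs[0][2] == 0 and secs[0][1] > 0:
        hits.append("empty-first-section")
    return hits

def make_pe(sections, tail=b""):
    """Constructed sample: headers only, not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIII", n, vs, 0x1000 * (i + 1), rs, 0) + b"\0" * 16
        for i, (n, vs, rs) in enumerate(sections))
    return dos + coff + table + tail

# Constructed inputs: stock UPX layout, an unpacked layout, and a layout with
# the names and magic changed (a negative name check does not prove "unpacked").
PACKED = make_pe([(b"UPX0", 0x8000, 0), (b"UPX1", 0x4000, 0x3E00)], b"UPX!")
PLAIN = make_pe([(b".text", 0x2000, 0x1E00), (b".data", 0x1000, 0x200)])
RENAMED = make_pe([(b".aaa", 0x8000, 0), (b".bbb", 0x4000, 0x3E00)])
```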

Del

  • Guest
Re:Avast! and unpackers.
« Reply #7 on: February 15, 2004, 01:33:03 PM »
Thanks for your answer pk.
I guess that your reply answers my question if only one file was packed.

Could I thank you and Culpeper for your help, it is much appreciated.

Keep working on those upgrades, Avast just gets better!

I've lurked here since I installed Avast and the help provided by these forums is excellent.

Del