I have uploaded around 800 viral files to Avira, and I think I have to say something before the new AntiVir 8 series.
The first thing is AntiVir really needs more unpacking support. I'm a Chinese user of AntiVir, and I think you guys should know the number of various viruses in China. I saw some videos on the internet about how to let your trojans bypass the antivirus software; almost all of them will encrypt the viral files, but AntiVir can't even unpack some mass-use packers, such as Nspack and Nsanti (AntiVir detects every file packed by Nsanti as crypt.nsanti.gen, and detects every viral file packed by Nspack as heur/crypted or PCK, what a "crap", sorry about my words). I think Avira should try to use a virtual unpacking machine, just like what ESET NOD32 and BitDefender have, or get some support from Kaspersky or Dr.Web (I know you guys have a good relationship with Kaspersky). KAV and Dr.Web are unpacking monsters. Hope you guys can get rid of tr/crypted.****.gen, these kinds of detections, in the AntiVir 8 series.
Second thing is self-protection. AntiVir 7 series can easily be terminated by Windows Task Manager. I heard some people said you guys will make self-protection in AntiVir 8; just want to give you guys a clue: don't try to stop tools stopping your process (Kaspersky on this thing is really stupid, I can stop Kaspersky with IceSword). Look at what NOD32 does: rebuild your process after the process has been terminated, just like what those viruses did. Make a Win32 service, scan whether the process is protected, and if the process disappears, rebuild it, that's all. Some viruses will only try to stop the process once; unless the viruses stop your service, it can never terminate your process.
Third thing is the signatures. Hope you guys can be more serious when you add a signature into the database; the false alarms are horrible. I uploaded two files to Avira, it detected the viral file as downloader.aww.1, ok that's fine, but I uploaded two files, one is the file I fixed already; you guys detected the clean file I fixed as downloader.aww and the viral file as aww.1. What the hell, that clean file is called qqgame.exe. I uploaded it and hoped you guys would fix the false alarm; you guys just reported back to me that it was a damaged file. OMG, I know this file can't run individually, so I gave you guys the download URL and hoped you guys could download it and fix the false alarm, but you guys didn't. This file is one of the most famous game platforms in China; our forum received tons of reports about this after the update, and the only thing I can do is tell them to add an exception, sigh..
So I really want a space to add a comment on the uploading page, and you guys should look at the comments more seriously. Last week AntiVir falsely detected our forum web pages as html/spy.agent.tre. I uploaded the file on Friday, you guys soon reported back that it was a false positive, but didn't remove it from the database that day. OK, I uploaded it 5 times again on Saturday and Sunday, got replies about the false alarm five times, but it was still in the database. And on Monday, I deleted something from the files so it changed size and MD5 value, uploaded it again, under analysis, and it was removed that Monday night. I'm wondering whether you guys really looked at the file again on Saturday and Sunday, or just replied by the analysis machine. And this false alarm really hurt the users; even if they use the free products, this false alarm is unpardonable, so lots of them have now moved to Avast Home, free as well, not too bad detection rate, with fewer false alarms, and this is how you guys lost the potential customers.
Fourth thing is the firewall. The security suite's firewall is really crap (sorry about my words again); however, I don't mind about it, because I never use a firewall and HIPS, these things make me click on yes or no the whole day and really make me sick, but what about the customers who bought the product? Comodo Firewall is free, but look at what score they got on the leak test.
Eventually, I'm not trying to piss you off, please just think about these things. I know nothing can be perfect in this world, but at least you guys should try, don't you? Kaspersky is just like what it pronounces in Chinese: lag your computer and crash your machine, and their emulator in the 7 series makes this even worse. NOD32, because of the heuristics they use, they have to unpack every sample they got to get the signature, or their detection will be funny if there is a packer signature in their database, so the response time of their product can be up to a month. BitDefender also slows down the computer, and Dr.Web costs too much time on unpacking the files and lags the computer as well...
I'm thinking whether I should only use Symantec Ghost right now.
Hope you guys have a great day at last, thanks for reading my complaint.
Original thread link: http://forum.antivir.de/thread.php?threadid=22082
I think the Avira people have managed to anger mofunzone. Look at their reply about packer-based detections: it is practically a copy of the earlier reply to M! It seems Avira can't even be bothered to type out an explanation of packer detections any more and just replies in machine language.
Quote: Originally posted by Stefan Kurtzhals
Unpacking won't solve every problem. Keep in mind you can easily combine several layers of packers so that neither NOD32, KAV, BD, Dr.Web nor anyone else can unpack or emulate them.
And what good is being able to unpack some modified variant of a packer, if the emulation takes more than 60 seconds? The scan speed of NOD32 on malware collections with enabled adv. heuristic is horrible, like 100 times slower than AntiVir. Do you think it's really worth it to pay this price just to have "nicer" or more exact detection?
Besides, KAV, NOD32, BD and Dr.Web all also started to add packer/crypter based detections, or are already doing so for a long while. Peed.Gen, Packer.Morphine, Packer.Win32.CryptExe, Win32.Pacex.Gen and so on and so on. Heck, tell me any antivirus program which is *not* doing this by now!
So again, it's good to have lots of unpacking and good emulation but it won't solve all the detection problems. Malware authors still can bypass the detection if they want to and put enough work into it.
OK,
I kindly accept your opinion.
But just as what you said, unpacking can't solve everything, but at least AntiVir should have some basic ability to unpack files.
Just to give you an example of how I bypass AntiVir easily:
AntiVir just got an engine update this morning and enhanced the polymorphic virus detection, but check this out, what a joke.
The only tool I need is ASPack.
I pack this file two times, and AntiVir detects nothing.
I just want to say, please please get some support from Kaspersky. I don't care how many pack detections you guys added to the engine, but file unpacking is still the best way to solve the problem.
original file download:
http://www.freewebtown.com/mofunzone/antivir/original.rar
packed file download:
http://www.freewebtown.com/mofunzone/antivir/packed.rar
I will post the detection result here, because I have already uploaded this file to AntiVir; you guys will add the signature to the database soon, I know that.
Starting the file scan:
Begin scan in 'C:\Documents and Settings\morgan\My Documents\packed.rar'
C:\Documents and Settings\morgan\My Documents\
packed.rar
[0] Archive type: RAR
--> 123.exe
Begin scan in 'C:\Documents and Settings\morgan\My Documents\original.rar'
C:\Documents and Settings\morgan\My Documents\
original.rar
[0] Archive type: RAR
--> 123.exe
[DETECTION] Contains code of the Windows virus W32/HLLW.Starfil
[WARNING] Infected files in archives cannot be repaired!
[WARNING] The file was ignored!
End of the scan: 2007年5月16日 21:58
Used time: 00:06 min
The scan has been done completely.
0 Scanning directories
4 Files were scanned
1 viruses and/or unwanted programs were found
0 classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
3 Files not concerned
2 Archives were scanned
2 Warnings
0 Notes
0 Hidden objects were found
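The two sides above disagree on whether a scanner should unpack or merely fingerprint packers. As an added example (not from the thread, Avira, or any other vendor), this stdlib-only Python check parses a PE section table and reports the two signals a generic "crypted" heuristic leans on: known packer section names (ASPack's .aspack/.adata, UPX's, NSPack's nsp0/nsp1) and near-random raw section data measured by Shannon entropy. The name list, the 7.0 threshold and the inline sample PE are assumptions; the sample is a minimal header plus section table rather than a runnable executable, and the entropy signal stays high however many packer layers are stacked, which is why it fires where a signature for the inner file does not.

```python
import math
import struct

# Section names that common packers leave behind (ASPack's are the ones argued about in this thread).
PACKER_SECTION_NAMES = {b".aspack", b".adata", b"UPX0", b"UPX1", b"nsp0", b"nsp1"}

def shannon_entropy(data):
    # Bits per byte: 0.0 for empty or constant data, 8.0 for a uniform byte distribution.
    n = len(data)
    probs = [data.count(b) / n for b in set(data)]
    return -sum(p * math.log2(p) for p in probs) if n else 0.0

def pe_sections(blob):
    # Yield (name, raw_bytes) per section header; only the fields the packer check needs are parsed.
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0] if blob[:2] == b"MZ" and len(blob) >= 0x40 else -1
    if pe_off < 0 or blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    table = pe_off + 24 + struct.unpack_from("<H", blob, pe_off + 20)[0]  # skip the optional header
    for i in range(num_sections):
        hdr = table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield blob[hdr:hdr + 8].rstrip(b"\0"), blob[raw_ptr:raw_ptr + raw_size]

def packer_indicators(blob, entropy_threshold=7.0):
    # Reasons a generic "packed/crypted" heuristic would fire; an empty list means nothing suspicious.
    reasons = []
    for name, raw in pe_sections(blob):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"{name.decode()}: known packer section name")
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            reasons.append(f"{name.decode()}: raw data entropy {ent:.2f} >= {entropy_threshold}")
    return reasons

def build_sample_pe(sections):
    # Constructed test input: MZ stub + COFF header (SizeOfOptionalHeader=0) + section table + raw data.
    pe_off, ptr = 64, 64 + 24 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    hdrs, body = b"", b""
    for name, raw in sections:
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(raw), 0, len(raw), ptr, 0, 0, 0, 0, 0)
        body, ptr = body + raw, ptr + len(raw)
    return dos + coff + hdrs + body

# Constructed samples: a plain binary, and one whose ASPack-style section holds uniformly distributed bytes.
PLAIN_SAMPLE = build_sample_pe([(b".text", b"\x90" * 256), (b".data", b"hello world\0" * 32)])
PACKED_SAMPLE = build_sample_pe([(b".text", b"\x90" * 64), (b".aspack", bytes(range(256)) * 16)])
```

Point `packer_indicators` at the bytes of a real file to see which of the two signals a packer-based generic detection would be keying on; a file that trips neither is what a signature for the unpacked payload has to cover.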
The foreigners are a bit too sure of themselves; this view is exactly the same as the one 费尔 (Filseclab) held back in the day...
- Sorry if I am missing the point here, but packed malware poses no threat unless unpacked.
- If it can be detected upon unpacking then there is no problem. Detection of packed malware is just a bonus.
- Steve
[ This post was last edited by buycard on 2007-5-18 11:15 ]