AntiVir首席技術指導Stefan Schiffert對脫殼的看法
Stefan Schiffert 的回覆:(原文)
Unpacking won't solve every problem. Keep in mind you easily cancombine several layers of packers so that neither NOD32, KAV, BD,Dr.Web or anyone else can unpack nor emulate them.
And what good is being able to unpack some modified variant of apacker, if the emulation takes more than 60 seconds? The scan speed ofNOD32 on malware collections with enabled adv. heuristic is horrible,like 100 times slower than AntiVir. Do you think it's really worth topay this price just to have "nicer" or more exact detection?
Besides, KAV, NOD32, BD and Dr.Web all also started to addpacker/crypter based detections, or are already doing so for a longwhile. Peed.Gen, Packer.Morphine, Packer.Win32.CryptExe,Win32.Pacex.Gen and so on and so on. Heck, tell me any antivirusprogram which is *not* doing this by now!
So again, it's good to have lots of unpacking and good emulation but itwon't solve all the detection problems. Malware authors still canbypass the detection if they want to and put enough work into it.
----------譯文----------
脫殼不能解決全部的問題。請記住你可以輕鬆的進行多層的加殼這樣不管nod32,kav,bd,dr.web或其他的軟體甚至是有模擬器功能的軟體都不可以對他們進行脫殼。(themida就是其中之一)
如果模擬器用了超過60秒鐘的時間來進行脫殼,有什麼好處嗎?(nod32永遠的痛)nod32在開啟高啟發之後在進行大量病毒掃描的時候速度十分的糟糕,甚至於100倍慢於antivir。你真的認為值得支付這樣的代價來取得更“好”或者準確的偵測嗎?
順便說一句,kav,nod32,bs和dr.web都開始在基礎偵測中加入報殼,或者已經使用了很久了。peed.gen(bitdefender的),packer.morphine(antivir的),packer.win32.cryptexe(kav的),win32.pacex.gen(nod32的)和其他很多很多。這樣吧,請告訴我哪個殺毒軟體現在“沒有”這樣做!
所以再次的,擁有大量的脫殼和好的模擬器是很好的,但是並不能解決偵測問題。病毒製造者一樣可以免殺,如果他們放入足夠的精力來做的話
沒錯不需要猜了,AntiVir確實會報殼,不過有部分說法我認同他的說法,只是我認為,報殼不能隨便報AntiVir亂報殼實在太過於過火,誤報實在太高,AntiVir解殼實力也過於太低了....未來還是要加強解殼部分...我也認為解毒能力也必須大大改善..... |
发表于 2007-5-24 19:39:56
不知道那几个坚持结构启发、高技术的高人还有什么其他说法没有。