Original antivirus test

In this short article I will shed light on some peculiarities of signature-based antivirus detection, and also explain why software authors need to be careful when choosing a packer if they do not want to tarnish their own reputation and that of their program.

A couple of days ago, without planning to, I ran an interesting antivirus test. It all started when, wandering through forgotten folders on my drive, I came across a couple of trojans. Back in 2004 I had already run an antivirus test; the scan results can be seen there in my posts and in the posts of other users. At that time I took a couple of trojans and several programs that modify a binary (various packers and similar tools; the full list is given at the end). So I got the idea to see what would be detected 7 years later.

Unfortunately, I no longer had the original test set, only parts of it, but that turned out to be enough for an experiment and some conclusions. Scans were run at www.virtest.com, which in theory should guarantee that the results are current.

The first surprise came when I checked the DTr trojan in its original form. The original trojan file is packed with UPX. Scan result: of 41 antiviruses, only 2 (eTrust and AVL) failed to detect it. Then I checked the unpacked file of the same trojan (also supplied by its author). This time only 31 of 41 caught it. A reasonable question arises: what do antivirus laboratories actually add to their databases from a sample, if detection can be bypassed so simply? After all, there are plenty of UPX unpackers.

Then I tested the Pinch trojan, processed with the various packers and other tools from that same old year 2004. The result (number of antiviruses that detected the trojan out of the total number of antiviruses):

Having studied some of the antivirus reactions, I concluded that they were complaining about the use of a packer more than about the trojan's signature. For example, here is one entry:
ClamWin Pinch_1.exe PUA.Packed.ASPack
or this one:
Webroot Pinch.exe Sus/UnkPacker
It could not unpack the file, so it complains about that.

I remembered that Pinch shipped with the fsg packer. I also remembered how, at one seminar, a VBA32 representative said that in some cases the packer itself is added to the database, if there is confidence that the packer is not widespread and is used specifically to hide the virus's signature. According to that virus analyst, such packers are often written by virus writers themselves. There is some truth in this, especially if you remember how widespread various "file crypters" once were.

My next experiment: take a harmless program and run it through various packers. As the "victim" I chose the ArpBuilder program that I wrote.

Result:
  1. After PeCompact, ClamWin complained.
  2. After fsg, 24 antiviruses complained.

For this reason I recommend that programmers scan their "brainchild" after running it through a packer. Otherwise it may tarnish the reputation of your software, and you will have to spend a long time explaining that "a misunderstanding has occurred". In my observation, such problems do not arise with UPX.
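As an added example (not part of the original article, and not code from any of the tools listed here), the script below does the kind of packer check a scanner runs on a binary: it parses the PE section table, matches section names that well-known packers leave behind (the UPX and ASPack names are documented; the list is illustrative and an assumption of this example), and measures the Shannon entropy of executable sections, since compressed or encrypted code looks nearly random. The PE images it scans are constructed in memory as stand-ins and are not loadable binaries. Running the same check over your own program after packing shows whether it carries the indicators that drew the complaints above.

```python
import math
import random
import struct
from collections import Counter

# Section names commonly left behind by packers. Illustrative list (an
# assumption of this example): UPX and ASPack names are well documented.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
}
ENTROPY_THRESHOLD = 7.0          # bits per byte; compressed data sits near 8
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (name, characteristics, raw_bytes) for each section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append((name, chars, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes):
    """List human-readable reasons a heuristic scanner would flag the file as packed."""
    findings = []
    for name, chars, raw in parse_sections(pe):
        label = name.decode(errors="replace")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"section {label} matches {PACKER_SECTION_NAMES[name]}")
        ent = shannon_entropy(raw)
        if chars & IMAGE_SCN_MEM_EXECUTE and ent > ENTROPY_THRESHOLD:
            findings.append(f"executable section {label} has entropy {ent:.2f}")
    return findings


def build_pe(sections):
    """Assemble a minimal PE32 image from (name, characteristics, data) tuples.
    Constructed test input: enough header to parse, not a runnable executable."""
    opt_size = 0xE0
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF   # align raw data to 512 bytes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                             raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (raw_ptr - len(image))
    return bytes(image + body)


def demo():
    """Scan a constructed 'clean' image and a constructed UPX-style image."""
    rng = random.Random(7)
    plain = b"mov eax, eax; " * 300                         # low-entropy stand-in for code
    packed = bytes(rng.getrandbits(8) for _ in range(4096))  # high-entropy stand-in
    clean = build_pe([(b".text", 0x60000020, plain),
                      (b".data", 0xC0000040, b"\0" * 512)])
    upx_like = build_pe([(b"UPX0", 0xE0000080, b""),
                         (b"UPX1", 0xE0000040, packed)])
    return packer_indicators(clean), packer_indicators(upx_like)


if __name__ == "__main__":
    for label, findings in zip(("clean", "upx-like"), demo()):
        print(label, findings or "no packer indicators")
```

To check a real file, replace the constructed images with `open(path, "rb").read()` and call `packer_indicators` on it; an empty list means neither known packer section names nor near-random executable sections were found, which is exactly what a scanner that "complains about the packer" is reacting to.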

For those who want to run similar experiments, here is the list of programs used (some of the software on its sites has been updated since 2004):
  1. Avx! AVSpoffer
  2. Dotfix fake signer
  3. fsg
  4. HidePE, StealthPE
  5. Pecompact
  6. pe-patcher
