Kaspersky & clones: best static unpacking engine.
Pro: supports MANY packers/compressors/crypters/protectors.
Con: can be easily fooled by minor variations of the unpacking stub.

NOD32, Ewido: generic unpacking engine (emulation).
Pro (in theory): no exact signatures of the unpacking stub are required in order to determine the packer and apply the matching static unpacking routine. By contrast, it is sufficient that the emulation detects that the target is compressed/crypted etc. Consequently, it is not possible to "fool" an emulation by a minor modification of the unpacking stub of a well-known compressor like UPX.
Con: emulation does not handle as many packers as Kaspersky's static unpacking engine.

Tobias Graf (from Ewido) will speak at VB2005 about the concept of a generic unpacking engine ( ). Hopefully, he will also tell the people how an emulation can handle:
loops (which exploit the speed disadvantage of an emulation)
anti-emulation code (which stops the execution of a target if it detects that it is executed in a virtual environment)

In addition to the use of a static or generic unpacking engine, scanners may use heuristics (in order to detect suspicious modifications of a compressed target etc.) or signatures from uncompressed parts of a target (e.g., the resource section). You may also try to pick additional signatures from compressed targets if you do not have an unpacking engine at all.

a few more comments:

And, of course, you may use a memory

I am still not convinced that KAV can unpack ANY new Armadillo versions at all. ) I would guess that they partly rely on signatures taken from the resource section so that it *seems* that Armadillo can be unpacked. Have you ever seen an unpacked Armadillo sample in KAV's temp folder? This would be the proof.

"Rootkits are evolving too fast into a state where memory detection is too much a pain. I think that a memory scanner does not need to detect rootkits. It would be better to prevent the "installation" of malware (rootkits) instead of trying to detect them in memory"
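To make the static-versus-emulation trade-off discussed above concrete, here is an added toy model; it is not code from the post or from any of the products named in it. A static engine keyed on an exact stub signature sits beside an emulator with a step budget; the toy bytecode, the three stubs and the sample body are all constructed for illustration.

```python
from typing import List, Optional, Tuple

Instr = Tuple[str, int]  # (opcode, operand) of a constructed toy stub bytecode
KEY = 0x5A               # constructed XOR key used by the toy "packer"

# Known stub: XOR each byte of the packed body with KEY, then stop.
KNOWN_STUB: List[Instr] = [("xor", KEY), ("inc", 0), ("jlt", 0), ("done", 0)]
# Same logic with one NOP inserted: a minor stub variation, identical behaviour.
VARIANT_STUB: List[Instr] = [("xor", KEY), ("nop", 0), ("inc", 0), ("jlt", 0), ("done", 0)]
# A long counting loop in front of the known stub: exploits an emulator's step budget.
DELAY_STUB: List[Instr] = [("set", 1_000_000), ("dec", 0), ("jnz", 1)] + \
    [(op, arg + 3 if op == "jlt" else arg) for op, arg in KNOWN_STUB]


def pack(payload: bytes) -> bytes:
    """Toy packer body: XOR with KEY (the stubs above reverse it)."""
    return bytes(b ^ KEY for b in payload)


def static_unpack(stub: List[Instr], packed: bytes) -> Optional[bytes]:
    """Static engine: acts only when the stub matches the known signature exactly."""
    if [op for op, _ in stub] != [op for op, _ in KNOWN_STUB]:
        return None                         # unknown stub: no routine to apply
    return bytes(b ^ stub[0][1] for b in packed)


def emulate_unpack(stub: List[Instr], packed: bytes, budget: int = 10_000) -> Optional[bytes]:
    """Generic engine: run the stub in a tiny VM; give up once `budget` steps are spent."""
    buf, pc, i, counter = bytearray(packed), 0, 0, 0
    for _ in range(budget):
        op, arg = stub[pc]
        if op == "done":
            return bytes(buf)               # stub finished: buffer holds the unpacked body
        if op == "xor" and i < len(buf):
            buf[i] ^= arg
        elif op == "inc":
            i += 1
        elif op == "jlt" and i < len(buf):  # loop while bytes remain
            pc = arg
            continue
        elif op == "set":
            counter = arg
        elif op == "dec":
            counter -= 1
        elif op == "jnz" and counter != 0:  # the delay loop spins here
            pc = arg
            continue
        pc += 1
    return None                             # budget exhausted: unpacking failed
```

The variant stub defeats the static engine but not the emulator, while the delay stub defeats the emulator only until its budget is raised, which is exactly the speed disadvantage the post points at.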