GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Dec 08, 2006 5:10 pm
Thanks for the info. There are so many packers that you can't provide for all of them, and some of the antivirus programs ignore all but a few. Is any of the code you guys are working on adaptable to detecting other packers as well?
Regards,
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Dec 08, 2006 9:39 pm
Very interesting. Although I'm not a programmer, I got the gist of it. I wonder, however, just how far you need to go. If something isn't really going to hurt you, then you don't really need to unpack it. The example he gave of needing to know what the snake ate, for instance. You might not really need to know exactly what the snake ate. What you are really concerned with is: can what he ate hurt you and/or will he eat you at some point.
1) If you can tell the kind of snake you're dealing with, that will tell you his general diet.
2) Failing that, you might get some information from the size of the snake. If he is considerably smaller than you, there is a good chance that he's not going to eat you, at least.
3) Failing that, if you can tell where the snake hangs out, that might also give you some information about what he eats.
If you can get the information pertaining to two of these items, you might be able to make a reasonable decision as to whether what he has eaten can hurt you and/or if he will eat you at some point, without cutting him open.
Of course, Paul gave several caveats that might be used to give you an idea as to whether or not there is malware involved without really going through the whole procedure. Of course, the automated tools available can minimize your effort if you perform the unpacking.
Eh?
Regards,
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sat Jan 06, 2007 11:41 pm
I don't know how far you got with unpacking code, hopefully far enough to take care of a few of the most commonly used packers in some cases. For unrecognized packers, could you just let the code run and set breakpoints to check for signatures/partial signatures? If it started to look like a virus signature (say more than 50% of a current signature), you could flag it for the user to look at.
Regards,