Comments on anti-virus rants: polypack isn't quite as bad as i had thought
Blog author: kurt wismer (http://www.blogger.com/profile/03810635947269551517)

kurt wismer, 2009-08-19 10:10 (-04:00):

the following comment will be me pasting a comment i received in. i don't feel comfortable publishing the comment as is because of the included urls combined with my past statement of intent with regards to linking to malware friendly domains (http://anti-virus-rants.blogspot.com/2006/04/anti-malware-linking-policy.html). as such i'm reposting a copy of the comment with the urls removed.

it's not that i outright distrust this person, but there is a clear philosophical difference on the matter of malware creation and i don't know what one might expect to see on that domain in the future.

Jon Oberheide, 2009-08-19 10:12 (-04:00):

Kurt,

The reason we didn't just pack the EICAR test file is the same reason we originally did the research: both the antivirus engines and the packer tools have great diversity in their capabilities and efficacy.

Our results show that even though an advanced packer like Themida is the single best packer overall, it's not the best on every binary, every time (over 40% of the time). Therefore, a system like PolyPack allows you to automatically select the best packer for your specific binary.

Anywho, I'd recommend looking over the materials. I've posted the paper and the presentation I gave this week at WOOT:

[urls removed]

Regards,
Jon Oberheide

kurt wismer, 2009-08-19 10:20 (-04:00):

@jon oberheide:
fair enough - if i understand your implication correctly then some packers do a piss-poor job of obfuscating the eicar file.

i wonder if that holds true for all the modifications one can make to the eicar file while still conforming to the specification for that file (the specification states what the file must start with but literally anything can be appended at the end). then again, your statement about variance in av efficacy could apply there as some may do a piss-poor job of detecting the eicar file with a jpeg (for example) appended to the end.
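Added example, following kurt's question in the thread above about which modifications to the EICAR file still conform to its specification (editor's code, not from the blog, the commenters, or the PolyPack project). The published EICAR specification (eicar.org) requires the file to begin with the 68-character test string, allows only whitespace characters (space, tab, LF, CR, CTRL-Z) to be appended, and caps the total length at 128 bytes; a JPEG appended to the end therefore falls outside the specification, and a scanner is under no obligation to flag such a file. The script encodes those rules, enumerates the conforming variants, and checks a set of constructed samples against them. The test string is assembled from two halves so that this source file is less likely to be quarantined by a scanner; the sample names, `classify` and `make_variant` are the editor's own.

```python
# Added example (not from the blog or from PolyPack): builds EICAR test-file
# variants that stay within the published EICAR specification and checks
# arbitrary byte strings against it.
#
# Spec facts used here (eicar.org): the file must begin with the 68-character
# EICAR string; it may be followed only by whitespace (space, tab, LF, CR,
# CTRL-Z); the total length must not exceed 128 bytes.

import itertools
from typing import Dict, Iterator

# The 68-byte test string, assembled from two halves so this source file
# itself is less likely to be quarantined by a scanner looking for the
# contiguous string. (Note the escaped backslash in the first half.)
EICAR = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

MAX_LEN = 128                              # upper bound on total file size
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, CTRL-Z


def is_valid_eicar(data: bytes) -> bool:
    """True iff `data` conforms to the EICAR test-file specification."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    # Everything after the 68-byte prefix must be one of the allowed
    # whitespace characters; any other byte (e.g. a JPEG header) fails.
    return all(byte in ALLOWED_TRAILER for byte in data[len(EICAR):])


def make_variant(trailer: bytes) -> bytes:
    """Return EICAR + trailer, or raise ValueError if the result would not conform."""
    candidate = EICAR + trailer
    if not is_valid_eicar(candidate):
        raise ValueError("trailer violates the EICAR specification")
    return candidate


def spec_variants(max_trailer_len: int) -> Iterator[bytes]:
    """Enumerate every conforming variant whose trailer is at most max_trailer_len bytes."""
    allowed = sorted(ALLOWED_TRAILER)
    longest = min(max_trailer_len, MAX_LEN - len(EICAR))
    for n in range(0, longest + 1):
        for combo in itertools.product(allowed, repeat=n):
            yield EICAR + bytes(combo)


def classify(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each sample name to whether the sample conforms to the spec."""
    return {name: is_valid_eicar(data) for name, data in samples.items()}


# Constructed samples (editor's own), covering the boundary cases.
SAMPLES: Dict[str, bytes] = {
    "bare": EICAR,
    "crlf": EICAR + b"\r\n",
    "padded_to_128": EICAR + b" " * (MAX_LEN - len(EICAR)),
    "too_long": EICAR + b" " * (MAX_LEN - len(EICAR) + 1),
    "jpeg_appended": EICAR + b"\xff\xd8\xff\xe0",  # JPEG SOI marker, not whitespace
    "truncated": EICAR[:-1],
}

if __name__ == "__main__":
    for name, ok in classify(SAMPLES).items():
        print(f"{name:14s} {'conforms' if ok else 'does NOT conform'}")
    print(sum(1 for _ in spec_variants(2)), "variants with a trailer of at most 2 bytes")
```

`spec_variants` is the exhaustive list a tester would feed to a scanner: with a trailer of at most 2 bytes there are 1 + 5 + 25 = 31 conforming files, and the count grows as 5^n per additional trailer byte up to the 60-byte trailer limit, so in practice one samples rather than enumerates the full space.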