1

Many malware samples are packed or encrypted, and AVs will emulate their execution to allow them to unpack or decrypt themselves. Once they do, are AVs simply using the same hashing or pattern-matching techniques that they would use on a static binary, or are they using different techniques altogether?

chillsauce
  • 345
  • 1
  • 7

1 Answer

2

Disclosure: I work for an anti-malware vendor.

The answer is "it depends on the malicious content".

If the malicious content is obfuscated or encrypted, but is otherwise the same content which would be detected if not encrypted, the static analysis rules would be applied after the obfuscation/encryption layer is stripped off. The stripping in this case may involve proprietary decoders, emulators or other things. So for this case the answer would be "yes".

However, if the malicious content is polymorphic/metamorphic, it cannot be stripped down to plain malicious content - there is nothing to unpack/decrypt. In this case the emulator or a similar engine would be used to find out what exactly the malware is doing, and a different set of detection rules would be applied. So for this case the answer would be "no".

George Y.
  • 3,504
  • 2
  • 10
  • 15
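The two cases in the answer, as an added toy model that is not part of the original post and not the code of any AV vendor. Everything in it is constructed: the "payload" string, the one-byte XOR "packer", the four-register toy machine and its API table, and the rule names (`Trojan.Autorun.Static`, `Trojan.Autorun.Behaviour`) are all made up for illustration. Case 1 packs an unchanged payload and shows that the same static rule fails on the packed bytes but fires again once a decoder strips the layer. Case 2 builds a fresh metamorphic program on every run, so there is no stable byte string to match, and detection has to come from the API-call trace the emulator records.

```python
import random
import re

# --- Case 1: packed/encrypted copy of otherwise identical content -------------

# Constructed stand-in for a plain malicious payload (not a real sample).
PAYLOAD = (b"copy %0 %APPDATA%\\svc.exe; "
           b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc; "
           b"connect evil.example:4444")

# Static rules: byte patterns that match only the plain payload. Names are made up.
STATIC_RULES = {
    "Trojan.Autorun.Static": re.compile(rb"reg add HKCU\\.*\\Run.*connect [\w.]+:\d+"),
}

def static_scan(blob):
    """Plain pattern matching, as applied to an unpacked file on disk."""
    return [name for name, rx in STATIC_RULES.items() if rx.search(blob)]

def pack_xor(payload, key):
    """A trivial packer: tag, one-byte key, then the payload XORed with that key."""
    return b"XOR1" + bytes([key]) + bytes(b ^ key for b in payload)

def unpack_xor(blob):
    """Stand-in for a vendor decoder/emulator that recognises the layer and strips it.
    Returns None when the layer is not present."""
    if len(blob) < 5 or blob[:4] != b"XOR1":
        return None
    key = blob[4]
    return bytes(b ^ key for b in blob[5:])

def scan_after_unpacking(blob):
    """Strip known layers first, then reuse the same static rules on the result."""
    inner = unpack_xor(blob)
    return static_scan(inner if inner is not None else blob)

# --- Case 2: metamorphic code with no stable bytes ----------------------------

# Toy machine: four byte-wide registers; "call" invokes the API whose index is
# held in a register, so the target never appears literally in the program.
API_TABLE = ["CreateFile", "WriteFile", "RegSetValue", "InternetConnect", "Sleep"]

def metamorphic_build(api_sequence, rng):
    """Emit a different program on every build: each call target is computed
    through different arithmetic with random junk in between, so the bytes
    change while the behaviour (the order of API calls) does not."""
    prog = []
    for api in api_sequence:
        idx = API_TABLE.index(api)
        reg = rng.randrange(4)
        start = rng.randrange(idx, 256)
        prog.append(("mov", reg, start))
        if start != idx:
            prog.append(("sub", reg, start - idx))
        for _ in range(rng.randrange(3)):
            junk_reg = (reg + 1 + rng.randrange(3)) % 4   # never the live register
            prog.append(rng.choice([("nop",), ("add", junk_reg, rng.randrange(256))]))
        prog.append(("call", reg))
    return prog

def build_variant(seed):
    """One build of the constructed family, deterministic for a given seed."""
    return metamorphic_build(["WriteFile", "RegSetValue", "InternetConnect"],
                             random.Random(seed))

def serialize(program):
    """What would sit on disk and be handed to the static scanner."""
    return "\n".join(" ".join(map(str, op)) for op in program).encode()

def emulate(program):
    """Run the toy program and record the API calls it makes (the emulator trace)."""
    regs = [0, 0, 0, 0]
    trace = []
    for op in program:
        if op[0] == "mov":
            regs[op[1]] = op[2] & 0xFF
        elif op[0] == "add":
            regs[op[1]] = (regs[op[1]] + op[2]) & 0xFF
        elif op[0] == "sub":
            regs[op[1]] = (regs[op[1]] - op[2]) & 0xFF
        elif op[0] == "call":
            trace.append(API_TABLE[regs[op[1]] % len(API_TABLE)])
        # "nop" does nothing
    return trace

# Behavioural rules match the trace, not the bytes. Names are made up.
BEHAVIOUR_RULES = {
    "Trojan.Autorun.Behaviour": ["WriteFile", "RegSetValue", "InternetConnect"],
}

def behaviour_scan(trace):
    """A rule fires when its API calls appear in the trace in order (gaps allowed)."""
    hits = []
    for name, required in BEHAVIOUR_RULES.items():
        it = iter(trace)
        if all(api in it for api in required):
            hits.append(name)
    return hits

if __name__ == "__main__":
    packed = pack_xor(PAYLOAD, 0x5A)
    print("plain    :", static_scan(PAYLOAD))
    print("packed   :", static_scan(packed))
    print("unpacked :", scan_after_unpacking(packed))
    for seed in (1, 2):
        prog = build_variant(seed)
        print("build", seed, "static:", static_scan(serialize(prog)),
              "behaviour:", behaviour_scan(emulate(prog)))
```

The interesting output is the second loop: every build emulates to the same trace and trips the behavioural rule, while the serialized program never matches the static rule, and a different seed gives different bytes. Real engines differ from this toy in almost every detail (the decoders are proprietary, the emulator models a real CPU and OS, and the behavioural rules are far richer), but the split is the one the answer describes: strip the layer and reuse static rules where the underlying content is unchanged, and fall back to rules over observed behaviour where no fixed content exists.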