Basic heuristics for Standard Shield?

I know that avast! cannot perform heuristic analysis on files yet, but detecting non-standard packers could be a first step into this area.

This won’t be a full heuristic solution, but the majority of viruses/worms use modified packers. You’d get a warning about a potentially dangerous file and you could then send it to the Chest or to Alwil.

I got this idea when I was playing with some trojan sample that was using a modified UPX packer…

Erm… how do you define a non-standard packer?

The one which is modified/hacked.

How can you tell that a file was modified if you don’t know its original state?

If the UPX compressor/decompressor program can detect this, then I’m pretty sure avast! can also. Along with other packer methods.

It depends on how “well” the modification is done; heavily modified programs aren’t detected by UPX as UPX at all. Additionally, even “legal” programs are (for some reason completely unknown to me) packed by UPX scramblers occasionally.

Well, in general it’s an interesting idea… but a real implementation wouldn’t be easy, and I’m not sure about the results.
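To make the idea discussed in this thread concrete, here is an added example (not code from the thread, from avast!/Alwil, or from the UPX project) of a defender-side heuristic: it parses the PE section table, recognises the characteristic UPX section layout, and flags files that have that layout but whose section names or `UPX!` marker have been altered, which is the kind of "UPX-like but not UPX" file the UPX tool itself refuses to unpack. The sample PE images are constructed inline, and the assumption that the `UPX!` marker sits in the header area before the first section's raw data is marked in the code.

```python
import struct

# PE section header (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a raw PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                     "rawsize": f[3], "rawptr": f[4], "flags": f[9]})
    return entry, secs

def classify_packer(data):
    """'upx': UPX layout with UPX0/UPX1 names and 'UPX!' marker; 'upx-modified':
    UPX layout but names or marker tampered with; 'none': no UPX-like layout."""
    entry, secs = parse_pe(data)
    if len(secs) < 2:
        return "none"
    s0, s1 = secs[0], secs[1]
    # UPX layout: empty first section for the unpacked image, then a W+X section with packed data, stub and entry point
    layout = (s0["rawsize"] == 0 and s0["vsize"] > 0
              and s1["flags"] & SCN_EXECUTE and s1["flags"] & SCN_WRITE
              and s1["va"] <= entry < s1["va"] + s1["vsize"])
    if not layout:
        return "none"
    names_ok = s0["name"] == b"UPX0" and s1["name"] == b"UPX1"
    # assumption: the UPX pack header ('UPX!' magic) sits in the header area, before the first section's raw data
    first_raw = min(s["rawptr"] for s in secs if s["rawsize"])
    magic_ok = b"UPX!" in data[:first_raw]
    return "upx" if names_ok and magic_ok else "upx-modified"

def build_sample(names, with_magic):
    """Constructed minimal PE image with a UPX-style section layout (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x2100) + b"\0" * (0xE0 - 20)
    s0 = struct.pack(SECTION_FMT, names[0], 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    s1 = struct.pack(SECTION_FMT, names[1], 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    hdr = dos + coff + opt + s0 + s1 + (b"UPX!" if with_magic else b"\0" * 4)
    return hdr.ljust(0x400, b"\0") + b"\xCC" * 0x200
```

A hit on `upx-modified` is only a reason to look closer (or send the file to the Chest), since, as noted above, some legitimate programs are also run through UPX scramblers.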