Unpacking, an hybrid approach

Mario A. López, Frisk Software Intl., Iceland

Emulation-based unpacking? Too slow.

Static unpacking? Too specific.

Why not both?

We present here an overview of how the current F-PROT AV engine handles packers and protectors for the Win32 PE file format, using both approaches together to deal with the problem. In combination with a flexible, database-driven AV engine architecture, this has become a very important element of F-PROT's technology for dealing with the ever-increasing volume of malware production. Let's take a look.