Will you ever stop making a fool of yourself? Facts:

1) You cannot type an email address correctly.

2) You failed to find the updated signatures.pdf (hint: it's well hidden in CVSROOT/docs/signatures.pdf) which would have answered all your sig related questions.

3) You didn't understand that reporting how to bypass an antivirus on a public mailing list is not very responsible, especially considering that you "produce" an AV toolkit as well and someone may do the same to you one day.

4) You build an AV without bothering to write signatures for it or even checking malware trends. If you had done that you'd probably know that unpacking is not rocket science but rather a best effort approach (hacked UPX is more popular than plain UPX, did you know?). Additionally, you'd know that the crappy and easily bypassed UPX code is worth 5-10% detection in your ClamWin. Having said that (since you seem unaware of that), the good way to act is opening a bug report and providing a patch to make UPX handling more robust. Since to date you have failed to do that, you can well kiss my arse.

5) LOL, I really fell on the floor at this one. You want to implement a generic unpacker which *executes* malicious code in order to dump it from memory! Do you feel smart? Don't you wonder why all other Windows AVs invest money and resources into writing emulators (or even sandboxes)? They must all be crazy, mustn't they? All you have to do is dump and rebuild à la procdump, right? If you were old enough and if you knew what you were doing you'd probably recall someone else, back in the DOS age, who was feeling very smart. And you'd also remember a virus which was only spreading when scanned by the smart guy's AV.
May Eugene protect your users,
-aCaB
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html