Standards and policies on packer use

Samir Mody Sophos
Igor Muttik McAfee
Peter Ferrie Microsoft

  download slides (PDF)

Packers, whether third-party or bespoke, are still widely used by malware authors in an attempt to evade detection. Conficker, FakeAV, Bredolab and TDSS are but a few examples of malware which make extensive use of packing technology.

The wide variety of packers used for both legitimate and malicious purposes pose a challenge for the anti-virus industry. The anti-virus community has decided, within the framework of the Malware Working Group within the Industry Connections Working Group, to address the issue of packers with a common voice.

One of the fruits of the collaborative sessions involving representatives from across the anti-virus industry is a document describing various packer properties and standards for their use. This document is meant to provide a yardstick for the formulation of policy on how to treat different packers and a potential set of best practice guidelines for packer vendors.

It is hoped that the guidelines can be used to improve end-user security through the concerted efforts of the anti-virus industry when dealing with packers, and via cooperation and information exchange with packer vendors. Thus, it is expected to facilitate a more robust approach to the generic static flagging of suspicious packed files for the benefit of all (apart from the malware authors, of course).


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.