This article provides information on VSAPI packer identification. This function was introduced in VSAPI version 9.77 and is also available in later versions.
The VSAPI packer is used to pack PE files in order to reduce their file size and protect the binaries. This technique can also be used by malware to evade anti-virus. There are lots of types of packers, such as UPX, Themida, ASPack, etc. Some are often used by companies and some may be mostly used by malwares.
To block the malware that leverages the packer, scan engine provides a Packer-Identification Policy Scan for enterprise customers. The detection name for packer policy is defined by the following formats:
- PACP_XXX.STD (standard packer types)
- PACP_XXX.CM (customized packer types)
The type of packer is included in XXX (e.g. “PACK_ASPACK_001.STD” or “PACK_ASPACK_002.CM” for “ASPACK” packer).
You can choose to enable this policy scan if you have knowledge of an attack by packed malwares. When the policy scan is enabled, any matched packer policy will be reported by default. Additionally, when you receive a detection report, you can select and add approved packer types to avoid any related policy detection.
Taking OfficeScan as an example, admins can configure packer handling behavior via the following steps:
- In the web console, go to Agents > Outbreak Prevention and specify the scope of the policy in the client tree.
- Tick the "Deny access to executable compressed files" checkbox and then click the link to edit details.
- Add the approved packer types to the righ column.
- Save and exit.
