Hmm...
I think that is too broad an interpretation of "emulation." I would suspect
it does nothing more than what McAfee does by default, and that you can turn
off with the /NOCOMP switch.
Seeing as it apparently works with the Windows and Linux versions as well,
they would have to have a lot of faith in whatever method they use to
accomplish the emulation..
But, I've been wrong before.....
(Just don't tell my wife)
Jerry
----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 31, 2001 10:28 AM
Subject: Re: [Declude.Virus] F-Prot Stuff
>
> > > /PACKED is a very different beast. It will attempt to scan compressed
> > > .EXE's (such as PKLite or Neolite) by actually emulating the
decompression
> > > code. I personally wouldn't use this on a server, just in case someone
> > > figures out a way to bypass F-Prot's safety mechanisms when running the
> > > unknown code.
> >
> >Are you saying it actually tries to execute or interpret the code in the
.exe
> >it finds?
>
> That's my interpretation. They say that it "emulates the execution of the
> decompressor", and that it slows down the scanning significantly (which it
> doesn't say about /ARCHIVE). "emulates the execution of the decompressor"
> could mean just about anything, but "emulation" typically involves
> interpreting code and running it (such as the Apple ][+ emulators and such).
> -Scott
>
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". You can E-mail
> [EMAIL PROTECTED] for assistance. You can visit our web
> site at http://www.declude.com .
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". You can E-mail
[EMAIL PROTECTED] for assistance. You can visit our web
site at http://www.declude.com .
