How does scanning obfuscated files work?

Hello,

I'm not a technic or developer, but time to time it was interesting for me too;

What about obfuscated files, packers, cryptors, protectors and another ways, which created troubles for classical and traditional methods in anti-viruses:

 - DeepGuard - it's one of "layer", which added certainly because happened increasing that "ways"; More obfuscated files start be - need something new and powerful, than casual methods. Need pro-active in high-stage; DeepGuard - one of them.

More good to say - DeepGuard already not just a simply layer. It's a great complex and include various technologies and variants of pro-active technologies (as NHIPS and another; include cloud, reputation and etc.);

 Probably - against obfuscated files (and same troubles as "packers") - just something like F-Secure DeepGuard can totally help and fight.

Another  - it's all or "hard to user" (just because need specific knowledge or create work in machine with "a lot of" usability-break-moments); or simply can't to help;

 - Just because now virusmakers often can be "high-skilled" - DeepGuard can't protect in all situations, but probably in most part of them (which close to totally protect in ordinary meaning); DeepGuard - not just application control; It's more like header-part of all protect-methods-technologies; It's include correct work with Firewall-addons and another;

It's mean - if we talk about DeepGuard - we talk about DeepGuard in all stages/layers and technologies in F-Secure (except traditional signature-based scanning; but it's work together with DeepGuard too);

--------------------

But, of course, except pro-active and "step before" for protect - F-Secure (like all another companies) have technologies for work against obfuscated/packed and another same kind of files; Most part of that - comes by operation system functionality; But anyway - unique technologies here need too.

Unpacked-modules work probably like all another things - it's nothing to something new (but it's can to understand - just if you developer - or work with that; I'm not - because it - can't something to tell about it);

For that using points like:

 - emulation for launch code (like and include virtual-methods); Just for understanding - "what currently part of code to do" here. Also "decompressors" and all etc. Which can be default "system" things.

 - analysis for that facts and results.

 - also include static and dynamic analysis.

 - all like always was with debuggers, disassemblers, dumpers and etc (just because - need not just one kind of analysis - but static and dynamic together like part of all multi-layer-based for protection);

It's can be module with databases about behavior and technologies for analysis behaviors. It's mean, for example, in F-Secure - Gemini module help to DeepGuard and not just that.

----------

If you just ask about how to do "obfuscated files" - probably I hard to say.

Have a some variants, which all kind of different a little. And if it's known - F-Secure can to try protect against it and detect if it's malware by all things (and not just it) in top-area text;

Probably F-Secure known about all common, simply, complex and another packers - and create "descriptions" for behavior in that situations for modules and technologies. Need to known algorithms, principes and etc.

In common situation - can be situation like "if it's obfuscated - it's a suspicious".

But... of course... with encrypted files - a trouble. If it's encrypted - it's hard to scan. But during "encrypted"-status it's close to "safe"; same as "archive" or another.

If it's possible - can be detect during archive/encrypted too (but encrypted - it's encrypted); And also alert/detection during action. Action - it's already behavior, which F-Secure must to detect in all situations. If it's not detected - it's mean "a trouble" (which can be - just because -  you meet something new and high-skilled);

Sorry if I answered not totally about your question. But maybe some part of my answer include information, which you asked. Also it's really will be good if someone from F-Secure answered here too. Just because - if about that theme talk specialist - it's more good, than my answer about that theme.