This is a generic detection of unpacked (or uncompressed) W32/Lirva samples. It was added to the DATs to catch future, unknown variants of W32/Lirva.a@MM. The 4241 DAT files detect all known variants of W32/Lirva.a@MM as W32/Lirva.gen@MM when scanning compressed files.
The scan engine used by McAfee products contains instructions for unpacking compressed executables in various formats. Such executables are created by various packer programs (UPX, ASPACK, etc.). Packed executables extract only in memory when run, rather than being extracted to disk like an archive file (.zip, .rar, etc.).
It is essential to keep the scan engine version up to date as new packer versions are released all the time and the decompression algorithms are stored in the engine.
When the compressed file scanning option is enabled, the engine unpacker will be triggered, allowing the W32/Lirva.gen@MM detection to trigger on identified samples.
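The relationship between the signature, the engine's unpackers and the compressed file scanning option can be shown with a toy scanner. This is an added example, not McAfee code: the signature bytes are a constructed marker, zlib and xz stand in for packer formats such as UPX or ASPACK, and the names `ENGINE_OLD`, `ENGINE_NEW`, `unpack` and `scan` are hypothetical.

```python
import lzma
import zlib

# Constructed marker standing in for a DAT signature; not a real Lirva pattern.
SIGNATURE = b"CONSTRUCTED-LIRVA-GEN-MARKER"
DETECTION_NAME = "W32/Lirva.gen@MM"

# Toy "engines": magic prefix -> unpacking routine. The newer engine knows
# one more format, mirroring a new packer version shipped in an engine update.
ENGINE_OLD = {b"\x78\x9c": zlib.decompress}
ENGINE_NEW = {**ENGINE_OLD, b"\xfd7zXZ\x00": lzma.decompress}


def unpack(data, engine, max_depth=4):
    """Peel recognised packing layers and return the innermost bytes reached."""
    for _ in range(max_depth):  # bound the work on deeply nested layers
        for magic, routine in engine.items():
            if data.startswith(magic):
                try:
                    data = routine(data)
                except (zlib.error, lzma.LZMAError):
                    return data  # corrupt layer: scan what we have
                break
        else:
            return data  # no unpacker in this engine recognises the layer
    return data


def scan(data, engine, scan_compressed=True):
    """Return the detection name, or None when the signature is not visible."""
    if scan_compressed:
        data = unpack(data, engine)
    return DETECTION_NAME if SIGNATURE in data else None


# Constructed sample: an unpacked "executable" carrying the marker.
SAMPLE = b"MZ" + b"\x00" * 64 + SIGNATURE + b"\x00" * 64

if __name__ == "__main__":
    old_pack, new_pack = zlib.compress(SAMPLE), lzma.compress(SAMPLE)
    print("option off, old packer:", scan(old_pack, ENGINE_OLD, False))
    print("option on,  old packer:", scan(old_pack, ENGINE_OLD))
    print("old engine, new packer:", scan(new_pack, ENGINE_OLD))
    print("new engine, new packer:", scan(new_pack, ENGINE_NEW))
```

The signature never changes between the four cases; only the option setting and the engine's unpacker table decide whether the generic detection sees the unpacked bytes.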