Malicious programs are frequently compressed – or packed – using a variety of methods combined with file encryption in order to prevent reverse engineering of the program and to hinder analysis of program behaviour with proactive and heuristic methods. Antivirus programs detect the results of the actions of suspicious packers, i.e. packed items.

There are ways to prevent packed files from being unpacked: for example, the packer may not decipher the code fully, only to the extent that it is executed; or it may fully decrypt and launch a malicious program only on a certain day of the week.

The main features that differentiate behaviours in the Suspicious Packers subclass are the type and number of packers used in the file compression process.

This malware subclass includes the following behaviours: