==================================================
File 6BDOSMAC.TXT
DOS.III: Detailed results of Macro Virus Detection
of on-demand scanner tests under DOS:
==================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification quality
concerning MACRO viruses as well as selected MACRO MALWARE (as far as
applicable), both in full "zoo" virus collection and for macro-viral
ITW testbed. Moreover, results for detection of macro viruses
compressed with 4 popular packing methods are also given. Finally,
a special test was performed concerning "false positive" detection
of selected files which were definitively clean of macro viruses.

For discussion of results, see 6asumov.txt and 7eval.txt.

Index of tables:
----------------
FDOS.M1: "MacroVirus 1": Results of "full" Zoo test for macro viruses
FDOS.M2: "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
FDOS.M3: "Packed Macro Viruses": Results of Detection of Packed Zoo
         Macro Viruses
FDOS.M4: "False Positive" macro virus detection: Results of "full" Zoo
         test for non-viral (clean) macro objects detected as
         "false positives"
FDOS.M5: "Macro-Malware": Results of "full" Zoo test for Macro-related
         malware


Table FDOS.M1: "MacroVirus 1": Results of "full" Zoo test
               for macro viruses under DOS:
====================================================

                           This includes
            Viruses     ---- unreliably ----     Files
Scanner     detected    identified  detected    detected
----------------------------------------------------------
Testbed     2159 100.0%          %          %  9033 100.0%
----------------------------------------------------------
ANT417      1221  56.6    33  1.5     4  0.2   4969  55.0
AVG50       1762  81.6    37  1.7    21  1.0   7423  82.2
AVK80       2153  99.7    48  2.2     0  0.0   9019  99.8
AVP30120    2159 100.0    46  2.1     4  0.2   9029 100.0
AVS77018    2099  97.2    16  0.7     5  0.2   8870  98.2
DRW401      2143  99.3    49  2.3     1  0.0   8991  99.5
DSS785u     2159 100.0    10  0.5     0  0.0   9033 100.0
FPR301      2154  99.8     5  0.2     2  0.1   9021  99.9
FSE30119    1946  90.1    40  1.9     3  0.1   8272  91.6
FWN437      1851  85.7    17  0.8     2  0.1   8044  89.1
HMV260      2137  99.0     8  0.4     4  0.2   8972  99.3
INO50       2056  95.2    30  1.4     4  0.2   8584  95.0
ITM401a     1647  76.3   208  9.6    55  2.5   6655  73.7
NAV40       2155  99.8    32  1.5     1  0.0   9019  99.8
NVC450      1961  90.8    22  1.0     9  0.4   8378  92.7
RAV566      2149  99.5     8  0.4    16  0.7   8980  99.4
SCN318      2129  98.6    28  1.3     1  0.0   8954  99.1
SWP311      2129  98.6    26  1.2     3  0.1   8971  99.3
TBA807      2132  98.7    22  1.0     7  0.3   8968  99.3
TSC (1)      367  17.0    17  0.8    14  0.6   1430  15.8
VET98       2105  97.5    54  2.5     1  0.0   8902  98.5
----------------------------------------------------------
Remark (1): TScan crashed on DOS clients but completed in
            DOS-box under Win-98 or NT (given result)


Table FDOS.M2: "MacroVirus 2": Results of "In-The-Wild" test
               for macro viruses under DOS:
=======================================================

                           This includes
            Viruses     ---- unreliably ----     Files
Scanner     detected    identified  detected    detected
----------------------------------------------------------
Testbed       75 100.0%          %          %   710 100.0%
----------------------------------------------------------
ANT417        54  72.0     0  0.0     0  0.0    551  77.6
AVG50         75 100.0     4  5.3     1  1.3    709  99.9
AVK80         75 100.0     3  4.0     0  0.0    710 100.0
AVP30120      75 100.0     2  2.7     0  0.0    710 100.0
AVS77018      75 100.0     1  1.3     0  0.0    710 100.0
DRW401        75 100.0     3  4.0     0  0.0    710 100.0
DSS785u       75 100.0     0  0.0     0  0.0    710 100.0
FPR301        75 100.0     1  1.3     0  0.0    710 100.0
FSE30119      75 100.0     2  2.7     0  0.0    710 100.0
FWN437        65  86.7     1  1.3     0  0.0    650  91.5
HMV260        75 100.0     2  2.7     1  1.3    709  99.9
INO50         75 100.0     3  4.0     0  0.0    710 100.0
ITM401a       73  97.3    18 24.0     3  4.0    680  95.8
NAV40         75 100.0     1  1.3     0  0.0    710 100.0
NVC450        75 100.0     1  1.3     0  0.0    710 100.0
RAV566        75 100.0     0  0.0     1  1.3    709  99.9
SCN318        75 100.0     2  2.7     0  0.0    710 100.0
SWP311        75 100.0     4  5.3     0  0.0    710 100.0
TBA807        75 100.0     0  0.0     2  2.7    707  99.6
TSC140 (1)    68  90.7    16 21.3     3  4.0    658  92.7
VET98         75 100.0     3  4.0     0  0.0    710 100.0
----------------------------------------------------------
Remark (1): TScan crashed on DOS clients but completed in
            DOS-box under Win-98 or NT (given result)


Table FDOS.M3: "Packed Macro Viruses": Results of Detection
               of Packed Zoo Macro Viruses under DOS:
===========================================================

            This includes
            ---------- Viruses detected per Packer ---------------
Scanner      ZIP     %    LHA     %    ARJ     %    RAR     %
----------------------------------------------------------------
Testbed     2159 100.0   1840 100.0   2159 100.0   2159 100.0
----------------------------------------------------------------
AVK80       2152  99.7   1834  99.7   2152  99.7   2152  99.7
AVP30120    2159 100.0   1839  99.9   2159 100.0   2159 100.0
DRW401      1655  76.7   1481  80.5   1655  76.7      0   0.0
DSS785u     2158 100.0   1839  99.9   2158 100.0      0   0.0
FPR301      2157  99.9      0   0.0   2157  99.9      0   0.0
FSE30119    2159 100.0   1839  99.9   2159 100.0   2159 100.0
NAV40         87   4.0      0   0.0      0   0.0      0   0.0
NVC450      1956  90.6      0   0.0   1956  90.6      0   0.0
----------------------------------------------------------------
Remark: table lists only those scanners where at least one
        packed viral object was detected for at least one
        packing method.


Table FDOS.M4: "False Positive" macro virus detection:
               Results of "full" Zoo test for non-viral (clean)
               macro objects detected as "false positives" under DOS:
================================================================

            Falsely        This includes
            detected    ---- unreliably ----     Files
Scanner     Viruses     identified  detected    detected
---------------------------------------------------------
Testbed       25 100.0                          362 100.0
---------------------------------------------------------
ANT417         0   0.0     0  0.0     0  0.0      0   0.0
AVG50          1   4.0     0  0.0     1  4.0      1   0.3
AVK80          6  24.0     0  0.0     6 24.0      9   2.5
AVP30120       0   0.0     0  0.0     0  0.0      0   0.0
AVS77018       0   0.0     0  0.0     0  0.0      0   0.0
DRW401        20  80.0     0  0.0    20 80.0    107  29.6
DSS785u        0   0.0     0  0.0     0  0.0      0   0.0
FPR301         9  36.0     0  0.0     9 36.0     16   4.4
FSE30119       5  20.0     0  0.0     5 20.0      6   1.7
FWN437         2   8.0     0  0.0     2  8.0      2   0.6
HMV260        24  96.0     0  0.0    24 96.0    135  37.3
INO50          2   8.0     0  0.0     2  8.0      4   1.1
ITM401a        6  24.0     0  0.0     6 24.0     10   2.8
NAV40          6  24.0     0  0.0     6 24.0     11   3.0
NVC450         0   0.0     0  0.0     0  0.0      0   0.0
RAV566         0   0.0     0  0.0     0  0.0      0   0.0
SCN318         0   0.0     0  0.0     0  0.0      0   0.0
SWP311         2   8.0     0  0.0     2  8.0      4   1.1
TBA807         0   0.0     0  0.0     0  0.0      0   0.0
TSC140 (1)    15  60.0     0  0.0    15 60.0     30   8.3
VET98          9  36.0     0  0.0     9 36.0     17   4.7
---------------------------------------------------------
Remark: within 25 non-viral directories and totally 362
        non-viral objects, at least one sample in N
        directories was falsely detected
        (N = number in column 1)
Remark (1): TScan crashed on DOS clients but completed in
            DOS-box under Win-98 or NT (given result)


Table FDOS.M5: "Macro-Malware": Results of "full" Zoo test
               for Macro-related malware under DOS:
========================================================

Some manufacturers requested that their AV product should not be
tested against malware. The following table consequently lists
only those products which were not withdrawn from this test.

                           This includes
            Malware     ---- unreliably ----     Files
Scanner     detected    identified  detected    detected
---------------------------------------------------------
Testbed      111 100.0                          191 100.0
---------------------------------------------------------
ANT417        26  23.4     0  0.0     0  0.0     55  28.8
AVG50         77  69.4     0  0.0     3  2.7    137  71.7
AVK80        107  96.4     0  0.0     1  0.9    186  97.4
AVP30120     107  96.4     0  0.0     1  0.9    186  97.4
AVS77018     104  93.7     2  1.8     2  1.8    180  94.2
DRW401       101  91.0     1  0.9     2  1.8    176  92.1
DSS785u      111 100.0     0  0.0     0  0.0    191 100.0
FPR301       *** *****     *  ***     *  ***    *** *****
FSE30119     107  96.4     0  0.0     1  0.9    186  97.4
fwn437        81  73.0     2  1.8     0  0.0    150  78.5
HMV260        99  89.2     1  0.9     2  1.8    176  92.1
INO50        104  93.7     0  0.0     2  1.8    180  94.2
ITM401a       35  31.5     0  0.0     0  0.0     54  28.3
NAV40        *** *****     *  ***     *  ***    *** *****
NVC450        98  88.3     0  0.0     4  3.6    168  88.0
RAV566       107  96.4     2  1.8     4  3.6    183  95.8
SCN318       *** *****     *  ***     *  ***    *** *****
SWP311       *** *****     *  ***     *  ***    *** *****
TBA807       102  91.9     0  0.0     2  1.8    179  93.7
TSC140 (1)    96  86.5     5  4.5     1  0.9    170  89.0
VET98         92  82.9     3  2.7     0  0.0    167  87.4
---------------------------------------------------------
Remark (1): TScan crashed on DOS clients but completed in
            DOS-box under Win-98 or NT (given result)