=================================================
File 6EW95.TXT
Detailed results of File and Macro Virus related
on-demand scanner tests under Windows 95:
=================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification quality
concerning FILE and MACRO viruses as well as selected FILE and MACRO
MALWARE (as far as applicable), both in full "zoo" virus collection
and for viral ITW testbeds. Moreover, results for detection of viruses
in files compressed with 4 popular packing methods are also given.
Finally, a special test was performed concerning "false positive"
virus detection of selected files which were definitively clean of
viruses. For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Index of tables:
----------------
W95.F1: "FileVirus 1": Results of "full" Zoo test for file viruses
W95.F2: "FileVirus 2": Results of "In-The-Wild" test for file viruses
W95.F3: "Packed File Viruses": Results of Detection of Packed Zoo
        File Viruses
W95.F4: "False Positive" detection: Results of "full" Zoo test for
        non-viral (clean) file samples detected as "False positives"
W95.F5: "File Malware": Results of "full" Zoo test for File-related
        malware
W95.M1: "MacroVirus 1": Results of "full" test for macro viruses
W95.M2: "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
W95.M3: "Packed Macro Viruses": Results of Detection of Packed Zoo
        macro Viruses
W95.M4: "False Positive" detection: Results of "full" Zoo test for
        non-viral (clean) macro objects detected as "false positives"
W95.M5: "Macro-Malware": Results of "full" zoo test for Macro-related
        malware


Table W95.F1: "FileVirus 1": Results of "full" Zoo test
              for file viruses under Windows 95:
=====================================================

                          This includes
              Viruses  ---- unreliably ----           Files
Scanner      detected  identified    detected      detected
-----------------------------------------------------------
Testbed   13993 100.0%           %           % 112038 100.0%
-----------------------------------------------------------
ANT51301  12778  91.3  1092   7.8  1059   7.6  101751  90.8
AVK803    13940  99.6   474   3.4    28   0.2  111869  99.8
AVP30     13981  99.9   451   3.2     9   0.1  112013 100.0
AVS770    13516  96.6   608   4.3    92   0.7  109241  97.5
DSS785u   13986  99.9   377   2.7     3   0.0  111862  99.8
IBM30     12984  92.8   231   1.7    84   0.6  107226  95.7
INO50410  12925  92.4   443   3.2   147   1.1  104960  93.7
IRS2210   13528  96.7   490   3.5   221   1.6  109066  97.3
NAV408    -------------------(1)-------------------------
NVC452    13103  93.6   262   1.9   378   2.7  106542  95.1
PAV30     13766  98.4   410   2.9    65   0.5  111548  99.6
RAV603    11883  84.9  1284   9.2   593   4.2   96351  86.0
SCN318    12286  87.8   917   6.6   351   2.5  102384  91.4
SWP311    13766  98.4   718   5.1   129   0.9  110560  98.7
TBA807    12957  92.6   351   2.5   437   3.1  105261  94.0
-----------------------------------------------------------
Remark (1): scanner protocol could not be processed.


Table W95.F2: "FileVirus 2": Results of "In-The-Wild" test
              for file viruses under Windows 95:
=====================================================

                          This includes
              Viruses  ---- unreliably ----           Files
Scanner      detected  identified    detected      detected
-----------------------------------------------------------
Testbed     122 100.0%           %           %   3591 100.0%
-----------------------------------------------------------
ANT51301    119  97.5    13  10.7     4   3.3    3554  99.0
any300      115  94.3   102  83.6     8   6.6    3350  93.3
AVK803      122 100.0    10   8.2     0   0.0    3591 100.0
AVP30       122 100.0    10   8.2     0   0.0    3591 100.0
AVS770      121  99.2    14  11.5     4   3.3    3571  99.4
DSS785u     122 100.0     7   5.7     0   0.0    3591 100.0
FSE401a     122 100.0    13  10.7     0   0.0    3591 100.0
ibm30       121  99.2     9   7.4     0   0.0    3585  99.8
INO50410    121  99.2    13  10.7     3   2.5    3545  98.7
irs2210     122 100.0    13  10.7     3   2.5    3579  99.7
NAV408      121  99.2    12   9.8     3   2.5    3574  99.5
NVC452      122 100.0     4   3.3     4   3.3    3581  99.7
pav30       122 100.0     8   6.6     2   1.6    3589  99.9
RAV603      118  96.7    12   9.8     9   7.4    3530  98.3
SCN318      120  98.4    22  18.0     1   0.8    3578  99.6
SWP311      122 100.0    16  13.1     6   4.9    3584  99.8
TBA807      121  99.2     4   3.3     5   4.1    3576  99.6
-----------------------------------------------------------


Table W95.F3: "Packed File Viruses": Results of Detection of
              Packed Zoo File Viruses under Windows 95:
============================================================

         This includes
         ---------- Viruses detected per Packer ---------------
Scanner      ZIP     %    LHA     %    ARJ     %    RAR     %
----------------------------------------------------------------
Testbed    13993 100.0  13993 100.0  13993 100.0  13993 100.0
----------------------------------------------------------------
ANT51301   12341  88.2  12341  88.2  12341  88.2    762   5.4
ANY300         3   0.0      0   0.0      0   0.0      0   0.0
AVK803     13744  98.2  13723  98.1  13745  98.2  13748  98.2
AVP30      13915  99.4  13894  99.3  13917  99.5  13918  99.5
AVS770       458   3.3    529   3.8    533   3.8    770   5.5
DSS785u    13924  99.5  13921  99.5  13923  99.5      0   0.0
IBM30      12908  92.2    447   3.2    451   3.2    706   5.0
INO50410       0   0.0     15   0.1      0   0.0     30   0.2
IRS2210        0   0.0    445   3.2      0   0.0    716   5.1
NVC452     12947  92.5  12909  92.3  12946  92.5     48   0.3
PAV30      13696  97.9  13676  97.7  13698  97.9  13699  97.9
RAV603       685   4.9    851   6.1    685   4.9  11329  81.0
SCN318     12135  86.7  12077  86.3    252   1.8    532   3.8
SWP311        43   0.3     39   0.3     23   0.2     45   0.3
----------------------------------------------------------------
Remark: table lists only those scanners where at least one
        packed viral object was detected for at least one
        packing method.


Table W95.F4: "False Positive" detection: Results of "full" Zoo
              test for Non-viral (clean) File samples detected
              as "False positives" under Windows 95:
==============================================================

              Falsely     This includes
             detected  ---- unreliably ----           Files
Scanner       Viruses  identified    detected      detected
-----------------------------------------------------------
Testbed      30 100.0%           %           %   3300 100.0%
-----------------------------------------------------------
ANT51301      2   6.7     0   0.0     2   6.7       2   0.1
AVK803        0   0.0     0   0.0     0   0.0       0   0.0
AVP30         0   0.0     0   0.0     0   0.0       0   0.0
AVS770        1   3.3     0   0.0     1   3.3       1   0.0
DSS785u       0   0.0     0   0.0     0   0.0       0   0.0
ibm30         1   3.3     0   0.0     1   3.3       1   0.0
INO50410      2   6.7     0   0.0     2   6.7       4   0.1
irs2210       2   6.7     0   0.0     2   6.7       5   0.2
NAV408    ------------------- (1) -------------------
NVC452        0   0.0     0   0.0     0   0.0       0   0.0
pav30         0   0.0     0   0.0     0   0.0       0   0.0
RAV603        0   0.0     0   0.0     0   0.0       0   0.0
SCN318        1   3.3     0   0.0     1   3.3       1   0.0
SWP311        0   0.0     0   0.0     0   0.0       0   0.0
TBA807        4  13.3     0   0.0     4  13.3       5   0.2
-----------------------------------------------------------
Remark: within 30 non-viral directories and a total of 3300
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)
Remark (1): scanner protocol could not be processed.


Table W95.F5: "File Malware": Results of "full" Zoo test
              for File-related malware under Windows 95:
========================================================

Some manufacturers requested that their AV product should not be
tested against malware. The following table consequently lists
only those products which were not withdrawn from this test.

                          This includes
              Malware  ---- unreliably ----           Files
Scanner      detected  identified    detected      detected
-----------------------------------------------------------
Testbed    3321 100.0%           %           %   7989 100.0%
-----------------------------------------------------------
ANT51301   2869  86.4   318   9.6    85   2.6    6683  83.7
any300     1851  55.7   226   6.8    53   1.6    4357  54.5
AVK803     3093  93.1   122   3.7    20   0.6    7660  95.9
AVP30      3137  94.5   122   3.7    16   0.5    7718  96.6
AVS770     2622  79.0    81   2.4    22   0.7    6738  84.3
DSS785u    3255  98.0    26   0.8    11   0.3    7803  97.7
FSE401a    3108  93.6   146   4.4    17   0.5    7683  96.2
ibm30      ****  ****   ***   ***    **   ***    ****  ****
INO50410   2579  77.7    97   2.9    24   0.7    6306  78.9
irs2210    2968  89.4   100   3.0    68   2.0    7277  91.1
NVC452     2406  72.4    29   0.9    56   1.7    6455  80.8
pav30      3042  91.6   116   3.5    20   0.6    7605  95.2
RAV603      941  28.3    38   1.1    38   1.1    1391  17.4
SCN318     ****  ****   ***   ***    **   ***    ****  ****
SWP311     ****  ****   ***   ***    **   ***    ****  ****
TBA807     2443  73.6    40   1.2    68   2.0    6018  75.3
VBS530      576  17.3     0   0.0   228   6.9     576   7.2
-----------------------------------------------------------


Table W95.M1: "MacroVirus 1": Results of "full" test
              for macro viruses under Windows 95:
====================================================

                          This includes
              Viruses  ---- unreliably ----           Files
Scanner      detected  identified    detected      detected
-----------------------------------------------------------
Testbed    2159 100.0%           %           %   9033 100.0%
-----------------------------------------------------------
ANT51301   1850  85.7   140   6.5     5   0.2    8107  89.7
any300     1527  70.7   571  26.4    17   0.8    6511  72.1
AVK803     2151  99.6    48   2.2     0   0.0    9014  99.8
AVP30      2159 100.0    46   2.1     0   0.0    9033 100.0
AVS770     2088  96.7    16   0.7     5   0.2    8840  97.9
DSS785u    2159 100.0    10   0.5     0   0.0    9033 100.0
fma110     1995  92.4     1   0.0     3   0.1    8484  93.9
FSE401a    2159 100.0     4   0.2     0   0.0    9033 100.0
ibm30      2041  94.5    18   0.8     2   0.1    8587  95.1
INO50410   1901  88.1    15   0.7     3   0.1    8054  89.2
irs2210    2137  99.0    32   1.5     6   0.3    8956  99.1
ivb        2004  92.8     0   0.0    69   3.2    8429  93.3
NAV408     2058  95.3    31   1.4     2   0.1    8713  96.5
NVC452    ------------------ (2) -------------------
pav30      2148  99.5    48   2.2     0   0.0    9011  99.8
RAV603      301  13.9     1   0.0     1   0.0     960  10.6
SCN318     2129  98.6    28   1.3     3   0.1    8952  99.1
SWP311     2129  98.6    26   1.2     3   0.1    8971  99.3
TBA807     2132  98.7    22   1.0     7   0.3    8968  99.3
vbs530     1914  88.7     0   0.0     2   0.1    8255  91.4
VET98     ------------------ (3) -------------------
-----------------------------------------------------------
Remark (2): Scanner crashed in test.
Remark (3): Only half report generated.


Table W95.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows 95:
=======================================================

                          This includes
              Viruses  ---- unreliably ----           Files
Scanner      detected  identified    detected      detected
-----------------------------------------------------------
Testbed      75 100.0%           %           %    710 100.0%
-----------------------------------------------------------
acu100    ------------------ (4) ------------------
ANT51301     72  96.0     4   5.3     0   0.0     693  97.6
any300       75 100.0    49  65.3     2   2.7     705  99.3
AVK803       75 100.0     3   4.0     0   0.0     710 100.0
AVP30        75 100.0     2   2.7     0   0.0     710 100.0
AVS770       75 100.0     1   1.3     0   0.0     710 100.0
DSS785u      75 100.0     0   0.0     0   0.0     710 100.0
fma110       75 100.0     0   0.0     0   0.0     710 100.0
FSE401a      75 100.0     0   0.0     0   0.0     710 100.0
fwn111       75 100.0     1   1.3     0   0.0     710 100.0
ibm30        75 100.0     3   4.0     0   0.0     710 100.0
INO50410     75 100.0     3   4.0     0   0.0     710 100.0
irs2210      75 100.0     3   4.0     0   0.0     710 100.0
ivb          70  93.3     0   0.0     5   6.7     668  94.1
NAV408       75 100.0     1   1.3     0   0.0     710 100.0
NVC452       75 100.0     1   1.3     0   0.0     710 100.0
pav30        75 100.0     3   4.0     0   0.0     710 100.0
SCN318       75 100.0     2   2.7     0   0.0     710 100.0
SWP311       75 100.0     4   5.3     0   0.0     710 100.0
TBA807       75 100.0     0   0.0     2   2.7     707  99.6
VET98        75 100.0     3   4.0     0   0.0     710 100.0
-----------------------------------------------------------
Remark (4): According to scanner, no OLE object found.


Table W95.M3: "Packed Macro Viruses": Results of Detection of
              Packed Zoo Macro Viruses under Windows 95:
============================================================

         This includes
         ---------- Viruses detected per Packer ---------------
Scanner      ZIP     %    LHA     %    ARJ     %    RAR     %
----------------------------------------------------------------
Testbed     2159 100.0   1840 100.0   2159 100.0   2159 100.0
----------------------------------------------------------------
ANT51301    1846  85.5   1567  85.2   1846  85.5      0   0.0
ANY300      1509  69.9      0   0.0      0   0.0      0   0.0
AVK803      2145  99.4   1804  98.0   2145  99.4   2145  99.4
AVP30       2159 100.0   1815  98.6   2159 100.0   2159 100.0
DSS785u     2158 100.0   1839  99.9   2158 100.0      0   0.0
FSE401a     2159 100.0   1841 100.1   2159 100.0   2159 100.0
IBM30       2041  94.5      0   0.0      0   0.0      0   0.0
INO50410    2133  98.8   1815  98.6   2133  98.8      0   0.0
PAV30       2147  99.4   1806  98.2   2147  99.4   2147  99.4
RAV603         0   0.0      0   0.0      0   0.0    301  13.9
SCN318      2108  97.6   1801  97.9      0   0.0      0   0.0
----------------------------------------------------------------
Remark: table lists only those scanners where at least one
        packed viral object was detected for at least one
        packing method.


Table W95.M4: "False Positive" detection: Results of "full" zoo
              test for non-viral (clean) macro objects detected
              as "false positives" under Windows 95:
==================================================================

              Falsely     This includes
             detected  ---- unreliably ----           Files
Scanner       Viruses  identified    detected      detected
-----------------------------------------------------------
Testbed      25 100.0%           %           %    362 100.0%
-----------------------------------------------------------
ANT51301      4  16.0     0   0.0     4  16.0       6   1.7
any300        1   4.0     0   0.0     1   4.0       3   0.8
AVK803        5  20.0     0   0.0     5  20.0       5   1.4
AVP30         5  20.0     0   0.0     5  20.0       6   1.7
AVS770        0   0.0     0   0.0     0   0.0       0   0.0
DSS785u       0   0.0     0   0.0     0   0.0       0   0.0
fma110        9  36.0     0   0.0     9  36.0      16   4.4
FSE401a       5  20.0     0   0.0     5  20.0       6   1.7
ibm30         0   0.0     0   0.0     0   0.0       0   0.0
INO50410      2   8.0     0   0.0     2   8.0       4   1.1
irs2210      17  68.0     0   0.0    17  68.0      45  12.4
ivb          24  96.0     0   0.0    24  96.0     178  49.2
NAV408        4  16.0     0   0.0     4  16.0       4   1.1
NVC452        0   0.0     0   0.0     0   0.0       0   0.0
pav30         2   8.0     0   0.0     2   8.0       4   1.1
RAV603        0   0.0     0   0.0     0   0.0       0   0.0
SCN318        0   0.0     0   0.0     0   0.0       0   0.0
SWP311        2   8.0     0   0.0     2   8.0       4   1.1
TBA807        0   0.0     0   0.0     0   0.0       0   0.0
VBS530        2   8.0     0   0.0     2   8.0       4   1.1
VET98         0   0.0     0   0.0     0   0.0       0   0.0
-----------------------------------------------------------
Remark: within 25 non-viral directories and a total of 362
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table W95.M5: "Macro-Malware": Results of "full" zoo test
              for Macro-related malware under Windows 95:
==========================================================

Some manufacturers requested that their AV product should not be
tested against malware. The following table consequently lists
only those products which were not withdrawn from this test.

                          This includes
              Malware  ---- unreliably ----           Files
Scanner      detected  identified    detected      detected
-----------------------------------------------------------
Testbed     111 100.0%           %           %    191 100.0%
-----------------------------------------------------------
acu100    ------------------ (4) ------------------
ANT51301     97  87.4     0   0.0     1   0.9     171  89.5
any300       52  46.8     8   7.2     1   0.9     105  55.0
AVK803      107  96.4     0   0.0     1   0.9     186  97.4
AVP30       107  96.4     0   0.0     1   0.9     186  97.4
AVS770      104  93.7     2   1.8     2   1.8     180  94.2
DSS785u     111 100.0     0   0.0     0   0.0     191 100.0
fma110      109  98.2     1   0.9     0   0.0    ****  ****
FSE401a     111 100.0     1   0.9     0   0.0     191 100.0
fwn111      107  96.4     1   0.9     0   0.0     185  96.9
ibm30      ****  ****   ***   ***    **   ***    ****  ****
INO50410    104  93.7     0   0.0     2   1.8     180  94.2
irs2210     106  95.5     0   0.0     2   1.8     184  96.3
ivb          95  85.6     0   0.0     3   2.7     164  85.9
NAV408     ****  ****   ***   ***    **   ***    ****  ****
NVC452       96  86.5     3   2.7     0   0.0     171  89.5
pav30       107  96.4     0   0.0     1   0.9     186  97.4
RAV603       36  32.4     1   0.9     1   0.9      56  29.3
SCN318     ****  ****   ***   ***    **   ***    ****  ****
SWP311     ****  ****   ***   ***    **   ***    ****  ****
TBA807      102  91.9     0   0.0     4   3.6     177  92.7
VET98        73  65.8     3   2.7     1   0.9     143  74.9
-----------------------------------------------------------
Remark (4): According to scanner, no OLE object found.