=================================================
File 6FW98.TXT
Detailed results of File and Macro Virus related
on-demand scanner tests under Windows 98:
=================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification
quality concerning FILE and MACRO viruses as well as selected
FILE and MACRO MALWARE (as far as applicable), both in full "zoo"
virus collection and for viral ITW testbed. Moreover, results for
detection of viruses in files compressed with 4 popular packing
methods are also given. Finally, a special test was performed
concerning "false positive" virus detection of selected files
which were deliberately chosen from available CD-ROMs and which
were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Index of tables:
----------------
W98.F1: "FileVirus 1": Results of "full" Zoo test for file viruses
W98.F2: "FileVirus 2": Results of "In-The-Wild" test for file viruses
W98.F3: "Packed File Viruses": Results of Detection of Packed Zoo
        File Viruses
W98.F4: "False Positive" detection: Results of "full" Zoo test for
        non-viral (clean) file samples detected as "False positives"
W98.F5: "File Malware": Results of "full" Zoo test for File-related
        malware
W98.M1: "MacroVirus 1": Results of "full" test for macro viruses
W98.M2: "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
W98.M3: "Packed Macro Viruses": Results of Detection of Packed Zoo
        macro Viruses
W98.M4: "False Positive" detection: Results of "full" Zoo test for
        non-viral (clean) macro objects detected as "false positives"
W98.M5: "Macro-Malware": Results of "full" zoo test for Macro-related
        malware


Table W98.F1: "FileVirus 1": Results of "full" zoo test
              for file viruses under Windows 98:
======================================================
                            This includes
           Viruses       ---- unreliably ----         Files
Scanner    detected     identified     detected      detected
---------------------------------------------------------------
Testbed   13993 100.0%           %            %   112038 100.0%
---------------------------------------------------------------
ANT51301  12778  91.3   1092   7.8   1059   7.6   101751  90.8
AVK803    13940  99.6    474   3.4     28   0.2   111869  99.8
AVP30     13981  99.9    451   3.2      9   0.1   112013 100.0
AVS770    13516  96.6    608   4.3     92   0.7   109241  97.5
DSS785u   13986  99.9    377   2.7      3   0.0   111862  99.8
FSE401a   13964  99.8   1766  12.6     16   0.1   111983 100.0
IBM30     12984  92.8    231   1.7     84   0.6   107226  95.7
INO50410  13081  93.5    456   3.3    153   1.1   106375  94.9
IRS2210   13528  96.7    490   3.5    221   1.6   109066  97.3
NVC452    13102  93.6    266   1.9    377   2.7   106542  95.1
PAV30     13766  98.4    410   2.9     65   0.5   111548  99.6
RAV603    11883  84.9   1284   9.2    593   4.2    96347  86.0
SCN318    12079  86.6    834   6.0    377   2.7    99842  89.2
SWP311    13766  98.4    718   5.1    128   0.9   110563  98.7
TBA807    12957  92.6    351   2.5    437   3.1   105261  94.0
---------------------------------------------------------------


Table W98.F2: "FileVirus 2": Results of "In-The-Wild" test
              for file viruses under Windows 98:
======================================================
                            This includes
           Viruses       ---- unreliably ----         Files
Scanner    detected     identified     detected      detected
---------------------------------------------------------------
Testbed     122 100.0%           %            %     3591 100.0%
---------------------------------------------------------------
ANT51301    119  97.5     13  10.7      4   3.3     3554  99.0
ANY300      115  94.3    102  83.6      8   6.6     3350  93.3
AVK803      122 100.0     10   8.2      0   0.0     3591 100.0
AVP30       122 100.0     10   8.2      0   0.0     3591 100.0
AVS770      121  99.2     14  11.5      4   3.3     3571  99.4
DSS785u     122 100.0     10   8.2      0   0.0     3591 100.0
FSE401a     122 100.0     13  10.7      0   0.0     3591 100.0
IBM30       121  99.2      9   7.4      0   0.0     3585  99.8
INO50410    121  99.2     13  10.7      4   3.3     3571  99.4
IRS2210     122 100.0     13  10.7      3   2.5     3579  99.7
NAV408      121  99.2     12   9.8      3   2.5     3574  99.5
NVC452      122 100.0      4   3.3      4   3.3     3581  99.7
PAV30       122 100.0      8   6.6      2   1.6     3589  99.9
RAV603      118  96.7     12   9.8      9   7.4     3530  98.3
SCN318      120  98.4     20  16.4      3   2.5     3571  99.4
SWP311      122 100.0     17  13.9      3   2.5     3587  99.9
TBA807      121  99.2      4   3.3      5   4.1     3576  99.6
VBS530       81  66.4      0   0.0     81  66.4       81   2.3
---------------------------------------------------------------


Table W98.F3: "Packed File Viruses": Results of Detection of
              Packed Zoo File Viruses under Windows 98:
===========================================================
                    This includes
          ---------- Viruses detected per Packer ---------------
Scanner     ZIP     %     LHA     %     ARJ     %     RAR     %
----------------------------------------------------------------
Testbed   13993 100.0   13993 100.0   13993 100.0   13993 100.0
----------------------------------------------------------------
ANT51301    455   3.3     503   3.6     506   3.6     762   5.4
ANY300     1350   9.6       1   0.0       1   0.0       1   0.0
AVK803    13744  98.2   13723  98.1   13745  98.2   13748  98.2
AVP30     13915  99.4   13894  99.3   13917  99.5   13918  99.5
AVS770      458   3.3     529   3.8     533   3.8     770   5.5
DSS785u   13924  99.5   13921  99.5   13923  99.5       0   0.0
FSE401a   13967  99.8   13950  99.7   13966  99.8   13944  99.6
IBM30     12908  92.2     447   3.2     451   3.2     706   5.0
INO50410      0   0.0      15   0.1       0   0.0      30   0.2
IRS2210       0   0.0     445   3.2       0   0.0     716   5.1
NVC452       32   0.2       9   0.1   12946  92.5      49   0.4
PAV30     13696  97.9   13676  97.7   13698  97.9   13699  97.9
RAV603      778   5.6     947   6.8     778   5.6   12297  87.9
SCN318        0   0.0      17   0.1      10   0.1      22   0.2
SWP311       43   0.3      39   0.3      23   0.2      45   0.3
----------------------------------------------------------------
Remark: table lists only those scanners where at least one
        packed viral object was detected for at least one
        packing method.


Table W98.F4: "False Positive" detection: Results of "full" Zoo
              test for Non-viral (clean) samples detected as
              "false positives" under Windows 98:
================================================================
           Falsely          This includes
           detected      ---- unreliably ----         Files
Scanner    Viruses      identified     detected      detected
---------------------------------------------------------------
Testbed      30 100.0%           %            %     3300 100.0%
---------------------------------------------------------------
ANT51301      2   6.7      0   0.0      2   6.7        2   0.1
AVK803        0   0.0      0   0.0      0   0.0        0   0.0
AVP30         0   0.0      0   0.0      0   0.0        0   0.0
AVS770        1   3.3      0   0.0      1   3.3        1   0.0
DSS785u       0   0.0      0   0.0      0   0.0        0   0.0
FSE401a       0   0.0      0   0.0      0   0.0        0   0.0
ibm30         1   3.3      0   0.0      1   3.3        1   0.0
INO50410      2   6.7      0   0.0      2   6.7        4   0.1
irs2210       2   6.7      0   0.0      2   6.7        5   0.2
NVC452        0   0.0      0   0.0      0   0.0        0   0.0
pav30         0   0.0      0   0.0      0   0.0        0   0.0
RAV603        0   0.0      0   0.0      0   0.0        0   0.0
SCN318        0   0.0      0   0.0      0   0.0        0   0.0
SWP311        0   0.0      0   0.0      0   0.0        0   0.0
TBA807        4  13.3      0   0.0      4  13.3        5   0.2
---------------------------------------------------------------
Remark: within 30 non-viral directories and totally 3300
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table W98.F5: "File Malware": Results of "full" zoo test
              for File-related malware under Windows 98:
========================================================
Some manufacturers requested that their AV product should not be
tested against malware. The following table consequently lists
only those products which were not withdrawn from this test.

                            This includes
           Malware       ---- unreliably ----         Files
Scanner    detected     identified     detected      detected
---------------------------------------------------------------
Testbed    3321 100.0%           %            %     7989 100.0%
---------------------------------------------------------------
ANT51301   2869  86.4    318   9.6     85   2.6     6683  83.7
ANY300     1851  55.7    226   6.8     53   1.6     4357  54.5
AVK803     3093  93.1    122   3.7     20   0.6     7660  95.9
AVP30      3137  94.5    122   3.7     16   0.5     7718  96.6
AVS770     2622  79.0     81   2.4     22   0.7     6738  84.3
DSS785u    3267  98.4     24   0.7     10   0.3     7834  98.1
FSE401a    3108  93.6    146   4.4     17   0.5     7683  96.2
IBM30      ****  ****    ***   ***     **   ***     ****  ****
INO50410   2579  77.7     97   2.9     24   0.7     6306  78.9
IRS2210    2968  89.4    100   3.0     68   2.0     7277  91.1
NVC452     2405  72.4     29   0.9     55   1.7     6452  80.8
PAV30      3042  91.6    116   3.5     20   0.6     7605  95.2
RAV603     2116  63.7     70   2.1     87   2.6     5219  65.3
SCN318     ****  ****    ***   ***     **   ***     ****  ****
SWP311     ****  ****    ***   ***     **   ***     ****  ****
TBA807     2443  73.6     40   1.2     68   2.0     6018  75.3
VBS530      576  17.3      0   0.0    384  11.6      862  10.8
---------------------------------------------------------------


Table W98.M1: "MacroVirus 1": Results of "full" zoo test
              for macro viruses under Windows 98:
======================================================
                            This includes
           Viruses       ---- unreliably ----         Files
Scanner    detected     identified     detected      detected
---------------------------------------------------------------
Testbed    2159 100.0%           %            %     9033 100.0%
---------------------------------------------------------------
ANT51301   1819  84.3    140   6.5     12   0.6     7979  88.3
any300     1527  70.7    571  26.4     17   0.8     6511  72.1
AVK803     2151  99.6     48   2.2      0   0.0     9014  99.8
AVP30      2159 100.0     46   2.1      0   0.0     9033 100.0
AVS770     2088  96.7     16   0.7      5   0.2     8840  97.9
DSS785u    2159 100.0     10   0.5      0   0.0     9033 100.0
fma110     1995  92.4      1   0.0      3   0.1     8484  93.9
FSE401a    2159 100.0      4   0.2      1   0.0     9031 100.0
FWN111     2151  99.6     18   0.8      1   0.0     9008  99.7
ibm30      2041  94.5     18   0.8      2   0.1     8587  95.1
INO50410   1901  88.1     15   0.7      3   0.1     8054  89.2
irs2210    2137  99.0     32   1.5      6   0.3     8956  99.1
ivb        2004  92.8      0   0.0     69   3.2     8429  93.3
NAV408     2058  95.3     31   1.4      2   0.1     8713  96.5
pav30      2148  99.5     48   2.2      0   0.0     9011  99.8
RAV603     1990  92.2      7   0.3     16   0.7     8445  93.5
scn318     2109  97.7     30   1.4      3   0.1     8890  98.4
SWP311     2129  98.6     26   1.2      3   0.1     8971  99.3
TBA807     2132  98.7     22   1.0      7   0.3     8968  99.3
VBS530      897  41.5      0   0.0      3   0.1     3751  41.5
---------------------------------------------------------------


Table W98.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows 98:
=======================================================
                            This includes
           Viruses       ---- unreliably ----         Files
Scanner    detected     identified     detected      detected
---------------------------------------------------------------
Testbed      75 100.0%           %            %      710 100.0%
---------------------------------------------------------------
ANT51301     72  96.0      4   5.3      0   0.0      693  97.6
ANY300        0   0.0      0   0.0      0   0.0        0   0.0
AVK803       75 100.0      3   4.0      0   0.0      710 100.0
AVP30        75 100.0      2   2.7      0   0.0      710 100.0
AVS770       75 100.0      1   1.3      0   0.0      710 100.0
DSS785u      75 100.0      0   0.0      0   0.0      710 100.0
FMA110       75 100.0      0   0.0      0   0.0      710 100.0
FSE401a      75 100.0      0   0.0      0   0.0      710 100.0
FWN111       75 100.0      1   1.3      0   0.0      710 100.0
IBM30        75 100.0      3   4.0      0   0.0      710 100.0
INO50410     75 100.0      3   4.0      0   0.0      710 100.0
IRS2210      75 100.0      3   4.0      0   0.0      710 100.0
NAV408       75 100.0      1   1.3      0   0.0      710 100.0
NVC452       75 100.0      1   1.3      0   0.0      710 100.0
PAV30        75 100.0      3   4.0      0   0.0      710 100.0
RAV603       41  54.7      0   0.0      0   0.0      315  44.4
SCN318       75 100.0      2   2.7      0   0.0      710 100.0
SWP311       75 100.0      4   5.3      0   0.0      710 100.0
TBA807       75 100.0      0   0.0      2   2.7      707  99.6
VBS530       74  98.7      0   0.0      1   1.3      704  99.2
---------------------------------------------------------------


Table W98.M3: "Packed Macro Viruses": Results of Detection of
              Packed Zoo Macro Viruses under Windows 98:
===========================================================
                    This includes
          ---------- Viruses detected per Packer ---------------
Scanner     ZIP     %     LHA     %     ARJ     %     RAR     %
----------------------------------------------------------------
Testbed    2159 100.0    1840 100.0    2159 100.0    2159 100.0
----------------------------------------------------------------
ANY300     1509  69.9       0   0.0       0   0.0       0   0.0
AVK803     2145  99.4    1804  98.0    2145  99.4    2145  99.4
AVP30      2159 100.0    1815  98.6    2159 100.0    2159 100.0
DSS785u    2158 100.0    1839  99.9    2158 100.0       0   0.0
FSE401a    2159 100.0    1841 100.1    2159 100.0    2159 100.0
IBM30      2041  94.5       0   0.0       0   0.0       0   0.0
PAV30      2147  99.4    1806  98.2    2147  99.4    2147  99.4
RAV603        0   0.0       0   0.0       0   0.0     301  13.9
----------------------------------------------------------------
Remark: table lists only those scanners where at least one
        packed viral object was detected for at least one
        packing method.


Table W98.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows 98:
=====================================================================
           Falsely          This includes
           detected      ---- unreliably ----         Files
Scanner    Viruses      identified     detected      detected
---------------------------------------------------------------
Testbed      25 100.0%           %            %      362 100.0%
---------------------------------------------------------------
ANT51301      4  16.0      0   0.0      4  16.0        6   1.7
any300        1   4.0      0   0.0      1   4.0        3   0.8
AVK803        5  20.0      0   0.0      5  20.0        5   1.4
AVP30         6  24.0      0   0.0      6  24.0       10   2.8
AVS770        0   0.0      0   0.0      0   0.0        0   0.0
DSS785u       0   0.0      0   0.0      0   0.0        0   0.0
fma110        9  36.0      0   0.0      9  36.0       16   4.4
FSE401a       5  20.0      0   0.0      5  20.0        6   1.7
fwn111        0   0.0      0   0.0      0   0.0        0   0.0
ibm30         0   0.0      0   0.0      0   0.0        0   0.0
INO50410      2   8.0      0   0.0      2   8.0        4   1.1
irs2210      17  68.0      0   0.0     17  68.0       45  12.4
ivb          24  96.0      0   0.0     24  96.0      178  49.2
NAV408        4  16.0      0   0.0      4  16.0        4   1.1
pav30         2   8.0      0   0.0      2   8.0        4   1.1
RAV603       24  96.0      0   0.0     24  96.0      168  46.4
scn318     2109  97.7     30   1.4      3   0.1     8890  98.4
SWP311        2   8.0      0   0.0      2   8.0        4   1.1
TBA807        0   0.0      0   0.0      0   0.0        0   0.0
VBS530        9  36.0      0   0.0      9  36.0       61  16.9
---------------------------------------------------------------
Remark: within 25 non-viral directories and totally 362
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table W98.M5: "Macro-Malware": Results of "full" zoo test
              for Macro-related malware under Windows 98:
===============================================================
Some manufacturers requested that their AV product should not be
tested against malware. The following table consequently lists
only those products which were not withdrawn from this test.

                            This includes
           Malware       ---- unreliably ----         Files
Scanner    detected     identified     detected      detected
---------------------------------------------------------------
Testbed     111 100.0%           %            %      191 100.0%
---------------------------------------------------------------
ACU100      100  90.1      2   1.8      0   0.0      177  92.7
ANT51301     97  87.4      0   0.0      1   0.9      171  89.5
ANY300       52  46.8      6   5.4      1   0.9      105  55.0
AVK803      107  96.4      0   0.0      1   0.9      186  97.4
AVP30       107  96.4      0   0.0      1   0.9      186  97.4
AVS770      104  93.7      2   1.8      2   1.8      180  94.2
DSS785u     111 100.0      1   0.9      0   0.0      191 100.0
FMA110      109  98.2      1   0.9      0   0.0      189  99.0
FSE401a     111 100.0      1   0.9      0   0.0      191 100.0
FWN111      107  96.4      1   0.9      0   0.0      185  96.9
IBM30       ***  ****    ***   ***     **   ***     ****  ****
INO50410    104  93.7      0   0.0      2   1.8      180  94.2
IRS2210     106  95.5      0   0.0      2   1.8      184  96.3
IVB          95  85.6      0   0.0      3   2.7      164  85.9
NVC452       96  86.5      3   2.7      0   0.0      171  89.5
PAV30       107  96.4      0   0.0      1   0.9      186  97.4
RAV197      107  96.4      2   1.8      4   3.6      183  95.8
SCN318      ***  ****    ***   ***     **   ***     ****  ****
SWP311      ***  ****    ***   ***     **   ***     ****  ****
TBA807      102  91.9      0   0.0      2   1.8      179  93.7
VBS530       89  80.2      0   0.0      3   2.7      160  83.8
---------------------------------------------------------------