================================================
File 6GWNT.TXT
Detailed results of File and Macro Virus related
on-demand scanner tests under Windows NT:
================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification
quality concerning FILE and MACRO viruses as well as selected
FILE and MACRO MALWARE (as far as applicable), both in the full
"zoo" virus collection and in the viral ITW testbed. Moreover,
results for detection of viruses in files compressed with 4
popular packing methods are also given. Finally, a special test
was performed concerning "false positive" virus detection of
selected files which were deliberately chosen from available
CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Index of tables:
----------------
WNT.F1: "FileVirus 1": Results of "full" Zoo test for file viruses
WNT.F2: "FileVirus 2": Results of "In-The-Wild" test for file viruses
WNT.F3: "Packed File Viruses": Results of Detection of Packed Zoo
        File Viruses
WNT.F4: "False Positive" detection: Results of "full" Zoo test for
        non-viral (clean) file samples detected as "False positives"
WNT.F5: "File Malware": Results of "full" Zoo test for File-related
        malware
WNT.M1: "MacroVirus 1": Results of "full" test for macro viruses
WNT.M2: "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
WNT.M3: "Packed Macro Viruses": Results of Detection of Packed Zoo
        macro Viruses
WNT.M4: "False Positive" detection: Results of "full" zoo test for
        non-viral (clean) macro objects detected as "false positives"
WNT.M5: "Macro-Malware": Results of "full" zoo test for Macro-related
        malware


Table WNT.F1: "FileVirus 1": Results of "full" test
              for file viruses under Windows NT:
===================================================

                              This includes
              Viruses     ---- unreliably ----             Files
Scanner      detected    identified      detected       detected
-----------------------------------------------------------------
Testbed   13993 100.0%             %             %  112038 100.0%
-----------------------------------------------------------------
ANT51301  12778  91.3    1092   7.8    1059   7.6   101751  90.8
ANY300     9753  69.7     344   2.5    1710  12.2    74975  66.9
AVK803    13932  99.6     471   3.4      41   0.3   111819  99.8
AVP30     11714  83.7     262   1.9       9   0.1    87990  78.5
AVS770    13516  96.6     608   4.3      93   0.7   109240  97.5
DSS785U   13985  99.9     377   2.7       3   0.0   111861  99.8
FSE401    13964  99.8    1766  12.6      16   0.1   111983 100.0
IBM30     10800  77.2     186   1.3      68   0.5    83669  74.7
NAV408    -------------------- (1) --------------------
NVC452    13101  93.6     261   1.9     375   2.7   106541  95.1
PAV30     13766  98.4     410   2.9      65   0.5   111548  99.6
RAV603    11883  84.9    1284   9.2     593   4.2    96347  86.0
SCN318     9992  71.4     611   4.4     295   2.1    77317  69.0
SWP311    13771  98.4     741   5.3     123   0.9   110578  98.7
TBA807    12957  92.6     351   2.5     437   3.1   105263  94.0
-----------------------------------------------------------------
Remark (1): scanner protocol could not be processed.


Table WNT.F2: "FileVirus 2": Results of "In-The-Wild" test
              for file viruses under Windows NT:
======================================================

                              This includes
              Viruses     ---- unreliably ----             Files
Scanner      detected    identified      detected       detected
-----------------------------------------------------------------
Testbed     122 100.0%             %             %    3591 100.0%
-----------------------------------------------------------------
ANT51301    119  97.5      13  10.7       4   3.3     3554  99.0
ANY300      110  90.2       6   4.9      39  32.0     3066  85.4
AVK803      122 100.0      10   8.2       0   0.0     3591 100.0
AVP30       122 100.0      10   8.2       0   0.0     3591 100.0
AVS770      121  99.2      14  11.5       4   3.3     3571  99.4
DSS785U     122 100.0      10   8.2       0   0.0     3591 100.0
FSE401      122 100.0      13  10.7       0   0.0     3591 100.0
IBM30       120  98.4       9   7.4       0   0.0     3551  98.9
NAV408      120  98.4      12   9.8       3   2.5     3540  98.6
NVC452      122 100.0       4   3.3       4   3.3     3581  99.7
PAV30       122 100.0       8   6.6       2   1.6     3589  99.9
RAV603      118  96.7      12   9.8       9   7.4     3530  98.3
scn318      121  99.2      21  17.2       1   0.8     3584  99.8
swp311      122 100.0      17  13.9       3   2.5     3587  99.9
TBA807      121  99.2       4   3.3       5   4.1     3576  99.6
-----------------------------------------------------------------


Table WNT.F3: "Packed File Viruses": Results of Detection
              of Packed Zoo File Viruses under Windows NT:
==========================================================

This includes ---------- Viruses detected per Packer ---------------
Scanner     ZIP     %     LHA     %     ARJ     %     RAR     %
----------------------------------------------------------------
Testbed   13993 100.0   13993 100.0   13993 100.0   13993 100.0
----------------------------------------------------------------
ANT51301    455   3.3     503   3.6     506   3.6     762   5.4
ANY300     1335   9.5      26   0.2      29   0.2      50   0.4
AVK803    13742  98.2   13721  98.1   13743  98.2   13746  98.2
AVP30     13915  99.4   13894  99.3   13917  99.5   13918  99.5
AVS770      462   3.3     532   3.8     537   3.8     775   5.5
DSS785U   13922  99.5   13919  99.5   13921  99.5       0   0.0
IBM30     12908  92.2     447   3.2     451   3.2     706   5.0
NVC452    12945  92.5       9   0.1   12944  92.5      48   0.3
PAV30     13695  97.9   13675  97.7   13697  97.9   13698  97.9
RAV603      669   4.8     752   5.4     669   4.8   10257  73.3
SCN318        0   0.0     412   2.9     251   1.8     528   3.8
SWP311       44   0.3      41   0.3      25   0.2      52   0.4
----------------------------------------------------------------
Remark: table lists only those scanners where at least one packed
        viral object was detected for at least one packing method.


Table WNT.F4: "False Positive" detection: Results of "full" Zoo
              test for Non-viral (clean) samples detected as
              "false positives" under Windows NT:
==============================================================

              Falsely         This includes
             detected     ---- unreliably ----             Files
Scanner       Viruses    identified      detected       detected
-----------------------------------------------------------------
Testbed      30 100.0%             %             %    3300 100.0%
-----------------------------------------------------------------
ANT51301      2   6.7       0   0.0       2   6.7        2   0.1
ANY300        5  16.7       0   0.0       5  16.7        5   0.2
AVK803        0   0.0       0   0.0       0   0.0        0   0.0
AVP30         0   0.0       0   0.0       0   0.0        0   0.0
AVS770        1   3.3       0   0.0       1   3.3        1   0.0
DSS785U       0   0.0       0   0.0       0   0.0        0   0.0
FSE401        0   0.0       0   0.0       0   0.0        0   0.0
IBM30         1   3.3       0   0.0       1   3.3        1   0.0
NAV408    -------------------- (1) --------------------
NVC452        0   0.0       0   0.0       0   0.0        0   0.0
PAV30         0   0.0       0   0.0       0   0.0        0   0.0
RAV603        0   0.0       0   0.0       0   0.0        0   0.0
scn318        0   0.0       0   0.0       0   0.0        0   0.0
swp311        0   0.0       0   0.0       0   0.0        0   0.0
TBA807        4  13.3       0   0.0       4  13.3        5   0.2
-----------------------------------------------------------------
Remark: within 30 non-viral directories and a total of 3300
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)
Remark (1): scanner protocol could not be processed.


Table WNT.F5: "File Malware": Results of "full" zoo test
              for File-related malware under Windows NT:
========================================================

Some manufacturers requested that their AV product should not be
tested against malware. The following table consequently lists
only those products which were not withdrawn from this test.

                              This includes
              Malware     ---- unreliably ----             Files
Scanner      detected    identified      detected       detected
-----------------------------------------------------------------
Testbed    3321 100.0%             %             %    7989 100.0%
-----------------------------------------------------------------
ANT51301   2869  86.4     318   9.6      85   2.6     6683  83.7
ANY300      359  10.8       1   0.0      79   2.4      824  10.3
AVK803     3093  93.1     122   3.7      20   0.6     7660  95.9
AVP30      3137  94.5     122   3.7      16   0.5     7718  96.6
AVS770     2672  80.5      83   2.5      22   0.7     6834  85.5
DSS785U    3267  98.4      24   0.7      10   0.3     7834  98.1
FSE401     3105  93.5     146   4.4      17   0.5     7678  96.1
IBM30      ****  ****     ***   ***      **   ***     ****  ****
PAV30      3030  91.2     111   3.3      20   0.6     7569  94.7
RAV603     2116  63.7      70   2.1      87   2.6     5219  65.3
scn318     ****  ****     ***   ***      **   ***     ****  ****
swp311     ****  ****     ***   ***      **   ***     ****  ****
TBA807     2443  73.6      40   1.2      68   2.0     6024  75.4
-----------------------------------------------------------------


Table WNT.M1: "MacroVirus 1": Results of "full" zoo test
              for macro viruses under Windows NT:
=======================================================

                              This includes
              Viruses     ---- unreliably ----             Files
Scanner      detected    identified      detected       detected
-----------------------------------------------------------------
Testbed    2159 100.0%             %             %    9033 100.0%
-----------------------------------------------------------------
ANT51301   1850  85.7     140   6.5       5   0.2     8107  89.7
ANY300     1522  70.5      11   0.5     130   6.0     6431  71.2
AVK803     2151  99.6      48   2.2       0   0.0     9014  99.8
AVP30      2159 100.0      46   2.1       0   0.0     9033 100.0
AVS770     2099  97.2      16   0.7       5   0.2     8870  98.2
DSS785U    2159 100.0      10   0.5       0   0.0     9033 100.0
fma110     2154  99.8       2   0.1       2   0.1     9021  99.9
fwn111n    2151  99.6      18   0.8       1   0.0     9008  99.7
HMV260     2137  99.0       8   0.4       4   0.2     8972  99.3
IBM30      2129  98.6      20   0.9       1   0.0     8944  99.0
IVB        2004  92.8       0   0.0      69   3.2     8429  93.3
NAV408     2157  99.9      32   1.5       1   0.0     9026  99.9
PAV30      2148  99.5      48   2.2       0   0.0     9011  99.8
RAV603     2149  99.5       8   0.4      16   0.7     8980  99.4
scn318     2109  97.7      28   1.3       1   0.0     8892  98.4
swp311     2105  97.5      23   1.1       8   0.4     8897  98.5
TBA807     2132  98.7      22   1.0       7   0.3     8968  99.3
TNT25       958  44.4       1   0.0      13   0.6     3898  43.2
-----------------------------------------------------------------


Table WNT.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows NT:
=======================================================

                              This includes
              Viruses     ---- unreliably ----             Files
Scanner      detected    identified      detected       detected
-----------------------------------------------------------------
Testbed      75 100.0%             %             %     710 100.0%
-----------------------------------------------------------------
ANT51301     72  96.0       4   5.3       0   0.0      693  97.6
ANY300       75 100.0       4   5.3      12  16.0      697  98.2
AVK803       75 100.0       3   4.0       0   0.0      710 100.0
AVP30        75 100.0       2   2.7       0   0.0      710 100.0
AVS770       75 100.0       1   1.3       0   0.0      710 100.0
DSS785U      75 100.0       0   0.0       0   0.0      710 100.0
fma110       75 100.0       0   0.0       0   0.0      710 100.0
fse401       75 100.0       0   0.0       0   0.0      710 100.0
fwn111       75 100.0       1   1.3       0   0.0      710 100.0
HMV260       75 100.0       2   2.7       1   1.3      709  99.9
IBM30        75 100.0       3   4.0       0   0.0      710 100.0
NAV408       75 100.0       1   1.3       0   0.0      710 100.0
NVC452       75 100.0       1   1.3       0   0.0      710 100.0
PAV30        75 100.0       3   4.0       0   0.0      710 100.0
RAV603       75 100.0       0   0.0       1   1.3      709  99.9
scn318       75 100.0       1   1.3       0   0.0      710 100.0
swp311       75 100.0       4   5.3       0   0.0      710 100.0
TBA807       75 100.0       0   0.0       2   2.7      707  99.6
-----------------------------------------------------------------


Table WNT.M3: "Packed Macro Viruses": Results of Detection
              of Packed Zoo Macro Viruses under Windows NT:
============================================================

This includes ---------- Viruses detected per Packer ---------------
Scanner     ZIP     %     LHA     %     ARJ     %     RAR     %
----------------------------------------------------------------
Testbed    2159 100.0    1840 100.0    2159 100.0    2159 100.0
----------------------------------------------------------------
ANY300     1471  68.1       0   0.0       0   0.0       0   0.0
AVK803     2706 125.3    2261 122.9    2706 125.3    2706 125.3
AVP30      2159 100.0    1815  98.6    2159 100.0    2159 100.0
DSS785U    2158 100.0    1839  99.9    2158 100.0       0   0.0
IBM30      2041  94.5       0   0.0       0   0.0       0   0.0
PAV30      2146  99.4    1805  98.1    2146  99.4    2146  99.4
RAV603        0   0.0       0   0.0       0   0.0     425  19.7
----------------------------------------------------------------
Remark: table lists only those scanners where at least one packed
        viral object was detected for at least one packing method.


Table WNT.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows NT:
==================================================================

              Falsely         This includes
             detected     ---- unreliably ----             Files
Scanner       Viruses    identified      detected       detected
-----------------------------------------------------------------
Testbed      25 100.0%             %             %     362 100.0%
-----------------------------------------------------------------
ANT51301      4  16.0       0   0.0       4  16.0        6   1.7
ANY300        1   4.0       0   0.0       1   4.0        3   0.8
AVK803        5  20.0       0   0.0       5  20.0        5   1.4
AVP30         6  24.0       0   0.0       6  24.0       10   2.8
AVS770        0   0.0       0   0.0       0   0.0        0   0.0
DSS785U       0   0.0       0   0.0       0   0.0        0   0.0
fma110        0   0.0       0   0.0       0   0.0        0   0.0
fwn111n       0   0.0       0   0.0       0   0.0        0   0.0
HMV260       24  96.0       0   0.0      24  96.0      135  37.3
IBM30         0   0.0       0   0.0       0   0.0        0   0.0
IVB          24  96.0       0   0.0      24  96.0      178  49.2
NAV408        6  24.0       0   0.0       6  24.0       11   3.0
PAV30         2   8.0       0   0.0       2   8.0        4   1.1
RAV603       24  96.0       0   0.0      24  96.0      168  46.4
scn318        7  28.0       0   0.0       7  28.0       10   2.8
swp311        1   4.0       0   0.0       1   4.0        1   0.3
TBA807        0   0.0       0   0.0       0   0.0        0   0.0
TNT25        10  40.0       0   0.0      10  40.0       54  14.9
-----------------------------------------------------------------
Remark: within 25 non-viral directories and a total of 362
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table WNT.M5: "Macro-Malware": Results of "full" test
              for Macro-related malware under Windows NT:
=========================================================

Some manufacturers requested that their AV product should not be
tested against malware. The following table consequently lists
only those products which were not withdrawn from this test.

                              This includes
              Malware     ---- unreliably ----             Files
Scanner      detected    identified      detected       detected
-----------------------------------------------------------------
Testbed     111 100.0%             %             %     191 100.0%
-----------------------------------------------------------------
acu100      108  97.3       2   1.8       0   0.0      188  98.4
ANT51301     97  87.4       0   0.0       1   0.9      171  89.5
ANY300       51  45.9       0   0.0       1   0.9      104  54.5
AVK803      107  96.4       0   0.0       1   0.9      186  97.4
AVP30       107  96.4       0   0.0       1   0.9      186  97.4
AVS770      104  93.7       2   1.8       2   1.8      180  94.2
DSS785U     111 100.0       1   0.9       0   0.0      191 100.0
fma110      ***  ****     ***   ***      **   ***     ****  ****
FSE401      111 100.0       1   0.9       0   0.0      191 100.0
fwn111n     107  96.4       1   0.9       0   0.0      185  96.9
HMV260       99  89.2       1   0.9       2   1.8      176  92.1
IBM30       ***  ****     ***   ***      **   ***     ****  ****
IVB          95  85.6       0   0.0       3   2.7      164  85.9
NAV408      ***  ****     ***   ***      **   ***     ****  ****
NVC452       96  86.5       3   2.7       0   0.0      171  89.5
PAV30       107  96.4       0   0.0       1   0.9      186  97.4
RAV603      107  96.4       2   1.8       4   3.6      183  95.8
scn318      ***  ****     ***   ***      **   ***     ****  ****
swp311      ***  ****     ***   ***      **   ***     ****  ****
TBA807      102  91.9       0   0.0       2   1.8      179  93.7
TNT25        73  65.8       0   0.0       1   0.9      133  69.6
-----------------------------------------------------------------