===============================================
File 6BDOSFIL.TXT
DOS.I: Detailed results of File Virus Detection
       of on-demand scanner tests under DOS:
===============================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification
quality concerning FILE viruses as well as selected FILE MALWARE,
both in the full "zoo" virus collection and in the viral
In-The-Wild (ITW) testbed.

Additionally, test results are reported concerning detection of
(4*10,000) viruses in a testbed with generations of 4 polymorphic
file viruses, as well as a subset of 10,706 viruses generated
with the VKIT virus construction kit.

Moreover, results for detection of viruses in files compressed
with 4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection on selected files which were deliberately chosen
from available CD-ROMs and which were definitely clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Index of tables:
----------------
FDOS.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
FDOS.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
FDOS.FA:  "Polyfile-Test": Results of Polymorphic test
FDOS.FB:  "VKIT Test": Results of VKIT file virus test
FDOS.F3:  "Comparison of Detection Rate of Packed Viruses":
          Results of Detection Rate of ITW file viruses
          packed with PKZIP, LHA, ARJ and RAR
FDOS.F3a: "PKZIP-Packed File Viruses": Results of Detection of
          ITW File Viruses Packed with PKZIP
FDOS.F3b: "LHA-Packed File Viruses": Results of Detection of
          ITW File Viruses Packed with LHA
FDOS.F3c: "ARJ-Packed File Viruses": Results of Detection of
          ITW File Viruses Packed with ARJ
FDOS.F3d: "RAR-Packed File Viruses": Results of Detection of
          ITW File Viruses Packed with RAR
FDOS.F4:  "False Positive" detection: Results of "full" Zoo test for
          Non-viral (clean) samples detected as "False Positives"
FDOS.F5:  "File Malware": Results of "full" Zoo test for
          File-related malware


Table FDOS.F1: "FileVirus 1": Results of "full" Zoo test
               for file viruses under DOS:
===============================================================
                            This includes
          Viruses        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Testbed  17148 100.0%             %             %  128534 100.0%
---------------------------------------------------------------
AVA      16739  97.6     682   4.0     135   0.8   125823  97.9
AVG      14942  87.1     543   3.2     297   1.7   115759  90.1
AVK      12856  75.0     324   1.9       4   0.0   100188  77.9
AVP      17089  99.7     377   2.2      55   0.3   128000  99.6
DRW      16837  98.2     483   2.8     182   1.1   126776  98.6
DSS      17109  99.8     560   3.3      26   0.2   128187  99.7
FPR      16928  98.7      65   0.4      58   0.3   127962  99.6
FSE      16729  97.6     396   2.3      46   0.3   124741  97.0
INO      16822  98.1     534   3.1     116   0.7   126064  98.1
IRS       8850  51.6      36   0.2     523   3.0    72613  56.5
ITM      11011  64.2     408   2.4     622   3.6    78024  60.7
NAV      13230  77.2       0   0.0     254   1.5   104276  81.1
NOD      16612  96.9    1803  10.5     227   1.3   125436  97.6
NVC      16741  97.6    1116   6.5     277   1.6   126097  98.1
PAV      12632  73.7     313   1.8      40   0.2    97899  76.2
PRO       6091  35.5     176   1.0     764   4.5    49629  38.6
SCN      17113  99.8     654   3.8      40   0.2   128101  99.7
TSC       6772  39.5     312   1.8     428   2.5    53697  41.8
VET      11202  65.3     254   1.5     609   3.6    87520  68.1
VSP      12289  71.7    2396  14.0    1133   6.6    84489  65.7
---------------------------------------------------------------


Table FDOS.F2: "FileVirus 2": Results of "In-The-Wild" test
               for file viruses under DOS:
===============================================================
                            This includes
          Viruses        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Maximum     87 100.0%             %             %    2867 100.0%
---------------------------------------------------------------
AVA         87 100.0      14  16.1       3   3.4     2857  99.7
AVG         87 100.0      19  21.8       0   0.0     2867 100.0
AVK         69  79.3       4   4.6       0   0.0     2262  78.9
AVP         87 100.0       5   5.7       0   0.0     2867 100.0
DRW         87 100.0       5   5.7       2   2.3     2865  99.9
DSS         87 100.0       9  10.3       0   0.0     2867 100.0
FPR         87 100.0       0   0.0       1   1.1     2866 100.0
FSE         87 100.0       4   4.6       0   0.0     2867 100.0
INO         87 100.0      10  11.5       0   0.0     2867 100.0
IRS         72  82.8       3   3.4       3   3.4     2400  83.7
ITM         84  96.6       7   8.0      13  14.9     2378  82.9
NAV         80  92.0       0   0.0       1   1.1     2737  95.5
NOD         87 100.0      18  20.7       3   3.4     2864  99.9
NVC         87 100.0       6   6.9       1   1.1     2866 100.0
PAV         68  78.2       2   2.3       1   1.1     2250  78.5
PRO         59  67.8       3   3.4      19  21.8     1765  61.6
SCN         87 100.0       5   5.7       0   0.0     2867 100.0
TSC         70  80.5       6   6.9      11  12.6     2384  83.2
VET         81  93.1       3   3.4       6   6.9     2762  96.3
VSP         69  79.3      15  17.2       8   9.2     2281  79.6
---------------------------------------------------------------


Table FDOS.FA: "Polyfile-Test": Results of Polymorphic test:
===============================================================
                            This includes
          Viruses        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Testbed    400 100.0%             %             %   40000 100.0%
---------------------------------------------------------------
AVA        400 100.0     104  26.0       1   0.3    39999 100.0
AVG        400 100.0       0   0.0       0   0.0    40000 100.0
AVK        400 100.0       0   0.0       0   0.0    40000 100.0
AVP        400 100.0       0   0.0       0   0.0    40000 100.0
DRW        400 100.0       0   0.0       0   0.0    40000 100.0
DSS        400 100.0     102  25.5       1   0.3    39997 100.0
FPR        400 100.0       0   0.0       0   0.0    40000 100.0
FSE        400 100.0       0   0.0       0   0.0    40000 100.0
INO        400 100.0       1   0.3       0   0.0    40000 100.0
IRS        400 100.0       0   0.0       0   0.0    40000 100.0
ITM        400 100.0     210  52.5      46  11.5    39943  99.9
NAV        400 100.0       0   0.0       0   0.0    40000 100.0
NOD        400 100.0       0   0.0       0   0.0    40000 100.0
NVC        400 100.0     100  25.0       0   0.0    40000 100.0
PAV        400 100.0       0   0.0       0   0.0    40000 100.0
PRO        150  37.5       0   0.0       0   0.0    15000  37.5
SCN        400 100.0     100  25.0       3   0.8    39997 100.0
TSC        300  75.0       0   0.0      10   2.5    29393  73.5
VET        400 100.0       5   1.3       4   1.0    39996 100.0
VSP        400 100.0     192  48.0       3   0.8    39997 100.0
---------------------------------------------------------------
Remark: For 4 polymorphic viruses (Maltese Amoeba,
        MTE.Encroacher.B, NATAS and TREMOR), 10,000 generations
        were produced with VTC's dynamic polymorphic test engine.
        For each virus, 100 directories including infected
        objects with goat files of lengths ranging from 1 kByte
        to 100 kByte were generated.


Table FDOS.FB: "VKIT Test": Results of VKIT file virus test:
===============================================================
                            This includes
          Viruses        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Testbed  10706 100.0%             %             %  104640 100.0%
---------------------------------------------------------------
AVA      10706 100.0    1638  15.3      27   0.3   104580  99.9
AVG       8886  83.0     796   7.4     114   1.1    88025  84.1
AVK      10704 100.0    1502  14.0       3   0.0   104634 100.0
AVP      10706 100.0    1198  11.2       0   0.0   104640 100.0
DRW      10704 100.0    1005   9.4      16   0.1   104572  99.9
DSS      10706 100.0    1310  12.2       0   0.0   104640 100.0
FPR      10704 100.0     205   1.9       7   0.1   104614 100.0
FSE      10704 100.0    1503  14.0       3   0.0   104634 100.0
INO      10703 100.0    1232  11.5       8   0.1   104578  99.9
IRS      10120  94.5       0   0.0     354   3.3    98487  94.1
ITM       8913  83.3    1407  13.1     121   1.1    90946  86.9
NAV       4796  44.8       0   0.0       5   0.0    45951  43.9
NOD      10505  98.1    2790  26.1    1141  10.7    99005  94.6
NVC      10704 100.0    6198  57.9     327   3.1   102041  97.5
PAV      10704 100.0    1503  14.0       3   0.0   104634 100.0
PRO        188   1.8       0   0.0     150   1.4      979   0.9
SCN      10706 100.0    1739  16.2       0   0.0   104640 100.0
TSC      10704 100.0    1261  11.8       3   0.0   104634 100.0
VET       9839  91.9    1168  10.9     596   5.6    93162  89.0
VSP      10638  99.4    5879  54.9      71   0.7   103416  98.8
---------------------------------------------------------------


Table FDOS.F3: "Comparison of Detection Rate of Packed Viruses":
               Results of Detection Rate of ITW file viruses
               packed with PKZIP, LHA, ARJ and RAR
===============================================================
         This includes Viruses detected per Packer
Scanner  ZIP     %    LHA     %    ARJ     %    RAR     %
---------------------------------------------------------
Testbed   87 100.0     87 100.0     87 100.0     87 100.0
---------------------------------------------------------
AVA        3   3.4      2   2.3      2   2.3      4   4.6
AVK       87 100.0      0   0.0     87 100.0      0   0.0
AVP       87 100.0     87 100.0     87 100.0     87 100.0
DRW       81  93.1     81  93.1     81  93.1      0   0.0
DSS       87 100.0     87 100.0     87 100.0      0   0.0
FPR       87 100.0      0   0.0     87 100.0      0   0.0
FSE       81  93.1      0   0.0     81  93.1      0   0.0
INO       74  85.1      0   0.0     87 100.0      0   0.0
IRS        0   0.0      0   0.0      0   0.0      0   0.0
ITM        0   0.0      0   0.0      0   0.0      0   0.0
NAV       29  33.3      0   0.0      0   0.0      0   0.0
NOD       87 100.0      0   0.0     87 100.0     87 100.0
PAV       81  93.1      0   0.0     81  93.1      0   0.0
PRO        1   1.1      0   0.0      0   0.0      1   1.1
SCN       87 100.0     87 100.0     87 100.0      0   0.0
TSC        0   0.0      0   0.0      0   0.0      0   0.0
VET       86  98.9      2   2.3      2   2.3      3   3.4
VSP        0   0.0      0   0.0      0   0.0      0   0.0
---------------------------------------------------------


Table FDOS.F3a: "PKZIP-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with PKZIP under DOS:
===============================================================
                            This includes
          Viruses        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Testbed     87 100.0%             %             %    2867 100.0%
---------------------------------------------------------------
AVA          3   3.4       0   0.0       3   3.4        3   0.1
AVK         87 100.0       4   4.6       2   2.3     2819  98.3
AVP         87 100.0       5   5.7       1   1.1     2820  98.4
DRW         81  93.1       4   4.6       2   2.3     2766  96.5
DSS         87 100.0       9  10.3       0   0.0     2867 100.0
FPR         87 100.0       0   0.0       1   1.1     2866 100.0
FSE         81  93.1       4   4.6       1   1.1     2721  94.9
INO         74  85.1       7   8.0      21  24.1     2246  78.3
IRS          0   0.0       0   0.0       0   0.0        0   0.0
ITM          0   0.0       0   0.0       0   0.0        0   0.0
NAV         29  33.3       1   1.1       1   1.1      998  34.8
NOD         87 100.0      21  24.1       3   3.4     2864  99.9
PAV         81  93.1       3   3.4       2   2.3     2720  94.9
PRO          1   1.1       0   0.0       1   1.1        1   0.0
SCN         87 100.0       9  10.3       0   0.0     2867 100.0
TSC          0   0.0       0   0.0       0   0.0        0   0.0
VET         74  85.1       1   1.1       9  10.3     2616  91.2
VSP          0   0.0       0   0.0       0   0.0        0   0.0
---------------------------------------------------------------


Table FDOS.F3b: "LHA-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with LHA under DOS:
===============================================================
                            This includes
          Viruses        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Testbed     87 100.0%             %             %    2867 100.0%
---------------------------------------------------------------
AVA          2   2.3       0   0.0       2   2.3        2   0.1
AVK          0   0.0       0   0.0       0   0.0        0   0.0
AVP         87 100.0       5   5.7       0   0.0     2867 100.0
DRW         81  93.1       4   4.6       2   2.3     2766  96.5
DSS         87 100.0       9  10.3       0   0.0     2867 100.0
FPR          0   0.0       0   0.0       0   0.0        0   0.0
FSE          0   0.0       0   0.0       0   0.0        0   0.0
INO          0   0.0       0   0.0       0   0.0        0   0.0
IRS          0   0.0       0   0.0       0   0.0        0   0.0
ITM          0   0.0       0   0.0       0   0.0        0   0.0
NAV          0   0.0       0   0.0       0   0.0        0   0.0
NOD          0   0.0       0   0.0       0   0.0        0   0.0
PAV          0   0.0       0   0.0       0   0.0        0   0.0
PRO          0   0.0       0   0.0       0   0.0        0   0.0
SCN         87 100.0       9  10.3       0   0.0     2867 100.0
TSC          0   0.0       0   0.0       0   0.0        0   0.0
VET          2   2.3       0   0.0       2   2.3        2   0.1
VSP          0   0.0       0   0.0       0   0.0        0   0.0
---------------------------------------------------------------


Table FDOS.F3c: "ARJ-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with ARJ under DOS:
===============================================================
                            This includes
          Viruses        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Testbed     87 100.0%             %             %    2867 100.0%
---------------------------------------------------------------
AVA          2   2.3       0   0.0       2   2.3        2   0.1
AVK         87 100.0       4   4.6       1   1.1     2866 100.0
AVP         87 100.0       5   5.7       0   0.0     2867 100.0
DRW         81  93.1       4   4.6       2   2.3     2766  96.5
DSS         87 100.0       9  10.3       0   0.0     2867 100.0
FPR         87 100.0       0   0.0       1   1.1     2866 100.0
FSE         81  93.1       4   4.6       0   0.0     2768  96.5
INO         87 100.0      10  11.5       0   0.0     2867 100.0
IRS          0   0.0       0   0.0       0   0.0        0   0.0
ITM          0   0.0       0   0.0       0   0.0        0   0.0
NAV          0   0.0       0   0.0       0   0.0        0   0.0
NOD         87 100.0      21  24.1       3   3.4     2864  99.9
PRO          0   0.0       0   0.0       0   0.0        0   0.0
SCN         87 100.0       9  10.3       0   0.0     2867 100.0
TSC          0   0.0       0   0.0       0   0.0        0   0.0
VET          2   2.3       0   0.0       2   2.3        2   0.1
VSP          0   0.0       0   0.0       0   0.0        0   0.0
---------------------------------------------------------------


Table FDOS.F3d: "RAR-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with RAR under DOS:
===============================================================
                            This includes
          Viruses        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Testbed     87 100.0%             %             %    2867 100.0%
---------------------------------------------------------------
AVA          4   4.6       0   0.0       4   4.6        4   0.1
AVK          0   0.0       0   0.0       0   0.0        0   0.0
AVP         87 100.0       5   5.7       0   0.0     2867 100.0
DRW          0   0.0       0   0.0       0   0.0        0   0.0
DSS          0   0.0       0   0.0       0   0.0        0   0.0
FPR          0   0.0       0   0.0       0   0.0        0   0.0
FSE          0   0.0       0   0.0       0   0.0        0   0.0
INO          0   0.0       0   0.0       0   0.0        0   0.0
IRS          0   0.0       0   0.0       0   0.0        0   0.0
ITM          0   0.0       0   0.0       0   0.0        0   0.0
NAV          0   0.0       0   0.0       0   0.0        0   0.0
NOD         87 100.0      21  24.1       3   3.4     2864  99.9
PAV          0   0.0       0   0.0       0   0.0        0   0.0
PRO          1   1.1       0   0.0       1   1.1        1   0.0
SCN          0   0.0       0   0.0       0   0.0        0   0.0
TSC          0   0.0       0   0.0       0   0.0        0   0.0
VET          3   3.4       0   0.0       3   3.4        3   0.1
VSP          0   0.0       0   0.0       0   0.0        0   0.0
---------------------------------------------------------------


Table FDOS.F4: "False Positive" detection: Results of "full" Zoo
               test for Non-viral (clean) samples detected as
               "False Positives" under DOS:
===============================================================
          Falsely           This includes
          detected       ---- unreliably ----          Files
Scanner   Viruses      identified      detected       detected
---------------------------------------------------------------
Testbed     30 100.0%             %             %    3300 100.0%
---------------------------------------------------------------
AVA          1   3.3       0   0.0       1   3.3        1   0.0
AVG          1   3.3       0   0.0       1   3.3        1   0.0
AVK          0   0.0       0   0.0       0   0.0        0   0.0
AVP          0   0.0       0   0.0       0   0.0        0   0.0
DRW         11  36.7       0   0.0      11  36.7       12   0.4
DSS          1   3.3       0   0.0       1   3.3        1   0.0
FPR          0   0.0       0   0.0       0   0.0        0   0.0
FSE          0   0.0       0   0.0       0   0.0        0   0.0
INO          2   6.7       0   0.0       2   6.7        4   0.1
IRS          1   3.3       0   0.0       1   3.3        3   0.1
ITM          1   3.3       0   0.0       1   3.3        1   0.0
NAV          0   0.0       0   0.0       0   0.0        0   0.0
NOD          2   6.7       0   0.0       2   6.7        2   0.1
NVC          0   0.0       0   0.0       0   0.0        0   0.0
PAV          0   0.0       0   0.0       0   0.0        0   0.0
PRO          0   0.0       0   0.0       0   0.0        0   0.0
SCN          0   0.0       0   0.0       0   0.0        0   0.0
TSC          0   0.0       0   0.0       0   0.0        0   0.0
VET          1   3.3       0   0.0       1   3.3        1   0.0
VSP          6  20.0       0   0.0       6  20.0        6   0.2
---------------------------------------------------------------
Remark: within 30 non-viral directories and a total of 3300
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1).


Table FDOS.F5: "File Malware": Results of "full" Zoo test
               for File-related malware under DOS:
===============================================================
Some manufacturers requested that their AV product should not be
tested against malware. The following table consequently lists
only those products which were not withdrawn from this test.

                            This includes
          Malware        ---- unreliably ----          Files
Scanner   detected     identified      detected       detected
---------------------------------------------------------------
Testbed   2485 100.0%             %             %    3853 100.0%
---------------------------------------------------------------
AVA       1653  66.5      53   2.1      14   0.6     2528  65.6
AVG       1622  65.3      20   0.8      16   0.6     2242  58.2
AVK       2356  94.8      43   1.7       8   0.3     3547  92.1
AVP       2194  88.3      45   1.8      28   1.1     3217  83.5
DRW       1855  74.6      24   1.0      12   0.5     2775  72.0
DSS       2424  97.5      33   1.3       7   0.3     3769  97.8
FPR       2216  89.2      16   0.6      28   1.1     3403  88.3
FSE       2204  88.7      53   2.1      31   1.2     3216  83.5
INO       1870  75.3      28   1.1      17   0.7     2759  71.6
IRS       1081  43.5       2   0.1      20   0.8     1488  38.6
ITM       1113  44.8      11   0.4      49   2.0     1440  37.4
NAV       1909  76.8       0   0.0      40   1.6     2976  77.2
NOD       1575  63.4      53   2.1      21   0.8     2324  60.3
NVC       1725  69.4      49   2.0      37   1.5     2737  71.0
PAV       2356  94.8      43   1.7       8   0.3     3547  92.1
PRO        299  12.0       2   0.1      37   1.5      393  10.2
SCN       2416  97.2      46   1.9       4   0.2     3754  97.4
TSC       1421  57.2      25   1.0      27   1.1     1864  48.4
VET       1088  43.8       5   0.2      36   1.4     1533  39.8
VSP       1723  69.3      76   3.1      36   1.4     2292  59.5
---------------------------------------------------------------