==================================================
File 6DDOSMAC.TXT
DOS.III: Detailed results of Macro Virus Detection of on-demand scanner tests under DOS
==================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification quality concerning MACRO viruses as well as selected MACRO MALWARE, both in the full "zoo" virus collection and for the viral ITW testbed. Moreover, results for detection of macro viruses in files compressed with 4 popular packing methods are also given. Finally, a special test was performed concerning "false positive" virus detection of selected files which were deliberately chosen from available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6asumov.txt and 7eval.txt.

Index of tables:
----------------
FDOS.M1:  "MacroVirus 1": Results of "full" Zoo test for macro viruses
FDOS.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
FDOS.M3:  "Comparison of Detection Rate of Packed Viruses": Results of
          Detection Rate of ITW macro viruses packed with PKZIP, LHA, ARJ and RAR
FDOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of ITW macro
          Viruses Packed with PKZIP
FDOS.M3b: "LHA-Packed Macro Viruses": Results of Detection of ITW macro
          Viruses Packed with LHA
FDOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW macro
          Viruses Packed with ARJ
FDOS.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW macro
          Viruses Packed with RAR
FDOS.M4:  "False Positive" macro virus detection: Results of "full" Zoo test
          for non-viral (clean) macro objects detected as "false positives"
FDOS.M5:  "Macro-Malware": Results of "full" Zoo test for Macro-related malware


Table FDOS.M1: "MacroVirus 1": Results of "full" Zoo test for macro viruses under DOS:
====================================================

                             This includes
           Viruses      ---- unreliably ----      Files
Scanner    detected     identified   detected     detected
----------------------------------------------------------
Testbed    2875 100.0%          %           %     7765 100.0%
----------------------------------------------------------
AVA        2757  95.9     23  0.8     7  0.2     7504  96.6
AVG        2371  82.5      9  0.3    15  0.5     6390  82.3
AVK        2863  99.6     51  1.8     0  0.0     7747  99.8
AVP        2869  99.8     52  1.8     0  0.0     7758  99.9
DRW        2825  98.3     45  1.6     5  0.2     7674  98.8
DSS        2874 100.0      9  0.3     0  0.0     7765 100.0
FPR        2868  99.8      3  0.1     2  0.1     7743  99.7
FSE        2863  99.6     51  1.8     0  0.0     7747  99.8
HMV        2860  99.5     28  1.0    10  0.3     7726  99.5
INO        2867  99.8     47  1.6     2  0.1     7745  99.7
IRS        2560  89.1     27  0.9    36  1.3     6816  87.8
ITM        2038  70.9    139  4.8    59  2.1     5314  68.4
NAV        2865  99.7      0  0.0     4  0.1     7741  99.7
NOD        2869  99.8     32  1.1     4  0.1     7750  99.8
PAV        2859  99.5     51  1.8     0  0.0     7743  99.7
PRO        2341  81.5     42  1.5    60  2.1     6495  83.6
RAV        2851  99.2     66  2.3     1  0.0     7724  99.5
SCN        2874 100.0     73  2.5     0  0.0     7765 100.0
TSC        2200  76.5    121  4.2    39  1.4     6058  78.0
VET        2804  97.6     61  2.1     4  0.1     7629  98.2
----------------------------------------------------------


Table FDOS.M2: "MacroVirus 2": Results of "In-The-Wild" test for macro viruses under DOS:
=======================================================

                             This includes
           Viruses      ---- unreliably ----      Files
Scanner    detected     identified   detected     detected
-----------------------------------------------------------
Testbed      83 100.0%          %           %      675 100.0%
-----------------------------------------------------------
AVA          83 100.0      1  1.2     0  0.0      675 100.0
AVG          83 100.0      1  1.2     3  3.6      670  99.3
AVK          83 100.0      3  3.6     0  0.0      675 100.0
AVP          83 100.0      3  3.6     0  0.0      675 100.0
DRW          83 100.0      3  3.6     0  0.0      675 100.0
DSS          83 100.0      0  0.0     0  0.0      675 100.0
FPR          83 100.0      0  0.0     0  0.0      675 100.0
FSE          83 100.0      3  3.6     0  0.0      675 100.0
HMV          83 100.0      2  2.4     3  3.6      670  99.3
INO          83 100.0      4  4.8     1  1.2      674  99.9
IRS          77  92.8      1  1.2     3  3.6      643  95.3
ITM          82  98.8     17 20.5     6  7.2      656  97.2
NAV          83 100.0      0  0.0     0  0.0      675 100.0
NOD          83 100.0      2  2.4     3  3.6      670  99.3
PAV          83 100.0      3  3.6     0  0.0      675 100.0
PRO          76  91.6     10 12.0     7  8.4      634  93.9
RAV          83 100.0      1  1.2     1  1.2      674  99.9
SCN          83 100.0      0  0.0     0  0.0      675 100.0
TSC          74  89.2     21 25.3     3  3.6      622  92.1
VET          83 100.0      4  4.8     0  0.0      675 100.0
-----------------------------------------------------------


Table FDOS.M3: "Comparison of Detection Rate of Packed Viruses": Results of Detection Rate of ITW macro viruses packed with PKZIP, LHA, ARJ and RAR:
===========================================================

                  This includes Viruses detected per Packer
Scanner     ZIP     %      LHA     %      ARJ     %      RAR     %
----------------------------------------------------------------
Testbed      83 100.0       83 100.0       83 100.0       83 100.0
----------------------------------------------------------------
AVA           0   0.0        0   0.0        0   0.0        0   0.0
AVG           0   0.0        0   0.0        0   0.0        0   0.0
AVK          83 100.0        0   0.0       83 100.0        0   0.0
AVP          83 100.0       83 100.0       83 100.0       83 100.0
DRW          83 100.0       83 100.0       83 100.0        0   0.0
DSS          81  97.6       81  97.6       81  97.6        0   0.0
FPR          83 100.0        0   0.0       83 100.0        0   0.0
FSE          83 100.0        0   0.0       83 100.0        0   0.0
HMV           0   0.0        0   0.0        0   0.0        0   0.0
INO           0   0.0        0   0.0        0   0.0        0   0.0
IRS           0   0.0        0   0.0        0   0.0        0   0.0
ITM           0   0.0        0   0.0        0   0.0        0   0.0
NAV          83 100.0        0   0.0        0   0.0        0   0.0
NOD          83 100.0        0   0.0       83 100.0       83 100.0
PAV          83 100.0        0   0.0       83 100.0        0   0.0
PRO           0   0.0        0   0.0        0   0.0        0   0.0
RAV           0   0.0        0   0.0        0   0.0        0   0.0
SCN          83 100.0       83 100.0       83 100.0        0   0.0
TSC           0   0.0        0   0.0        0   0.0        0   0.0
VET          83 100.0        0   0.0        0   0.0        0   0.0
----------------------------------------------------------------


Table FDOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of ITW Macro Viruses Packed with PKZIP under Windows NT:
======================================================================

                             This includes
           Viruses      ---- unreliably ----      Files
Scanner    detected     identified   detected     detected
-----------------------------------------------------------
Testbed      83 100.0%          %           %      675 100.0%
-----------------------------------------------------------
AVA           0   0.0      0  0.0     0  0.0        0   0.0
AVG           0   0.0      0  0.0     0  0.0        0   0.0
AVK          83 100.0      3  3.6     0  0.0      675 100.0
AVP          83 100.0      3  3.6     0  0.0      675 100.0
DRW          83 100.0      3  3.6     0  0.0      675 100.0
DSS          81  97.6      0  0.0     0  0.0      657  97.3
FPR          83 100.0      0  0.0     0  0.0      675 100.0
FSE          83 100.0      3  3.6     0  0.0      675 100.0
HMV           0   0.0      0  0.0     0  0.0        0   0.0
INO          39  47.0      2  2.4     4  4.8      281  41.6
IRS           0   0.0      0  0.0     0  0.0        0   0.0
ITM           0   0.0      0  0.0     0  0.0        0   0.0
NAV          83 100.0      1  1.2     0  0.0      675 100.0
NOD          83 100.0      2  2.4     3  3.6      670  99.3
PAV          83 100.0      3  3.6     0  0.0      675 100.0
PRO           0   0.0      0  0.0     0  0.0        0   0.0
RAV           0   0.0      0  0.0     0  0.0        0   0.0
SCN          83 100.0      0  0.0     0  0.0      675 100.0
TSC           0   0.0      0  0.0     0  0.0        0   0.0
VET          83 100.0      4  4.8     0  0.0      675 100.0
-----------------------------------------------------------


Table FDOS.M3b: "LHA-Packed Macro Viruses": Results of Detection of ITW Macro Viruses Packed with LHA under Windows NT:
===================================================================

                             This includes
           Viruses      ---- unreliably ----      Files
Scanner    detected     identified   detected     detected
-----------------------------------------------------------
Testbed      83 100.0%          %           %      675 100.0%
-----------------------------------------------------------
AVA           0   0.0      0  0.0     0  0.0        0   0.0
AVG           0   0.0      0  0.0     0  0.0        0   0.0
AVK           0   0.0      0  0.0     0  0.0        0   0.0
AVP          83 100.0      3  3.6     0  0.0      675 100.0
DRW          83 100.0      3  3.6     0  0.0      675 100.0
DSS          81  97.6      0  0.0     0  0.0      657  97.3
FPR           0   0.0      0  0.0     0  0.0        0   0.0
FSE           0   0.0      0  0.0     0  0.0        0   0.0
HMV           0   0.0      0  0.0     0  0.0        0   0.0
INO           0   0.0      0  0.0     0  0.0        0   0.0
IRS           0   0.0      0  0.0     0  0.0        0   0.0
ITM           0   0.0      0  0.0     0  0.0        0   0.0
NAV           0   0.0      0  0.0     0  0.0        0   0.0
NOD           0   0.0      0  0.0     0  0.0        0   0.0
PAV           0   0.0      0  0.0     0  0.0        0   0.0
PRO           0   0.0      0  0.0     0  0.0        0   0.0
RAV           0   0.0      0  0.0     0  0.0        0   0.0
SCN          83 100.0      0  0.0     0  0.0      675 100.0
TSC           0   0.0      0  0.0     0  0.0        0   0.0
VET           0   0.0      0  0.0     0  0.0        0   0.0
-----------------------------------------------------------


Table FDOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW Macro Viruses Packed with ARJ under Windows NT:
===================================================================

                             This includes
           Viruses      ---- unreliably ----      Files
Scanner    detected     identified   detected     detected
-----------------------------------------------------------
Testbed      83 100.0%          %           %      675 100.0%
-----------------------------------------------------------
AVA           0   0.0      0  0.0     0  0.0        0   0.0
AVG           0   0.0      0  0.0     0  0.0        0   0.0
AVK          83 100.0      3  3.6     0  0.0      675 100.0
AVP          83 100.0      3  3.6     0  0.0      675 100.0
DRW          83 100.0      3  3.6     0  0.0      675 100.0
DSS          81  97.6      0  0.0     0  0.0      657  97.3
FPR          83 100.0      0  0.0     0  0.0      675 100.0
FSE          83 100.0      3  3.6     0  0.0      675 100.0
HMV           0   0.0      0  0.0     0  0.0        0   0.0
INO          83 100.0      4  4.8     1  1.2      674  99.9
IRS           0   0.0      0  0.0     0  0.0        0   0.0
ITM           0   0.0      0  0.0     0  0.0        0   0.0
NAV           0   0.0      0  0.0     0  0.0        0   0.0
NOD          83 100.0      2  2.4     3  3.6      670  99.3
PAV          83 100.0      3  3.6     0  0.0      675 100.0
PRO           0   0.0      0  0.0     0  0.0        0   0.0
RAV           0   0.0      0  0.0     0  0.0        0   0.0
SCN          83 100.0      0  0.0     0  0.0      675 100.0
TSC           0   0.0      0  0.0     0  0.0        0   0.0
VET           0   0.0      0  0.0     0  0.0        0   0.0
-----------------------------------------------------------


Table FDOS.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW Macro Viruses Packed with RAR under Windows NT:
==================================================================

                             This includes
           Viruses      ---- unreliably ----      Files
Scanner    detected     identified   detected     detected
-----------------------------------------------------------
Testbed      83 100.0%          %           %      675 100.0%
-----------------------------------------------------------
AVA           0   0.0      0  0.0     0  0.0        0   0.0
AVG           0   0.0      0  0.0     0  0.0        0   0.0
AVK           0   0.0      0  0.0     0  0.0        0   0.0
AVP          83 100.0      3  3.6     0  0.0      675 100.0
DRW           0   0.0      0  0.0     0  0.0        0   0.0
DSS           0   0.0      0  0.0     0  0.0        0   0.0
FPR           0   0.0      0  0.0     0  0.0        0   0.0
FSE           0   0.0      0  0.0     0  0.0        0   0.0
HMV           0   0.0      0  0.0     0  0.0        0   0.0
INO           0   0.0      0  0.0     0  0.0        0   0.0
IRS           0   0.0      0  0.0     0  0.0        0   0.0
ITM           0   0.0      0  0.0     0  0.0        0   0.0
NAV           0   0.0      0  0.0     0  0.0        0   0.0
NOD          83 100.0      2  2.4     3  3.6      670  99.3
PAV           0   0.0      0  0.0     0  0.0        0   0.0
PRO           0   0.0      0  0.0     0  0.0        0   0.0
RAV           0   0.0      0  0.0     0  0.0        0   0.0
SCN           0   0.0      0  0.0     0  0.0        0   0.0
TSC           0   0.0      0  0.0     0  0.0        0   0.0
VET           0   0.0      0  0.0     0  0.0        0   0.0
-----------------------------------------------------------


Table FDOS.M4: "False Positive" macro virus detection: Results of "full" Zoo test for non-viral (clean) macro objects detected as "false positives" under DOS:
================================================================

                             This includes
           Viruses      ---- unreliably ----      Files
Scanner    detected     identified   detected     detected
-----------------------------------------------------------
Testbed      25 100.0%          %           %      362 100.0%
-----------------------------------------------------------
AVA           0   0.0      0  0.0     0   0.0       0   0.0
AVG           1   4.0      0  0.0     1   4.0       1   0.3
AVK           0   0.0      0  0.0     0   0.0       0   0.0
AVP           2   8.0      0  0.0     2   8.0       4   1.1
DRW          20  80.0      0  0.0    20  80.0     106  29.3
DSS           0   0.0      0  0.0     0   0.0       0   0.0
FPR           3  12.0      0  0.0     3  12.0       4   1.1
FSE           0   0.0      0  0.0     0   0.0       0   0.0
HMV           7  28.0      0  0.0     7  28.0      11   3.0
INO          16  64.0      0  0.0    16  64.0      35   9.7
IRS          16  64.0      0  0.0    16  64.0      31   8.6
ITM           6  24.0      0  0.0     6  24.0      10   2.8
NAV           5  20.0      0  0.0     5  20.0       5   1.4
NOD           7  28.0      0  0.0     7  28.0      12   3.3
PAV           0   0.0      0  0.0     0   0.0       0   0.0
PRO          23  92.0      0  0.0    23  92.0     151  41.7
RAV          23  92.0      0  0.0    23  92.0     122  33.7
SCN           0   0.0      0  0.0     0   0.0       0   0.0
TSC          14  56.0      0  0.0    14  56.0      26   7.2
VET           8  32.0      0  0.0     8  32.0      16   4.4
-----------------------------------------------------------

Remark: within the 25 non-viral directories (a total of 362 non-viral objects), at least one sample in N directories was falsely detected (N = number in column 1).


Table FDOS.M5: "Macro-Malware": Results of "full" Zoo test for Macro-related malware under DOS:
========================================================

Some manufacturers requested that their AV product should not be tested against malware. The following table consequently lists only those products which were not withdrawn from this test.

                             This includes
           Malware      ---- unreliably ----      Files
Scanner    detected     identified   detected     detected
----------------------------------------------------------
Testbed     143 100.0%          %           %      200 100.0%
----------------------------------------------------------
AVA         130  91.5      2  1.4     1  0.7      185  92.5
AVG          98  69.0      1  0.7     2  1.4      146  73.0
AVK         136  95.8      1  0.7     1  0.7      193  96.5
AVP         136  95.8      0  0.0     1  0.7      193  96.5
DRW         116  81.7      1  0.7     2  1.4      168  84.0
DSS         140  98.6      0  0.0     0  0.0      198  99.0
FPR         139  97.9      1  0.7     0  0.0      197  98.5
FSE         136  95.8      1  0.7     1  0.7      193  96.5
HMV         137  96.5      0  0.0     1  0.7      194  97.0
INO         136  95.8      0  0.0     3  2.1      191  95.5
IRS          76  53.5      0  0.0     4  2.8      107  53.5
ITM          39  27.5      0  0.0     0  0.0       52  26.0
NAV         129  90.8      0  0.0     1  0.7      183  91.5
NOD         137  96.5      1  0.7     0  0.0      195  97.5
NVC         128  90.1      2  1.4     1  0.7      184  92.0
PAV         134  94.4      1  0.7     1  0.7      191  95.5
PRO          84  59.2      3  2.1     1  0.7      126  63.0
RAV         116  81.7      1  0.7     1  0.7      162  81.0
SCN         139  97.9      0  0.0     0  0.0      197  98.5
TSC         105  73.9      5  3.5     1  0.7      156  78.0
VET         127  89.4      3  2.1     1  0.7      183  91.5
----------------------------------------------------------