================================================
File 6GWNT.TXT:
Detailed results of File and Macro Virus related
on-demand scanner tests under Windows NT:
================================================
(Formatted with non-proportional font: Courier; 72 columns)

The following tables summarize detection and identification quality
concerning FILE and MACRO viruses as well as selected FILE and MACRO
MALWARE, both in full "zoo" virus collection and for viral ITW testbed.

Additionally, test results are reported concerning detection of
(4*10,000) viruses in a testbed with generations of 6 polymorphic file
viruses, as well as a subset of 10,706 viruses generated from VKIT
virus construction kit. Moreover, results for detection of viruses in
files compressed with 4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen from
available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT. Results may
be influenced by problems experienced during tests; such problems are
documented in 8PROBLMS.TXT.

Index of tables:
----------------
WNT.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
WNT.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
WNT.FA:  "Polyfile-Test": Results of Polymorphic test
WNT.FB:  "VKIT Test": Results of VKIT file virus test
WNT.F3:  "Comparison of Detection Rate of Packed Viruses": Results of
         Detection Rate of ITW file viruses packed with PKZIP, LHA,
         ARJ and RAR
WNT.F3a: "PKZIP-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with PKZIP
WNT.F3b: "LHA-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with LHA
WNT.F3c: "ARJ-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with ARJ
WNT.F3d: "RAR-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with RAR
WNT.F4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) file samples detected as "False positives"
WNT.F5:  "File Malware": Results of "full" Zoo test for File-related
         malware
WNT.M1:  "MacroVirus 1": Results of "full" test for macro viruses
WNT.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro
         viruses
WNT.M3:  "Comparison of Detection Rate of Packed Viruses": Results of
         Detection Rate of ITW macro viruses packed with PKZIP, LHA,
         ARJ and RAR
WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with PKZIP
WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with LHA
WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with ARJ
WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with RAR
WNT.M4:  "False Positive" detection: Results of "full" zoo test for
         non-viral (clean) macro objects detected as "false positives"
WNT.M5:  "Macro-Malware": Results of "full" zoo test for Macro-related
         malware


Table WNT.F1: "FileVirus 1": Results of "full" test for file viruses
              under Windows NT:
===================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed 17561 100.0%            %            % 132576 100.0%
-----------------------------------------------------------
ANT     15310  87.2    690   3.9   1242   7.1  113426  85.6
AVA     17107  97.4    631   3.6    134   0.8  129634  97.8
AVG     15283  87.0    521   3.0    322   1.8  118702  89.5
AVK     17520  99.8    438   2.5      7   0.0  132514 100.0
AVP     17521  99.8    421   2.4      3   0.0  132520 100.0
AVX     13203  75.2    719   4.1   1159   6.6   96183  72.5
CMD     17280  98.4     62   0.4     37   0.2  131549  99.2
DWW     17261  98.3    474   2.7    185   1.1  130817  98.7
FPR     17458  99.4     16   0.1      8   0.0  132267  99.8
FPW     17423  99.2     10   0.1     10   0.1  132176  99.7
FSE     17537  99.9    152   0.9      6   0.0  132497  99.9
INO     17207  98.0    636   3.6    147   0.8  129905  98.0
MR2     10877  61.9   2281  13.0    835   4.8   77144  58.2
NAV     17131  97.6   1249   7.1    256   1.5  129968  98.0
NOD     17250  98.2   2069  11.8    257   1.5  130511  98.4
NVN     17389  99.0   1191   6.8    182   1.0  130922  98.8
PAV     17492  99.6    423   2.4     15   0.1  132411  99.9
PRO      7440  42.4    474   2.7    900   5.1   60479  45.6
SCN     17526  99.8    535   3.0     13   0.1  132222  99.7
SWP     17386  99.0    898   5.1    145   0.8  131675  99.3
VSP     12250  69.8   4421  25.2    902   5.1   83945  63.3
-----------------------------------------------------------


Table WNT.F2: "FileVirus 2": Results of "In-The-Wild" test for
              file viruses under Windows NT:
======================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Maximum    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
ANT        46 100.0      4   8.7      6  13.0    1452  97.5
AVA        46 100.0      6  13.0      3   6.5    1484  99.7
AVG        46 100.0      8  17.4      3   6.5    1484  99.7
AVK        46 100.0      2   4.3      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
AVX        40  87.0      1   2.2      7  15.2    1311  88.0
CMD        46 100.0      3   6.5      1   2.2    1488  99.9
DWW        46 100.0      3   6.5      1   2.2    1487  99.9
FPR        46 100.0      1   2.2      0   0.0    1489 100.0
FPW        46 100.0      1   2.2      0   0.0    1489 100.0
FSE        46 100.0      3   6.5      1   2.2    1486  99.8
INO        46 100.0      4   8.7      3   6.5    1486  99.8
MR2        35  76.1      6  13.0      4   8.7    1267  85.1
NAV        46 100.0      3   6.5      4   8.7    1481  99.5
NOD        46 100.0     10  21.7      3   6.5    1486  99.8
PAV        46 100.0      2   4.3      1   2.2    1486  99.8
PRO        46 100.0      6  13.0     14  30.4    1394  93.6
SCN        46 100.0      6  13.0      0   0.0    1489 100.0
SWP        46 100.0      5  10.9      1   2.2    1488  99.9
VSP        33  71.7     11  23.9      5  10.9    1237  83.1
-----------------------------------------------------------


Table WNT.FA: "Polyfile-Test": Results of Polymorphic test:
===========================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Maximum     6 100.0%            %            %  60000 100.0%
-----------------------------------------------------------
ANT         6 100.0      1  16.7      0   0.0   60000 100.0
AVA         6 100.0      2  33.3      1  16.7   59999 100.0
AVG         6 100.0      0   0.0      0   0.0   60000 100.0
AVK         6 100.0      0   0.0      0   0.0   60000 100.0
AVP         6 100.0      0   0.0      0   0.0   60000 100.0
AVX         5  83.3      0   0.0      2  33.3   49961  83.3
CMD         6 100.0      1  16.7      0   0.0   60000 100.0
DWW         6 100.0      0   0.0      0   0.0   60000 100.0
FPR         6 100.0      1  16.7      0   0.0   60000 100.0
FPW         6 100.0      1  16.7      0   0.0   60000 100.0
FSE         6 100.0      1  16.7      0   0.0   60000 100.0
INO         6 100.0      2  33.3      0   0.0   60000 100.0
MR2         6 100.0      3  50.0      1  16.7   59997 100.0
NAV         6 100.0      3  50.0      0   0.0   60000 100.0
NOD         6 100.0      0   0.0      0   0.0   60000 100.0
NVN         6 100.0      1  16.7      0   0.0   60000 100.0
PAV         6 100.0      0   0.0      0   0.0   60000 100.0
PRO         5  83.3      0   0.0      3  50.0   35468  59.1
SCN         6 100.0      1  16.7      1  16.7   59997 100.0
SWP         6 100.0      1  16.7      0   0.0   60000 100.0
VSP         6 100.0      2  33.3      3  50.0   58957  98.3
-----------------------------------------------------------
Remark: For 6 polymorphic viruses (with Maltese Amoeba,
        MTE.Encroacher.B, NATAS, TREMOR as in the previous test, plus
        One-Half and Tequila added in this test), 10,000 generations
        each were produced with VTC's dynamic polymorphic generation
        and test engine.
        For each virus, 100 directories including infected objects
        with goat files of lengths ranging from 1 kByte to 100 kByte
        were generated.


Table WNT.FB: "VKIT Test": Results of VKIT file virus test:
===========================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed 10706 100.0%            %            % 104640 100.0%
-----------------------------------------------------------
ANT      3673  34.3     98   0.9    869   8.1   34773  33.2
AVA     10706 100.0   1642  15.3     23   0.2  104595 100.0
AVG     10118  94.5    806   7.5    379   3.5   96727  92.4
AVK     10706 100.0   1198  11.2      0   0.0  104640 100.0
AVP     10706 100.0   1198  11.2      0   0.0  104640 100.0
AVX      9434  88.1     16   0.1   8543  79.8   29318  28.0
CMD     10704 100.0    976   9.1      7   0.1  104614 100.0
DWW     10704 100.0   1005   9.4     16   0.1  104572  99.9
FPR     10704 100.0   1433  13.4      5   0.0  104631 100.0
FPW     10704 100.0   1431  13.4      7   0.1  104614 100.0
FSE     10706 100.0    983   9.2      0   0.0  104640 100.0
INO     10703 100.0   1261  11.8      8   0.1  104578  99.9
MR2     10706 100.0   7805  72.9      0   0.0  104640 100.0
NAV     10696  99.9    639   6.0    120   1.1  103947  99.3
NOD     10704 100.0   3000  28.0      5   0.0  104632 100.0
NVN     10704 100.0   6198  57.9    327   3.1  102040  97.5
PAV     10706 100.0   1198  11.2      0   0.0  104640 100.0
PRO       192   1.8      0   0.0    153   1.4     991   0.9
SCN     10706 100.0   1239  11.6      0   0.0  104640 100.0
SWP     10706 100.0   4781  44.7      1   0.0  104639 100.0
VSP     10706 100.0   8999  84.1      0   0.0  104640 100.0
-----------------------------------------------------------
Remark: A testbed of 10,706 viruses generated with the VKIT virus
        generator (out of about 14,000 viruses which can be
        generated) was used to test detection quality. This test was
        separated from the "normal" file virus test as
        1) there is no agreement between AV producers whether viruses
           from VKIT should be counted just as 1 or as 14,000
           different viruses (boasting number of detected viruses to
           over 40,000), and
        2) because of the large size of this special testbed.


Table WNT.F3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW file viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
         This includes Viruses detected per packer
Scanner   ZIP     %   ARJ     %   RAR     %   LHA     %
----------------------------------------------------------
Testbed    46 100.0%   46 100.0%   46 100.0%   46 100.0%
----------------------------------------------------------
ANT        43  93.5    44  95.7     0   0.0    44  95.7
AVG        45  97.8    45  97.8     0   0.0     0   0.0
AVK        46 100.0    46 100.0    46 100.0    46 100.0
AVP        46 100.0    46 100.0    46 100.0    46 100.0
AVX         3   6.5     3   6.5     3   6.5     0   0.0
CMD        46 100.0    46 100.0     0   0.0     0   0.0
DWW        46 100.0    46 100.0    46 100.0     0   0.0
FPR        46 100.0    46 100.0     0   0.0     0   0.0
FPW        46 100.0    46 100.0     0   0.0     0   0.0
FSE        46 100.0    46 100.0    46 100.0    46 100.0
INO        45  97.8    46 100.0     0   0.0    46 100.0
MR2         0   0.0     0   0.0     0   0.0     0   0.0
NAV        46 100.0    46 100.0     0   0.0    46 100.0
NOD        46 100.0    46 100.0    46 100.0     0   0.0
NVN        46 100.0    46 100.0     0   0.0     0   0.0
PAV        46 100.0    46 100.0    46 100.0    46 100.0
PRO         0   0.0     0   0.0     0   0.0     0   0.0
SCN        46 100.0     0   0.0     0   0.0    46 100.0
SWP         0   0.0     0   0.0     0   0.0     0   0.0
VSP         0   0.0     0   0.0     0   0.0     0   0.0
----------------------------------------------------------


Table WNT.F3a: "PKZIP-Packed File Viruses": Results of Detection of
               ITW File Viruses Packed with PKZIP under Windows NT:
====================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
ANT        43  93.5      4   8.7      6  13.0    1338  89.9
AVG        45  97.8      8  17.4      3   6.5    1469  98.7
AVK        46 100.0      3   6.5      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
AVX         3   6.5      0   0.0      2   4.3      39   2.6
CMD        46 100.0      3   6.5      1   2.2    1488  99.9
DWW        46 100.0      3   6.5      1   2.2    1487  99.9
FPR        46 100.0      1   2.2      0   0.0    1489 100.0
FPW        46 100.0      1   2.2      0   0.0    1489 100.0
FSE        46 100.0      2   4.3      1   2.2    1487  99.9
INO        45  97.8      0   0.0      2   4.3    1466  98.5
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        46 100.0      3   6.5      4   8.7    1481  99.5
NOD        46 100.0     12  26.1      3   6.5    1486  99.8
NVN        46 100.0      4   8.7      1   2.2    1488  99.9
PAV        46 100.0      2   4.3      2   4.3    1439  96.6
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN        46 100.0      6  13.0      0   0.0    1489 100.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.F3b: "LHA-Packed File Viruses": Results of Detection of
               ITW File Viruses Packed with LHA under Windows NT:
=================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
ANT        44  95.7      4   8.7      6  13.0    1348  90.5
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK        46 100.0      3   6.5      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
AVX         0   0.0      0   0.0      0   0.0       0   0.0
CMD         0   0.0      0   0.0      0   0.0       0   0.0
DWW         0   0.0      0   0.0      0   0.0       0   0.0
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE        46 100.0      1   2.2      1   2.2    1487  99.9
INO        46 100.0      0   0.0      8  17.4    1302  87.4
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        46 100.0      3   6.5      4   8.7    1481  99.5
NOD         0   0.0      0   0.0      0   0.0       0   0.0
NVN         0   0.0      0   0.0      0   0.0       0   0.0
PAV        46 100.0      2   4.3      1   2.2    1486  99.8
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN        46 100.0      6  13.0      0   0.0    1489 100.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.F3c: "ARJ-Packed File Viruses": Results of Detection of
               ITW File Viruses Packed with ARJ under Windows NT:
=================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
ANT        44  95.7      4   8.7      6  13.0    1348  90.5
AVG        45  97.8      8  17.4      3   6.5    1469  98.7
AVK        46 100.0      3   6.5      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
AVX         3   6.5      0   0.0      2   4.3      39   2.6
CMD        46 100.0      3   6.5      1   2.2    1488  99.9
DWW        46 100.0      3   6.5      1   2.2    1487  99.9
FPR        46 100.0      1   2.2      0   0.0    1489 100.0
FPW        46 100.0      1   2.2      0   0.0    1489 100.0
FSE        46 100.0      1   2.2      1   2.2    1487  99.9
INO        46 100.0      0   0.0      3   6.5    1486  99.8
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        46 100.0      3   6.5      4   8.7    1481  99.5
NOD        46 100.0     12  26.1      3   6.5    1486  99.8
NVN        46 100.0      4   8.7      1   2.2    1488  99.9
PAV        46 100.0      2   4.3      1   2.2    1486  99.8
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.F3d: "RAR-Packed File Viruses": Results of Detection of
               ITW File Viruses Packed with RAR under Windows NT:
=================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK        46 100.0      3   6.5      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
AVX         3   6.5      0   0.0      2   4.3      38   2.6
CMD         0   0.0      0   0.0      0   0.0       0   0.0
DWW        46 100.0      3   6.5      1   2.2    1487  99.9
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE        46 100.0      2   4.3      1   2.2    1487  99.9
INO         0   0.0      0   0.0      0   0.0       0   0.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
NOD        46 100.0     12  26.1      3   6.5    1486  99.8
NVN         0   0.0      0   0.0      0   0.0       0   0.0
PAV        46 100.0      2   4.3      1   2.2    1486  99.8
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.F4: "False Positive" detection: Results of "full" Zoo test
              for Non-viral (clean) samples detected as
              "false positives" under Windows NT:
==============================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Maximum    30 100.0%            %            %   3300 100.0%
-----------------------------------------------------------
ANT         1   3.3      0   0.0      1   3.3       1   0.0
AVA         1   3.3      0   0.0      1   3.3       1   0.0
AVG         1   3.3      0   0.0      1   3.3       1   0.0
AVK         0   0.0      0   0.0      0   0.0       0   0.0
AVP         0   0.0      0   0.0      0   0.0       0   0.0
AVX         6  20.0      0   0.0      6  20.0      10   0.3
CMD         1   3.3      0   0.0      1   3.3       1   0.0
DWW         8  26.7      0   0.0      8  26.7       9   0.3
FPR        15  50.0      0   0.0     15  50.0      22   0.7
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE         0   0.0      0   0.0      0   0.0       0   0.0
INO         3  10.0      0   0.0      3  10.0       6   0.2
MR2         9  30.0      0   0.0      9  30.0      11   0.3
NAV         0   0.0      0   0.0      0   0.0       0   0.0
NOD         8  26.7      0   0.0      8  26.7       8   0.2
PAV         0   0.0      0   0.0      0   0.0       0   0.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         3  10.0      0   0.0      3  10.0       4   0.1
-----------------------------------------------------------
Remark: within 30 non-viral directories and a total of 3300 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table WNT.F5 "File Malware": Results of "full" zoo test for
              File-related malware under Windows NT:
========================================================
                          This includes
            Malware    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed  3691 100.0%            %            %   6217 100.0%
-----------------------------------------------------------
ANT      2419  65.5     64   1.7     67   1.8    3356  54.0
AVA      2235  60.6     63   1.7     30   0.8    3421  55.0
AVG      2123  57.5     26   0.7     49   1.3    2948  47.4
AVK      3218  87.2     69   1.9     22   0.6    5170  83.2
AVP      3221  87.3     68   1.8     21   0.6    5174  83.2
AVX      2011  54.5     42   1.1     54   1.5    2724  43.8
CMD      3085  83.6     21   0.6     44   1.2    5240  84.3
DWW      2501  67.8     23   0.6     32   0.9    3740  60.2
FPR      3182  86.2      4   0.1     42   1.1    5385  86.6
FPW      3131  84.8      1   0.0     41   1.1    5311  85.4
FSE      3533  95.7     94   2.5     16   0.4    6002  96.5
INO      3036  82.3     46   1.2     33   0.9    4823  77.6
MR2      2125  57.6     98   2.7     61   1.7    2856  45.9
NAV      3093  83.8     83   2.2     96   2.6    5225  84.0
NOD      2476  67.1    118   3.2     68   1.8    3565  57.3
NVN      2503  67.8    100   2.7     57   1.5    4088  65.8
PAV      3195  86.6     69   1.9     22   0.6    5141  82.7
PRO       468  12.7      7   0.2     48   1.3     712  11.5
SCN      3512  95.2     82   2.2      4   0.1    5979  96.2
SWP      2852  77.3     63   1.7     93   2.5    4547  73.1
VSP      2153  58.3    122   3.3     53   1.4    2965  47.7
-----------------------------------------------------------


Table WNT.M1: "MacroVirus 1": Results of "full" zoo test for
              macro viruses under Windows NT:
=======================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed  3546 100.0%            %            %   9731 100.0%
-----------------------------------------------------------
ANT      3166  89.3    104   2.9     32   0.9    8669  89.1
AVA      3328  93.9     26   0.7     12   0.3    9209  94.6
AVG      3425  96.6     17   0.5      6   0.2    9396  96.6
AVK      3546 100.0     59   1.7      1   0.0    9728 100.0
AVP      3546 100.0     59   1.7      1   0.0    9728 100.0
AVX      3499  98.7     39   1.1    130   3.7    9471  97.3
CMD      3532  99.6      2   0.1      2   0.1    9684  99.5
DWW      3502  98.8     53   1.5     16   0.5    9596  98.6
FPR      3537  99.7      4   0.1      2   0.1    9700  99.7
FPW      3537  99.7      4   0.1      2   0.1    9700  99.7
FSE      3546 100.0      5   0.1      0   0.0    9731 100.0
FWN      3504  98.8     48   1.4      3   0.1    9614  98.8
INO      3535  99.7     53   1.5      4   0.1    9707  99.8
MR2      2468  69.6    145   4.1     49   1.4    6820  70.1
NAV      3501  98.7     44   1.2      6   0.2    9588  98.5
NOD      3546 100.0     24   0.7      1   0.0    9721  99.9
NVC      3508  98.9     36   1.0     10   0.3    9576  98.4
NVN      3529  99.5     36   1.0     10   0.3    9654  99.2
PAV      3536  99.7     63   1.8      1   0.0    9692  99.6
PRO      2196  61.9      3   0.1     57   1.6    5899  60.6
SCN      3546 100.0     16   0.5      1   0.0    9730 100.0
SWP      3491  98.4     22   0.6      4   0.1    9622  98.9
VSP        11   0.3      0   0.0      9   0.3      11   0.1
-----------------------------------------------------------


Table WNT.M2: "MacroVirus 2": Results of "In-The-Wild" test for
              macro viruses under Windows NT:
=======================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Maximum    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
ANT        57  96.6      3   5.1      3   5.1     482  95.3
AVA        59 100.0      1   1.7      0   0.0     506 100.0
AVG        59 100.0      1   1.7      0   0.0     506 100.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
AVX        59 100.0      4   6.8      4   6.8     495  97.8
CMD        59 100.0      0   0.0      0   0.0     506 100.0
DWW        59 100.0      3   5.1      0   0.0     506 100.0
FPR        59 100.0      0   0.0      0   0.0     506 100.0
FPW        59 100.0      0   0.0      0   0.0     506 100.0
FSE        59 100.0      0   0.0      0   0.0     506 100.0
FWN        59 100.0      3   5.1      1   1.7     502  99.2
INO        59 100.0      4   6.8      0   0.0     506 100.0
MR2        39  66.1      6  10.2      4   6.8     386  76.3
NAV        59 100.0      3   5.1      0   0.0     506 100.0
NOD        59 100.0      3   5.1      0   0.0     506 100.0
NVC        59 100.0      2   3.4      0   0.0     506 100.0
NVN        59 100.0      2   3.4      0   0.0     506 100.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO        58  98.3      0   0.0      5   8.5     489  96.6
SCN        59 100.0      0   0.0      0   0.0     506 100.0
SWP        59 100.0      3   5.1      0   0.0     506 100.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
         This includes Viruses detected per packer
Scanner   ZIP     %   ARJ     %   RAR     %   LHA     %
----------------------------------------------------------
Testbed    59 100.0%   59 100.0%   59 100.0%   59 100.0%
----------------------------------------------------------
ANT        57  96.6    57  96.6     0   0.0    57  96.6
AVA         0   0.0     0   0.0     0   0.0     0   0.0
AVG        59 100.0    59 100.0     0   0.0     0   0.0
AVK        59 100.0    59 100.0    59 100.0    59 100.0
AVP        59 100.0    59 100.0    59 100.0    59 100.0
AVX        59 100.0    59 100.0    59 100.0     0   0.0
CMD        59 100.0    59 100.0     0   0.0     0   0.0
DWW        59 100.0    59 100.0    59 100.0     0   0.0
FPR        59 100.0    59 100.0     0   0.0     0   0.0
FPW        59 100.0    59 100.0     0   0.0     0   0.0
FSE        59 100.0    59 100.0    59 100.0    59 100.0
FWN        59 100.0     0   0.0    59 100.0     0   0.0
INO        59 100.0    59 100.0     0   0.0    59 100.0
MR2         0   0.0     0   0.0     0   0.0     0   0.0
NAV        59 100.0    59 100.0     0   0.0    59 100.0
NOD        59 100.0    59 100.0    59 100.0     0   0.0
NVN        59 100.0    59 100.0     0   0.0     0   0.0
PAV        59 100.0    59 100.0    59 100.0    59 100.0
PRO         0   0.0     0   0.0     0   0.0     0   0.0
SCN        59 100.0     0   0.0     0   0.0    59 100.0
SWP         0   0.0     0   0.0     0   0.0     0   0.0
VSP         0   0.0     0   0.0     0   0.0     0   0.0
----------------------------------------------------------


Table WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with PKZIP under Windows NT:
=====================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
ANT        57  96.6      3   5.1      3   5.1     482  95.3
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG        59 100.0      1   1.7      0   0.0     506 100.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
AVX        59 100.0      4   6.8      4   6.8     495  97.8
CMD        59 100.0      0   0.0      0   0.0     506 100.0
DWW        59 100.0      3   5.1      0   0.0     506 100.0
FPR        59 100.0      0   0.0      0   0.0     506 100.0
FPW        59 100.0      0   0.0      0   0.0     506 100.0
FSE        59 100.0      4   6.8      0   0.0     506 100.0
FWN        59 100.0      4   6.8      1   1.7     483  95.5
INO        59 100.0      0   0.0      0   0.0     506 100.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        59 100.0      3   5.1      0   0.0     506 100.0
NOD        59 100.0      3   5.1      0   0.0     506 100.0
NVN        59 100.0      2   3.4      0   0.0     506 100.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN        59 100.0      0   0.0      0   0.0     506 100.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with LHA under Windows NT:
==================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
ANT        57  96.6      3   5.1      3   5.1     482  95.3
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
AVX         0   0.0      0   0.0      0   0.0       0   0.0
CMD         0   0.0      0   0.0      0   0.0       0   0.0
DWW         0   0.0      0   0.0      0   0.0       0   0.0
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE        59 100.0      4   6.8      0   0.0     506 100.0
FWN         0   0.0      0   0.0      0   0.0       0   0.0
INO        59 100.0      0   0.0      2   3.4     439  86.8
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        59 100.0      3   5.1      0   0.0     506 100.0
NOD         0   0.0      0   0.0      0   0.0       0   0.0
NVN         0   0.0      0   0.0      0   0.0       0   0.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN        59 100.0      0   0.0      0   0.0     506 100.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with ARJ under Windows 98:
==================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
ANT        57  96.6      3   5.1      3   5.1     482  95.3
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG        59 100.0      1   1.7      0   0.0     506 100.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
AVX        59 100.0      4   6.8      4   6.8     495  97.8
CMD        59 100.0      0   0.0      0   0.0     506 100.0
DWW        59 100.0      3   5.1      0   0.0     506 100.0
FPR        59 100.0      0   0.0      0   0.0     506 100.0
FPW        59 100.0      0   0.0      0   0.0     506 100.0
FSE        59 100.0      4   6.8      0   0.0     506 100.0
FWN         0   0.0      0   0.0      0   0.0       0   0.0
INO        59 100.0      0   0.0      0   0.0     506 100.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        59 100.0      3   5.1      0   0.0     506 100.0
NOD        59 100.0      3   5.1      0   0.0     506 100.0
NVN        59 100.0      2   3.4      0   0.0     506 100.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with RAR under Windows 98:
==================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
AVX        59 100.0      4   6.8      4   6.8     495  97.8
CMD         0   0.0      0   0.0      0   0.0       0   0.0
DWW        59 100.0      3   5.1      0   0.0     506 100.0
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE        59 100.0      4   6.8      0   0.0     506 100.0
FWN        59 100.0      4   6.8      0   0.0     506 100.0
INO         0   0.0      0   0.0      0   0.0       0   0.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
NOD        59 100.0      3   5.1      0   0.0     506 100.0
NVN         0   0.0      0   0.0      0   0.0       0   0.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows NT:
=================================================================
                          This includes
            Viruses    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    26 100.0%            %            %    329 100.0%
-----------------------------------------------------------
ANT        15  57.7      0   0.0     15  57.7      36  10.9
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG         5  19.2      0   0.0      5  19.2       7   2.1
AVK         4  15.4      0   0.0      4  15.4       4   1.2
AVP         5  19.2      0   0.0      5  19.2       8   2.4
AVX        26 100.0      2   7.7     21  80.8     277  84.2
CMD         3  11.5      0   0.0      3  11.5       3   0.9
DWW        22  84.6      0   0.0     22  84.6      95  28.9
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE         7  26.9      0   0.0      7  26.9      11   3.3
FWN         0   0.0      0   0.0      0   0.0       0   0.0
INO        15  57.7      0   0.0     15  57.7      29   8.8
MR2        14  53.8      0   0.0     14  53.8      23   7.0
NAV         4  15.4      0   0.0      4  15.4       4   1.2
NOD         5  19.2      0   0.0      5  19.2       6   1.8
NVC         1   3.8      0   0.0      1   3.8       3   0.9
NVN         1   3.8      0   0.0      1   3.8       3   0.9
PAV         6  23.1      0   0.0      6  23.1      12   3.6
PRO         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         1   3.8      0   0.0      1   3.8       1   0.3
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------
Remark: within 25 non-viral directories and a total of 362 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table WNT.M5: "Macro-Malware": Results of "full" test for
              Macro-related malware under Windows NT:
=========================================================
                          This includes
            Malware    ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   167 100.0%            %            %    242 100.0%
-----------------------------------------------------------
ANT       141  84.4      1   0.6      3   1.8     203  83.9
AVA       143  85.6      2   1.2      1   0.6     213  88.0
AVG       137  82.0      1   0.6      3   1.8     201  83.1
AVK       166  99.4      0   0.0      0   0.0     241  99.6
AVP       166  99.4      0   0.0      0   0.0     241  99.6
AVX       159  95.2      3   1.8      7   4.2     226  93.4
CMD       165  98.8      1   0.6      0   0.0     240  99.2
DWW       141  84.4      1   0.6      2   1.2     209  86.4
FPR       165  98.8      2   1.2      0   0.0     240  99.2
FPW       165  98.8      2   1.2      0   0.0     240  99.2
FSE       167 100.0      2   1.2      0   0.0     242 100.0
FWN       160  95.8      4   2.4      1   0.6     231  95.5
INO       161  96.4      1   0.6      5   3.0     229  94.6
MR2       112  67.1      5   3.0      2   1.2     165  68.2
NAV       157  94.0      0   0.0      2   1.2     229  94.6
NOD       167 100.0      1   0.6      0   0.0     242 100.0
NVC       152  91.0      3   1.8      1   0.6     217  89.7
NVN       152  91.0      3   1.8      1   0.6     217  89.7
PAV       163  97.6      0   0.0      0   0.0     237  97.9
PRO        48  28.7      0   0.0      3   1.8      87  36.0
SCN       166  99.4      0   0.0      1   0.6     240  99.2
SWP       157  94.0      2   1.2      2   1.2     229  94.6
VSP         2   1.2      0   0.0      0   0.0       2   0.8
-----------------------------------------------------------