===============================================
File 6BDOSFIL.TXT
DOS.I: Detailed results of File Virus Detection
       of on-demand scanner tests under DOS:
===============================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification quality
concerning FILE viruses as well as selected FILE MALWARE, both in the
full "zoo" virus collection and for the viral ITW testbed.

Additionally, test results are reported concerning detection of
(6*10,000) viruses in a testbed with generations of 6 polymorphic
file viruses, as well as a subset of 10,706 viruses generated from
the VKIT virus construction kit.

Moreover, results for detection of viruses in files compressed with
4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen
from available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Results may be influenced by problems experienced during tests;
such problems are documented in 8PROBLMS.TXT.


Index of tables:
----------------
FDOS.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
FDOS.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
FDOS.FA:  "Polyfile-Test": Results of Polymorphic test
FDOS.FB:  "VKIT Test": Results of VKIT file virus test
FDOS.F3:  "Comparison of Detection Rate of Packed Viruses":
          Results of Detection Rate of ITW file viruses packed
          with PKZIP, LHA, ARJ and RAR
FDOS.F3a: "PKZIP-Packed File Viruses": Results of Detection of
          ITW File Viruses Packed with PKZIP
FDOS.F3b: "LHA-Packed File Viruses": Results of Detection of
          ITW File Viruses Packed with LHA
FDOS.F3c: "ARJ-Packed File Viruses": Results of Detection of
          ITW File Viruses Packed with ARJ
FDOS.F3d: "RAR-Packed File Viruses": Results of Detection of
          ITW File Viruses Packed with RAR
FDOS.F4:  "False Positive" detection: Results of "full" Zoo test
          for Non-viral (clean) samples detected as "False Positives"
FDOS.F5:  "File Malware": Results of "full" Zoo test for
          File-related malware


Table FDOS.F1: "FileVirus 1": Results of "full" Zoo test
               for file viruses under DOS:
====================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Testbed  17561 100.0%            %            %  132576 100.0%
-------------------------------------------------------------
AVA      17109  97.4     768  4.4     132  0.8   129644  97.8
AVG      15206  86.6     513  2.9     370  2.1   117828  88.9
AVP      17522  99.8     431  2.5       5  0.0   132518 100.0
CMD      17276  98.4      61  0.3      36  0.2   131490  99.2
DRW      17262  98.3     524  3.0     194  1.1   130778  98.6
FPR      17426  99.2      10  0.1       9  0.1   132180  99.7
FSE      17437  99.3     454  2.6      22  0.1   132028  99.6
INO      16631  94.7     611  3.5     143  0.8   124956  94.3
MR2      11489  65.4    2318 13.2     814  4.6    80811  61.0
NAV      16856  96.0       0  0.0     431  2.5   127710  96.3
NOD      17024  96.9    1982 11.3     245  1.4   129433  97.6
PAV      17356  98.8     422  2.4      26  0.1   132118  99.7
SCN      17044  97.1     533  3.0       4  0.0   127871  96.5
SWP      17386  99.0     865  4.9     145  0.8   131675  99.3
TSC       9069  51.6     358  2.0     573  3.3    62267  47.0
VSP      13976  79.6    2847 16.2    1005  5.7    95727  72.2
-------------------------------------------------------------


Table FDOS.F2: "FileVirus 2": Results of "In-The-Wild" Test
               for file viruses under DOS:
======================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Maximum     46 100.0%            %            %    1489 100.0%
-------------------------------------------------------------
AVA         46 100.0       8 17.4       4  8.7     1483  99.6
AVG         46 100.0       7 15.2       5 10.9     1482  99.5
AVP         46 100.0       2  4.3       0  0.0     1489 100.0
CMD         46 100.0       3  6.5       1  2.2     1488  99.9
DRW         46 100.0       4  8.7       1  2.2     1487  99.9
FPR         46 100.0       1  2.2       0  0.0     1489 100.0
FSE         46 100.0       2  4.3       2  4.3     1485  99.7
INO         44  95.7       5 10.9       3  6.5     1468  98.6
MR2         40  87.0       6 13.0       5 10.9     1374  92.3
NAV         46 100.0       0  0.0       5 10.9     1480  99.4
NOD         46 100.0      10 21.7       0  0.0     1489 100.0
PAV         46 100.0       1  2.2       3  6.5     1484  99.7
SCN         46 100.0       6 13.0       0  0.0     1489 100.0
SWP         46 100.0       4  8.7       1  2.2     1488  99.9
TSC         40  87.0       4  8.7       7 15.2     1350  90.7
VSP         36  78.3       7 15.2       6 13.0     1319  88.6
-------------------------------------------------------------


Table FDOS.FA: "Polyfile-Test": Results of Polymorphic test:
============================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Maximum      6 100.0%            %            %   60000 100.0%
-------------------------------------------------------------
AVA          6 100.0       2 33.3       1 16.7    59999 100.0
AVG          6 100.0       0  0.0       0  0.0    60000 100.0
AVP          6 100.0       0  0.0       0  0.0    60000 100.0
CMD          6 100.0       1 16.7       0  0.0    60000 100.0
DRW          6 100.0       0  0.0       0  0.0    60000 100.0
FPR          6 100.0       1 16.7       0  0.0    60000 100.0
FSE          6 100.0       0  0.0       0  0.0    60000 100.0
INO          6 100.0       3 50.0       0  0.0    60000 100.0
MR2          6 100.0       3 50.0       1 16.7    59997 100.0
NAV          6 100.0       0  0.0       0  0.0    60000 100.0
NOD          6 100.0       0  0.0       0  0.0    60000 100.0
NVC          6 100.0       1 16.7       0  0.0    60000 100.0
PAV          6 100.0       0  0.0       0  0.0    60000 100.0
SCN          6 100.0       1 16.7       1 16.7    59997 100.0
SWP          6 100.0       1 16.7       0  0.0    60000 100.0
TSC          6 100.0       0  0.0       2 33.3    51308  85.5
VSP          6 100.0       2 33.3       3 50.0    58956  98.3
-------------------------------------------------------------
Remark: For 6 polymorphic viruses (with Maltese Amoeba,
MTE.Encroacher.B, NATAS, TREMOR as in the previous test, plus
One-Half and Tequila added in this test), 10,000 generations each
were produced with VTC's dynamic polymorphic generation and test
engine. For each virus, 100 directories including infected objects
with goat files of lengths ranging from 1 kByte to 100 kByte were
generated.


Table FDOS.FB: "VKIT Test": Results of VKIT file virus test:
============================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Testbed  10706 100.0%            %            %  104640 100.0%
-------------------------------------------------------------
AVA      10706 100.0    1642 15.3      23  0.2   104595 100.0
AVG       9856  92.1     806  7.5     117  1.1    96021  91.8
AVP      10706 100.0    1198 11.2       0  0.0   104640 100.0
CMD      10704 100.0     976  9.1       7  0.1   104614 100.0
DRW      10704 100.0    1005  9.4      16  0.1   104572  99.9
FPR      10704 100.0    1431 13.4       7  0.1   104614 100.0
FSE      10706 100.0    1198 11.2       0  0.0   104640 100.0
INO      10703 100.0    1255 11.7       8  0.1   104578  99.9
MR2      10706 100.0    7805 72.9       0  0.0   104640 100.0
NAV      10696  99.9       0  0.0     120  1.1   103947  99.3
NOD      10685  99.8    2982 27.9     267  2.5   103579  99.0
NVC      10704 100.0    6198 57.9     327  3.1   102040  97.5
PAV      10706 100.0    1198 11.2       0  0.0   104640 100.0
SCN      10706 100.0    1239 11.6       0  0.0   104640 100.0
SWP      10706 100.0    4781 44.7       1  0.0   104639 100.0
TSC      10704 100.0    1260 11.8      12  0.1   104616 100.0
VSP      10638  99.4    5929 55.4      71  0.7   103416  98.8
-------------------------------------------------------------
Remark: A testbed of 10,706 viruses generated with the VKIT virus
generator (out of about 14,000 viruses which can be generated) was
used to test detection quality.
This test was separated from the "normal" file virus test as
1) there is no agreement between AV producers whether viruses from
VKIT should be counted just as 1 or as 14,000 different viruses
(boosting the number of detected viruses to over 40,000), and
2) because of the large size of this special testbed.


Table FDOS.F3: "Comparison of Detection Rate of Packed Viruses":
               Results of Detection Rate of ITW file viruses
               packed with PKZIP, LHA, ARJ and RAR
================================================================

This includes Viruses detected per packer
Scanner  ZIP     %    ARJ     %    RAR     %    LHA     %
---------------------------------------------------------
Testbed   46 100.0     46 100.0     46 100.0     46 100.0
---------------------------------------------------------
AVG       37  80.4     37  80.4     37  80.4      0   0.0
AVP       37  80.4     37  80.4      0   0.0      0   0.0
CMD       46 100.0     46 100.0      0   0.0      0   0.0
DRW       37  80.4     37  80.4      0   0.0     37  80.4
FPR       46 100.0     46 100.0      0   0.0      0   0.0
FSE       46 100.0     46 100.0     46 100.0     46 100.0
MR2        0   0.0      0   0.0      0   0.0      0   0.0
NAV       46 100.0      0   0.0      0   0.0      0   0.0
NOD       46 100.0     46 100.0     46 100.0      0   0.0
PAV       37  80.4     37  80.4     37  80.4     37  80.4
PRO        0   0.0      0   0.0      0   0.0      0   0.0
SCN       35  76.1     35  76.1     34  73.9     35  76.1
SWP        0   0.0      0   0.0      0   0.0      0   0.0
TSC        0   0.0      0   0.0      0   0.0      0   0.0
VSP        0   0.0      0   0.0      0   0.0      0   0.0
---------------------------------------------------------


Table FDOS.F3a: "PKZIP-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with PKZIP under DOS:
=================================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Testbed     46 100.0%            %            %    1489 100.0%
-------------------------------------------------------------
AVG         37  80.4       8 17.4       1  2.2     1353  90.9
AVP         37  80.4       2  4.3       0  0.0     1354  90.9
CMD         46 100.0       3  6.5       1  2.2     1488  99.9
DRW         37  80.4       3  6.5       0  0.0     1354  90.9
FPR         46 100.0       1  2.2       0  0.0     1489 100.0
FSE         46 100.0       2  4.3       3  6.5     1438  96.6
MR2          0   0.0       0  0.0       0  0.0        0   0.0
NAV         46 100.0       1  2.2       6 13.0     1479  99.3
NOD         46 100.0      12 26.1       3  6.5     1486  99.8
PAV         37  80.4       1  2.2       2  4.3     1306  87.7
PRO          0   0.0       0  0.0       0  0.0        0   0.0
SCN         35  76.1       3  6.5       0  0.0     1274  85.6
SWP          0   0.0       0  0.0       0  0.0        0   0.0
TSC          0   0.0       0  0.0       0  0.0        0   0.0
VSP          0   0.0       0  0.0       0  0.0        0   0.0
-------------------------------------------------------------


Table FDOS.F3b: "LHA-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with LHA under DOS:
===============================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Testbed     46 100.0%            %            %    1489 100.0%
-------------------------------------------------------------
AVG          0   0.0       0  0.0       0  0.0        0   0.0
AVP          0   0.0       0  0.0       0  0.0        0   0.0
CMD          0   0.0       0  0.0       0  0.0        0   0.0
DRW         37  80.4       3  6.5       0  0.0     1354  90.9
FPR          0   0.0       0  0.0       0  0.0        0   0.0
FSE         46 100.0       2  4.3       2  4.3     1485  99.7
MR2          0   0.0       0  0.0       0  0.0        0   0.0
NAV          0   0.0       0  0.0       0  0.0        0   0.0
NOD          0   0.0       0  0.0       0  0.0        0   0.0
PAV         37  80.4       1  2.2       1  2.2     1353  90.9
PRO          0   0.0       0  0.0       0  0.0        0   0.0
SCN         35  76.1       3  6.5       0  0.0     1274  85.6
SWP          0   0.0       0  0.0       0  0.0        0   0.0
TSC          0   0.0       0  0.0       0  0.0        0   0.0
VSP          0   0.0       0  0.0       0  0.0        0   0.0
-------------------------------------------------------------


Table FDOS.F3c: "ARJ-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with ARJ under DOS:
===============================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Testbed     46 100.0%            %            %    1489 100.0%
-------------------------------------------------------------
AVG         37  80.4       8 17.4       1  2.2     1353  90.9
AVP         37  80.4       2  4.3       0  0.0     1354  90.9
CMD         46 100.0       3  6.5       1  2.2     1488  99.9
DRW         37  80.4       3  6.5       0  0.0     1354  90.9
FPR         46 100.0       1  2.2       0  0.0     1489 100.0
FSE         46 100.0       2  4.3       2  4.3     1485  99.7
MR2          0   0.0       0  0.0       0  0.0        0   0.0
NAV          0   0.0       0  0.0       0  0.0        0   0.0
NOD         46 100.0      12 26.1       3  6.5     1486  99.8
PAV         37  80.4       1  2.2       1  2.2     1353  90.9
PRO          0   0.0       0  0.0       0  0.0        0   0.0
SCN         35  76.1       3  6.5       0  0.0     1274  85.6
SWP          0   0.0       0  0.0       0  0.0        0   0.0
TSC          0   0.0       0  0.0       0  0.0        0   0.0
VSP          0   0.0       0  0.0       0  0.0        0   0.0
-------------------------------------------------------------


Table FDOS.F3d: "RAR-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with RAR under DOS:
===============================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Testbed     46 100.0%            %            %    1489 100.0%
-------------------------------------------------------------
AVG         37  80.4       8 17.4       1  2.2     1353  90.9
AVP          0   0.0       0  0.0       0  0.0        0   0.0
CMD          0   0.0       0  0.0       0  0.0        0   0.0
DRW          0   0.0       0  0.0       0  0.0        0   0.0
FPR          0   0.0       0  0.0       0  0.0        0   0.0
FSE         46 100.0       2  4.3       2  4.3     1485  99.7
MR2          0   0.0       0  0.0       0  0.0        0   0.0
NAV          0   0.0       0  0.0       0  0.0        0   0.0
NOD         46 100.0      12 26.1       3  6.5     1486  99.8
PAV         37  80.4       1  2.2       1  2.2     1353  90.9
PRO          0   0.0       0  0.0       0  0.0        0   0.0
SCN         34  73.9       2  4.3       0  0.0     1235  82.9
SWP          0   0.0       0  0.0       0  0.0        0   0.0
TSC          0   0.0       0  0.0       0  0.0        0   0.0
VSP          0   0.0       0  0.0       0  0.0        0   0.0
-------------------------------------------------------------


Table FDOS.F4: "False Positive" detection: Results of "full"
               Zoo test for Non-viral (clean) samples detected
               as "False Positives" under DOS:
============================================================

This includes Viruses   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Maximum     30 100.0%            %            %    3300 100.0%
-------------------------------------------------------------
AVA          1   3.3       0  0.0       1  3.3        1   0.0
AVG          1   3.3       0  0.0       1  3.3        1   0.0
AVP          0   0.0       0  0.0       0  0.0        0   0.0
CMD          0   0.0       0  0.0       0  0.0        0   0.0
DRW          7  23.3       0  0.0       7 23.3        9   0.3
FPR          0   0.0       0  0.0       0  0.0        0   0.0
FSE          0   0.0       0  0.0       0  0.0        0   0.0
INO          2   6.7       0  0.0       2  6.7        4   0.1
MR2         10  33.3       0  0.0      10 33.3       13   0.4
NAV          0   0.0       0  0.0       0  0.0        0   0.0
NOD          2   6.7       0  0.0       2  6.7        2   0.1
PAV          0   0.0       0  0.0       0  0.0        0   0.0
SCN          0   0.0       0  0.0       0  0.0        0   0.0
SWP          0   0.0       0  0.0       0  0.0        0   0.0
TSC          0   0.0       0  0.0       0  0.0        0   0.0
VSP          4  13.3       0  0.0       4 13.3        5   0.2
-------------------------------------------------------------
Remark: within 30 non-viral directories and a total of 3300
non-viral objects, at least one sample in N directories was
falsely detected (N = number in column 1)


Table FDOS.F5: "File Malware": Results of "full" Zoo test
               for File-related malware under DOS:
========================================================

This includes Malware   ---- unreliably ----            Files
Scanner     detected   identified     detected       detected
-------------------------------------------------------------
Testbed   3691 100.0%            %            %    6217 100.0%
-------------------------------------------------------------
AVA       2237  60.6      71  1.9      30  0.8     3454  55.6
AVG       2105  57.0      25  0.7      52  1.4     2916  46.9
AVP       3169  85.9      67  1.8      22  0.6     5045  81.1
CMD       3089  83.7      21  0.6      44  1.2     5244  84.3
FPR       3131  84.8       1  0.0      41  1.1     5311  85.4
FSE       3112  84.3      68  1.8      17  0.5     4963  79.8
INO       3036  82.3      47  1.3      33  0.9     4823  77.6
MR2       1604  43.5      44  1.2      45  1.2     1993  32.1
NAV       2310  62.6       0  0.0      60  1.6     3843  61.8
NOD       2386  64.6     116  3.1      64  1.7     3447  55.4
PAV       3119  84.5      66  1.8      19  0.5     4980  80.1
SCN       3547  96.1      79  2.1       4  0.1     6038  97.1
SWP       2833  76.8      62  1.7      88  2.4     4201  67.6
TSC       1535  41.6      34  0.9      53  1.4     2077  33.4
VSP       2145  58.1     103  2.8      54  1.5     2954  47.5
-------------------------------------------------------------