==================================================
File 6DDOSMAC.TXT
DOS.III: Detailed results of Macro Virus Detection
of on-demand scanner tests under DOS:
==================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification
quality concerning MACRO viruses as well as selected MACRO
MALWARE, both in full "zoo" virus collection and for viral ITW
testbed. Moreover, results for detection of macro viruses in
files compressed with 4 popular packing methods are also given.
Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen
from available CD-ROMs and which were definitively clean of
viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Results may be influenced by problems experienced during tests;
such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
FDOS.M1:  "MacroVirus 1": Results of "full" Zoo test
          for macro viruses
FDOS.M2:  "MacroVirus 2": Results of "In-The-Wild" test
          for macro viruses
FDOS.M3:  "Comparison of Detection Rate of Packed Viruses":
          Results of Detection Rate of ITW macro viruses
          packed with PKZIP, LHA, ARJ and RAR
FDOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
          of ITW macro Viruses Packed with PKZIP
FDOS.M3b: "LHA-Packed Macro Viruses": Results of Detection
          of ITW macro Viruses Packed with LHA
FDOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection
          of ITW macro Viruses Packed with ARJ
FDOS.M3d: "RAR-Packed Macro Viruses": Results of Detection
          of ITW macro Viruses Packed with RAR
FDOS.M4:  "False Positive" macro virus detection: Results of
          "full" Zoo test for non-viral (clean) macro objects
          detected as "false positives"
FDOS.M5:  "Macro-Malware": Results of "full" Zoo test
          for Macro-related malware


Table FDOS.M1: "MacroVirus 1": Results of "full" Zoo Test
               for macro viruses under DOS:
====================================================
This includes  Viruses    ---- unreliably ----      Files
Scanner        detected   identified  detected     detected
-----------------------------------------------------------
Testbed       3546 100.0                         9731 100.0
-----------------------------------------------------------
AVA           3355  94.6    27  0.8    12  0.3   9267  95.2
AVG           3425  96.6    17  0.5     8  0.2   9392  96.5
AVP           3546 100.0    59  1.7     1  0.0   9728 100.0
CMD           3530  99.5     2  0.1     2  0.1   9680  99.5
FPR           3535  99.7     4  0.1     2  0.1   9696  99.6
FSE           3460  97.6    63  1.8     0  0.0   9443  97.0
INO           3529  99.5    53  1.5     4  0.1   9689  99.6
MR2           2469  69.6   145  4.1    49  1.4   6823  70.1
NAV           3495  98.6     0  0.0     6  0.2   9570  98.3
NOD           3546 100.0    24  0.7     1  0.0   9721  99.9
NVC           3531  99.6    36  1.0    10  0.3   9658  99.2
PAV           3502  98.8    63  1.8     0  0.0   9586  98.5
PRO            794  22.4    17  0.5    30  0.8   2475  25.4
SCN           3546 100.0    16  0.5     1  0.0   9730 100.0
SWP           3491  98.4    25  0.7     4  0.1   9622  98.9
TSC           2469  69.6   152  4.3    49  1.4   6823  70.1
VSP              5   0.1     0  0.0     4  0.1      5   0.1
-----------------------------------------------------------


Table FDOS.M2: "MacroVirus 2": Results of "In-The-Wild" Test
               for macro viruses under DOS:
=======================================================
This includes  Viruses    ---- unreliably ----      Files
Scanner        detected   identified  detected     detected
-----------------------------------------------------------
Maximum         59 100.0%          %          %   506 100.0%
-----------------------------------------------------------
AVA             59 100.0     1  1.7     0  0.0    506 100.0
AVG             59 100.0     1  1.7     1  1.7    504  99.6
AVP             59 100.0     2  3.4     0  0.0    506 100.0
CMD             59 100.0     0  0.0     0  0.0    506 100.0
FPR             59 100.0     0  0.0     0  0.0    506 100.0
FSE             59 100.0     4  6.8     0  0.0    506 100.0
INO             59 100.0     4  6.8     0  0.0    506 100.0
MR2             39  66.1     6 10.2     4  6.8    386  76.3
NAV             59 100.0     0  0.0     0  0.0    506 100.0
NOD             59 100.0     3  5.1     0  0.0    506 100.0
NVC             59 100.0     2  3.4     0  0.0    506 100.0
PAV             59 100.0     4  6.8     0  0.0    506 100.0
PRO             25  42.4     5  8.5     2  3.4    202  39.9
SCN             59 100.0     0  0.0     0  0.0    506 100.0
SWP             59 100.0     3  5.1     0  0.0    506 100.0
TSC             39  66.1     6 10.2     4  6.8    386  76.3
VSP              0   0.0     0  0.0     0  0.0      0   0.0
-----------------------------------------------------------


FDOS.M3: "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW macro viruses
         packed with PKZIP, LHA, ARJ and RAR
===========================================================
This includes            Viruses detected per packer
Scanner       ZIP     %   ARJ     %   RAR     %   LHA     %
-----------------------------------------------------------
Testbed        59 100.0%   59 100.0%   59 100.0%   59 100.0%
-----------------------------------------------------------
AVA             0   0.0     0   0.0     0   0.0     0   0.0
AVG            59 100.0    59 100.0    59 100.0     0   0.0
AVP            59 100.0    59 100.0     0   0.0     0   0.0
CMD            59 100.0    59 100.0     0   0.0     0   0.0
DRW            59 100.0    59 100.0     0   0.0    59 100.0
FPR            59 100.0    59 100.0     0   0.0     0   0.0
FSE            59 100.0    59 100.0    59 100.0    59 100.0
MR2             0   0.0     0   0.0     0   0.0     0   0.0
NAV            59 100.0     0   0.0     0   0.0     0   0.0
NOD            59 100.0    59 100.0    59 100.0     0   0.0
PAV            59 100.0    59 100.0    59 100.0    59 100.0
PRO             0   0.0     0   0.0     0   0.0     0   0.0
SCN            59 100.0    59 100.0    59 100.0    59 100.0
SWP             0   0.0     0   0.0     0   0.0     0   0.0
TSC             0   0.0     0   0.0     0   0.0     0   0.0
VSP             0   0.0     0   0.0     0   0.0     0   0.0
-----------------------------------------------------------


Table FDOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
                of ITW Macro Viruses Packed with PKZIP under Windows NT:
======================================================================
This includes  Viruses    ---- unreliably ----      Files
Scanner        detected   identified  detected     detected
-----------------------------------------------------------
Testbed         59 100.0%          %          %   506 100.0%
-----------------------------------------------------------
AVA              0   0.0     0  0.0     0  0.0      0   0.0
AVG             59 100.0     1  1.7     0  0.0    506 100.0
AVP             59 100.0     2  3.4     0  0.0    506 100.0
CMD             59 100.0     0  0.0     0  0.0    506 100.0
DRW             59 100.0     3  5.1     0  0.0    506 100.0
FPR             59 100.0     0  0.0     0  0.0    506 100.0
FSE             59 100.0     4  6.8     0  0.0    506 100.0
MR2              0   0.0     0  0.0     0  0.0      0   0.0
NAV             59 100.0     3  5.1     0  0.0    506 100.0
NOD             59 100.0     3  5.1     0  0.0    506 100.0
PAV             59 100.0     4  6.8     0  0.0    506 100.0
PRO              0   0.0     0  0.0     0  0.0      0   0.0
SCN             59 100.0     0  0.0     0  0.0    506 100.0
SWP              0   0.0     0  0.0     0  0.0      0   0.0
TSC              0   0.0     0  0.0     0  0.0      0   0.0
VSP              0   0.0     0  0.0     0  0.0      0   0.0
-----------------------------------------------------------


Table FDOS.M3b: "LHA-Packed Macro Viruses": Results of Detection
                of ITW Macro Viruses Packed with LHA under Windows NT:
====================================================================
This includes  Viruses    ---- unreliably ----      Files
Scanner        detected   identified  detected     detected
-----------------------------------------------------------
Testbed         59 100.0%          %          %   506 100.0%
-----------------------------------------------------------
AVA              0   0.0     0  0.0     0  0.0      0   0.0
AVG              0   0.0     0  0.0     0  0.0      0   0.0
AVP              0   0.0     0  0.0     0  0.0      0   0.0
CMD              0   0.0     0  0.0     0  0.0      0   0.0
DRW             59 100.0     3  5.1     0  0.0    506 100.0
FPR              0   0.0     0  0.0     0  0.0      0   0.0
FSE             59 100.0     4  6.8     0  0.0    506 100.0
MR2              0   0.0     0  0.0     0  0.0      0   0.0
NAV              0   0.0     0  0.0     0  0.0      0   0.0
NOD              0   0.0     0  0.0     0  0.0      0   0.0
PAV             59 100.0     4  6.8     0  0.0    506 100.0
PRO              0   0.0     0  0.0     0  0.0      0   0.0
SCN             59 100.0     0  0.0     0  0.0    506 100.0
SWP              0   0.0     0  0.0     0  0.0      0   0.0
TSC              0   0.0     0  0.0     0  0.0      0   0.0
VSP              0   0.0     0  0.0     0  0.0      0   0.0
-----------------------------------------------------------


Table FDOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection
                of ITW Macro Viruses Packed with ARJ under Windows NT:
====================================================================
This includes  Viruses    ---- unreliably ----      Files
Scanner        detected   identified  detected     detected
-----------------------------------------------------------
Testbed         59 100.0%          %          %   506 100.0%
-----------------------------------------------------------
AVA              0   0.0     0  0.0     0  0.0      0   0.0
AVG             59 100.0     1  1.7     0  0.0    506 100.0
AVP             59 100.0     2  3.4     0  0.0    506 100.0
CMD             59 100.0     0  0.0     0  0.0    506 100.0
DRW             59 100.0     3  5.1     0  0.0    506 100.0
FPR             59 100.0     0  0.0     0  0.0    506 100.0
FSE             59 100.0     4  6.8     0  0.0    506 100.0
MR2              0   0.0     0  0.0     0  0.0      0   0.0
NAV              0   0.0     0  0.0     0  0.0      0   0.0
NOD             59 100.0     3  5.1     0  0.0    506 100.0
PAV             59 100.0     4  6.8     0  0.0    506 100.0
PRO              0   0.0     0  0.0     0  0.0      0   0.0
SCN             59 100.0     0  0.0     0  0.0    506 100.0
SWP              0   0.0     0  0.0     0  0.0      0   0.0
TSC              0   0.0     0  0.0     0  0.0      0   0.0
VSP              0   0.0     0  0.0     0  0.0      0   0.0
-----------------------------------------------------------


Table FDOS.M3d: "RAR-Packed Macro Viruses": Results of Detection
                of ITW Macro Viruses Packed with RAR under Windows NT:
===================================================================
This includes  Viruses    ---- unreliably ----      Files
Scanner        detected   identified  detected     detected
-----------------------------------------------------------
Testbed         59 100.0%          %          %   506 100.0%
-----------------------------------------------------------
AVA              0   0.0     0  0.0     0  0.0      0   0.0
AVG             59 100.0     1  1.7     0  0.0    506 100.0
AVP              0   0.0     0  0.0     0  0.0      0   0.0
CMD              0   0.0     0  0.0     0  0.0      0   0.0
DRW              0   0.0     0  0.0     0  0.0      0   0.0
FPR              0   0.0     0  0.0     0  0.0      0   0.0
FSE             59 100.0     4  6.8     0  0.0    506 100.0
MR2              0   0.0     0  0.0     0  0.0      0   0.0
NAV              0   0.0     0  0.0     0  0.0      0   0.0
NOD             59 100.0     3  5.1     0  0.0    506 100.0
PAV             59 100.0     4  6.8     0  0.0    506 100.0
PRO              0   0.0     0  0.0     0  0.0      0   0.0
SCN             59 100.0     0  0.0     0  0.0    506 100.0
SWP              0   0.0     0  0.0     0  0.0      0   0.0
TSC              0   0.0     0  0.0     0  0.0      0   0.0
VSP              0   0.0     0  0.0     0  0.0      0   0.0
-----------------------------------------------------------


Table FDOS.M4: "False Positive" macro virus detection:
               Results of "full" Zoo test for non-viral (clean)
               macro objects detected as "false positives" under DOS:
================================================================
This includes  Viruses    ---- unreliably ----      Files
Scanner        detected   identified  detected     detected
-----------------------------------------------------------
Maximum         26 100.0%          %          %   329 100.0%
-----------------------------------------------------------
AVA              0   0.0     0  0.0     0  0.0      0   0.0
AVG              5  19.2     0  0.0     5 19.2      7   2.1
AVP              5  19.2     0  0.0     5 19.2      8   2.4
CMD              3  11.5     0  0.0     3 11.5      3   0.9
FPR              0   0.0     0  0.0     0  0.0      0   0.0
FSE              6  23.1     0  0.0     6 23.1     12   3.6
INO             15  57.7     0  0.0    15 57.7     29   8.8
MR2             14  53.8     0  0.0    14 53.8     23   7.0
NAV              4  15.4     0  0.0     4 15.4      4   1.2
NOD              5  19.2     0  0.0     5 19.2      6   1.8
NVC              1   3.8     0  0.0     1  3.8      3   0.9
PAV              6  23.1     0  0.0     6 23.1     12   3.6
PRO             10  38.5     0  0.0    10 38.5     49  14.9
SCN              0   0.0     0  0.0     0  0.0      0   0.0
SWP              1   3.8     0  0.0     1  3.8      1   0.3
TSC             14  53.8     0  0.0    14 53.8     23   7.0
VSP              0   0.0     0  0.0     0  0.0      0   0.0
-----------------------------------------------------------
Remark: within 25 non-viral directories and totally 362
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table FDOS.M5: "Macro-Malware": Results of "full" Zoo Test
               for Macro-related malware under DOS:
=========================================================
This includes  Malware    ---- unreliably ----      Files
Scanner        detected   identified  detected     detected
-----------------------------------------------------------
Testbed        167 100.0%          %          %   242 100.0%
-----------------------------------------------------------
AVA            143  85.6     2  1.2     1  0.6    213  88.0
AVG            137  82.0     1  0.6     3  1.8    201  83.1
AVP            166  99.4     0  0.0     0  0.0    241  99.6
CMD            165  98.8     1  0.6     0  0.0    240  99.2
DRW            141  84.4     1  0.6     2  1.2    209  86.4
FPR            165  98.8     2  1.2     0  0.0    240  99.2
FSE            158  94.6     0  0.0     0  0.0    229  94.6
INO            161  96.4     1  0.6     5  3.0    229  94.6
MR2            112  67.1     5  3.0     2  1.2    165  68.2
NAV            157  94.0     0  0.0     2  1.2    229  94.6
NOD            167 100.0     1  0.6     0  0.0    242 100.0
NVC            152  91.0     3  1.8     1  0.6    217  89.7
PAV            161  96.4     0  0.0     0  0.0    235  97.1
PRO             29  17.4     3  1.8     1  0.6     48  19.8
SCN            167 100.0     0  0.0     1  0.6    241  99.6
SWP            157  94.0     2  1.2     2  1.2    229  94.6
TSC            112  67.1     5  3.0     2  1.2    165  68.2
VSP              1   0.6     0  0.0     0  0.0      1   0.4
-----------------------------------------------------------