=========================================
File 8PROBLMS.TXT
List of problems experienced during test:
=========================================
Formatted with non-proportional font (Courier)

Content of this file:
---------------------
1. Introduction: General Problems
2. List of benevolently behaving AV products
3. Problems of AV products observed during tests
   3.1 Scanners unable to detect viruses in packed objects
   3.2 List of scanner problems


1. Introduction: General Problems:
----------------------------------
For automatic tests on large viral databases, and for automatic
processing of large scanner log files, a set of test conditions is
prerequisite for scanners to participate in a VTC test (see:
4TESTCON.TXT).

In many cases, serious problems were observed during some tests. DOS
scanners either did not run properly under SIMBOOT and crashed, or
problems appeared with the (rather large) file virus database. In some
cases, scanners crashed upon detecting some specific virus; in a few
cases, "manual" operation instead of automatic (batch) operation helped
to solve some of these problems. Such curative action was also applied
when possible in cases where log files were inadequate (e.g. needing
manual operation for export).

As processors get faster, DOS scanners (which run without any problem
on INTEL 386 and 486) increasingly crash on Pentium II/III systems
faster than 250 MHz. Another general problem with DOS scanners is
related to counters for files and viruses which often seem to be
designed as integers, so they restart at 0 after 65,536.

During preparation and test, we again experienced a serious problem
reported in VTC Test "1998-10", according to which management of large
sets of directories in FAT and NTFS may not work reliably. Both when
attempting to move large parts of our file virus database and when a
scanner proceeded to scan subsequent viral directories, we found that
several directories were not moved or touched.
This effect seems to happen stochastically, such that subsequent
attempts gave different results. Concerning omitted (=unscanned)
directories, we overcame this "dysfunctional" behaviour of FAT and NTFS
by repeating the scan until the number of scanned files agreed with
the (known) number of directories in testbeds. Overcoming this problem
was extremely time-consuming, and this was a reason for delaying
publication of results.

In cases where scanners crashed during the detection test on the rather
large file virus database, tests were performed in several runs on
partitions (essentially on directories with same first letters of
names). In most cases (apart from those reported below), these tests
were completed, and resulting files were joined and evaluated.

Finally, with growing testbeds, test protocols produced by scanners
grow equally. When processing such protocols, we now need up to
6 GByte of disk space, and our evaluation scripts (in AWK) become more
complex. Under these conditions, we also suffered from an evident bug
in the AWK processor which inhibited proper evaluation and required
additional quality assurance (including time and efforts).


2. List of benevolently behaving AV products:
---------------------------------------------
Few scanners could be tested *without any problem* (admittedly, the
unstable behaviour of Windows-98 may have adversely influenced some
scanner). Such benevolent behaviour (possibly with the exception of the
NTFS and FAT problems mentioned above) can be reported for several
(though no longer the majority) of DOS scanners:

   -----------------------------------------
   NO problems with DOS scanners:
      AVP, NAV, NVC, NOD, PAV, SCN and SWP.
   -----------------------------------------

In comparison, W-98 scanners were significantly less stable, as only
the minority behaved test-friendly:

   ----------------------------------------------
   NO problems with W-98 scanners:
      AVP, CLE, DSE, FPW, FSE, FWN, NVC and SWP.
   ----------------------------------------------

Finally, W-NT scanners were significantly improved as 14 scanners
completed without any problem compared to the last test:

   ----------------------------------------------------------------------------
   NO problems with W-NT scanners:
      ATD, AVA, AVP, CLE, CMD, FPW, FSE, FWN, INO, MKS, NOD, NVC, PAV and SWP.
   ----------------------------------------------------------------------------

We very much appreciate that the following * 7 * scanners executed
without any problems on the platforms for which they were submitted:

   -------------------------------------
   DOS, W-98 and W-NT:  AVP, NVC, SWP
   W-98, W-NT only:     CLE, FPW, FWN
   W-98 only:           DSE
   -------------------------------------


3. Problems of AV products observed during tests:
-------------------------------------------------
The following list reports specific problems observed for products as
indicated ("spoon-feeding" means that scanner was restarted on each
subsequent directory when a crash was experienced):

ANT  DOS:  crashed multiple times on malware
     W-98: 2 crashes on fileviruses (u:\)
     W-NT: License disk worked only for German version
           During scanning, window opens "New virus variant fond -
           Please send in this file", exited button "Don't ask again"

ATD: DOS:  n/a
     W-98: Crash on w:\vk_01\00000469\00469cc.com (Vkit)
           Crash on w:\vk_03\
           totally 5 crashes on Vkit (w:\) (scanning not finished)
           totally 3 crashes on Poly (v:\) (scanning not finished)
           totally 3 crashes on Fileviruses, each time after several
           1000 viruses at different locations. (scanning not finished)
              u:\SOD\MRON\C\ODNATNAC\758\
              u:\SOD\MRON\D\YCARCOMED\0763\
              u:\SOD\MRONON\B\WB\0221\
           totally 3 crashes on FileMalware, each time after several
           1000 viruses at different locations.
           (scanning not finished)
              T:\NAJORT\MRONON\W\NIW\SYEKOCE\ROODKCAB\270311
              T:\NAJORT\MRONON\W\NIW\OFNI\NAJORT\297991
              T:\NAJORT\MRONON\W\NIW\NAJORT\K"TNUOC\8064
     W-NT: ---

AVA  DOS:  was not able to scan boot without crashes, but scanned
           boot-itw correctly
     W-98: (very complicated user interface, but no scanning problems)
     W-NT: ---

AVG  DOS:  AVG did not install, because .exe file was too large for
           memory; evidently no DOS version
     W-98: 1 crash on Vkit (w:\); 1 crash on Fileviruses (u:\);
           Spoon-feeding on Fileviruses (u:\)
           the lines in the report file are partly cut off
     W-NT: Some lines of report truncated (evaluation problems)

AVK  DOS:  reported DOS-version in its windows help-file, but there
           was none
     W-98: 1 crash on Vkit (w:\), report was not lost
           1 crash on Fileviruses (u:\), report was not lost
     W-NT: Crash after scanning W: and after scanning U:, but reports
           were complete

AVP  DOS:  ---
     W-98: ---
     W-NT: ---

AVX  DOS:  avxc.exe could not be run in dos mode
     W-98: 1 crash on u:\SOD\MRONOM\L\LAIVIRT\971\A\COA_001_.COM
           all following files of this directory were skipped as it
           is not possible to exclude one file from scanning
           AVXW caused an invalid page fault in:
           module KERNEL32.DLL at 015f:bff76847.
           1 crash on FileMalware T:\Avaj\MRONON\E\IE\CLB_000_.CLA
           all following files of this directory were skipped as it
           is not possible to exclude one file from scanning
           AVXW caused an invalid page fault in
           module KERNEL32.DLL at 015f:bff886be.
     W-NT: Crash at T:\AVAJ\MRONON\E\ie\clb_000_.cla

CLE: DOS:  n/a
     W-98: ---
     W-NT: ---

CMD: DOS:  Displayed error messages when scanning if Form.a was the
           1st entry in the SIMBOOT configuration. Strangely, this did
           NOT happen when Form.a was later in the list.
     W-98: 3 crashes on Vkit (w:\)
           1 crash on Fileviruses (u:\)
     W-NT: ---

DSE: DOS:  n/a
     W-98: 1 crash on MacroViruses (r:\); 1 crash on FileMalware (t:\)
           The program crashed each time a new task was started
           without restarting the program first
     W-NT: n/a

DRW: DOS:  crashed multiple times on malware, file-zoo, boot-zoo
     W-98: 2 crashes on Vkit (w:\); 1 crash on Poly (v:\);
           2 crashes on FileViruses (u:\) / Spoon-feeding FileViruses
     W-NT: Crashes at u:\sod\mronon\A\EDOPITNA\208\COA_011_.COM
           and u:\sod\mronon\A\DIORDNA\589\COA_000_.COM

ESA: DOS:  n/a
     W-98: 1 crash on r:\MACROVIR\WORD\Buero\A-de
           VS95NT caused an invalid page fault in
           module KERNEL32.DLL at 016f:bff7a179.
     W-NT: Crash at \\KELLY\MACROVIR\WORD\Buero\a-de

FPR: DOS:  Displayed error messages when scanning if Form.a was the
           1st entry in the SIMBOOT configuration. Strangely, this did
           NOT happen when Form.a was later in the list.
     W-98: 1 crash on Fileviruses (u:\); sometimes the program found
           a virus in memory and then refused to work, though there
           was definitely no virus in memory
     W-NT: n/a

FPW  DOS:  n/a
     W-98: ---
     W-NT: ---

FSE  DOS:  sometimes crashed on 2nd Win95.CIH-killer.1373, regardless
           of the infected file, and on several other occasions.
           Crashed on t:\tiknocor.t\pm.exe, but not on all machines
     W-98: ---
     W-NT: ---

FWN: DOS:  n/a
     W-98: ---
     W-NT: ---

INO  DOS:  Displayed error messages when scanning if Form.a was the
           1st entry in the SIMBOOT configuration. Strangely, this did
           NOT happen when Form.a was later in the list.
     W-98: 1 crash on FileITW (i:\)
     W-NT: ---

MKS: DOS:  ONLY in Polish; demands different keystrokes at start and
           at recognition of a virus; hardly testable.
     W-98: ONLY in Polish; program is very slow on huge amounts of
           files: it needed 16 days on a Pentium 166 to scan 80 % of
           the Vkit files; it needed 3 weeks on a Pentium II 350 to
           scan 70 % of the File Viruses, then it crashed. The scan
           could not be finished due to lack of time.
           MKS_VIRW caused an invalid page fault in
           module MKS_VIRW.EXE at 016f:0041616f.
     W-NT: ---

NAV  DOS:  ---
     W-98: program was not able to generate a report file of the
           "whole at once" scan of file viruses. We tested this on
           a Pentium 133 with 32 megabytes as well as on a Pentium II
           350 with 64 Megabytes. We tried it twice on each PC. So we
           scanned the file virus database in 5 parts manually.
           NAVW32 caused an invalid page fault in
           module MSVCRT.DLL at 0177:78012e10.
           NAVW32 caused an invalid page fault in
           module MSVCRT.DLL at 0187:7801084c.
     W-NT: When starting from a batch file, produced report is not
           complete (Warning "Activity log full")

NOD: DOS:  ---
     W-98: 1 crash on Vkit (w:\); 1 crash on Poly (v:\);
           report of a task was written only after the program was
           closed
     W-NT: ---

NVC: DOS:  ---
     W-98: ---
     W-NT: ---

PAV: DOS:  ---
     W-98: 1 crash on Vkit (w:\); 1 crash on FileViruses (u:\)
     W-NT: ---

PER: DOS:  n/a
     W-98: 4 crashes on FileViruses (u:\), the scantask was not
           finished as it was not possible to exclude directories
           from scanning; we tried it on different PC.
           Crash #1: on u:\sod\mronon\e\fo_dne\387\coa_003_.com
           PER caused an invalid page fault in
           module PER.DLL at 015f:004663a5.
           Crash #2: on u:\sod\mronon\e\fo_dne\387\coa_003_.com
           PER caused an invalid page fault in
           module PER.DLL at 015f:004663a5.
           Crash #3: on u:\sod\mronon\e\fo_dne\387\coa_003_.com
           PER caused an invalid page fault in
           module PER.DLL at 015f:004663a5.
           Crash #4: on U:\SOD\MRONON\E\FO_DNE\
     W-NT: n/a

PRO  DOS:  Did only install evaluation-version, which demanded
           keystrokes at start.
     W-98: 1 crash on FileMalware (t:\); 1 crash on FileViruses (u:\)
     W-NT: Crash at U:\SOD\MRONON\B\WB\275\

QHL: DOS:  n/a
     W-98: If one does not use the option "delete files if they could
           not be repaired", a window pops up every time:
           "Unable to rename the file... "
           3 crashes on Vkit (w:\)
           3 crashes on FileMalware, the scantask was not finished
              T:\NAJORT\MRONON\F\SUTEOF\0151\B\COA_000_.com
              T:\najort\mronon\h\cllh\
              T:\reppord\mronon\d\rellik_k.sid
           3 crashes on FileViruses (u:\), the scantask was not
           finished
     W-NT: Various crashes. No option for just reporting found viruses
           (only choice between rename and delete), so error warnings
           are reported ('file skipped') when there is no write access
           to those files.

RAV  DOS:  n/a
     W-98: 2 crashes on Vkit w:\vk_10\a\03360C0$.com
           2 crashes on PackFile (l:\); Spoon-feeding on t,u,l,w
     W-NT: Error while loading the engine (code=0x00004001)! (on one pc)
           Several crashes on L:
              \\.\arch\l:\59W\MRONON\F\ONOF\25171\A\LZH.LZH->EXA_014_.EXE
              \\.\arch\l:\SOD\MRONON\C\EDACSAC\4071\A\ARJ.ARJ->SOD/MRONON/
                 C/EDACSAC/4071/A/COA_033_.COM
              \\.\arch\l:\SOD\MRONON\J\MELASURE.J\8081\A\ARJ.ARJ->SOD/
                 MRONON/J/MELASURE.J/8081/A/EXA_028_.EXE
              \\.\arch\l:\SOD\MRONON\M\NOZNAM\6241\LZH.LZH->COA_027_.com
              \\.\arch\l:\SOD\MRONON\N\SATAN\4774\LZH.LZH->COA_003_.COM
              \\.\arch\l:\SOD\MRONON\O\FLAH_ENO\4453\A\ARJ.ARJ
              \\.\arch\l:\SOD\MRONON\T\ROMERT\0004\A\ARJ.ARJ
              l:\SOD\MRONON\T\OVPT\3873\A\
              l:\SOD\MRONON\N\LLAFTHGI.N\8154\
              l:\SOD\MRONON\H\PLLH\0087\B\

SCN  DOS:  ---
     W-98: 1 crash on Vkit (w:\)
     W-NT: Scanner quits while scanning with error:
           2/4/00 5:11 PM Infected Administrator
              u:\SOD\MRONON\K\SSERPYEK\8521\EXA_004_.EXE
              Keypress.1258 (Removable)
           2/4/00 5:11 PM Scan Error Administrator
              Critical error occurred, unable to allocate enough
              memory to continue scan.
           3/23/99 5:27 PM Infected Administrator
              u:\SOD\MRONON\K\AINROPIL.AK\685\COA_002_.COM
              Trivial.b.ow (Removable)
           3/23/99 5:27 PM Scan Error Administrator
              Critical error occurred, unable to allocate enough
              memory to continue scan.

SWP: DOS:  ---
     W-98: ---
     W-NT: ---

VIT  DOS:  Vit had a very old virus database (Feb.01,1999) and did not
           write correct report files; 50% of reports are almost
           empty, the other ones do not list all results.
           Crashed multiple times on Macro-zoo, boot-zoo and boot-itw.
     W-98: more than 3 crashes on MacroViruses (r:\),
           R:\word\box\c-tw and R:\word97
           3 crashes on FileViruses, scantask was not finished
           (remark: it seems to be a problem with unclosed handles)
     W-NT: Unable to run, Error: "entrypoint in kernel32.dll not found"

VSP  DOS:  Hung on v:\oneh3544\onea0000.e\8\one9854.exe and crashed
           multiple times on file-zoo, boot-zoo and boot-itw
     W-98: Program always skipped parts of the directories it should
           scan; therefore spoon-feeding on u:,v:,w:,t:,r:
           1 crash on Poly V:\ONEH3544\ONEA0000.E\8\ONE9854.EXE -
           One_Half.3544; all following files of this directory were
           skipped
     W-NT: Crash at V:\ONEH3544\ONEA0000.E\8\ONE9855.EXE
           (just like last test)
           Doesn't scan every file in u:\, spoon-feeding was necessary
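
Added example (not part of the original VTC report and not VTC's AWK scripts): a sketch of the coverage check described in the introduction, joining the reports of several partial runs, listing testbed directories the scanner never touched, and testing whether a scanner's own file counter is explained by a wrap at 65,536. The tab-separated report format, the manifest list, and the names normalise, scanned_paths and reconcile are assumptions made for illustration.

```python
import ntpath
from collections import defaultdict

def normalise(path):
    # Reports mix case (u:\sod\... vs U:\SOD\...), so compare upper-cased paths.
    return ntpath.normpath(path.strip()).upper()

def scanned_paths(reports):
    """Union of file paths over all partial-run reports.

    Assumed (hypothetical) record format: '<path><TAB><verdict>' per line;
    banner or truncated lines without a TAB are ignored."""
    seen = set()
    for report in reports:
        for line in report.splitlines():
            path, sep, _verdict = line.partition("\t")
            if sep and path.strip():
                seen.add(normalise(path))
    return seen

def reconcile(manifest, reports, reported_total=None):
    """Return ({directory: [unscanned files]}, diagnosis of the scanner's counter)."""
    expected = {normalise(p) for p in manifest}
    seen = scanned_paths(reports)
    missing = defaultdict(list)
    for path in sorted(expected - seen):
        missing[ntpath.dirname(path)].append(ntpath.basename(path))
    if reported_total is None:
        counter = "not checked"
    elif reported_total == len(seen):
        counter = "consistent"
    elif reported_total == len(seen) % 65536:
        counter = "wrapped (16-bit counter)"
    else:
        counter = "inconsistent"
    return dict(missing), counter

# Constructed sample data, not taken from any real scanner report.
MANIFEST = [r"U:\SOD\A\0001\COA_000_.COM", r"U:\SOD\A\0001\COA_001_.COM",
            r"U:\SOD\B\0002\EXA_000_.EXE", r"U:\SOD\C\0003\COA_000_.COM"]
RUN_1 = ("u:\\sod\\a\\0001\\coa_000_.com\tInfected\n"
         "u:\\sod\\a\\0001\\coa_001_.com\tOK\n")
RUN_2 = "Scan started\nU:\\SOD\\C\\0003\\COA_000_.COM\tInfected\n"

if __name__ == "__main__":
    missing, counter = reconcile(MANIFEST, [RUN_1, RUN_2], reported_total=3)
    for directory, files in missing.items():
        print("unscanned:", directory, files)
    print("counter:", counter)
```

Directories returned as unscanned are the ones to feed to the scanner again; a "wrapped" diagnosis means the scanner's summary figure cannot be used as the completeness check and the per-file records must be counted instead.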