==================================================
File 6DDOS.TXT
DOS.III: Detailed results of Macro Virus Detection
         of on-demand scanner tests under DOS
==================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification quality
for MACRO viruses as well as for selected MACRO MALWARE, both for the
full "zoo" virus collection and for the viral ITW (In-The-Wild)
testbed, under DOS. Moreover, results for the detection of viruses in
objects compressed with 4 popular packing methods are also given.
Finally, a special test was performed concerning "false positive"
virus detection on selected files which were deliberately chosen from
available CD-ROMs and which were definitively clean of viruses.

For a discussion of the results, see 7EVAL.TXT and 0XECSUM.TXT.
As usual, results may be influenced by problems experienced during the
tests; such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
FDOS.M1:  "MacroVirus 1": Results of "full" Zoo test for macro viruses
FDOS.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro
          viruses
FDOS.M3:  "Comparison of Detection Rate of Packed Viruses": Results of
          Detection Rate of ITW macro viruses packed with PKZIP, LHA,
          ARJ and RAR
FDOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of ITW
          macro Viruses Packed with PKZIP
FDOS.M3b: "LHA-Packed Macro Viruses": Results of Detection of ITW
          macro Viruses Packed with LHA
FDOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW
          macro Viruses Packed with ARJ
FDOS.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW
          macro Viruses Packed with RAR
FDOS.M4:  "False Positive" macro virus detection: Results of "full"
          Zoo test for non-viral (clean) macro objects detected as
          "false positives"
FDOS.M5:  "Macro-Malware": Results of "full" Zoo test for
          Macro-related malware
FDOS.S1:  "ScriptVirus 1": Results of partial Zoo test for script
          viruses (esp. VBS and MIRC)


Table FDOS.M1: "MacroVirus 1": Results of "full" Zoo Test
               for macro viruses under DOS:
====================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed      5418 100.0%                                15720 100.0%
---------------------------------------------------------------------
ANT          5057   93.3     128   2.4       41   0.8     14737   93.7
AVK          5416  100.0      81   1.5        1   0.0     15709   99.9
CMD          5417  100.0      64   1.2        0   0.0     15713  100.0
DRW          5287   97.6      60   1.1       34   0.6     15402   98.0
FPR          5416  100.0       4   0.1        0   0.0     15709   99.9
INO          5404   99.7      74   1.4        4   0.1     15678   99.7
NAV          5254   97.0       0   0.0       10   0.2     15264   97.1
NVC          5413   99.9      55   1.0        6   0.1     15691   99.8
SCN          5417  100.0     107   2.0        0   0.0     15713  100.0
UKV             0    0.0       0   0.0        0   0.0         0    0.0
---------------------------------------------------------------------

Remark: since test "2000-07", "100.0%" or "100%" denotes "exactly
        100%", whereas "100.0" or "100.0~" denotes "100% rounded-up".


Table FDOS.M2: "MacroVirus 2": Results of "In-The-Wild" Test
               for macro viruses under DOS:
=======================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed       133  100.0                                  241  100.0
---------------------------------------------------------------------
ANT           131   98.5       0   0.0        0   0.0       239   99.2
AVK           133 100.0%       0   0.0        0   0.0       241 100.0%
CMD           133 100.0%       0   0.0        0   0.0       241 100.0%
DRW           133 100.0%       1   0.8        0   0.0       241 100.0%
FPR           133 100.0%       0   0.0        0   0.0       241 100.0%
INO           133 100.0%       1   0.8        0   0.0       241 100.0%
NAV           132   99.2       0   0.0        0   0.0       240   99.6
NVC           133 100.0%       0   0.0        0   0.0       241 100.0%
SCN           133 100.0%       5   3.8        0   0.0       241 100.0%
UKV            11    8.3       0   0.0        1   0.8        21    8.7
---------------------------------------------------------------------


Table FDOS.M3: "Comparison of Detection Rate of Packed Viruses":
               Results of Detection Rate of ITW macro viruses
               packed with PKZIP, LHA, ARJ and RAR
===========================================================

                      This includes
                    Viruses detected per packer
Scanner       ZIP      %       LHA      %       ARJ      %       RAR      %
----------------------------------------------------------------------------
Testbed       137  100.0%      137  100.0%      137  100.0%      137  100.0%
----------------------------------------------------------------------------
ANT           134    97.8        0     0.0        0     0.0        0     0.0
AVK           137  100.0%      137  100.0%      137  100.0%      137  100.0%
CMD           137  100.0%      137  100.0%      137  100.0%      137  100.0%
DRW           136    99.3        0     0.0      136    99.3      136    99.3
FPR           137  100.0%        0     0.0      137  100.0%        0     0.0
INO           137  100.0%        0     0.0      137  100.0%        0     0.0
NAV           134    97.8        0     0.0        0     0.0        0     0.0
SCN           137  100.0%      137  100.0%      137  100.0%      137  100.0%
UKV             0     0.0        0     0.0        0     0.0        0     0.0
----------------------------------------------------------------------------


Table FDOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
                of ITW Macro Viruses Packed with PKZIP under Windows NT:
======================================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed       137 100.0%                                  247 100.0%
---------------------------------------------------------------------
ANT           134   97.8       0   0.0      108  78.8       134   54.3
AVK           137 100.0%       1   0.7        0   0.0       247 100.0%
CMD           137 100.0%       1   0.7        1   0.7       246   99.6
DRW           136   99.3       1   0.7        1   0.7       245   99.2
FPR           137 100.0%       0   0.0        3   2.2       246   99.6
INO           137 100.0%       2   1.5        0   0.0       247 100.0%
NAV           134   97.8       1   0.7        1   0.7       242   98.0
SCN           137 100.0%       1   0.7        1   0.7       246   99.6
UKV             0    0.0       0   0.0        0   0.0         0    0.0
---------------------------------------------------------------------


Table FDOS.M3b: "LHA-Packed Macro Viruses": Results of Detection
                of ITW Macro Viruses Packed with LHA under Windows NT:
====================================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed       137 100.0%                                  247 100.0%
---------------------------------------------------------------------
ANT             0    0.0       0   0.0        0   0.0         0    0.0
AVK           137 100.0%       1   0.7        0   0.0       247 100.0%
CMD           137 100.0%       0   0.0        1   0.7       246   99.6
DRW             0    0.0       0   0.0        0   0.0         0    0.0
FPR             0    0.0       0   0.0        0   0.0         0    0.0
INO             0    0.0       0   0.0        0   0.0         0    0.0
NAV             0    0.0       0   0.0        0   0.0         0    0.0
SCN           137 100.0%       1   0.7        1   0.7       246   99.6
UKV             0    0.0       0   0.0        0   0.0         0    0.0
---------------------------------------------------------------------


Table FDOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection
                of ITW Macro Viruses Packed with ARJ under Windows NT:
====================================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed       137 100.0%                                  247 100.0%
---------------------------------------------------------------------
ANT             0    0.0       0   0.0        0   0.0         0    0.0
AVK           137 100.0%       1   0.7        0   0.0       247 100.0%
CMD           137 100.0%       0   0.0        1   0.7       246   99.6
DRW           136   99.3       1   0.7        1   0.7       245   99.2
FPR           137 100.0%       0   0.0        3   2.2       246   99.6
INO           137 100.0%       2   1.5        0   0.0       247 100.0%
NAV             0    0.0       0   0.0        0   0.0         0    0.0
SCN           137 100.0%       1   0.7        1   0.7       246   99.6
UKV             0    0.0       0   0.0        0   0.0         0    0.0
---------------------------------------------------------------------


Table FDOS.M3d: "RAR-Packed Macro Viruses": Results of Detection
                of ITW Macro Viruses Packed with RAR under Windows NT:
===================================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed       137 100.0%                                  247 100.0%
---------------------------------------------------------------------
ANT             0    0.0       0   0.0        0   0.0         0    0.0
AVK           137 100.0%       1   0.7        0   0.0       247 100.0%
CMD           137 100.0%       0   0.0        1   0.7       246   99.6
DRW           136   99.3       1   0.7        1   0.7       245   99.2
FPR             0    0.0       0   0.0        0   0.0         0    0.0
INO             0    0.0       0   0.0        0   0.0         0    0.0
NAV             0    0.0       0   0.0        0   0.0         0    0.0
SCN           137 100.0%       1   0.7        1   0.7       246   99.6
UKV             0    0.0       0   0.0        0   0.0         0    0.0
---------------------------------------------------------------------


Table FDOS.M4: "False Positive" macro virus detection: Results of
               "full" Zoo test for non-viral (clean) macro objects
               detected as "false positives" under DOS:
================================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed        26 100.0%                                  329 100.0%
---------------------------------------------------------------------
ANT             0    0.0       0   0.0        0   0.0         0    0.0
AVK             0    0.0       0   0.0        0   0.0         0    0.0
CMD             1    3.8       0   0.0        1   3.8         2    0.6
DRW            21   80.8       0   0.0       21  80.8        94   28.6
FPR             1    3.8       0   0.0        1   3.8         2    0.6
INO             0    0.0       0   0.0        0   0.0         0    0.0
NAV             4   15.4       0   0.0        4  15.4         4    1.2
NVC             3   11.5       0   0.0        3  11.5         5    1.5
SCN             0    0.0       0   0.0        0   0.0         0    0.0
---------------------------------------------------------------------

Remark: within 26 non-viral directories and a total of 329 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1).


Table FDOS.M5: "Macro-Malware": Results of "full" Zoo Test
               for Macro-related malware under DOS:
=========================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed       334 100.0%                                  500 100.0%
---------------------------------------------------------------------
ANT           262   78.4       3   0.9        4   1.2       397   79.4
AVK           328   98.2       0   0.0        0   0.0       494   98.8
CMD           334 100.0%       4   1.2        0   0.0       500 100.0%
DRW           233   69.8       1   0.3        6   1.8       367   73.4
FPR           334 100.0%       1   0.3        0   0.0       500 100.0%
INO           310   92.8       3   0.9        3   0.9       472   94.4
NAV           256   76.6       0   0.0        3   0.9       392   78.4
NVC           332   99.4       9   2.7        4   1.2       484   96.8
SCN           330   98.8       7   2.1        0   0.0       496   99.2
UKV            10    3.0       0   0.0        3   0.9        20    4.0
---------------------------------------------------------------------


Table FDOS.S1: "ScriptVirus 1": Results of partial Zoo test
               for script viruses under DOS:
======================================================

                      This includes
                 Viruses       ---- unreliably ----       Files
Scanner      detected      identified     detected       detected
---------------------------------------------------------------------
Testbed       306 100.0%                                  527 100.0%
---------------------------------------------------------------------
ANT           169   55.2       6   2.0       15   4.9       321   60.9
AVK           280   91.5      20   6.5        2   0.7       495   93.9
CMD           286   93.5       1   0.3        0   0.0       502   95.3
DRW           186   60.8       5   1.6       10   3.3       314   59.6
FPR           277   90.5       4   1.3        4   1.3       484   91.8
INO           238   77.8       8   2.6        9   2.9       426   80.8
NAV            76   24.8       0   0.0       12   3.9       171   32.4
NVC           256   83.7       7   2.3        9   2.9       457   86.7
SCN           262   85.6       5   1.6        2   0.7       398   75.5
UKV             0    0.0       0   0.0        0   0.0         0    0.0
---------------------------------------------------------------------