================================================
File 6GWNT.TXT: Detailed results of Macro Virus related
                on-demand scanner tests under Windows NT:
================================================
(Formatted with non-proportional font: Courier; 72 columns)

The following tables summarize detection and identification quality
concerning MACRO viruses as well as selected MACRO MALWARE, both in
full "zoo" virus collection and for viral ITW testbed, under W-NT.

Moreover, results for detection of viruses in objects compressed with
4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen from
available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 7EVAL.txt and 0XECSUM.TXT.

As usual, results may be influenced by problems experienced during
tests; such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
WNT.M1:  "MacroVirus 1": Results of "full" test for macro viruses
WNT.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro
         viruses
WNT.M3:  "Comparison of Detection Rate of Packed Viruses": Results of
         Detection Rate of ITW file viruses packed with PKZIP, LHA,
         ARJ and RAR
WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with PKZIP
WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with LHA
WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with ARJ
WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with RAR
WNT.M4:  "False Positive" detection: Results of "full" zoo test for
         non-viral (clean) macro objects detected as "false positives"
WNT.M5:  "Macro-Malware": Results of "full" zoo test for Macro-related
         malware
WNT.S1:  "ScriptVirus 1": Results of partial Zoo test for script
         viruses (esp. VBS and MIRC)


Table WNT.M1: "MacroVirus 1": Results of "full" zoo test for
              macro viruses under Windows NT:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed   5418 100.0%                             15720 100.0%
--------------------------------------------------------------
ANT       5224  96.4     132   2.4     37   0.7   15169  96.5
AVA       5100  94.1      34   0.6     32   0.6   14809  94.2
AVG       5305  97.9      21   0.4     10   0.2   15428  98.1
AVK       5417 100.0      81   1.5      1   0.0   15716 100.0
AVP       5417 100.0      81   1.5      1   0.0   15716 100.0
AVX       5364  99.0     356   6.6      6   0.1   15580  99.1
CMD       5418 100.0%     63   1.2      0   0.0   15720 100.0%
DRW       5282  97.5      60   1.1     34   0.6   15395  97.9
FPW       5418 100.0%      4   0.1      0   0.0   15720 100.0%
FSE       5418 100.0%      1   0.0      0   0.0   15720 100.0%
INO       5406  99.8      74   1.4      3   0.1   15688  99.8
NAV       5292  97.7      68   1.3     10   0.2   15324  97.5
NVC       5414  99.9      55   1.0      6   0.1   15698  99.9
PAV       5417 100.0      81   1.5      3   0.1   15713 100.0
PER       4606  85.0     152   2.8    891  16.4   12189  77.5
PRO       3745  69.1       0   0.0    111   2.0   10443  66.4
RAV       5252  96.9     212   3.9     11   0.2   15220  96.8
SCN       5418 100.0%      0   0.0      0   0.0   15720 100.0%
--------------------------------------------------------------
Remark: since test "2000-07", "100.0%" or "100%" denotes
        "exactly 100%", whereas "100.0" or "100.0~" denotes
        "100% rounded-up".


Table WNT.M2: "MacroVirus 2": Results of "In-The-Wild" test for
              macro viruses under Windows NT:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed    133 100.0                                241 100.0
--------------------------------------------------------------
ANT        131  98.5       0   0.0      0   0.0     239  99.2
AVA        133 100.0%      0   0.0      0   0.0     241 100.0%
AVG        133 100.0%      0   0.0      0   0.0     241 100.0%
AVK        133 100.0%      0   0.0      0   0.0     241 100.0%
AVP        133 100.0%      0   0.0      0   0.0     241 100.0%
AVX        133 100.0%     21  15.8      0   0.0     241 100.0%
CMD        133 100.0%      0   0.0      0   0.0     241 100.0%
DRW        133 100.0%      1   0.8      0   0.0     241 100.0%
FPW        133 100.0%      0   0.0      0   0.0     241 100.0%
FSE        133 100.0%      0   0.0      0   0.0     241 100.0%
INO        133 100.0%      1   0.8      0   0.0     241 100.0%
NAV        133 100.0%      1   0.8      0   0.0     241 100.0%
NVC        133 100.0%      0   0.0      0   0.0     241 100.0%
PAV        133 100.0%      0   0.0      0   0.0     241 100.0%
PER        103  77.4       4   3.0     58  43.6     136  56.4
PRO        133 100.0%      0   0.0      0   0.0     241 100.0%
QHL        116  87.2       9   6.8      3   2.3     212  88.0
RAV        133 100.0%     22  16.5      0   0.0     241 100.0%
SCN        133 100.0%      0   0.0      0   0.0     241 100.0%
--------------------------------------------------------------


Table WNT.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
==============================================================
This includes
          Viruses detected per packer
Scanner   ZIP     %     LHA     %     ARJ     %     RAR     %
--------------------------------------------------------------
Testbed   137 100.0%    137 100.0%    137 100.0%    137 100.0%
--------------------------------------------------------------
ANT       134  97.8     134  97.8     134  97.8     134  97.8
AVA       137 100.0%      0   0.0       0   0.0       0   0.0
AVG       137 100.0%      0   0.0     137 100.0%    137 100.0%
AVK       137 100.0%    137 100.0%    137 100.0%    137 100.0%
AVP       137 100.0%    137 100.0%    137 100.0%    137 100.0%
AVX       137 100.0%    137 100.0%    137 100.0%    137 100.0%
CMD       137 100.0%    137 100.0%    137 100.0%    137 100.0%
DRW       136  99.3       0   0.0     136  99.3     136  99.3
FPW       137 100.0%      0   0.0     137 100.0%      0   0.0
FSE       135  98.5     136  99.3     136  99.3       0   0.0
INO       137 100.0%    136  99.3     137 100.0%      0   0.0
NAV       137 100.0%    137 100.0%    137 100.0%      0   0.0
NVC       137 100.0%      0   0.0     137 100.0%      0   0.0
PAV       137 100.0%    137 100.0%    137 100.0%    137 100.0%
PER       103  75.2       0   0.0       0   0.0       0   0.0
PRO       137 100.0%      0   0.0       0   0.0       0   0.0
QHL       116  84.7       0   0.0     116  84.7       0   0.0
RAV       136  99.3     137 100.0%    137 100.0%      0   0.0
SCN       137 100.0%    137 100.0%    137 100.0%    137 100.0%
--------------------------------------------------------------


Table WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with PKZIP under
               Windows NT:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed    137 100.0%                               247 100.0%
--------------------------------------------------------------
ANT        134  97.8       0   0.0      1   0.7     243  98.4
AVA        137 100.0%      0   0.0      1   0.7     246  99.6
AVG        137 100.0%      0   0.0      1   0.7     246  99.6
AVK        137 100.0%      1   0.7      0   0.0     247 100.0%
AVP        137 100.0%      1   0.7      0   0.0     247 100.0%
AVX        137 100.0%     21  15.3      1   0.7     246  99.6
CMD        137 100.0%      1   0.7      1   0.7     246  99.6
DRW        136  99.3       1   0.7      1   0.7     245  99.2
FPW        137 100.0%      0   0.0      3   2.2     246  99.6
FSE        135  98.5      18  13.1      4   2.9     239  96.8
INO        137 100.0%      2   1.5      0   0.0     247 100.0%
NAV        137 100.0%      1   0.7      1   0.7     246  99.6
NVC        137 100.0%      1   0.7      0   0.0     247 100.0%
PAV        137 100.0%      1   0.7      0   0.0     247 100.0%
PER        103  75.2       4   2.9     58  42.3     136  55.1
PRO        137 100.0%      1   0.7      0   0.0     247 100.0%
QHL        116  84.7       5   3.6      3   2.2     212  85.8
RAV        136  99.3      21  15.3      2   1.5     244  98.8
SCN        137 100.0%      0   0.0      1   0.7     246  99.6
--------------------------------------------------------------


Table WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with LHA under
               Windows NT:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed    137 100.0%                               247 100.0%
--------------------------------------------------------------
ANT        134  97.8       0   0.0      1   0.7     243  98.4
AVA          0   0.0       0   0.0      0   0.0       0   0.0
AVG          0   0.0       0   0.0      0   0.0       0   0.0
AVK        137 100.0%      1   0.7      0   0.0     247 100.0%
AVP        137 100.0%      1   0.7      0   0.0     247 100.0%
AVX        137 100.0%     21  15.3      1   0.7     246  99.6
CMD        137 100.0%      0   0.0      1   0.7     246  99.6
DRW          0   0.0       0   0.0      0   0.0       0   0.0
FPW          0   0.0       0   0.0      0   0.0       0   0.0
FSE        136  99.3      11   8.0      4   2.9     241  97.6
INO        136  99.3       2   1.5      1   0.7     245  99.2
NAV        137 100.0%      1   0.7      1   0.7     246  99.6
NVC          0   0.0       0   0.0      0   0.0       0   0.0
PAV        137 100.0%      1   0.7      0   0.0     247 100.0%
PER          0   0.0       0   0.0      0   0.0       0   0.0
PRO          0   0.0       0   0.0      0   0.0       0   0.0
QHL          0   0.0       0   0.0      0   0.0       0   0.0
RAV        137 100.0%     22  16.1      1   0.7     246  99.6
SCN        137 100.0%      0   0.0      1   0.7     246  99.6
--------------------------------------------------------------


Table WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with ARJ under
               Windows NT:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed    137 100.0%                               247 100.0%
--------------------------------------------------------------
ANT        134  97.8       0   0.0      1   0.7     243  98.4
AVA          0   0.0       0   0.0      0   0.0       0   0.0
AVG        137 100.0%      0   0.0      1   0.7     246  99.6
AVK        137 100.0%      1   0.7      0   0.0     247 100.0%
AVP        137 100.0%      1   0.7      0   0.0     247 100.0%
AVX        137 100.0%     21  15.3      1   0.7     246  99.6
CMD        137 100.0%      0   0.0      1   0.7     246  99.6
DRW        136  99.3       1   0.7      1   0.7     245  99.2
FPW        137 100.0%      0   0.0      3   2.2     246  99.6
FSE        136  99.3       5   3.6      2   1.5     243  98.4
INO        137 100.0%      2   1.5      0   0.0     247 100.0%
NAV        137 100.0%      1   0.7      1   0.7     246  99.6
NVC        137 100.0%      1   0.7      0   0.0     247 100.0%
PAV        137 100.0%      1   0.7      0   0.0     247 100.0%
PER          0   0.0       0   0.0      0   0.0       0   0.0
PRO          0   0.0       0   0.0      0   0.0       0   0.0
QHL        116  84.7       5   3.6      3   2.2     212  85.8
RAV        137 100.0%     22  16.1      1   0.7     246  99.6
SCN        137 100.0%      0   0.0      1   0.7     246  99.6
--------------------------------------------------------------


Table WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with RAR under
               Windows NT:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed    137 100.0%                               247 100.0%
--------------------------------------------------------------
ANT        134  97.8       0   0.0      1   0.7     243  98.4
AVA          0   0.0       0   0.0      0   0.0       0   0.0
AVG        137 100.0%      0   0.0      1   0.7     246  99.6
AVK        137 100.0%      1   0.7      0   0.0     247 100.0%
AVP        137 100.0%      1   0.7      0   0.0     247 100.0%
AVX        137 100.0%     21  15.3      1   0.7     246  99.6
CMD        137 100.0%      0   0.0      1   0.7     246  99.6
DRW        136  99.3       1   0.7      1   0.7     245  99.2
FPW          0   0.0       0   0.0      0   0.0       0   0.0
FSE          0   0.0       0   0.0      0   0.0       0   0.0
INO          0   0.0       0   0.0      0   0.0       0   0.0
NAV          0   0.0       0   0.0      0   0.0       0   0.0
NVC          0   0.0       0   0.0      0   0.0       0   0.0
PAV        137 100.0%      1   0.7      0   0.0     247 100.0%
PER          0   0.0       0   0.0      0   0.0       0   0.0
PRO          0   0.0       0   0.0      0   0.0       0   0.0
QHL          0   0.0       0   0.0      0   0.0       0   0.0
RAV          0   0.0       0   0.0      0   0.0       0   0.0
SCN        137 100.0%      0   0.0      1   0.7     246  99.6
--------------------------------------------------------------


Table WNT.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows NT:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed     26 100.0%                               329 100.0%
--------------------------------------------------------------
ANT         15  57.7       0   0.0     15  57.7      36  10.9
AVA          0   0.0       0   0.0      0   0.0       0   0.0
AVG          0   0.0       0   0.0      0   0.0       0   0.0
AVK          0   0.0       0   0.0      0   0.0       0   0.0
AVP          0   0.0       0   0.0      0   0.0       0   0.0
AVX         16  61.5       0   0.0     16  61.5      25   7.6
CMD          1   3.8       0   0.0      1   3.8       2   0.6
DRW         21  80.8       0   0.0     21  80.8      94  28.6
FPW          1   3.8       0   0.0      1   3.8       2   0.6
FSE          1   3.8       0   0.0      1   3.8       2   0.6
INO          0   0.0       0   0.0      0   0.0       0   0.0
NAV          4  15.4       0   0.0      4  15.4       4   1.2
NVC          3  11.5       0   0.0      3  11.5       5   1.5
PAV          0   0.0       0   0.0      0   0.0       0   0.0
PER         23  88.5       0   0.0     23  88.5     111  33.7
PRO          0   0.0       0   0.0      0   0.0       0   0.0
RAV         24  92.3       0   0.0     24  92.3     106  32.2
SCN          0   0.0       0   0.0      0   0.0       0   0.0
--------------------------------------------------------------
Remark: within 26 non-viral directories and totally 329 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table WNT.M5: "Macro-Malware": Results of "full" test for
              Macro-related malware under Windows NT:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed    334 100.0%                               500 100.0%
--------------------------------------------------------------
ANT        269  80.5       4   1.2      4   1.2     412  82.4
AVA        241  72.2       3   0.9      3   0.9     364  72.8
AVG        267  79.9       3   0.9      5   1.5     414  82.8
AVK        328  98.2       0   0.0      0   0.0     494  98.8
AVP        328  98.2       0   0.0      0   0.0     494  98.8
AVX        313  93.7      14   4.2      4   1.2     474  94.8
CLE          0   0.0       0   0.0      0   0.0       0   0.0
CMD        334 100.0%      4   1.2      0   0.0     500 100.0%
DRW        233  69.8       1   0.3      6   1.8     367  73.4
FPW        334 100.0%      1   0.3      0   0.0     500 100.0%
FSE        334 100.0%      0   0.0      0   0.0     500 100.0%
INO        326  97.6       3   0.9      3   0.9     488  97.6
NAV        258  77.2       1   0.3      3   0.9     394  78.8
NVC        332  99.4       9   2.7      4   1.2     484  96.8
PAV        328  98.2       0   0.0      0   0.0     494  98.8
PER        240  71.9       2   0.6     28   8.4     335  67.0
PRO        181  54.2       0   0.0      7   2.1     247  49.4
QHL        207  62.0       5   1.5     17   5.1     287  57.4
RAV        300  89.8      16   4.8      6   1.8     447  89.4
SCN        334 100.0%      0   0.0      0   0.0     500 100.0%
--------------------------------------------------------------


Table WNT.S1: "ScriptVirus 1": Results of partial Zoo test for
              script viruses under DOS:
==============================================================
This includes
           Viruses       ---- unreliably ----        Files
Scanner   detected     identified    detected      detected
--------------------------------------------------------------
Testbed    306 100.0%                               527 100.0%
--------------------------------------------------------------
ANT        169  55.2       6   2.0     15   4.9     321  60.9
AVA         46  15.0       1   0.3      4   1.3     164  31.1
AVG        140  45.8       6   2.0     12   3.9     302  57.3
AVK        281  91.8      20   6.5      2   0.7     496  94.1
AVP        270  88.2      20   6.5      1   0.3     476  90.3
AVX        188  61.4       3   1.0     25   8.2     358  67.9
CLE         13   4.2       0   0.0      6   2.0      24   4.6
CMD        286  93.5       1   0.3      0   0.0     502  95.3
DRW        183  59.8       5   1.6     10   3.3     311  59.0
FPW        278  90.8       3   1.0      2   0.7     487  92.4
FSE        296  96.7       1   0.3      1   0.3     512  97.2
INO        239  78.1       9   2.9      8   2.6     436  82.7
NAV        112  36.6       5   1.6     12   3.9     240  45.5
NVC        256  83.7       7   2.3      9   2.9     457  86.7
PAV        276  90.2      20   6.5      2   0.7     487  92.4
PER          0   0.0       0   0.0      0   0.0       0   0.0
PRO         40  13.1       0   0.0     14   4.6     137  26.0
QHL         21   6.9       0   0.0      3   1.0      38   7.2
RAV        144  47.1       6   2.0     10   3.3     274  52.0
SCN        293  95.8       1   0.3      0   0.0     509  96.6
--------------------------------------------------------------