=========================================
File 8PROBLMS.TXT
List of problems experienced during test:
=========================================
Formatted with non-proportional font (Courier)

Content of this file:
---------------------
1. Introduction: General Problems
2. List of benevolently behaving AV products
3. Problems of AV products observed during tests
   3.1 Scanners unable to detect viruses in packed objects
   3.2 List of scanner problems


1. Introduction: General Problems:
----------------------------------
(Essentially unchanged since last test)

For automatic tests on large viral databases, and for automatic
processing of large scanner log files, a set of test conditions is
prerequisite for scanners to participate in a VTC test (see:
4TESTCON.TXT).

In many cases, serious problems were observed during some tests. DOS
scanners either did not run properly under SIMBOOT and crashed, or
problems appeared with the (rather large) file virus database. In some
cases, scanners crashed upon detecting some specific virus; in a few
cases, "manual" operation instead of automatic (batch) operation helped
to solve some of these problems. Such curative action was also applied,
when possible, in cases where log files were inadequate (e.g. needing
manual operation for export).

As processors become faster, DOS scanners (which run without any
problem on INTEL 386 and 486) increasingly crash on Pentium II/III
systems faster than 250 MHz. Another general problem with DOS scanners
is related to counters for files and viruses, which often seem to be
designed as integers, so that after 65,536 they start again at 0.

During preparation and test, we again experienced a serious problem
reported in VTC Test "1998-10", according to which management of large
sets of directories in FAT and NTFS may not work reliably.
Both when attempting to move large parts of our file virus database,
and when some scanner proceeded to scan subsequent viral directories,
we found that several directories were not moved or touched. This
effect seems to happen stochastically, such that subsequent attempts
gave different results. Concerning omitted (=unscanned) directories, we
overcame this "dysfunctional" behaviour of FAT and NTFS by repeating
scanning until the number of scanned files agreed with the (known)
number of directories in testbeds. Overcoming this problem was
extremely time-consuming, and this was a reason for delaying
publication of results.

In cases where scanners crashed during the detection test upon the
rather large file virus database, tests were performed in several runs
on partitions (essentially on directories with the same first letters
of names). In most cases (apart from those reported below), these tests
were completed, and the resulting files were joined and evaluated.

Finally, with growing testbeds, test protocols produced by scanners
grow equally. When processing such protocols, we now need up to
6 GByte of disk space, and our evaluation scripts (in AWK) become more
complex. Under these conditions, we also suffered from an evident bug
in the AWK processor which inhibited proper evaluation and required
additional quality assurance (costing additional time and effort).


2. List of benevolently behaving AV products:
---------------------------------------------

Few scanners could be tested *without any problem* (admittedly, the
unstable behaviour of Windows-98 may have adversely influenced some
scanners). Such benevolent behaviour (possibly with the exception of
the NTFS and FAT problems mentioned above) can be reported for several
(though no longer the majority) of DOS scanners as well as for W-NT and
W-2k scanners (which surprised us, as "new" Microsoft platforms have
previously been less stable).

     -----------------------------------------
     NO problems with DOS scanners:
         ANT, CMD, DRW, FPR, INO, NAV, SCN
     -----------------------------------------

In comparison with the last test, W-98 scanners were significantly
improved, as 16 products were tested without any problem and only a
minority of products were unstable:

     ----------------------------------------------
     NO problems with W-98 scanners:
         ANT, AVA, AVP, AVX, CLE, CMD, DSE, FPW,
         INO, PER, NAV, NVC, PAV, PRO, RAV, SCN
     ----------------------------------------------

Moreover, compared to the last test, W-NT scanners were significantly
improved, as 16 scanners completed without any problem:

     ----------------------------------------------
     NO problems with W-NT scanners:
         ANT, AVG, AVK, AVP, AVX, CLE, CMD, DRW,
         FPW, INO, NAV, NVC, PAV, PER, PRO, SCN
     ----------------------------------------------

Finally, we were surprised that W-2k scanners behaved very stably, with
12 (of 20) products running without any problem, and the rest (if
installable) also behaving in a "benevolent manner" (no single crash!):

     ---------------------------------------------------------
     NO problems (except possibly warning) with W-2k scanners:
         ANT, AVG, AVK, AVP, AVX, CLE, CMD, DRW,
         FPW, INO, NAV, NVC, PAV, PRO, RAV, SCN
     ---------------------------------------------------------

We very much appreciate that the following * 9 * scanners executed
WITHOUT ANY PROBLEMS OR WARNINGS on the platforms for which they were
submitted:

     ----------------------------------
     No problems on ANY platform:
         ANT, AVP, AVX, CLE, DSE,
         FPR/FPW, INO, PRO and SCN.
     ----------------------------------

     ------------------------------------
     Moreover, 2 products could be tested
     when warnings were disregarded:
         CMD, NAV
     ------------------------------------


3. Problems of AV products observed during tests:
-------------------------------------------------

The following list reports specific problems observed for products as
indicated ("spoon-feeding" means that the scanner was restarted on each
subsequent directory when a crash was experienced). For details of
scanner versions, see A2SCNLS.TXT.

ANT  DOS:  ---
     W-98: ---
     W-NT: ---
     W-2k: ---

ATD  DOS:  n/a
     W-98: n/a
     W-NT: Problems: product could not be tested, as the update works
           only with a password, which was not available.
     W-2k: Problems: Program says it needs at least Servicepack 3.
           Update needs a password.

AVA  DOS:  n/a
     W-98: ---
     W-NT: Multiple problems:
           In the report, the scanner stated that there were two
           errors; this was reproducible by scanning only this
           directory, resulting in equal (none) detection: no file of
           the directory r:\WORD97\INEXIST\ was detected as infected.
           r:\WORD97\INEXIST\A-FR\INEXIS-B.DOT [E] not tested due to error 34531
           r:\WORD97\INEXIST\A-FR\W97INEXI.DOC [E] not tested due to error 34531
     W-2k: Problems: Does not show a drive letter for network drives

AVG  DOS:  n/a
     W-98: Multiple Problems:
           multiple crashes on t; copied database t to z and removed
           files which crash the scanner... only part of the report:
           A fatal Exception 0E has occurred at 0028:C008FDC8 in VXD AVGCORE(01) + 00014FC8.
           Crashed on T:\irc\J\Jeepwarz\D\irc_000_.ini
           A fatal Exception 0E has occurred at 0028:C008FDC8 in VXD AVGCORE(01) + 00014FC8.
           Crashed on T:\vbs\L\LoveLett\gen\vbs_023_.vbs
           A fatal Exception 0E has occurred at 0028:C008FDC8 in VXD AVGCORE(01) + 00014FC8.
           Crashed on T:\vbs\M\Monopoly\A\vbs_000_.vbs
           A fatal Exception 0E has occurred at 0028:C008FDC8 in VXD AVGCORE(01) + 00014FC8.
           Crashed on T:\vbs\R\Reaper\A\vbs_000_.vbs
     W-NT: ---
     W-2k: ---

AVK  DOS:  n/a
     W-98: One crash on macro virus "ZOO" database
     W-NT: ---
     W-2k: ---

AVP  DOS:  n/a
     W-98: ---
     W-NT: ---
     W-2k: ---

AVX  DOS:  n/a
     W-98: ---
     W-NT: ---
     W-2k: ---

CLE  DOS:  n/a
     W-98: ---
     W-NT: ---
     W-2k: ---

CMD  DOS:  ---
     W-98: ---
     W-NT: ---
     W-2k: Problems: F-prot32.exe reports that it does not find all
           program DLLs, but the missing DLLs are all in the directory.
           Fprot.exe runs without problems.

DSE  DOS:  n/a
     W-98: ---
     W-NT: n/a
     W-2k: n/a

DRW  DOS:  ---
     W-98: One crash on macro virus "ZOO" database
     W-NT:
     W-2k: ---

FPR  DOS:  ---
FPW  W-98: ---
     W-NT: ---
     W-2k: ---

FSE  DOS:  Displays error "Error in link debus.c: Too many links"
           while loading & quitting
     W-98: Multiple problems:
           crash on t (script-viruses):
           FSAV32 caused an invalid page fault in module FSAV32.EXE
           at 015f:0040680f.
           Registers:
           EAX=00c7febc CS=015f EIP=0040680f EFLGS=00010213
           EBX=00000000 SS=0167 ESP=00c7f998 EBP=01bcf00c
           ECX=00000013 DS=0167 ESI=0077d000 FS=2137
           EDX=000003fb ES=0167 EDI=01bcf7e0 GS=0000
           Bytes at CS:EIP:
           f3 a5 8b ca 83 e1 03 f3 a4 ff 15 68 3f 41 00 3d
           Stack dump:
           00c7febc 0064fac8 0064faa0 00c7ff30 00c7febc 00000000
           0077cc50 0064faa0 c76d2e20 ffffffff bffabf97 00c7fce4
           24da474 00c7fcec 00000011 00c7fcf4

           Scanner stopped on r: (Macro-Virus-Zoo) after 16040 files
           R:\word97\ZMK\S\Doc1.Doc (last files of database).
           Scanner is not telling that it has finished scanning.
           Scanner reports only the first part of the scanned files in
           its html-report file.
           After setting a registry key (provided by the manufacturer),
           this scanner is able to generate a text report file. All
           scanned files were included there. Scanner is still hanging
           at the end of the scan over the Macro-Virus "Zoo" Database.
           \\HKLM\Software\Data Fellows\F-Secure\Anti-Virus\AltReportEnable = 1
           Report file of packed macro viruses didn't contain all
           infected files for each listed archive.
     W-NT: Multiple problems:
           Scanner stopped on R (Macro Virus "ZOO" Database) after
           16049 files = R:\word97\ZMK\S\Doc1.Doc (last files in
           Database).
           Scanner is not telling that it has finished the scan.
           Scanner reports only the first part of the scanned files in
           its html-report.
           Next try on "R:\word" only: The following message appeared
           in the internal log file:
           "A crash of the module F-Secure Anti-Virus Handler was
           detected. Restart will be attempted later."
           The third attempt did work.
     W-2k: Problems: Generates only html-Report, open with IE + export
           as text required for processing

INO  DOS:  ---
     W-98: ---
     W-NT: ---
     W-2k: ---

NAV  DOS:  ---
     W-98: ---
     W-NT: ---
     W-2k: Warning: "may be incompatible with W2k"

NVC  DOS:  Crashes while scanning Macro-Pack
     W-98: ---
     W-NT: ---
     W-2k: ---

PAV  DOS:  Displays error "Error in link debus.c: Too many links"
           while loading & quitting
     W-98: ---
     W-NT: ---
     W-2k: ---

PER  DOS:  n/a
     W-98: ---
     W-NT: ---
     W-2k: Problems: Spanish Version, configuration guessed.
           Beeps on every virus

PRO  DOS:  n/a
     W-98: ---
     W-NT: ---
     W-2k: ---

QHL  DOS:  n/a
     W-98: Multiple problems:
           Scanner is only testable when copying the testbed to a
           local drive; this is incompatible with VTC's test condition
           (and test procedures). As the scanner tries to disinfect
           the files automatically, it skips all files for which it
           doesn't have write access.
           1st crash on r:\word\appder\g\normal.dot
           2nd crash on r:\word\atom\c\atom.dot
           3rd crash on r:\word\buero\a-de\buero-x.doc
           QH32 caused an invalid page fault in module QHSCAN.DLL
           at 015f:02ca9e93.
           Registers:
           EAX=00000000 CS=015f EIP=02ca9e93 EFLGS=00010206
           EBX=02cbe07c SS=0167 ESP=02c6fbfc EBP=02c6fc2c
           ECX=00000000 DS=0167 ESI=02cbe060 FS=30e7
           EDX=00000002 ES=0167 EDI=05d203e8 GS=0d56
           Bytes at CS:EIP:
           8b 71 04 85 f6 74 20 8b 7c 24 0c 2b d2 8b c7 c1
           Stack dump:
           05d203e8 02cbe060 02caba0e 000003d0 05d203e8 00000000
           00000001 02caa3c1 02cbe060 02c6fe28 02caa3da 00000000
           00000001 02c9f910 00000001 02c80000
     W-NT: Multiple problems:
           Scanner detects macro viruses only if it has write access
           to the files. Otherwise it skips them.
           Scanner is only testable when copying the testbed to a
           local drive; this is incompatible with VTC's test condition
           (and automatic test procedures). As the scanner tries to
           disinfect the files automatically, it skips all files for
           which it doesn't have write access.
           1st crash r:\word\Appder\G\Normal.dot
           2nd crash r:\word\atom\c\atom.dot
           3rd crash r:
           Qh32.exe, 3x access violation(0xc0000005),Adress 0x77003834
     W-2k: Problems: Displays warning on installation:
           "Could not locate MS-Word. If you install MS-Word later,
           load it and open QHFW.DOC file for macro virus protection."

RAV  DOS:  n/a
     W-98: ---
     W-NT: Problems: Didn't start on one computer (Tsunami)
           "Error while loading the engine (code=0x00008001)! and c:\ravav.exe"
     W-2k: ---

SCN  DOS:  ---
     W-98: ---
     W-NT: ---
     W-2k: ---

UKV  DOS:  Crashes constantly while scanning macro-zoo.
           Switch /diag (diagnostics of unknown viruses) causes system
           to crash (no test possible).
     W-98: n/a
     W-NT: Problems: cannot generate a logfile
     W-2k: Problems: Readme says only for Win95, does not start
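

Added example (not part of the original VTC report or its AWK evaluation scripts): the coverage check described in section 1, written in Python. It joins the logs of several partial scanner runs, compares them with a known testbed manifest to find directories that were never touched, and flags a summary counter that has restarted after 65,536. All paths, counts and function names are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

WRAP = 65536  # assumption: counters restart at 0 after 65,536, as noted in section 1

# Constructed sample data (not from the VTC testbeds or any scanner log).
MANIFEST = [
    r"T:\vbs\A\Sample\a\vbs_000_.vbs",
    r"T:\vbs\A\Sample\a\vbs_001_.vbs",
    r"T:\vbs\B\Other\a\vbs_000_.vbs",
    r"T:\irc\C\Third\a\irc_000_.ini",
]
RUN_1 = [r"T:\vbs\A\Sample\a\vbs_000_.vbs"]   # first partial run
RUN_2 = [r"t:\irc\c\third\a\irc_000_.ini"]    # second run, logged in lower case


def directory_of(path):
    """Parent directory of a Windows-style path, lower-cased for comparison."""
    return str(PureWindowsPath(path).parent).lower()


def reconcile(manifest, runs):
    """Join several partial scan runs and compare them with the known testbed.

    Returns (missing_files, untouched_dirs, partial_dirs), all lower-cased.
    """
    expected = defaultdict(set)
    for path in manifest:
        expected[directory_of(path)].add(path.lower())
    seen = {path.lower() for run in runs for path in run}
    missing = sorted(f for files in expected.values() for f in files - seen)
    untouched = sorted(d for d, files in expected.items() if not files & seen)
    partial = sorted(d for d, files in expected.items()
                     if files & seen and files - seen)
    return missing, untouched, partial


def counter_wrapped(reported, logged):
    """True if a summary counter equals the logged count modulo 65,536."""
    return reported != logged and reported == logged % WRAP


if __name__ == "__main__":
    missing, untouched, partial = reconcile(MANIFEST, [RUN_1, RUN_2])
    print("files to rescan:", missing)
    print("directories never touched:", untouched)
    print("directories partly scanned:", partial)
    print("counter wrapped:", counter_wrapped(4464, 70000))
```

Directories reported as untouched or partly scanned are the ones to feed into the next run; the scan is complete when all three lists are empty.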