==============================================
File 6dDOS.TXT:
----------------------------------------------
Detailed results of Macro and Script Virus
related on-demand scanner tests under DOS:
==============================================
(Formatted with non-proportional font: Courier)

The following *14* products (versions) participated in this
part of VTC test "2001-09" (for details of related AV products:
see A2SCNLS.txt):
=================================================
ANT v(def): 6.8.0.56                sig: June 22,2001
AVA v(def): 7.70-53                 sig: June 25,2001
AVG v(def):                         sig: June ,2001
AVK v(def): 3.0 Build 133           sig: June 4,2001
AVP v(def): 3.0 build 135           sig: June 22,2001
CMD v(def): 4.61.5                  sig: June 25,2001
DRW v(def): 4.25                    sig: June 20,2001
FPR v(def): 3.09d                   sig: June 25,2001
MR2 v(def): 1.17                    sig: June ,2001
NAV v(def):                         sig: June 22,2001
PAV v(def): 3.0 Build 131           sig: June 8,2001
RAV v(def): 8.1.001                 sig: June 25,2001
SCN v(def): 4.14.0 scan eng:4.1.40  sig: June 20,2001
VSP v(def): 12.22.1                 sig: June ,2001
=================================================

The following tables summarize detection and identification
quality concerning MACRO and SCRIPT viruses as well as selected
MACRO and SCRIPT MALWARE, both in full "zoo" virus collection
and for viral In-The-Wild testbeds, under DOS. Moreover, results
for detection of viruses in objects compressed with 6 popular
packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen
from available CD-ROMs and which were definitively clean of
viruses.

For discussion of results, see 7EVALDOS.txt.

As usual, results may be influenced by problems experienced
during tests; such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
DOS.M1:  "MacroVirus 1": Results of "full" Zoo test
         for macro viruses
DOS.M2:  "MacroVirus 2": Results of "In-The-Wild" test
         for macro viruses
DOS.M3V: "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW macro viruses packed
         with PKZIP, LHA, ARJ, RAR, WinRAR and CAB
DOS.M3F: "Comparison of Detection Rate of Packed Viral Objects":
         Results of Detection Rate of infected ITW macro objects
         packed with PKZIP, LHA, ARJ, RAR, WinRAR and CAB
DOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with PKZIP
DOS.M3b: "LHA-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with LHA
DOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with ARJ
DOS.M3d: "RAR-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with WINRAR
DOS.M3e: "WINRAR-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with RAR
DOS.M3f: "CAB-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with CAB
DOS.M4:  "False Positive" macro virus detection: Results of
         "full" Zoo test for non-viral (clean) macro objects
         detected as "false positives"
DOS.M5:  "Macro-Malware": Results of "full" Zoo test for
         Macro-related (non-viral) malware
DOS.S1:  "ScriptVirus 1": Results of partial Zoo test
         for script viruses (esp. VBS and MIRC)
DOS.S2:  "ScriptVirus 2": Results of "In-The-Wild" test
         for script viruses
DOS.S5:  "Script-Malware": Results of "full" Zoo test for
         Script-related (non-viral) malware


Table DOS.M1: "MacroVirus 1": Results of "full" Zoo Test
              for macro viruses:
====================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed  6762 100.0%                            21677 100.0%
-----------------------------------------------------------
ANT      6557  97.0    185   2.7     56   0.8   20787  95.9
AVA      6292  93.0     56   0.8     66   1.0   20136  92.9
AVG      6651  98.4     47   0.7     13   0.2   21387  98.7
AVK      6762 100.0    116   1.7      1   0.~   21674 100.~
AVP      6762 100.0    118   1.7      1   0.~   21674 100.~
CMD      6760 100.~     93   1.4      1   0.~   21672 100.~
DRW      6725  99.5     81   1.2     14   0.2   21574  99.5
FPR      6760 100.~     29   0.4      1   0.~   21672 100.~
MR2      2758  40.8    198   2.9     76   1.1    8043  37.1
NAV      6731  99.5    111   1.6     16   0.2   21520  99.3
PAV      6762 100.0    116   1.7      1   0.~   21674 100.~
RAV      6726  99.5    346   5.1     16   0.2   21546  99.4
SCN      6762 100.0      1   0.~      0   0.0   21677 100.0
VSP         1   0.~      0   0.0      1   0.~       1   0.~
-----------------------------------------------------------
Remark: decimal ~ indicates that result is rounded:
        (100.~ up to 100.0%, 0.~ down to 0.0%).


Table DOS.M2: "MacroVirus 2": Results of "In-The-Wild" Test
              for macro viruses:
=======================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   143 100.0%                             1308 100.0%
-----------------------------------------------------------
ANT       142  99.3      7   4.9      2   1.4    1294  98.9
AVA       142  99.3      9   6.3      7   4.9    1291  98.7
AVG       143 100.0     12   8.4      0   0.0    1308 100.0
AVK       143 100.0      9   6.3      0   0.0    1308 100.0
AVP       143 100.0      9   6.3      0   0.0    1308 100.0
CMD       143 100.0      2   1.4      0   0.0    1308 100.0
DRW       143 100.0     10   7.0      0   0.0    1308 100.0
FPR       143 100.0      2   1.4      0   0.0    1308 100.0
MR2        13   9.1      1   0.7      5   3.5     378  28.9
NAV       143 100.0      8   5.6      0   0.0    1308 100.0
PAV       143 100.0      9   6.3      0   0.0    1308 100.0
RAV       143 100.0     26  18.2      5   3.5    1302  99.5
SCN       143 100.0      0   0.0      0   0.0    1308 100.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table DOS.M3V: "Comparison of Detection Rate of Packed Viruses":
               Results of Detection Rate of ITW macro viruses
               packed with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
================================================================
This includes Viruses detected per packer
------------------------------------------------------------------------------
         ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
------------------------------------------------------------------------------
Testbed  143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
------------------------------------------------------------------------------
ANT      142  99.3     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
AVA        0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
AVG      143 100.0     0   0.0   143 100.0   143 100.0   143 100.0     0   0.0
AVK      143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
AVP      143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
CMD      143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
DRW      143 100.0     0   0.0   143 100.0   143 100.0   143 100.0     0   0.0
FPR      143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
MR2        0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
NAV      143 100.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
PAV      143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
RAV      143 100.0     0   0.0   143 100.0   143 100.0   143 100.0   143 100.0
SCN      143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
VSP        0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
------------------------------------------------------------------------------


Table DOS.M3F: "Comparison of Detection Rate of Packed Viral Objects":
               Results of Detection Rate of objects infected with
               ITW file viruses and with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
========================================================================
This includes Viral objects detected per packer
-------------------------------------------------------------------------------
         ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
-------------------------------------------------------------------------------
Testbed 1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
-------------------------------------------------------------------------------
ANT      142  10.9     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
AVA        0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
AVG     1308 100.0     0   0.0  1308 100.0  1308 100.0  1308 100.0     0   0.0
AVK     1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
AVP     1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
CMD     1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
DRW     1308 100.0     0   0.0  1308 100.0  1308 100.0  1308 100.0     0   0.0
FPR     1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
MR2        0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
NAV     1308 100.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
PAV     1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
RAV     1302  99.5     0   0.0  1302  99.5  1298  99.2  1208  92.4  1302  99.5
SCN     1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
VSP        0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
-------------------------------------------------------------------------------


Table DOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with PKZIP:
==================================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   143 100.0%                             1308 100.0%
-----------------------------------------------------------
ANT       142  99.3      0   0.0    142  99.3     142  10.9
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG       143 100.0     12   8.4      0   0.0    1308 100.0
AVK       143 100.0      9   6.3      0   0.0    1308 100.0
AVP       143 100.0      9   6.3      0   0.0    1308 100.0
CMD       143 100.0      2   1.4      0   0.0    1308 100.0
DRW       143 100.0     10   7.0      0   0.0    1308 100.0
FPR       143 100.0      2   1.4      0   0.0    1308 100.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV       143 100.0      8   5.6      0   0.0    1308 100.0
PAV       143 100.0      9   6.3      0   0.0    1308 100.0
RAV       143 100.0     26  18.2      5   3.5    1302  99.5
SCN       143 100.0      7   4.9      0   0.0    1308 100.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table DOS.M3b: "LHA-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with LHA:
================================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   143 100.0%                             1308 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK       143 100.0      9   6.3      0   0.0    1308 100.0
AVP       143 100.0      9   6.3      0   0.0    1308 100.0
CMD       143 100.0      2   1.4      0   0.0    1308 100.0
DRW         0   0.0      0   0.0      0   0.0       0   0.0
FPR       143 100.0      2   1.4      0   0.0    1308 100.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
PAV       143 100.0      9   6.3      0   0.0    1308 100.0
RAV         0   0.0      0   0.0      0   0.0       0   0.0
SCN       143 100.0      7   4.9      0   0.0    1308 100.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table DOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with ARJ:
================================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   143 100.0%                             1308 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG       143 100.0     12   8.4      0   0.0    1308 100.0
AVK       143 100.0      9   6.3      0   0.0    1308 100.0
AVP       143 100.0      9   6.3      0   0.0    1308 100.0
CMD       143 100.0      2   1.4      0   0.0    1308 100.0
DRW       143 100.0     10   7.0      0   0.0    1308 100.0
FPR       143 100.0      2   1.4      0   0.0    1308 100.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
PAV       143 100.0      9   6.3      0   0.0    1308 100.0
RAV       143 100.0     26  18.2      5   3.5    1302  99.5
SCN       143 100.0      7   4.9      0   0.0    1308 100.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table DOS.M3d: "RAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with RAR:
================================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   143 100.0%                             1308 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG       143 100.0     12   8.4      0   0.0    1308 100.0
AVK       143 100.0      9   6.3      0   0.0    1308 100.0
AVP       143 100.0      9   6.3      0   0.0    1308 100.0
CMD       143 100.0      2   1.4      0   0.0    1308 100.0
DRW       143 100.0     10   7.0      0   0.0    1308 100.0
FPR       143 100.0      2   1.4      0   0.0    1308 100.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
PAV       143 100.0      9   6.3      0   0.0    1308 100.0
RAV       143 100.0     25  17.5      9   6.3    1298  99.2
SCN       143 100.0      7   4.9      0   0.0    1308 100.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table DOS.M3e: "WINRAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with WINRAR:
===================================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   143 100.0%                             1308 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG       143 100.0     12   8.4      0   0.0    1308 100.0
AVK       143 100.0      9   6.3      0   0.0    1308 100.0
AVP       143 100.0      9   6.3      0   0.0    1308 100.0
CMD       143 100.0      2   1.4      0   0.0    1308 100.0
DRW       143 100.0     10   7.0      0   0.0    1308 100.0
FPR       143 100.0      2   1.4      0   0.0    1308 100.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
PAV       143 100.0      9   6.3      0   0.0    1308 100.0
RAV       143 100.0     25  17.5      7   4.9    1208  92.4
SCN       143 100.0      7   4.9      0   0.0    1308 100.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table DOS.M3f: "CAB-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with CAB:
================================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   143 100.0%                             1308 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK       143 100.0     10   7.0      0   0.0    1308 100.0
AVP       143 100.0      9   6.3      0   0.0    1308 100.0
CMD       143 100.0      2   1.4      0   0.0    1308 100.0
DRW         0   0.0      0   0.0      0   0.0       0   0.0
FPR       143 100.0      2   1.4      0   0.0    1308 100.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
PAV       143 100.0      9   6.3      0   0.0    1308 100.0
RAV       143 100.0     26  18.2      5   3.5    1302  99.5
SCN       143 100.0      7   4.9      0   0.0    1308 100.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table DOS.M4: "False Positive" macro virus detection: Results of
              "full" Zoo test for non-viral (clean) macro objects
              detected as "false positives":
==============================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    26 100.0%                              329 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK         0   0.0      0   0.0      0   0.0       0   0.0
AVP         2   7.7      0   0.0      2   7.7       4   1.2
CMD         1   3.8      0   0.0      1   3.8       2   0.6
DRW        10  38.5      0   0.0     10  38.5      29   8.8
FPR         1   3.8      0   0.0      1   3.8       2   0.6
MR2        13  50.0      0   0.0     13  50.0      20   6.1
NAV         5  19.2      0   0.0      5  19.2       5   1.5
PAV         0   0.0      0   0.0      0   0.0       0   0.0
RAV         2   7.7      0   0.0      2   7.7       2   0.6
SCN         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------
Remark: within 26 non-viral directories and totally 329
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table DOS.M5: "Macro-Malware": Results of "full" Zoo Test
              for Macro-related malware:
=====================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   426 100.0%                              683 100.0%
-----------------------------------------------------------
ANT       341  80.0      7   1.6      9   2.1     553  81.0
AVA       324  76.1      3   0.7      7   1.6     522  76.4
AVG       352  82.6      1   0.2      5   1.2     584  85.5
AVK       425  99.8      0   0.0      0   0.0     682  99.9
AVP       426 100.0      0   0.0      0   0.0     683 100.0
CMD       424  99.5      6   1.4      0   0.0     676  99.0
DRW       387  90.8      1   0.2      7   1.6     622  91.1
FPR       424  99.5      2   0.5      0   0.0     676  99.0
MR2       135  31.7      5   1.2      2   0.5     208  30.5
NAV       368  86.4      4   0.9      7   1.6     596  87.3
PAV       425  99.8      1   0.2      0   0.0     682  99.9
RAV       416  97.7     28   6.6      4   0.9     663  97.1
SCN       426 100.0      0   0.0      0   0.0     683 100.0
VSP         1   0.2      0   0.0      0   0.0       1   0.1
-----------------------------------------------------------


Table DOS.S1: "ScriptVirus 1": Results of "full" Zoo test
              for script viruses:
======================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed   588 100.0%                             1079 100.0%
-----------------------------------------------------------
ANT       481  81.8     41   7.0     34   5.8     837  77.6
AVA       198  33.7      8   1.4     29   4.9     444  41.1
AVG       370  62.9     21   3.6     32   5.4     727  67.4
AVK       588 100.0     48   8.2      0   0.0    1079 100.0
AVP       588 100.0     48   8.2      0   0.0    1079 100.0
CMD       552  93.9     21   3.6     16   2.7     987  91.5
DRW       561  95.4     32   5.4     12   2.0     992  91.9
FPR       556  94.6     22   3.7     17   2.9     991  91.8
MR2       490  83.3     54   9.2     44   7.5     829  76.8
NAV       554  94.2     38   6.5     23   3.9     986  91.4
PAV       588 100.0     48   8.2      0   0.0    1079 100.0
RAV       485  82.5     32   5.4     36   6.1     805  74.6
SCN       587  99.8      1   0.2      1   0.2    1077  99.8
VSP       494  84.0     54   9.2     44   7.5     835  77.4
-----------------------------------------------------------


Table DOS.S2: "ScriptVirus 2": Results of "In-The-Wild" Test
              for Script viruses:
=======================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
----------------------------------------------------------
Testbed    19 100.0                               110 100.0
----------------------------------------------------------
ANT        19 100.0      7  36.8      2  10.5     109  99.1
AVA        18  94.7      4  21.1      4  21.1     100  90.9
AVG        19 100.0      2  10.5      5  26.3     107  97.3
AVK        19 100.0      2  10.5      0   0.0     110 100.0
AVP        19 100.0      2  10.5      0   0.0     110 100.0
CMD        19 100.0      3  15.8      1   5.3     109  99.1
DRW        19 100.0      2  10.5      0   0.0     110 100.0
FPR        19 100.0      3  15.8      1   5.3     109  99.1
MR2        17  89.5      2  10.5      8  42.1      86  78.2
NAV        19 100.0      7  36.8      0   0.0     110 100.0
PAV        19 100.0      2  10.5      0   0.0     110 100.0
RAV        18  94.7      2  10.5      5  26.3     109  99.1
SCN        19 100.0      0   0.0      0   0.0     110 100.0
VSP        17  89.5      3  15.8      7  36.8      87  79.1
----------------------------------------------------------


Table DOS.S5: "Script-Malware": Results of "full" Zoo Test
              for Script-related malware:
=====================================================
This includes Viruses  ---- unreliably ----           Files
Scanner    detected   identified     detected      detected
-----------------------------------------------------------
Testbed    22 100.0%                               30 100.0%
-----------------------------------------------------------
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVA         0   0.0      0   0.0      0   0.0       0   0.0
AVG         5  22.7      0   0.0      1   4.5       5  16.7
AVK        22 100.0      1   4.5      0   0.0      30 100.0
AVP        22 100.0      1   4.5      0   0.0      30 100.0
CMD        14  63.6      0   0.0      0   0.0      16  53.3
DRW         8  36.4      0   0.0      0   0.0       9  30.0
FPR        14  63.6      0   0.0      0   0.0      16  53.3
MR2         5  22.7      1   4.5      0   0.0       6  20.0
NAV         8  36.4      0   0.0      0   0.0      11  36.7
PAV        22 100.0      1   4.5      0   0.0      30 100.0
RAV        18  81.8      0   0.0      0   0.0      25  83.3
SCN        22 100.0      0   0.0      0   0.0      30 100.0
VSP         5  22.7      1   4.5      0   0.0       6  20.0
-----------------------------------------------------------