===================================================
File 6xLin.TXT:
---------------------------------------------------
Detailed results of Macro and Script Virus related
on-demand scanner tests under Linux (SuSe edition):
===================================================
(Formatted with non-proportional font: Courier; 72 columns)

The following *9* products (versions) participated in this part of
VTC test "2001-09" (for details of related AV products: see
A2SCNLS.txt):

   =================================================
   ANT  v(def): 6.8.0.56                       sig: June 22,2001
   AVK  v(def): 3.0 beta 1.1                   sig: June 16,2001
   AVP  v(def): 3.0 build 136                  sig: June 27,2001
   CMD  v(def): 4.61.5                         sig: June 25,2001
   DRW  v(def): 4.25                           sig: June 20,2001
   FSE  v(def): 4.11 build 3190                sig: June 20,2001
   MCV  v(def): unknown                        sig: unknown
   RAV  v(def): 8.0.005, scan eng:8.3          sig: June 25,2001
   SCN  v(def): 4.14.0 (4144) scan eng:4.1.40  sig: June 20,2001
   =================================================

The following tables summarize detection and identification quality
concerning MACRO and SCRIPT viruses as well as selected MACRO and
SCRIPT MALWARE, both in full "zoo" virus collection and for viral
In-The-Wild testbeds, under LINUX (SuSe). Moreover, results for
detection of viruses in objects compressed with 6 popular packing
methods are also given. Finally, a special test was performed
concerning "false positive" virus detection of selected files which
were deliberately chosen from available CD-ROMs and which were
definitively clean of viruses.

For discussion of results, see 7EVALLIN.txt. As usual, results may be
influenced by problems experienced during tests; such problems are
documented in 8PROBLMS.TXT.

Index of tables:
----------------
LIN.M1:   "MacroVirus 1": Results of "full" Zoo test for macro
          viruses
LIN.M2:   "MacroVirus 2": Results of "In-The-Wild" test for macro
          viruses
LIN.M3V:  "Comparison of Detection Rate of Packed Viruses":
          Results of Detection Rate of ITW macro viruses packed
          with PKZIP, LHA, ARJ, RAR, WinRAR and CAB
LIN.M3F:  "Comparison of Detection Rate of Packed Viral Objects":
          Results of Detection Rate of infected ITW macro objects
          packed with PKZIP, LHA, ARJ, RAR, WinRAR and CAB
LIN.M3a:  "PKZIP-Packed Macro Viruses": Results of Detection of
          ITW macro Viruses Packed with PKZIP
LIN.M3b:  "LHA-Packed Macro Viruses": Results of Detection of
          ITW macro Viruses Packed with LHA
LIN.M3c:  "ARJ-Packed Macro Viruses": Results of Detection of
          ITW macro Viruses Packed with ARJ
LIN.M3d:  "RAR-Packed Macro Viruses": Results of Detection of
          ITW macro Viruses Packed with WINRAR
LIN.M3e:  "WINRAR-Packed Macro Viruses": Results of Detection of
          ITW macro Viruses Packed with RAR
LIN.M3f:  "CAB-Packed Macro Viruses": Results of Detection of
          ITW macro Viruses Packed with CAB
LIN.M4:   "False Positive" macro virus detection: Results of
          "full" Zoo test for non-viral (clean) macro objects
          detected as "false positives"
LIN.M5:   "Macro-Malware": Results of "full" Zoo test for
          Macro-related (non-viral) malware
LIN.S1:   "ScriptVirus 1": Results of partial Zoo test for script
          viruses (esp. VBS and MIRC)
LIN.S2:   "ScriptVirus 2": Results of "In-The-Wild" test for
          script viruses
LIN.S5:   "Script-Malware": Results of "full" Zoo test for
          Script-related (non-viral) malware


Table LIN.M1:  "MacroVirus 1": Results of "full" Zoo test
               for macro viruses:
               ===============================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed   6762 100.0%                          21677 100.0%
-----------------------------------------------------------
ANT       6566  97.1   185   2.7    56   0.8   20811  96.0
AVK       6762 100.0   117   1.7     1   0.0   21674  100~
AVP       6762 100.0   118   1.7     1   0.0   21674  100~
CMD       6760  100~    93   1.4     1   0.0   21672  100~
DRW       6725  99.5    81   1.2    14   0.2   21574  99.5
FSE       6760  100~    29   0.4     1   0.0   21672  100~
MCV        612   9.1     0   0.0    32   0.5    1964   9.1
RAV       6726  99.5   348   5.1    15   0.2   21545  99.4
SCN       6762 100.0   132   2.0     0   0.0   21677 100.0%
-----------------------------------------------------------


Table LIN.M2:  "MacroVirus 2": Results of "In-The-Wild" test
               for macro viruses:
               =========================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    143 100.0%                           1308 100.0%
-----------------------------------------------------------
ANT        142  99.3     7   4.9     2   1.4    1294  98.9
AVK        143 100.0     9   6.3     0   0.0    1308 100.0
AVP        143 100.0     9   6.3     0   0.0    1308 100.0
CMD        143 100.0     4   2.8     0   0.0    1308 100.0
DRW        143 100.0    10   7.0     0   0.0    1308 100.0
FSE        143 100.0     7   4.9     0   0.0    1308 100.0
MCV        103  72.0     3   2.1     2   1.4    1028  78.6
RAV        143 100.0    26  18.2     5   3.5    1302  99.5
SCN        143 100.0     6   4.2     0   0.0    1308 100.0
-----------------------------------------------------------


Table LIN.M3V: "Comparison of Detection Rate of Packed Viruses":
               Results of Detection Rate of ITW macro viruses
               packed with PKZIP, LHA, ARJ, RAR, WinRAR and CAB:
               ================================================================
                          This includes
                          Viruses detected per packer
-------------------------------------------------------------------------------
          ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
-------------------------------------------------------------------------------
Testbed   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
-------------------------------------------------------------------------------
ANT       142  99.3     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
AVK       143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
AVP       143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
CMD       143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
DRW       143 100.0     0   0.0   143 100.0   143 100.0   143 100.0     0   0.0
FSE       143 100.0   143 100.0   143 100.0     0   0.0     0   0.0     0   0.0
MCV       103  72.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
RAV       143 100.0     0   0.0   143 100.0   143 100.0   143 100.0   143 100.0
SCN       143 100.0   143 100.0   143 100.0   143 100.0   143 100.0   143 100.0
-------------------------------------------------------------------------------


Table LIN.M3F: "Comparison of Detection Rate of Packed Viral Objects":
               Results of Detection Rate of objects infected with
               ITW file viruses and with PKZIP, LHA, ARJ, RAR,
               WinRAR, CAB
               =======================================================================
                          This includes
                          Viral objects detected per packer
-------------------------------------------------------------------------------
          ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
-------------------------------------------------------------------------------
Testbed  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
-------------------------------------------------------------------------------
ANT       142  10.9     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
AVK      1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
AVP      1307  99.9  1307  99.9  1307  99.9  1307  99.9  1307  99.9  1307  99.9
CMD      1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
DRW      1308 100.0     0   0.0  1308 100.0  1308 100.0  1308 100.0     0   0.0
FSE      1308 100.0  1308 100.0  1308 100.0     0   0.0     0   0.0     0   0.0
MCV      1028  78.6     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
RAV      1302  99.5     0   0.0  1302  99.5  1298  99.2  1208  92.4  1302  99.5
SCN      1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0  1308 100.0
-------------------------------------------------------------------------------


Table LIN.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with PKZIP:
               =================================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    143 100.0%                           1308 100.0%
-----------------------------------------------------------
ANT        142  99.3     0   0.0   142  99.3     142  10.9
AVK        143 100.0     9   6.3     0   0.0    1308 100.0
AVP        143 100.0     9   6.3     1   0.7    1307  99.9
CMD        143 100.0     2   1.4     0   0.0    1308 100.0
DRW        143 100.0    10   7.0     0   0.0    1308 100.0
FSE        143 100.0     7   4.9     0   0.0    1308 100.0
MCV        103  72.0     3   2.1     2   1.4    1028  78.6
RAV        143 100.0    26  18.2     5   3.5    1302  99.5
SCN        143 100.0     7   4.9     0   0.0    1308 100.0
-----------------------------------------------------------


Table LIN.M3b: "LHA-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with LHA:
               ===============================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    143 100.0%                           1308 100.0%
-----------------------------------------------------------
ANT          0   0.0     0   0.0     0   0.0       0   0.0
AVK        143 100.0     9   6.3     0   0.0    1308 100.0
AVP        143 100.0     9   6.3     1   0.7    1307  99.9
CMD        143 100.0     2   1.4     0   0.0    1308 100.0
DRW          0   0.0     0   0.0     0   0.0       0   0.0
FSE        143 100.0     7   4.9     0   0.0    1308 100.0
MCV          0   0.0     0   0.0     0   0.0       0   0.0
RAV          0   0.0     0   0.0     0   0.0       0   0.0
SCN        143 100.0     7   4.9     0   0.0    1308 100.0
-----------------------------------------------------------


Table LIN.M3c: "ARJ-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with ARJ:
               ===============================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    143 100.0%                           1308 100.0%
-----------------------------------------------------------
ANT          0   0.0     0   0.0     0   0.0       0   0.0
AVK        143 100.0     9   6.3     0   0.0    1308 100.0
AVP        143 100.0     9   6.3     1   0.7    1307  99.9
CMD        143 100.0     2   1.4     0   0.0    1308 100.0
DRW        143 100.0    10   7.0     0   0.0    1308 100.0
FSE        143 100.0     7   4.9     0   0.0    1308 100.0
MCV          0   0.0     0   0.0     0   0.0       0   0.0
RAV        143 100.0    26  18.2     5   3.5    1302  99.5
SCN        143 100.0     7   4.9     0   0.0    1308 100.0
-----------------------------------------------------------


Table LIN.M3d: "RAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with RAR:
               ===============================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    143 100.0%                           1308 100.0%
-----------------------------------------------------------
ANT          0   0.0     0   0.0     0   0.0       0   0.0
AVK        143 100.0     9   6.3     0   0.0    1308 100.0
AVP        143 100.0     9   6.3     1   0.7    1307  99.9
CMD        143 100.0     2   1.4     0   0.0    1308 100.0
DRW        143 100.0    10   7.0     0   0.0    1308 100.0
FSE          0   0.0     0   0.0     0   0.0       0   0.0
MCV          0   0.0     0   0.0     0   0.0       0   0.0
RAV        143 100.0    25  17.5     9   6.3    1298  99.2
SCN        143 100.0     7   4.9     0   0.0    1308 100.0
-----------------------------------------------------------


Table LIN.M3e: "WinRAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with WinRAR:
               ==================================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    143 100.0%                           1308 100.0%
-----------------------------------------------------------
ANT          0   0.0     0   0.0     0   0.0       0   0.0
AVK        143 100.0     9   6.3     0   0.0    1308 100.0
AVP        143 100.0     9   6.3     1   0.7    1307  99.9
CMD        143 100.0     2   1.4     0   0.0    1308 100.0
DRW        143 100.0    10   7.0     0   0.0    1308 100.0
FSE          0   0.0     0   0.0     0   0.0       0   0.0
MCV          0   0.0     0   0.0     0   0.0       0   0.0
RAV        143 100.0    25  17.5     7   4.9    1208  92.4
SCN        143 100.0     7   4.9     0   0.0    1308 100.0
-----------------------------------------------------------


Table LIN.M3f: "CAB-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with CAB:
               ===============================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    143 100.0%                           1308 100.0%
-----------------------------------------------------------
ANT          0   0.0     0   0.0     0   0.0       0   0.0
AVK        143 100.0     9   6.3     0   0.0    1308 100.0
AVP        143 100.0     9   6.3     1   0.7    1307  99.9
CMD        143 100.0     2   1.4     0   0.0    1308 100.0
DRW          0   0.0     0   0.0     0   0.0       0   0.0
FSE          0   0.0     0   0.0     0   0.0       0   0.0
MCV          0   0.0     0   0.0     0   0.0       0   0.0
RAV        143 100.0    26  18.2     5   3.5    1302  99.5
SCN        143 100.0     7   4.9     0   0.0    1308 100.0
-----------------------------------------------------------


Table LIN.M4:  "False Positive" macro virus detection: Results of
               "full" zoo test for non-viral (clean) macro objects
               detected as "false positives":
               =============================================================
         False            This includes
         Virus         ---- unreliably ----     Files
Scanner  Alarm        identified   detected     detected
-----------------------------------------------------------
Maximum     26 100.0%                            329 100.0%
-----------------------------------------------------------
ANT          0   0.0     0   0.0     0   0.0       0   0.0
AVK          2   7.7     0   0.0     2   7.7       4   1.2
AVP          2   7.7     0   0.0     2   7.7       4   1.2
CMD          1   3.8     0   0.0     1   3.8       2   0.6
DRW         10  38.5     0   0.0    10  38.5      29   8.8
FSE          1   3.8     0   0.0     1   3.8       2   0.6
MCV          0   0.0     0   0.0     0   0.0       0   0.0
RAV          0   0.0     0   0.0     0   0.0       0   0.0
SCN          0   0.0     0   0.0     0   0.0       0   0.0
-----------------------------------------------------------
Remark: within 26 non-viral directories and totally 329 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table LIN.M5:  "Macro-Malware": Results of "full" test
               for Macro-related malware:
               ================================================
         Macro            This includes
         Malware       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    426 100.0%                            683 100.0%
-----------------------------------------------------------
ANT        379  89.0     9   2.1     9   2.1     607  88.9
AVK        425  99.8     0   0.0     0   0.0     682  99.9
AVP        426 100.0     0   0.0     0   0.0     683 100.0
CMD        426 100.0     5   1.2     0   0.0     683 100.0
DRW        387  90.8     1   0.2     7   1.6     622  91.1
FSE        424  99.5     2   0.5     0   0.0     676  99.0
MCV        284  66.7     0   0.0     1   0.2     434  63.5
RAV        416  97.7    28   6.6     4   0.9     663  97.1
SCN        426 100.0     4   0.9     0   0.0     683 100.0
-----------------------------------------------------------


Table LIN.S1:  "ScriptVirus 1": Results of "full" Zoo test
               for script viruses:
               =================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed    588 100.0%                           1079 100.0%
-----------------------------------------------------------
ANT        481  81.8    40   6.8    32   5.4     839  77.8
AVK        588 100.0    48   8.2     0   0.0    1079 100.0
AVP        588 100.0    48   8.2     0   0.0    1079 100.0
CMD        554  94.2    22   3.7    16   2.7     988  91.6
DRW        561  95.4    32   5.4    13   2.2     991  91.8
FSE        543  92.3    18   3.1    19   3.2     968  89.7
MCV        162  27.6     1   0.2    13   2.2     272  25.2
RAV        485  82.5    51   8.7    33   5.6     800  74.1
SCN        587  99.8    40   6.8     2   0.3    1076  99.7
-----------------------------------------------------------


Table LIN.S2:  "ScriptVirus 2": Results of "In-The-Wild" test
               for script viruses:
               =======================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed     19 100.0%                            110 100.0%
-----------------------------------------------------------
ANT         19 100.0     6  31.6     2  10.5     109  99.1
AVK         19 100.0     2  10.5     0   0.0     110 100.0
AVP         19 100.0     2  10.5     0   0.0     110 100.0
CMD         19 100.0     3  15.8     1   5.3     109  99.1
DRW         19 100.0     2  10.5     1   5.3     110 100.0
FSE         18  94.7     3  15.8     0   0.0     101  98.2
MCV          4  21.1     0   0.0     1   5.3      15  13.6
RAV         18  94.7     5  26.3     3  15.8     107  97.3
SCN         19 100.0     3  15.8     0   0.0     110 100.0
-----------------------------------------------------------


Table LIN.S5:  "Script-Malware": Results of "full" Zoo Test
               for Script-related malware:
               =====================================================
                          This includes
         Viruses       ---- unreliably ----     Files
Scanner  detected     identified   detected     detected
-----------------------------------------------------------
Testbed     22 100.0%                             30 100.0%
-----------------------------------------------------------
ANT          0   0.0     0   0.0     0   0.0       0   0.0
AVK         22 100.0     1   4.5     0   0.0      30 100.0
AVP         22 100.0     1   4.5     0   0.0      30 100.0
CMD         14  63.6     0   0.0     0   0.0      16  53.3
DRW          8  36.4     0   0.0     0   0.0       9  30.0
FSE         10  45.5     0   0.0     0   0.0      11  36.7
MCV          0   0.0     0   0.0     0   0.0       0   0.0
RAV         18  81.8     0   0.0     0   0.0      25  83.3
SCN         22 100.0     0   0.0     0   0.0      30 100.0
-----------------------------------------------------------