==========================================
File 7EVAL-W32.txt
------------------------------------------
Comparison of File, Macro and Script Virus and Malware detection
under W32 platforms (Windows 98, Windows NT, Windows 2000)
==========================================

Formatted with non-proportional font (Courier)

Content of this file:
**********************************************************************
Eval W32:    Comparison of detection behaviour for W32 platforms
**********************************************************************
Eval W32.01: Background of this evaluation
Eval W32.02: Test Hypothesis
Eval W32.03: Results of comparison
Eval W32.SUM Grading AV products concerning W32-harmonical behaviour
**********************************************************************

This part of the VTC "2001-10" test report evaluates the detailed
results as given in section (file):
   6MCMP32.TXT   Comparison of detection rates for W32 platforms

W32.01 Background of this evaluation:
-------------------------------------
With the fast deployment of new versions of Microsoft Windows-32 (in the
past 5 years from W-NT to W-95, W-98, W-2000 and soon W-XP), both
customers needing protection and producers of security-enhancing
software (esp. AntiVirus and AntiMalware) can only cope with the pace
when they essentially re-use engines prepared for previous W32 platforms
and simply "adapt" them to the intrinsics of the new platforms.
Otherwise, "rewriting" the respective software would consume too much
time and effort, and customers would receive "adapted" products only
with some delay.
AV/AM testers cannot determine the characteristics of the algorithms in
scanning engines, either for legal reasons (most Copyright laws prohibit
reverse-engineering of proprietary code, except for specific purposes
such as collecting evidence for a court case or teaching related
techniques, as in the Hamburg university IT Security curriculum), or
because of the sheer complexity of the related code (and in many cases,
because of insufficient professional knowledge of testers). It is
therefore worthwhile to analyse whether those AV/AM products of which
versions are available for all W32 platforms behave EQUALLY concerning
detection and identification of viral and malicious code.

W32.02 Test Hypothesis:
-----------------------
We assume that those products which participate for all W32 platforms
(WNT, W98 and W2k) in ALL categories shall yield IDENTICAL results.
We call product behaviour following this hypothesis "W32-harmonical".

W32.03 Results of comparison:
-----------------------------
The "Test Hypothesis" is in practice VALID for a large majority of W32
scanners, as the following comparison shows:

Equal detection of zoo macro viruses:           16 (of 18) products
                of zoo macro viral objects:     16 (of 18) products
                of ITW macro viruses:       ALL 18 (of 18) products
                of ITW macro viral objects: ALL 18 (of 18) products
                of ITW macro malware:           15 (of 18) products

In this category, the following 13 products yield IDENTICAL results
in all referenced categories:
   AVG,AVK,AVP,AVX,CMD,FPR,FPW,FSE,INO,NVC,PAV,RAD/RAV,SCN

Equal detection of zoo script viruses:          12 (of 18) products
                of zoo script viral objects:    10 (of 18) products
                of ITW script viruses:          17 (of 18) products
                of ITW script viral objects:    15 (of 18) products
                of ITW script malware:          17 (of 18) products

In this category, the following 10 products yield IDENTICAL results
in all referenced categories:
   AVG,AVK,AVP,AVX,DRW,FPW,NAV,NVC,SCN,VSP

*******************************************************************************
Findings W32.1: Almost ALL W-32 scanners perform equally on
     W-98/W-NT/W-2k in ALL categories and can be called
     "W32-harmonical".
     ALL products are W32-harmonical in the detection of In-The-Wild
     macro viruses, but detection of ITW script viruses is slightly
     less developed. When looking at specific categories only,
     W32-harmonical behaviour is better developed for macro than for
     script virus detection.
********************************************************************************

For ALL categories, the following *7* W32 scanners (of 17) yield
identical results on ALL platforms:
   AVG,AVK,AVP,AVX,FPW,NVC,SCN

The following *14* W32 scanners yield identical results for all
macro (zoo,ITW) viruses:
   AVG,AVK,AVP,AVX,CMD,DRW,FPR,FPW,FSE,INO,NVC,PAV,RAD/RAV,SCN

The following *16* W32 scanners yield identical results for all
macro malware:
   AVA,AVG,AVK,AVP,AVX,CMD,DRW,FPR,FPW,FSE,INO,NAV,NVC,PAV,RAD/RAV,SCN

The following *9* products yield identical results for all
script (zoo,ITW) viruses:
   AVG,AVK,AVX,DRW,FPW,NAV,NVC,SCN,VSP

The following *16* W32 scanners yield identical results for all
script malware:
   ANT,AVG,AVK,AVX,CMD,DRW,FPR,FPW,FSE,INO,NAV,NVC,PAV,RAD/RAV,SCN,VSP
********************************************************************************

W32.SUM: Grading AV products concerning W32-harmonical behaviour:
-----------------------------------------------------------------
The following grid is used to grade W32 products concerning their
ability for IDENTICAL detection for ALL categories on ALL W32 platforms:

  A "perfect" W32-harmonical AV product will yield IDENTICAL results
  for all categories (macro and script viruses).
  (Assigned value: 5)

  A "perfect" W32-harmonical AM product will be a perfect AV product
  and yield IDENTICAL results for all categories (macro and script
  malware).
  (Assigned value: 2)
Grading W32-harmonical AntiVirus products:
===========================================================
Grade: "Perfect" W32-harmonical detection:
       AVG,AVK,AVX,DRW,FPW,NVC,SCN
===========================================================

Grading W32-harmonical AntiMalware products:
===========================================================
Grade: "Perfect" W32-harmonical detection:
       AVG,AVK,AVX,CMD,DRW,FPR,FPW,FSE,INO,NAV,NVC,PAV,RAD/RAV,SCN
===========================================================

************************************************************
"Perfect" W32-harmonical AntiVirus products:
   1st place: AVG,AVK,AVX,DRW,FPW,NVC,SCN                (5 points)
************************************************************
"Perfect" W32-harmonical AntiMalware products:
   1st place: AVG,AVK,AVX,DRW,FPW,NVC,SCN                (7 points)
************************************************************
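As an added example (not code from the VTC report), the W32-harmonical check and the 5/2-point grading grid applied to constructed detection figures. The product names, platforms layout and rates are made up for illustration and are not the report's measured data.

```python
# Added example, not part of the VTC report: checks the "W32-harmonical"
# hypothesis (identical figures on every W32 platform) and applies the
# report's grading grid (5 points for AV, 2 more for AM). Product names
# and detection rates below are constructed for illustration only.
PLATFORMS = ("W98", "WNT", "W2k")
VIRUS_CATEGORIES = ("zoo_macro", "itw_macro", "zoo_script", "itw_script")
MALWARE_CATEGORIES = ("macro_malware", "script_malware")

# Constructed baseline detection rates (%) per category.
BASE = {"zoo_macro": 99.8, "itw_macro": 100.0, "zoo_script": 97.1,
        "itw_script": 100.0, "macro_malware": 98.2, "script_malware": 95.0}

# Constructed results: product -> platform -> category -> detection rate (%)
SAMPLE = {
    "PRODUCT-A": {p: dict(BASE) for p in PLATFORMS},       # identical everywhere
    "PRODUCT-B": {p: dict(BASE) for p in PLATFORMS},       # AV identical, AM not
    "PRODUCT-C": {p: dict(BASE) for p in PLATFORMS},       # zoo script differs on WNT
    "PRODUCT-D": {p: dict(BASE) for p in ("W98", "WNT")},  # no W2k version tested
}
SAMPLE["PRODUCT-B"]["W2k"]["script_malware"] = 93.3
SAMPLE["PRODUCT-C"]["WNT"]["zoo_script"] = 96.4


def harmonical(results, product, category):
    """True if the product reports the same figure for this category on
    every W32 platform. A product lacking a version on some platform did
    not participate for all platforms and therefore cannot qualify."""
    per_platform = results[product]
    if any(p not in per_platform for p in PLATFORMS):
        return False
    return len({per_platform[p][category] for p in PLATFORMS}) == 1


def harmonical_products(results, category):
    """Products whose figures agree on all platforms for one category
    (the report's 'N (of M) products' lines)."""
    return sorted(p for p in results if harmonical(results, p, category))


def grade(results, product):
    """Grading grid: 5 points only if ALL virus categories are identical;
    the 2 AM points presuppose the AV grade and need ALL malware
    categories identical as well, giving 7 for a perfect AM product."""
    if not all(harmonical(results, product, c) for c in VIRUS_CATEGORIES):
        return 0
    if not all(harmonical(results, product, c) for c in MALWARE_CATEGORIES):
        return 5
    return 7
```

Note that a product which is harmonical in most categories but differs by a single figure on one platform (PRODUCT-C) receives no points at all, which is exactly why the report separates the per-category counts from the "ALL categories" list.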