==========================================
File 7EVAL-W32.txt
------------------------------------------
Comparison of File, Macro and Script Virus and Malware detection
under W32 platforms (Windows 98 and Windows 2000)
==========================================

Formatted with non-proportional font (Courier)

Content of this file:
**********************************************************************
Eval W32:    Comparison of detection behaviour for W32 platforms
**********************************************************************
Eval W32.01: Background of this evaluation
Eval W32.02: Test Hypothesis
Eval W32.03: Results of comparison
Eval W32.SUM Grading AV products concerning W32-harmonical behaviour
**********************************************************************

This part of VTC "2002-12" test report evaluates the detailed results
as given in section (file):

   6MCMP32.TXT   Comparison of detection rates for W32 platforms


W32.01 Background of this evaluation:
-------------------------------------

With the fast deployment of new versions of Microsoft Windows-32 (in the
past 5 years from W-NT to W-95, W-98, W-2000 and W-XP), both customers
needing protection and producers of security-enhancing software (esp.
AntiVirus and AntiMalware) can only cope with the pace when they
essentially re-use engines prepared for previous W32 platforms and
simply "adapt" them to the intrinsics of the new platforms. Otherwise,
"rewriting" the resp. software would consume too much time and effort,
and customers would receive "adapted" products only with some delay.
AV/AM testers cannot determine the characteristics of the algorithms in
scanning engines, either for legal reasons (most Copyright laws prohibit
reverse-engineering of proprietary code, except for specific purposes
such as collecting evidence for a court case or teaching related
techniques, as in the Hamburg university IT Security curriculum), or
for the sheer complexity of the related code (and, in many cases, for
insufficient professional knowledge of testers).

It is therefore worthwhile to analyse whether those AV/AM products of
which versions are available for W32 platforms behave EQUALLY
concerning detection and identification of viral and malicious code.


W32.02 Test Hypothesis:
-----------------------

We assume that those products which participate for all W32 platforms
(W98 and W2k) for ALL categories shall yield IDENTICAL results.

We call product behaviour following this hypothesis "W32-harmonical".


W32.03 Results of comparison:
-----------------------------

Contrary to the last test, where the hypothesis was valid for the
majority of products for macro and script viruses and malware, we now
have to report that at best HALF of the products behave
"W32-harmonically":

                                          this test   last test
                                         -----------+-----------
Equal detection of zoo file viruses:       9 (of 18)     -----
          of zoo infected files:           7 (of 18)     -----
          of ITW file viruses:            17 (of 18)     -----
          of ITW infected macro files:    17 (of 18)     -----
          of zoo file malware:            13 (of 18)     -----

In this category, the following 7 products yield IDENTICAL results in
ALL referenced (5) categories and are regarded as "perfect":
          AVK,AVP,BDF,CMD,FPR,FPW,SCN

                                          this test   last test
                                         -----------+-----------
Equal detection of zoo macro viruses:     16 (of 18)  16 (of 18)
          of zoo infected macro objects:  16 (of 18)  16 (of 18)
          of ITW macro viruses:           ALL(of 18)  ALL(of 18)
          of ITW infected macro files:    ALL(of 18)  ALL(of 18)
          of zoo macro malware:           15 (of 18)  15 (of 18)

In this category, the following 14 products yield IDENTICAL results in
all referenced
categories and are regarded as "perfect":
          AVA,AVG,AVK,AVP,BDF,CMD,DRW,FPR,FPW,FSE,INO,PRO,SCN,VSP

                                          this test   last test
                                         -----------+-----------
Equal detection of zoo script viruses:    16 (of 18)  12 (of 18)
          of zoo script viral objects:    15 (of 18)  10 (of 18)
          of ITW script viruses:          ALL(of 18)  17 (of 18)
          of ITW script viral objects:    ALL(of 18)  15 (of 18)
          of ITW script malware:          16 (of 18)  17 (of 18)

In this category, the following 15 products yield IDENTICAL results in
all referenced categories and are regarded as "perfect":
          VA,AVG,AVK,AVP,CMD,DRW,FPR,FPW,INO,MR2,NVC,PRO,RAV,SCN,VSP

*******************************************************************************
Findings W32.1: Many (but NOT ALL) W-32 scanners perform equally on
                W-98/W-2k in ALL categories and can be called
                "W32-harmonical".

   Concerning detection of FILE viruses, a MINORITY of 7 (out of 18)
   products behave "W32-harmonically" in all categories:
          AVK,AVP,BDF,CMD,INO,FPW,SCN

   And concerning file malware detection, only 7 (of 18) products
   behave in W32-harmonical form:
          AVK,AVP,BDF,CMD,FPW,SCN

   Concerning detection of MACRO viruses, a MAJORITY of 14 (out of 18)
   products behave "W32-harmonically" in all categories:
          AVA,AVG,AVK,AVP,BDF,CMD,DRW,FPR,FPW,FSE,INO,PRO,SCN,VSP

   And concerning macro malware detection, 14 (of 18) products behave
   in W32-harmonical form:
          AVA,AVG,AVK,AVP,BDF,CMD,DRW,FPR,FPW,FSE,INO,PRO,SCN,VSP

   Concerning detection of SCRIPT viruses, a MAJORITY of 16 (out of 18)
   products behave "W32-harmonically" in all categories:
          AVA,AVG,AVK,AVP,CMD,DRW,FPR,FPW,INO,PRO,MR2,NVC,PRO,RAV,SCN,VSP

   And concerning script malware detection, 14 (of 18) products behave
   in W32-harmonical form:
          AVA,AVG,AVK,AVP,CMD,DRW,FPR,FPW,INO,MR2,NVC,PRO,RAV,SCN,VSP

   In comparison, W32-harmonical behaviour is significantly better
   developed for script and macro virus detection, whereas
   W32-harmonicity of file viruses/malware is least developed.
********************************************************************************
For ALL categories, the following *6* W32 scanners (of 18) yield
identical results on ALL platforms:
          AVK,AVP,CMD,FPR,FPW,SCN

The following *7* W32 scanners detect file viruses/malware in
W32-harmonical behaviour:
          AVK,AVP,BDF,CMD,FPR,FPW,SCN

The following *14* W32 scanners yield identical results for all macro
(zoo,ITW) viruses/malware:
          AVA,AVG,AVK,AVP,BDF,CMD,DRW,FPR,FPW,FSE,INO,PRO,SCN,VSP

The following *16* products yield identical results for all script
(zoo,ITW) viruses/malware:
          AVA,AVG,AVK,AVP,CMD,DRW,FPR,FPW,INO,MR2,NVC,PRO,RAV,SCN,VSP
********************************************************************************


W32.SUM: Grading AV products concerning W32-harmonical behaviour:
-----------------------------------------------------------------

The following grid is used to grade W32 products concerning their
ability for IDENTICAL detection for ALL categories on ALL W32 platforms:

   A "perfect" W32-harmonical AV product will yield IDENTICAL results
   for all categories (macro and script viruses).
                                                   (Assigned value: 5).

   A "perfect" W32-harmonical AM product will be a perfect AV product
   and yield IDENTICAL results for all categories (macro and script
   malware).
                                                   (Assigned value: 2).
Grading W32-harmonical AntiVirus products:
===========================================================
Grade:    "Perfect" W32-harmonical detection:
          AVK,AVP,BDF,CMD,INO,FPW,SCN
===========================================================

Grading W32-harmonical AntiMalware products:
===========================================================
Grade:    "Perfect" W32-harmonical detection:
          AVK,AVP,BDF,CMD,FPW,SCN
===========================================================

************************************************************
"Perfect" W32-harmonical AntiVirus products:
   1st place: AVK,AVP,BDF,CMD,INO,FPW,SCN       (5 points)
************************************************************
"Perfect" W32-harmonical AntiMalware products:
   1st place: AVK,AVP,BDF,CMD,FPW,SCN           (7 points)
************************************************************
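The comparison procedure of sections W32.02 and W32.03 (a product is "W32-harmonical" in a category when every W32 platform reports the same detection count, the per-category "n (of N)" tallies, the "perfect" lists) and the W32.SUM grading grid (5 points for a perfect AV product, 2 more for a perfect AM product) can be carried out mechanically. The script below is an added example and is not part of the VTC report or its tooling; the input layout, the category names and the products PROD-A to PROD-D with their counts are constructed assumptions, not VTC data.

```python
"""Added example (not VTC code): apply the W32-harmonical hypothesis and
the W32.SUM grading grid to per-platform detection counts.

Assumed input layout: results[product][platform][category] = number of
detected samples. Platforms and category names are assumptions chosen
to mirror the report's tables; they are not the report's own files.
"""
from collections import Counter

PLATFORMS = ("W98", "W2k")  # the two W32 platforms compared in the report

# Category groups as used by the grading grid: virus categories decide
# the AntiVirus grade, malware categories the AntiMalware grade.
VIRUS_CATEGORIES = ("zoo_file_virus", "itw_file_virus",
                    "zoo_macro_virus", "itw_macro_virus",
                    "zoo_script_virus", "itw_script_virus")
MALWARE_CATEGORIES = ("zoo_file_malware", "zoo_macro_malware",
                      "itw_script_malware")
ALL_CATEGORIES = VIRUS_CATEGORIES + MALWARE_CATEGORIES

AV_POINTS = 5  # "perfect" W32-harmonical AV product (W32.SUM)
AM_POINTS = 2  # additional points for a "perfect" AM product


def participates(product_results):
    """A product is compared only if it reports every category on every platform."""
    return all(platform in product_results
               and all(c in product_results[platform] for c in ALL_CATEGORIES)
               for platform in PLATFORMS)


def harmonical_categories(product_results):
    """Categories in which all platforms report exactly the same count."""
    per_platform = [product_results[p] for p in PLATFORMS]
    return {c for c in ALL_CATEGORIES
            if len({r[c] for r in per_platform}) == 1}


def grade(product_results):
    """W32.SUM grid: 5 points if identical in all virus categories,
    plus 2 if (being a perfect AV product) also identical in all malware
    categories. Non-harmonical products score 0."""
    harm = harmonical_categories(product_results)
    av_perfect = all(c in harm for c in VIRUS_CATEGORIES)
    am_perfect = av_perfect and all(c in harm for c in MALWARE_CATEGORIES)
    return (AV_POINTS if av_perfect else 0) + (AM_POINTS if am_perfect else 0)


def compare(results):
    """Report-style summary: per-category count of harmonical products
    and the "perfect" AV / AM lists, over participating products only."""
    participating = {n: r for n, r in results.items() if participates(r)}
    counts = Counter()
    perfect_av, perfect_am = [], []
    for name, r in sorted(participating.items()):
        counts.update(harmonical_categories(r))
        points = grade(r)
        if points >= AV_POINTS:
            perfect_av.append(name)
        if points == AV_POINTS + AM_POINTS:
            perfect_am.append(name)
    return {"n": len(participating),
            "per_category": {c: counts[c] for c in ALL_CATEGORIES},
            "perfect_av": perfect_av, "perfect_am": perfect_am}


def format_table(summary):
    """Render the "Equal detection of ...: n (of N)" table as text lines."""
    n = summary["n"]
    lines = []
    for cat, k in summary["per_category"].items():
        shown = "ALL" if k == n else str(k)
        lines.append(f"Equal detection of {cat:<20} {shown:>3} (of {n})")
    return lines


def _counts(**overrides):
    """Constructed sample: 100 detections everywhere unless overridden."""
    base = {c: 100 for c in ALL_CATEGORIES}
    base.update(overrides)
    return base


# Constructed sample results for hypothetical products (not report data).
SAMPLE_RESULTS = {
    "PROD-A": {"W98": _counts(), "W2k": _counts()},                    # identical everywhere
    "PROD-B": {"W98": _counts(), "W2k": _counts(zoo_file_malware=97)},  # malware differs
    "PROD-C": {"W98": _counts(zoo_file_virus=99), "W2k": _counts()},    # a virus category differs
    "PROD-D": {"W98": _counts()},                                       # no W2k version: not compared
}

if __name__ == "__main__":
    summary = compare(SAMPLE_RESULTS)
    print("\n".join(format_table(summary)))
    print("perfect AV:", ",".join(summary["perfect_av"]))
    print("perfect AM:", ",".join(summary["perfect_am"]))
    for name, r in SAMPLE_RESULTS.items():
        print(name, grade(r) if participates(r) else "not compared")
```

On the constructed sample, PROD-D is excluded because it has no W2k version, PROD-C fails the hypothesis in a virus category and scores 0, PROD-B is a perfect AV but not AM product (5 points), and PROD-A is perfect in both (7 points), matching the 5 / 7 point scheme of W32.SUM.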