===================================
File 8PROBLMS.TXT:
-----------------------------------
List of problems experienced
during aVTC test "2003-04":
===================================
Formatted with non-proportional font (Courier)

Content of this file:
=====================
1. Introduction: General Problems
   for details: see Test "2002-12"
2. List of benevolently behaving AV products in test "2003-04"
3. Problems of AV products observed during test "2003-04"
   3.1 List of Postscans
   3.2 List of specific problems


1. Introduction: General Problems:
==================================

For automatic tests on large viral databases, and for automatic
processing of large scanner log files, a set of test conditions
is a prerequisite for scanners to participate in a VTC test
(see: 4TESTCON.TXT).

For a detailed analysis of test problems, see Test report "2002-12".


2. List of benevolently behaving AV products in test "2003-04":
===============================================================

In comparison with previous tests, esp. on platforms W-98 and W-2000,
we are glad to report that scanners under Windows XP were much more
stable: significantly fewer problems were observed, and a significantly
lower number of postscans was required.

W-XP products:
==============================================
Out of 10 WXP scanners, 4 had NO problems:
----------------------------------------------
BDF, DRW, FSE and SCN
==============================================


3. Problems of AV products observed during test "2003-04":
==========================================================

3.1 List of Postscans:
----------------------

In some cases, AV/AM products did not access and check all entries
in testbeds, possibly due to the "FF/FN anomaly" (as reported in
2002-12), or due to crashes or other product misbehaviour (see 3.2).
In such cases, up to 2 "postscans" were started, wherever possible
on the remainder of the related testbed.

The following list summarizes those products where at least 1 postscan
was initialised (2x implies that 2 postscans were needed):

   FILE:      CMD(2x),INO,NAV(2x),NVC
   FILE_ITW:  INO, NVC
   FILE_PAC:  CMD,NAV,NVC,RAV
   FILE_MAL:  INO(2x),NAV,NVC
   MACR:      INO,NAV
   MACR_ITW:  ---
   MACR_PAC:  AVP,NAV,RAV(2x)
   MACR_MAL:  INO,NAV
   SCRI:      CMD,INO,NAV
   SCRI_ITW:  INO
   SCRI_MAL:  INO,NAV


3.2 List of specific problems:
-----------------------------

General problems (as in Test "2002-12"):
----------------------------------------

The WinRAR archives for the "Macro packed" testbed require at least
RAR 2.00 to extract files, while the WinRAR archives in the "File
packed" testbed require at least RAR 2.90. Therefore most products
*failed* to detect the WinRAR archives in the "File packed" testbed,
although the WinRAR archives in the "Macro packed" testbed were
(at least partially) detected.

In comparison to previous tests (esp. including W2k tests in "2002-12"),
we are very glad to report that ALL products were MUCH MORE STABLE.

The following 8 products had NO SPECIFIC PROBLEMS (except postscans):

   AVP, BDF, CMD, DRW, FSE, RAV, NVC, SCN

The following list reports specific problems observed for products as
indicated ("spoon-feeding" means that the scanner was restarted on each
subsequent directory when a crash was experienced):

INO: This product only reports infected files, so we can't ensure
     that all files were really scanned.

NAV: This product only reports infected files, so we can't ensure
     that all files were really scanned.

     WXP: - crashed one time on the "file zoo" testbed on the file
            T:\DOS\MRONON\H\RETSMAH\645\A\COA_006.COM
          - some samples in the "Macro zoo" and the "File zoo" testbeds
            were reported as infected but could NOT be counted because
            instead of path and file name just random characters were
            written to the logfile.
          - In addition, the action is reported as "unknown" instead
            of "delete", "leave alone", etc.
            Example:
            "9/10/2002 11:38:14 AM,H,W97M.ANTISOCIAL.F,
            LEFT ALONE,EXCALIBUR,
            ADMINISTRATOR,H,INFECTED,H,
            UNKNOWN ACTION,LEAVE ALONE (LOG ONLY),MANUAL SCAN"

            "12/12/2002 6:27:24 PM,3),MTE.INSUF (2,LEFT ALONE,
            METEOR,
            ADMINISTRATOR,3),INFECTED,3),UNKNOWN ACTION,
            LEAVE ALONE (LOG ONLY),
            MANUAL SCAN"
          - For the "File packed" testbed, many samples were reported
            as infected but could NOT be counted because the filename
            was not reported properly. A total of 99 samples (only in
            ARJ archives) is not counted for the result.
            Example:
            "9/24/2002 2:48:08 PM,KSI...,W32.BLEBLA.WORM,FILE;
            COMPRESSED FILE,
            LEFT ALONE,EXCALIBUR,ADMINISTRATOR,
            V:\MALW\KSIR_CES\MRONON\W\23W\MM_ALBEL.B\ARJ.ARJ>>
            MALW\,INFECTED,
            V:\MALW\KSIR_CES\MRONON\W\23W\MM_ALBEL.B\ARJ.ARJ>>
            MALW\,
            LEAVE ALONE (LOG ONLY),LEAVE ALONE (LOG ONLY),MANUAL SCAN"
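
Added example (not part of the original aVTC report or its tooling): a
Python check that separates countable detections from the two kinds of
uncountable record shown above, garbled object names and archive members
without a file name. It assumes that the field just before "INFECTED"
names the scanned object and that archive members are written as
CONTAINER>>MEMBER; the third sample record and its names are constructed.

```python
import re

# Assumption (inferred from the NAV records quoted in this report, not from
# vendor documentation): the field just before "INFECTED" names the object.
PATH_RE = re.compile(r'^[A-Z]:\\(?:[^\\<>|"?*]+\\)*[^\\<>|"?*]+$', re.I)

def classify(record):
    """Return (status, detail) for one comma-separated log record."""
    fields = [f.strip() for f in record.split(",")]
    if "INFECTED" not in fields[1:]:
        return ("uncountable", "no INFECTED status field")
    obj = fields[fields.index("INFECTED", 1) - 1]
    container, sep, member = (p.strip() for p in obj.partition(">>"))
    if not PATH_RE.match(container):
        return ("uncountable", "object is not a path")
    if sep and (not member or member.endswith("\\")):
        return ("uncountable", "archive member has no file name")
    return ("countable", obj)

def unknown_action(record):
    """True when the action field reads UNKNOWN ACTION."""
    return "UNKNOWN ACTION" in [f.strip() for f in record.split(",")]

def summarize(records):
    """Count records per status so that lost detections become visible."""
    counts = {"countable": 0, "uncountable": 0}
    for rec in records:
        counts[classify(rec)[0]] += 1
    return counts

GOOD = r"T:\MACRO\DEMO\SAMPLE01.DOC"  # constructed path, not from the testbed
# Records 0 and 1 are quoted from the report; record 2 is constructed.
SAMPLES = [
    "9/10/2002 11:38:14 AM,H,W97M.ANTISOCIAL.F,LEFT ALONE,EXCALIBUR,"
    "ADMINISTRATOR,H,INFECTED,H,UNKNOWN ACTION,LEAVE ALONE (LOG ONLY),"
    "MANUAL SCAN",
    r"9/24/2002 2:48:08 PM,KSI...,W32.BLEBLA.WORM,FILE; COMPRESSED FILE,"
    r"LEFT ALONE,EXCALIBUR,ADMINISTRATOR,"
    r"V:\MALW\KSIR_CES\MRONON\W\23W\MM_ALBEL.B\ARJ.ARJ>> MALW\,INFECTED,"
    r"V:\MALW\KSIR_CES\MRONON\W\23W\MM_ALBEL.B\ARJ.ARJ>> MALW\,"
    r"LEAVE ALONE (LOG ONLY),LEAVE ALONE (LOG ONLY),MANUAL SCAN",
    "9/10/2002 11:40:02 AM," + GOOD + ",W97M.DEMO.A,LEFT ALONE,EXCALIBUR,"
    "ADMINISTRATOR," + GOOD + ",INFECTED," + GOOD + ",LEAVE ALONE (LOG ONLY),"
    "LEAVE ALONE (LOG ONLY),MANUAL SCAN",
]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(classify(rec), unknown_action(rec))
    print(summarize(SAMPLES))
```

Comparing the "uncountable" total against the number of samples in the
testbed shows how many detections a result table would lose to logging
defects rather than to missed detection.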