========================================================
aVTC Test "2004-07" (File 6xLin.TXT):
--------------------------------------------------------
Detailed results of File, Macro and Script Virus related
on-demand scanner tests under Linux (SuSe edition):
========================================================
(Formatted with non-proportional font: Courier; 72 columns)

The following
===========
11 products
===========
participated in this part of VTC test "2004-07" (for details of
engines, signatures and AV companies: see A2SCNLS.txt):
===============================================================
ANT = Antivir v:2.0.6-22                     H+B EDV Datentechnik      Germany
AVP = Kaspersky Anti-Virus (KAV), v:4.0.3.0  Kaspersky Lab             Russia
CLA = CLAM AntiVirus v:0.54
CMD = Command Antivirus v:4.75.0             Command Software Systems  USA
DRW = Dr. Web v:4.29.7                       DialogueScience           Russia
FPR = F-PROT v:3.13                          Frisk Software            Iceland
FSE = F-SECURE v:4.50 build 2092             F-Secure Corporation      Finland
INO = eTrust AV v:23.59.00                   Computer Associates       USA
OAV = Open AntiVirus                         Open Antivirus Project
SCN = McAfee ViruScan v4.24.0                Network Associates        USA
SWP = Sophos AV v:3.67                       Sophos                    UK
===============================================================

The following tables summarize detection and identification quality
concerning FILE, MACRO and SCRIPT viruses as well as selected FILE,
MACRO and SCRIPT MALWARE, both in full "zoo" virus collection and for
viral In-The-Wild testbeds, under LINUX (SuSe).

Moreover, results for detection of viruses in objects compressed with
6 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen from
available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 7EVALLIN.txt.

As usual, results may be influenced by problems experienced during
tests; such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
  LIN.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
  LIN.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
  LIN.F3V: "Comparison of Detection Rate of Packed Viruses":
           Results of Detection Rate of ITW file viruses packed
           with PKZIP, LHA, ARJ, RAR 1.5, WinRAR 3.0 and CAB
  LIN.F3F: "Comparison of Detection Rate of Packed Viral Objects":
           Results of Detection Rate of infected ITW file objects
           packed with PKZIP, LHA, ARJ, RAR 1.5, WinRAR 3.0 and CAB
+ LIN.F3R: "Detection of Archives infected with Packed File
           In-The-Wild viruses" under Linux
+ LIN.F3L: "Detection Loss in Archives (=number of viruses NOT
           detected in Archives) for File In-The-Wild viruses packed
           with different archivers under Linux
  LIN.F3a: "PKZIP-Packed File Viruses": Results of Detection of ITW
           File Viruses Packed with PKZIP
  LIN.F3b: "LHA-Packed File Viruses": Results of Detection of ITW
           File Viruses Packed with LHA
  LIN.F3c: "ARJ-Packed File Viruses": Results of Detection of ITW
           File Viruses Packed with ARJ
  LIN.F3d: "RAR-Packed File Viruses": Results of Detection of ITW
           File Viruses Packed with RAR 1.5
  LIN.F3e: "WINRAR-Packed Macro Viruses": Results of Detection of ITW
           File Viruses Packed with WINRAR 3.0
  LIN.F3f: "CAB-Packed File Viruses": Results of Detection of ITW
           File Viruses Packed with CAB
  LIN.F4:  "False Positive" File Virus Detection: Results of "full"
           Zoo test for non-viral (clean) file objects detected as
           "false positives"
  LIN.F5:  "File-Malware": Results of "full" Zoo test for
           file-related (non-viral) malware

  LIN.M1:  "MacroVirus 1": Results of "full" Zoo test for macro viruses
  LIN.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro
           viruses
  LIN.M3V: "Comparison of Detection Rate of Packed Viruses":
           Results of Detection Rate of ITW macro viruses packed
           with PKZIP, LHA, ARJ, RAR 1.5, WinRAR 3.0 and CAB
  LIN.M3F: "Comparison of Detection Rate of Packed Viral Objects":
           Results of Detection Rate of infected ITW macro objects
           packed with PKZIP, LHA, ARJ, RAR 1.5, WinRAR 3.0 and CAB
+ LIN.M3R: "Detection of Archives infected with Packed Macro
           In-The-Wild viruses" under Linux
+ LIN.M3L: "Detection Loss in Archives (=number of viruses NOT
           detected in Archives) for Macro In-The-Wild viruses packed
           with different archivers under Linux
  LIN.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of ITW
           macro Viruses Packed with PKZIP
  LIN.M3b: "LHA-Packed Macro Viruses": Results of Detection of ITW
           macro Viruses Packed with LHA
  LIN.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW
           macro Viruses Packed with ARJ
  LIN.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW
           macro Viruses Packed with RAR 1.5
  LIN.M3e: "WINRAR-Packed Macro Viruses": Results of Detection of ITW
           macro Viruses Packed with WINRAR 3.0
  LIN.M3f: "CAB-Packed Macro Viruses": Results of Detection of ITW
           macro Viruses Packed with CAB
  LIN.M4:  "False Positive" macro virus detection: Results of "full"
           Zoo test for non-viral (clean) macro objects detected as
           "false positives"
  LIN.M5:  "Macro-Malware": Results of "full" Zoo test for
           Macro-related (non-viral) malware

  LIN.S1:  "ScriptVirus 1": Results of partial Zoo test for script
           viruses (esp. VBS and MIRC)
  LIN.S2:  "ScriptVirus 2": Results of "In-The-Wild" test for script
           viruses
  LIN.S5:  "Script-Malware": Results of "full" Zoo test for
           Script-related (non-viral) malware


Table LIN.F1: "FileVirus 1":
Results of "full" Zoo test for file viruses:
===============================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed  23209 100.0%                             166327 100.0%
-----------------------------------------------------------
ANT      21093  90.9    6300  27.1    767   3.3   152875  91.9
AVP      23206 100.~     876   3.8      2   0.~   166313 100.~
CLA       8082  34.8     625   2.7   1190   5.1    52286  31.4
CMD      22999  99.1     491   2.1     49   0.2   165232  99.3
DRW      18326  79.0     676   2.9    261   1.1   135528  81.5
FPR      23119  99.6     387   1.7     20   0.1   166136  99.9
FSE      23207 100.~   14319  61.7      2   0.~   166319 100.~
INO      22135  95.4     883   3.8    441   1.9   162288  97.6
OAV       7911  34.1     434   1.9   1115   4.8    51638  31.0
SCN      23202 100.~    1108   4.8      2   0.~   166315 100.~
SWP      22800  98.2    1383   6.0    190   0.8   164197  98.7
-----------------------------------------------------------
Mean:           84.7%                                     84.7%
Rate>10%:       84.7%                                     84.7%
-----------------------------------------------------------
Remark: decimal ~ indicates that result is rounded:
        (100.~ up to 100.0%, 0.~ down to 0.0%).


Table LIN.F2: "FileVirus 2":
Results of "In-The-Wild" test for file viruses:
=========================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed    107 100.0%                                638 100.0%
------------------------------------------------------------
ANT        107 100.0      16  15.0      4   3.7      631  98.9
AVP        106  99.1       6   5.6      0   0.0      637  99.8
CLA         49  45.8       2   1.9     14  13.1      282  44.2
CMD        107 100.0      22  20.6      3   2.8      633  99.2
DRW        106  99.1       5   4.7      0   0.0      637  99.8
FPR        106  99.1       3   2.8      0   0.0      637  99.8
FSE        106  99.1      64  59.8      0   0.0      637  99.8
INO        106  99.1       8   7.5      2   1.9      635  99.5
OAV         38  35.5       2   1.9      9   8.4      221  34.6
SCN        107 100.0      12  11.2      0   0.0      638 100.0
SWP        106  99.1       6   5.6      2   1.9      635  99.5
-----------------------------------------------------------
Mean:           88.7%                                     88.7%
Rate>10%:       88.7%                                     88.7%
-----------------------------------------------------------


Table LIN.F3V: "Comparison of Detection Rate of Packed Viruses":
Results of Detection Rate of ITW file viruses packed with
PKZIP, LHA, ARJ, RAR, WinRAR, CAB
================================================================
        This includes Viruses detected per packer
-------+------------+-----------+-----------+-----------+-----------+-----------
          ARJ      %  CAB      %  LHA      %  RAR1.5   %  WRAR3.0  %  ZIP      %
Testbed   107 100.0%  107 100.0%  107 100.0%  107 100.0%  107 100.0%  107 100.0%
-------+------------+-----------+-----------+-----------+-----------+-----------
ANT       107 100.0%    0   0.0%  107 100.0%    1   0.9%    0   0.0%  106  99.1%
AVP       106  99.1%  106  99.1%  106  99.1%  106  99.1%  106  99.1%  106  99.1%
CLA         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
CMD       107 100.0%  107 100.0%  107 100.0%   34  31.8%    1   0.9%  107 100.0%
DRW       106  99.1%  106  99.1%    0   0.0%  106  99.1%  106  99.1%  106  99.1%
FPR       106  99.1%  106  99.1%  106  99.1%   25  23.4%    0   0.0%  106  99.1%
FSE       106  99.1%  106  99.1%  106  99.1%  106  99.1%  106  99.1%  106  99.1%
INO       106  99.1%  106  99.1%  105  98.1%    1   0.9%    0   0.0%  106  99.1%
OAV         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
SCN       107 100.0%  107 100.0%  107 100.0%  107 100.0%    0   0.0%  107 100.0%
SWP       106  99.1%  106  99.1%  106  99.1%  106  99.1%    0   0.0%  106  99.1%
-------------------------------------------------------------------------------
Mean:          81.3%       72.2%       72.2%       50.3%       27.1%       81.3%
Rate>10%:      99.4%       99.3%       99.3%       78.8%       99.1%       99.3%
-------------------------------------------------------------------------------


Table LIN.F3F: "Comparison of Detection Rate of Packed Viral Objects":
Results of Detection Rate of objects infected with ITW file viruses
and with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
========================================================================
        This includes Viral objects detected per packer
-------+------------+-----------+-----------+-----------+-----------+-----------
          ARJ      %  CAB      %  LHA      %  RAR1.5   %  WRAR3.0  %  ZIP      %
Testbed   638 100.0%  638 100.0%  638 100.0%  638 100.0%  638 100.0%  638 100.0%
-------+------------+-----------+-----------+-----------+-----------+-----------
ANT       628  98.4%    0   0.0%  628  98.4%    2   0.3%    0   0.0%  627  98.3%
AVP       637  99.8%  637  99.8%  637  99.8%  637  99.8%  637  99.8%  637  99.8%
CLA         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
CMD       633  99.2%  633  99.2%  632  99.1%   40   6.3%    1   0.2%  633  99.2%
DRW       631  98.9%  637  99.8%    0   0.0%  633  99.2%  633  99.2%  633  99.2%
FPR       637  99.8%  637  99.8%  620  97.2%   30   4.7%    0   0.0%  637  99.8%
FSE       106  16.6%  106  16.6%  106  16.6%  106  16.6%  106  16.6%  106  16.6%
INO       605  94.8%  635  99.5%  105  16.5%    2   0.3%    0   0.0%  635  99.5%
OAV         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
SCN       638 100.0%  638 100.0%  638 100.0%  638 100.0%    0   0.0%  638 100.0%
SWP       635  99.5%  635  99.5%  635  99.5%  635  99.5%    0   0.0%  635  99.5%
-------+------------+-----------+-----------+-----------+-----------+-----------
Mean:          73.4%       64.9%       57.0%       38.8%       19.6%       73.8%
Rate>10%:      89.7%       89.3%       78.4%       69.9%       71.9%       90.2%
-------+------------+-----------+-----------+-----------+-----------+-----------


Table LIN.F3R: Detection of aRchives infected with
"Packed File In-The-Wild viruses" under Linux
============================================================
         Total number of detected
         files in all archives
-----------------------------
Testbed    642  100.0%
-----------------------------
ANT        321   50.0%
AVP        636   99.1%
CLA        148   23.1%
CMD        463   72.1%
DRW        530   82.6%
FPR        449   69.9%
FSE        636   99.1%
INO        424   66.0%
OAV         38    5.9%
SCN        535   83.3%
SWP        530   82.6%
-----------------------------
Mean             66.7%
-----------------------------


Table LIN.F3L: Detection Loss in Archives (=number of viruses NOT
detected in Archives) for "Packed File In-The-Wild" viruses packed
with different archives under Linux
==============================================================================
        Number of files not detected in archives (but uncompressed)
-------+------------+-----------+-----------+-----------+-----------+-----------
          ARJ      %  CAB      %  LHA      %  RAR1.5   %  WRAR3.0  %  ZIP      %
Testbed   638 100.0%  638 100.0%  638 100.0%  638 100.0%  638 100.0%  638 100.0%
-------+------------+-----------+-----------+-----------+-----------+-----------
ANT         3   0.5%  631 100.0%    3   0.5%  629  99.7%  631 100.0%    4   0.6%
AVP         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
CLA       282 100.0%  282 100.0%  282 100.0%  282 100.0%  282 100.0%  282 100.0%
CMD         0   0.0%    0   0.0%    1   0.2%  593  93.7%  632  99.8%    0   0.0%
DRW         6   0.9%    0   0.0%  637 100.0%    4   0.6%    4   0.6%    4   0.6%
FPR         0   0.0%    0   0.0%   17   2.7%  607  95.3%  637 100.0%    0   0.0%
FSE       531  83.4%  531  83.4%  531  83.4%  531  83.4%  531  83.4%  531  83.4%
INO        30   4.7%    0   0.0%  530  83.5%  633  99.7%  635 100.0%    0   0.0%
OAV       221 100.0%  221 100.0%  221 100.0%  221 100.0%  221 100.0%  221 100.0%
SCN         0   0.0%    0   0.0%    0   0.0%    0   0.0%  638 100.0%    0   0.0%
SWP         0   0.0%    0   0.0%    0   0.0%    0   0.0%  635 100.0%    0   0.0%
-------+------------+-----------+-----------+-----------+-----------+-----------
Mean:          26.3%       34.9%       42.8%       61.1%       80.3%       25.9%
-------+------------+-----------+-----------+-----------+-----------+-----------
Remark: Values in this table represent the difference between unpacked
ITW virus samples found and those found when compressed.
Ideally, "0" implies that all viruses found ITW are also found in
compressed archives, whereas "100%" implies that none of those ITW
viruses detected in uncompressed form was found in compressed
archives. Negative values imply that MORE ITW viruses are found in
packed archives than in unpacked samples.


Table LIN.F3a: "PKZIP-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with PKZIP:
=================================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed    107 100.0%                                638 100.0%
------------------------------------------------------------
ANT        106  99.1      14  13.1      5   4.7      627  98.3
AVP        106  99.1       6   5.6      0   0.0      637  99.8
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD        107 100.0      22  20.6      3   2.8      633  99.2
DRW        106  99.1       4   3.7      3   2.8      633  99.2
FPR        106  99.1       3   2.8      0   0.0      637  99.8
FSE        106  99.1       1   0.9     63  58.9      106  16.6
INO        106  99.1       8   7.5      2   1.9      635  99.5
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN        107 100.0      12  11.2      0   0.0      638 100.0
SWP        106  99.1       6   5.6      2   1.9      635  99.5
-----------------------------------------------------------
Mean:           81.3%                                     73.8%
Rate>10%:       99.3%                                     90.2%
-----------------------------------------------------------


Table LIN.F3b: "LHA-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with LHA:
===============================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed    107 100.0%                                638 100.0%
------------------------------------------------------------
ANT        107 100.0      14  13.1      5   4.7      628  98.4
AVP        106  99.1       6   5.6      0   0.0      637  99.8
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD        107 100.0      22  20.6      4   3.7      632  99.1
DRW          0   0.0       0   0.0      0   0.0        0   0.0
FPR        106  99.1       3   2.8      1   0.9      620  97.2
FSE        106  99.1       1   0.9     63  58.9      106  16.6
INO        105  98.1       0   0.0     63  58.9      105  16.5
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN        107 100.0      12  11.2      0   0.0      638 100.0
SWP        106  99.1       6   5.6      2   1.9      635  99.5
------------------------------------------------------------
Mean:           72.2%                                     57.0%
Rate>10%:       99.3%                                     78.4%
------------------------------------------------------------


Table LIN.F3c: "ARJ-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with ARJ:
===============================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed    107 100.0%                                638 100.0%
------------------------------------------------------------
ANT        107 100.0      14  13.1      5   4.7      628  98.4
AVP        106  99.1       6   5.6      0   0.0      637  99.8
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD        107 100.0      22  20.6      3   2.8      633  99.2
DRW        106  99.1       4   3.7      5   4.7      631  98.9
FPR        106  99.1       3   2.8      0   0.0      637  99.8
FSE        106  99.1       1   0.9     63  58.9      106  16.6
INO        106  99.1       8   7.5      4   3.7      605  94.8
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN        107 100.0      12  11.2      0   0.0      638 100.0
SWP        106  99.1       6   5.6      2   1.9      635  99.5
-----------------------------------------------------------
Mean:           81.3%                                     73.4%
Rate>10%:       99.4%                                     89.7%
-----------------------------------------------------------


Table LIN.F3d: "RAR-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with RAR 1.5:
===============================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed    107 100.0%                                638 100.0%
------------------------------------------------------------
ANT          1   0.9       0   0.0      1   0.9        2   0.3
AVP        106  99.1       6   5.6      0   0.0      637  99.8
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD         34  31.8       5   4.7     21  19.6       40   6.3
DRW        106  99.1       4   3.7      3   2.8      633  99.2
FPR         25  23.4       0   0.0     14  13.1       30   4.7
FSE        106  99.1       1   0.9     63  58.9      106  16.6
INO          1   0.9       0   0.0      1   0.9        2   0.3
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN        107 100.0      12  11.2      0   0.0      638 100.0
SWP        106  99.1       6   5.6      2   1.9      635  99.5
-----------------------------------------------------------
Mean:           50.3%                                     38.8%
Rate>10%:       78.8%                                     60.9%
-----------------------------------------------------------


Table LIN.F3e: "WINRAR-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with WINRAR 3.0:
==================================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed    107 100.0%                                638 100.0%
------------------------------------------------------------
ANT          0   0.0       0   0.0      0   0.0        0   0.0
AVP        106  99.1       6   5.6      0   0.0      637  99.8
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD          1   0.9       0   0.0      1   0.9        1   0.2
DRW        106  99.1       4   3.7      3   2.8      633  99.2
FPR          0   0.0       0   0.0      0   0.0        0   0.0
FSE        106  99.1       1   0.9     63  58.9      106  16.6
INO          0   0.0       0   0.0      0   0.0        0   0.0
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN          0   0.0       0   0.0      0   0.0        0   0.0
SWP          0   0.0       0   0.0      0   0.0        0   0.0
-----------------------------------------------------------
Mean:           27.1%                                     19.6%
Rate>10%:       99.1%                                     81.9%
-----------------------------------------------------------


Table LIN.F3f: "CAB-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with CAB:
===============================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed    107 100.0%                                638 100.0%
------------------------------------------------------------
ANT          0   0.0       0   0.0      0   0.0        0   0.0
AVP        106  99.1       6   5.6      0   0.0      637  99.8
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD        107 100.0      22  20.6      3   2.8      633  99.2
DRW        106  99.1       5   4.7      0   0.0      637  99.8
FPR        106  99.1       3   2.8      0   0.0      637  99.8
FSE        106  99.1       1   0.9     63  58.9      106  16.6
INO        106  99.1       8   7.5      2   1.9      635  99.5
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN        107 100.0      12  11.2      0   0.0      638 100.0
SWP        106  99.1       6   5.6      2   1.9      635  99.5
-----------------------------------------------------------
Mean:           72.2%                                     64.9%
Rate>10%:       99.3%                                     89.3%
-----------------------------------------------------------


Table LIN.F4: "False Positive" file virus detection:
Results of "full" Zoo test for non-viral (clean)
file objects detected as "false positives":
=============================================================
           False positive
Scanner    detection
-----------------------------
Testbed    721  100.0%
-----------------------------
ANT          0    0.0
AVP          0    0.0
CLA          0    0.0
CMD          2    0.3
DRW          0    0.0
FPR          0    0.0
FSE          0    0.0
INO          0    0.0
OAV          0    0.0
SCN          0    0.0
SWP          0    0.0
-----------------------------
Mean:            0.03%
-----------------------------


Table LIN.F5: "File-Malware":
Results of "full" Zoo Test for File-related malware:
====================================================
                            This includes
           Malware       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed  12368 100.0%                              28621 100.0%
------------------------------------------------------------
ANT       8445  68.3     779   6.3    739   6.0    17401  60.8
AVP      12288  99.4    1310  10.6     38   0.3    28465  99.5
CLA       1741  14.1      53   0.4    278   2.2     3091  10.8
CMD      11730  94.8    6516  52.7     81   0.7    26796  93.6
DRW        706   5.7      41   0.3     30   0.2     1254   4.4
FPR      11973  96.8    6390  51.7     64   0.5    27486  96.0
FSE      12355  99.9    5751  46.5     12   0.1    28587  99.9
INO       9103  73.6     580   4.7    779   6.3    18645  65.1
OAV        470   3.8      10   0.1    135   1.1     1038   3.6
SCN      12100  97.8     395   3.2     25   0.2    28259  98.7
SWP      11229  90.8     870   7.0    640   5.2    25189  88.0
-----------------------------------------------------------
Mean:           67.7%                                     65.5%
Rate>10%:       81.7%                                     79.2%
-----------------------------------------------------------


Table LIN.M1: "MacroVirus 1":
Results of "full" Zoo test for macro viruses:
===============================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed   7796 100.0%                              27370 100.0%
------------------------------------------------------------
ANT       7634  97.9     295   3.8     49   0.6    26759  97.8
AVP       7795 100.~     161   2.1      2   0.~    27364 100.~
CLA         40   0.5       0   0.0     11   0.1      141   0.5
CMD       7789  99.9      79   1.0      7   0.1    27351  99.9
DRW       7750  99.4     101   1.3     14   0.2    27253  99.6
FPR       7790  99.9      77   1.0      7   0.1    27352  99.9
FSE       7796 100.0    6157  79.0      0   0.0    27369 100.0
INO       7744  99.3     143   1.8     19   0.2    27224  99.5
OAV          9   0.1       0   0.0      5   0.1       31   0.1
SCN       7795 100.~    1079  13.8      3   0.~    27361 100.~
SWP       7778  99.8     120   1.5      8   0.1    27338  99.9
-----------------------------------------------------------
Mean            81.6%                                     81.6%
Rate>10%:       99.6%                                     99.6%
-----------------------------------------------------------


Table LIN.M2: "MacroVirus 2":
Results of "In-The-Wild" test for macro viruses:
=========================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed     74 100.0%                                976 100.0%
------------------------------------------------------------
ANT         74 100.0      10  13.5      0   0.0      976 100.0
AVP         74 100.0       6   8.1      0   0.0      976 100.0
CLA          3   4.1       0   0.0      1   1.4       18   1.8
CMD         74 100.0       5   6.8      1   1.4      975  99.9
DRW         73  98.6       8  10.8      0   0.0      971  99.5
FPR         74 100.0       5   6.8      1   1.4      975  99.9
FSE         74 100.0      74 100.0      0   0.0      976 100.0
INO         74 100.0       5   6.8      1   1.4      975  99.9
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN         74 100.0      14  18.9      0   0.0      976 100.0
SWP         74 100.0      14  18.9      0   0.0      976 100.0
-----------------------------------------------------------
Mean            82.1%                                     81.9%
Rate>10%:       99.8%                                     99.9%
-----------------------------------------------------------


Table LIN.M3V: "Comparison of Detection Rate of Packed Viruses":
Results of Detection Rate of ITW macro viruses packed with
PKZIP, LHA, ARJ, RAR, WinRAR and CAB:
================================================================
        This includes Viruses detected per packer
-------------------------------------------------------------------------------
          ARJ      %  CAB      %  LHA      %  RAR      %  WRAR3.0  %  ZIP      %
Testbed    74 100.0%   74 100.0%   74 100.0%   74 100.0%   74 100.0%   74 100.0%
-------+------------+-----------+-----------+-----------+-----------+----------
ANT         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
AVP        74 100.0%   74 100.0%   74 100.0%   74 100.0%   74 100.0%   74 100.0%
CLA         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
CMD        74 100.0%   74 100.0%   74 100.0%    2   2.7%    0   0.0%   74 100.0%
DRW        74 100.0%   74 100.0%    0   0.0%   74 100.0%   74 100.0%   74 100.0%
FPR        74 100.0%   74 100.0%   74 100.0%    2   2.7%    0   0.0%   74 100.0%
FSE        74 100.0%   74 100.0%   74 100.0%   74 100.0%   74 100.0%   74 100.0%
INO        74 100.0%   74 100.0%   74 100.0%    0   0.0%    0   0.0%   74 100.0%
OAV         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
SCN        74 100.0%   74 100.0%   74 100.0%   74 100.0%    0   0.0%   74 100.0%
SWP        74 100.0%   74 100.0%   74 100.0%   74 100.0%    0   0.0%   74 100.0%
-------+------------+-----------+-----------+-----------+-----------+----------
Mean           72.7%       72.7%       63.6%       46.0%       27.3%       72.7%
Rate>10%:     100.0%      100.0%      100.0%      100.0%      100.0%      100.0%
-------+------------+-----------+-----------+-----------+-----------+----------


Table LIN.M3F: "Comparison of Detection Rate of Packed Viral Objects":
Results of Detection Rate of objects infected with ITW macro viruses
and with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
=======================================================================
        This includes Viral objects detected per packer
-------+------------+-----------+-----------+-----------+-----------+-----------
          ARJ      %  CAB      %  LHA      %  RAR1.5   %  WRAR3.0  %  ZIP      %
Testbed   976 100.0%  976 100.0%  976 100.0%  976 100.0%  976 100.0%  976 100.0%
-------+------------+-----------+-----------+-----------+-----------+-----------
ANT         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
AVP       976 100.0%  976 100.0%  976 100.0%  976 100.0%  976 100.0%  976 100.0%
CLA         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
CMD       975  99.9%  975  99.9%  974  99.8%    4   0.4%    0   0.0%  975  99.9%
DRW       976 100.0%  976 100.0%    0   0.0%  976 100.0%  975  99.9%  976 100.0%
FPR       975  99.9%  975  99.9%  974  99.8%    4   0.4%    0   0.0%  975  99.9%
FSE        74   7.6%   74   7.6%   74   7.6%   74   7.6%   74   7.6%   74   7.6%
INO       975  99.9%  975  99.9%  975  99.9%    0   0.0%    0   0.0%  975  99.9%
OAV         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
SCN       976 100.0%  976 100.0%  976 100.0%  976 100.0%    0   0.0%  976 100.0%
SWP       976 100.0%  976 100.0%  976 100.0%  976 100.0%    0   0.0%  976 100.0%
-------+------------+-----------+-----------+-----------+-----------+-----------
Mean           64.3%       64.3%       55.2%       37.1%       18.9%       64.3%
Rate>10%:      88.4%       88.4%       86.7%       81.5%       69.2%       88.4%
-------+------------+-----------+-----------+-----------+-----------+-----------


Table LIN.M3R: Detection of Archives infected with
"Packed Macro In-The-Wild viruses" under LINUX
=============================================================
Product  Total number of detected
         files in all archives
-----------------------------
Testbed    444  100.0%
-----------------------------
ANT        223   50.2%
AVP        444  100.0%
CLA          9    2.0%
CMD        298   67.1%
DRW        370   83.3%
FPR        298   67.1%
FSE        444  100.0%
INO        296   66.7%
OAV          0    0.0%
SCN        370   83.3%
SWP        370   83.3%
-----------------------------
Mean             63.9%
-----------------------------


Table LIN.M3L: Detection Loss in Archives (=number of viruses NOT
detected in Archives) for "Packed Macro In-The-Wild" viruses packed
with different archives under LINUX
==============================================================================
        Number of files not detected in archives (but uncompressed)
-------+------------+-----------+-----------+-----------+-----------+----------
          ARJ      %  CAB      %  LHA      %  RAR1.5   %  WRAR3.0  %  ZIP      %
Testbed   976 100.0%  976 100.0%  976 100.0%  976 100.0%  976 100.0%  976 100.0%
-------+------------+-----------+-----------+-----------+-----------+----------
ANT       976 100.0%  976 100.0%  976 100.0%  976 100.0%  976 100.0%  976 100.0%
AVP         0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%    0   0.0%
CLA        18 100.0%   18 100.0%   18 100.0%   18 100.0%   18 100.0%   18 100.0%
CMD         0   0.0%    0   0.0%    1   0.1%  971  99.6%  975 100.0%    0   0.0%
DRW        -5  *****   -5  *****  971 100.0%   -5  *****   -4  *****   -5  *****
FPR         0   0.0%    0   0.0%    1   0.1%  971  99.6%  975 100.0%    0   0.0%
FSE       902  92.4%  902  92.4%  902  92.4%  902  92.4%  902  92.4%  902  92.4%
INO         0   0.0%    0   0.0%    0   0.0%  975 100.0%  975 100.0%    0   0.0%
OAV         0  -----    0  -----    0  -----    0  -----    0  -----    0  -----
SCN         0   0.0%    0   0.0%    0   0.0%    0   0.0%  976 100.0%    0   0.0%
SWP         0   0.0%    0   0.0%    0   0.0%    0   0.0%  976 100.0%    0   0.0%
-------+------------+-----------+-----------+-----------+-----------+----------
Mean           29.2%       29.2%       39.3%       50.2%       79.2%       29.2%
-------+------------+-----------+-----------+-----------+-----------+----------
Remark: Values in this table represent the difference between unpacked
ITW virus samples found and those found when compressed.
Ideally, "0" implies that all viruses found ITW are also found in
compressed archives, whereas "100%" implies that none of those ITW
viruses detected in uncompressed form was found in compressed
archives. Negative values imply that MORE ITW viruses are found in
packed archives than in unpacked samples.


Table LIN.M3a: "PKZIP-Packed Macro Viruses":
Results of Detection of ITW Macro Viruses Packed with PKZIP:
=================================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed     74 100.0%                                976 100.0%
------------------------------------------------------------
ANT          0   0.0       0   0.0      0   0.0        0   0.0
AVP         74 100.0       6   8.1      0   0.0      976 100.0
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD         74 100.0       5   6.8      1   1.4      975  99.9
DRW         74 100.0       8  10.8      0   0.0      976 100.0
FPR         74 100.0       5   6.8      1   1.4      975  99.9
FSE         74 100.0       0   0.0     74 100.0       74   7.6
INO         74 100.0       5   6.8      1   1.4      975  99.9
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN         74 100.0      14  18.9      0   0.0      976 100.0
SWP         74 100.0      14  18.9      0   0.0      976 100.0
-----------------------------------------------------------
Mean            72.7%                                     64.3%
Rate>10%:      100.0%                                     88.4%
-----------------------------------------------------------


Table LIN.M3b: "LHA-Packed Macro Viruses":
Results of Detection of ITW Macro Viruses Packed with LHA:
===============================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed     74 100.0%                                976 100.0%
------------------------------------------------------------
ANT          0   0.0       0   0.0      0   0.0        0   0.0
AVP         74 100.0       6   8.1      0   0.0      976 100.0
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD         74 100.0       5   6.8      2   2.7      974  99.8
DRW          0   0.0       0   0.0      0   0.0        0   0.0
FPR         74 100.0       5   6.8      2   2.7      974  99.8
FSE         74 100.0       0   0.0     74 100.0       74   7.6
INO         74 100.0       5   6.8      1   1.4      975  99.9
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN         74 100.0      14  18.9      0   0.0      976 100.0
SWP         74 100.0      14  18.9      0   0.0      976 100.0
-----------------------------------------------------------
Mean            63.6%                                     55.2%
Rate>10%:      100.0%                                     86.7%
-----------------------------------------------------------


Table LIN.M3c: "ARJ-Packed Macro Viruses":
Results of Detection of ITW Macro Viruses Packed with ARJ:
===============================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed     74 100.0%                                976 100.0%
------------------------------------------------------------
ANT          0   0.0       0   0.0      0   0.0        0   0.0
AVP         74 100.0       6   8.1      0   0.0      976 100.0
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD         74 100.0       5   6.8      1   1.4      975  99.9
DRW         74 100.0       8  10.8      0   0.0      976 100.0
FPR         74 100.0       5   6.8      1   1.4      975  99.9
FSE         74 100.0       0   0.0     74 100.0       74   7.6
INO         74 100.0       5   6.8      1   1.4      975  99.9
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN         74 100.0      14  18.9      0   0.0      976 100.0
SWP         74 100.0      14  18.9      0   0.0      976 100.0
-----------------------------------------------------------
Mean            72.7%                                     64.3%
Rate>10%:      100.0%                                     88.4%
-----------------------------------------------------------


Table LIN.M3d: "RAR-Packed Macro Viruses":
Results of Detection of ITW Macro Viruses Packed with RAR v1.5:
===============================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed     74 100.0%                                976 100.0%
------------------------------------------------------------
ANT          0   0.0       0   0.0      0   0.0        0   0.0
AVP         74 100.0       6   8.1      0   0.0      976 100.0
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD          2   2.7       0   0.0      2   2.7        4   0.4
DRW         74 100.0       8  10.8      0   0.0      976 100.0
FPR          2   2.7       0   0.0      2   2.7        4   0.4
FSE         74 100.0       0   0.0     74 100.0       74   7.6
INO          0   0.0       0   0.0      0   0.0        0   0.0
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN         74 100.0      14  18.9      0   0.0      976 100.0
SWP         74 100.0      14  18.9      0   0.0      976 100.0
-----------------------------------------------------------
Mean            46.0%                                     37.1%
Rate>10%:      100.0%                                     81.5%
-----------------------------------------------------------


Table LIN.M3e: "WinRAR-Packed Macro Viruses":
Results of Detection of ITW Macro Viruses Packed with WinRAR 3.0:
==================================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed     74 100.0%                                976 100.0%
------------------------------------------------------------
ANT          0   0.0       0   0.0      0   0.0        0   0.0
AVP         74 100.0       6   8.1      0   0.0      976 100.0
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD          0   0.0       0   0.0      0   0.0        0   0.0
DRW         74 100.0       8  10.8      1   1.4      975  99.9
FPR          0   0.0       0   0.0      0   0.0        0   0.0
FSE         74 100.0       0   0.0     74 100.0       74   7.6
INO          0   0.0       0   0.0      0   0.0        0   0.0
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN          0   0.0       0   0.0      0   0.0        0   0.0
SWP          0   0.0       0   0.0      0   0.0        0   0.0
-----------------------------------------------------------
Mean            27.3%                                     18.7%
Rate>10%:      100.0%                                     69.2%
-----------------------------------------------------------


Table LIN.M3f: "CAB-Packed Macro Viruses":
Results of Detection of ITW Macro Viruses Packed with CAB:
===============================================================
                            This includes
           Viruses       ---- unreliably ----          Files
Scanner    detected     identified    detected       detected
-----------------------------------------------------------
Testbed     74 100.0%                                976 100.0%
------------------------------------------------------------
ANT          0   0.0       0   0.0      0   0.0        0   0.0
AVP         74 100.0       6   8.1      0   0.0      976 100.0
CLA          0   0.0       0   0.0      0   0.0        0   0.0
CMD         74 100.0       5   6.8      1   1.4      975  99.9
DRW         74 100.0       8  10.8      0   0.0      976 100.0
FPR         74 100.0       4   5.4      1   1.4      975  99.9
FSE         74 100.0       0   0.0     74 100.0       74   7.6
INO         74 100.0       5   6.8      1   1.4      975  99.9
OAV          0   0.0       0   0.0      0   0.0        0   0.0
SCN         74 100.0      14  18.9      0   0.0      976 100.0
SWP         74 100.0      14  18.9      0   0.0      976 100.0
-----------------------------------------------------------
Mean           72.7%                                  64.3%
Rate>10%:     100.0%                                  88.4%
-----------------------------------------------------------

Table LIN.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives":
=============================================================
          False positive
Scanner     detection
-----------------------------
Testbed     329 100.0%
-----------------------------
ANT           0   0.0
AVP           1   0.3
CLA           0   0.0
CMD           2   0.6
DRW          29   8.8
FPR           2   0.6
FSE           2   0.6
INO           0   0.0
OAV           0   0.0
SCN           0   0.0
SWP           0   0.0
-----------------------------
Mean              1.0%
-----------------------------

Table LIN.M5: "Macro-Malware": Results of "full" test for
              Macro-related malware:
================================================
          Macro         This includes
          Malware     ---- unreliably ----        Files
Scanner   detected    identified  detected       detected
-----------------------------------------------------------
Testbed   485 100.0%                             792 100.0%
------------------------------------------------------------
ANT       419  86.4     18   3.7     7   1.4     697  88.0
AVP       485 100.0      1   0.2     1   0.2     791  99.9
CLA         1   0.2      0   0.0     0   0.0       1   0.1
CMD       483  99.6      4   0.8     0   0.0     789  99.6
DRW       480  99.0      5   1.0     4   0.8     783  98.9
FPR       485 100.0      4   0.8     0   0.0     792 100.0
FSE       485 100.0    146  30.1     0   0.0     792 100.0
INO       435  89.7      6   1.2     5   1.0     719  90.8
OAV         0   0.0      0   0.0     0   0.0       0   0.0
SCN       484  99.8    109  22.5     1   0.2     790  99.7
SWP       477  98.4      6   1.2     3   0.6     771  97.3
-----------------------------------------------------------
Mean           79.4%                                  79.5%
Rate>10%:      97.0%                                  97.1%
-----------------------------------------------------------

Table LIN.S1: "ScriptVirus 1": Results of "full" Zoo test for
              script viruses:
=================================================
                        This includes
          Viruses     ---- unreliably ----        Files
Scanner   detected    identified  detected       detected
-----------------------------------------------------------
Testbed   959 100.0%                            2222 100.0%
------------------------------------------------------------
ANT       840  87.6     95   9.9   100  10.4    1803  81.1
AVP       956  99.7    134  14.0     2   0.2    2216  99.7
CLA       260  27.1      5   0.5    63   6.6     688  31.0
CMD       953  99.4    164  17.1    19   2.0    2185  98.3
DRW       915  95.4     91   9.5    38   4.0    2081  93.7
FPR       953  99.4    159  16.6    14   1.5    2196  98.8
FSE       958  99.9    328  34.2     1   0.1    2220  99.9
INO       926  96.6    140  14.6    36   3.8    2124  95.6
OAV       260  27.1      5   0.5    63   6.6     688  31.0
SCN       957  99.8     80   8.3     4   0.4    2215  99.7
SWP       932  97.2    108  11.3    47   4.9    2112  95.0
-----------------------------------------------------------
Mean           84.5%                                  84.0%
Rate>10%:      84.5%                                  84.0%
-----------------------------------------------------------

Table LIN.S2: "ScriptVirus 2": Results of "In-The-Wild" test for
              script viruses:
=======================================================
                        This includes
          Viruses     ---- unreliably ----        Files
Scanner   detected    identified  detected       detected
-----------------------------------------------------------
Testbed    22 100.0%                             178 100.0%
------------------------------------------------------------
ANT        22 100.0      3  13.6     7  31.8     157  88.2
AVP        22 100.0      5  22.7     0   0.0     178 100.0
CLA        10  45.5      1   4.5     4  18.2     100  56.2
CMD        22 100.0      6  27.3     1   4.5     177  99.4
DRW        22 100.0      2   9.1     3  13.6     174  97.8
FPR        22 100.0      6  27.3     1   4.5     177  99.4
FSE        22 100.0     13  59.1     1   4.5     177  99.4
INO        22 100.0      6  27.3     2   9.1     170  95.5
OAV        10  45.5      1   4.5     4  18.2     100  56.2
SCN        22 100.0      4  18.2     0   0.0     178 100.0
SWP        22 100.0      2   9.1     2   9.1     168  94.4
-----------------------------------------------------------
Mean           90.1%                                  89.7%
Rate>10%:      90.1%                                  89.7%
-----------------------------------------------------------

Table LIN.S5: "Script-Malware": Results of "full" Zoo Test for
              Script-related malware:
=====================================================
                        This includes
          Viruses     ---- unreliably ----        Files
Scanner   detected    identified  detected       detected
-----------------------------------------------------------
Testbed   330 100.0%                            1103 100.0%
------------------------------------------------------------
ANT       198  60.0     21   6.4    57  17.3     406  36.8
AVP       324  98.2     72  21.8    17   5.2    1075  97.5
CLA        22   6.7      0   0.0     8   2.4      27   2.4
CMD       291  88.2    106  32.1    41  12.4     861  78.1
DRW       220  66.7     17   5.2    70  21.2     636  57.7
FPR       295  89.4    108  32.7    39  11.8     871  79.0
FSE       327  99.1    147  44.5     6   1.8    1092  99.0
INO       242  73.3     30   9.1    55  16.7     645  58.5
OAV        22   6.7      0   0.0     8   2.4      29   2.6
SCN       324  98.2     22   6.7     4   1.2    1067  96.7
SWP       253  76.7     24   7.3    65  19.7     695  63.0
-----------------------------------------------------------
Mean           69.4%                                  61.0%
Rate>10%:      83.3%                                  74.0%
-----------------------------------------------------------