=================================================
File 6FW98PRE.TXT (PRE-RELEASE)
Updated March 1, 2000
Detailed results of Macro Virus related
on-demand scanner tests under Windows 98:
=================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification quality
concerning MACRO viruses as well as selected MACRO MALWARE, both in
full "zoo" virus collection and for viral ITW testbed, under W-98.
Moreover, results for detection of viruses in objects compressed
with 4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen
from available CD-ROMs and which were definitively clean of viruses.

For discussion of PRE-RELEASED results, see 9XECPRE.TXT.

Results may be influenced by problems experienced during tests;
such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
W98.M1:  "MacroVirus 1": Results of "full" test for macro viruses
W98.M2:  "MacroVirus 2": Results of "In-The-Wild" test for
         macro viruses
W98.M3:  "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses packed
         with PKZIP, LHA, ARJ and RAR
W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with PKZIP
W98.M3b: "LHA-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with LHA
W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with ARJ
W98.M3d: "RAR-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with RAR
W98.M4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) macro objects detected as
         "false positives"
W98.M5:  "Macro-Malware": Results of "full" zoo test for
         Macro-related malware

The following tables will be published in the FINAL report:
-----------------------------------------------------------
W98.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
W98.F2:  "FileVirus 2": Results of "In-The-Wild" test for
         file viruses
W98.FA:  "Polyfile-Test": Results of Polymorphic test
W98.FB:  "VKIT Test": Results of VKIT file virus test
W98.F3:  "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses packed
         with PKZIP, LHA, ARJ and RAR
W98.F3a: "PKZIP-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with PKZIP
W98.F3b: "LHA-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with LHA
W98.F3c: "ARJ-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with ARJ
W98.F3d: "RAR-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with RAR
W98.F4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) file samples detected as
         "False positives"
W98.F5:  "File Malware": Results of "full" Zoo test for
         File-related malware


Table W98.M1: "MacroVirus 1": Results of "full" zoo test
              for macro viruses under Windows 98:
======================================================
This includes Viruses ---- unreliably ----         Files
Scanner    detected  identified    detected      detected
-----------------------------------------------------------
Testbed  3546 100.0%          %           %    9731 100.0%
-----------------------------------------------------------
ANT      4081  90.2    127  2.8     30  0.7   11746  90.9
ATD      4522  99.9     75  1.7      1  0.0   12906  99.9
AVA      4266  94.3     33  0.7     13  0.3   12245  94.8
AVG      4410  97.5     26  0.6     11  0.2   12596  97.5
AVK      4522  99.9     75  1.7      1  0.0   12906  99.9
AVP      4522  99.9     75  1.7      1  0.0   12906  99.9
AVX      4276  94.5     91  2.0     10  0.2   12375  95.8
CMD      4525 100.0     54  1.2      0  0.0   12918 100.0
DRW      4453  98.4     53  1.2     16  0.4   12760  98.8
DSE      4525 100.0     34  0.8      0  0.0   12918 100.0
ESA      4022  88.9    143  3.2    136  3.0   11354  87.9
FPR      4525 100.0      0  0.0      0  0.0   12918 100.0
FPW      4525 100.0     10  0.2      0  0.0   12918 100.0
FSE      4525 100.0     17  0.4      0  0.0   12918 100.0
FWN      4516  99.8     53  1.2      3  0.1   12890  99.8
INO      4513  99.7     78  1.7      3  0.1   12891  99.8
MKS      4393  97.1      0  0.0     29  0.6   12599  97.5
NAV      4435  98.0     62  1.4      4  0.1   12665  98.0
NOD      4500  99.4     48  1.1      3  0.1   12857  99.5
NVC      4521  99.9     48  1.1      3  0.1   12906  99.9
PAV      4522  99.9     75  1.7      1  0.0   12906  99.9
PER      2429  53.7     54  1.2    131  2.9    6399  49.5
PRO      3048  67.4      0  0.0     95  2.1    8368  64.8
QHL         0   0.0      0  0.0      0  0.0       0   0.0
RAV      4428  97.9    153  3.4      4  0.1   12716  98.4
SCN      4525 100.0      0  0.0      0  0.0   12918 100.0
SWP      4463  98.6     36  0.8     11  0.2   12809  99.2
-----------------------------------------------------------


Table W98.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows 98:
=======================================================
This includes Viruses ---- unreliably ----         Files
Scanner    detected  identified    detected      detected
-----------------------------------------------------------
Maximum    59 100.0%          %           %     506 100.0%
-----------------------------------------------------------
ANT        78  97.5      3  3.8      3  3.8     646  96.1
ATD        80 100.0      4  5.0      0  0.0     672 100.0
AVA        80 100.0      2  2.5      0  0.0     672 100.0
AVG        80 100.0      0  0.0      0  0.0     672 100.0
AVK        80 100.0      4  5.0      0  0.0     672 100.0
AVP        80 100.0      4  5.0      0  0.0     672 100.0
AVX        80 100.0     17 21.3      1  1.3     669  99.6
CMD        80 100.0      1  1.3      0  0.0     672 100.0
DRW        80 100.0      2  2.5      0  0.0     672 100.0
DSE        80 100.0      3  3.8      0  0.0     672 100.0
ESA        78  97.5     13 16.3      1  1.3     663  98.7
FPR        80 100.0      0  0.0      0  0.0     672 100.0
FPW        80 100.0      1  1.3      0  0.0     672 100.0
FSE        80 100.0      1  1.3      0  0.0     672 100.0
FWN        80 100.0      4  5.0      0  0.0     672 100.0
INO        80 100.0      5  6.3      0  0.0     672 100.0
MKS        79  98.8      0  0.0      1  1.3     665  99.0
NAV        80 100.0      4  5.0      0  0.0     672 100.0
NOD        80 100.0      5  6.3      0  0.0     672 100.0
NVC        80 100.0      5  6.3      0  0.0     672 100.0
PAV        80 100.0      4  5.0      0  0.0     672 100.0
PER        44  55.0      5  6.3      3  3.8     457  68.0
PRO        78  97.5      0  0.0      8 10.0     654  97.3
QHL         0   0.0      0  0.0      0  0.0       0   0.0
RAV        80 100.0     14 17.5      1  1.3     670  99.7
SCN        80 100.0      0  0.0      0  0.0     672 100.0
SWP        80 100.0      3  3.8      2  2.5     669  99.6
VIT        31  38.8      1  1.3      7  8.8     294  43.8
-----------------------------------------------------------


Table W98.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
This includes Viruses detected per packer
Scanner  ZIP     %    LHA     %    ARJ     %    RAR     %
----------------------------------------------------------------
Testbed   80 100.0     80 100.0     80 100.0     80 100.0
----------------------------------------------------------------
ANT       78  97.5     78  97.5     78  97.5      0   0.0
ATD       80 100.0     80 100.0     80 100.0     80 100.0
AVA       80 100.0      0   0.0      0   0.0      0   0.0
AVG       80 100.0      0   0.0     80 100.0     80 100.0
AVK       80 100.0     80 100.0     80 100.0     80 100.0
AVP       80 100.0     80 100.0     80 100.0     80 100.0
AVX       80 100.0     80 100.0     80 100.0     80 100.0
CMD       80 100.0      0   0.0     80 100.0      0   0.0
DRW       80 100.0      0   0.0     80 100.0     80 100.0
DSE       80 100.0     80 100.0      0   0.0      0   0.0
ESA       78  97.5     78  97.5     78  97.5     78  97.5
FPR       80 100.0      0   0.0     80 100.0      0   0.0
FPW       80 100.0      0   0.0     80 100.0      0   0.0
FSE       80 100.0     80 100.0     80 100.0     80 100.0
FWN       80 100.0      0   0.0      0   0.0     80 100.0
INO       80 100.0     80 100.0     80 100.0      0   0.0
MKS        0   0.0      0   0.0      0   0.0      0   0.0
NAV       80 100.0     80 100.0     80 100.0      0   0.0
NOD       80 100.0      0   0.0     80 100.0     80 100.0
NVC        1   1.3      0   0.0     80 100.0      0   0.0
PAV       80 100.0     80 100.0     80 100.0     80 100.0
PER       44  55.0      0   0.0      0   0.0      0   0.0
PRO        0   0.0      0   0.0      0   0.0      0   0.0
QHL       77  96.3      0   0.0     77  96.3      0   0.0
RAV       80 100.0     80 100.0     80 100.0      0   0.0
SCN       80 100.0     80 100.0     80 100.0     80 100.0
SWP       80 100.0      0   0.0     80 100.0     80 100.0
VIT        0   0.0      0   0.0      0   0.0      0   0.0
----------------------------------------------------------------


Table W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with PKZIP
               under Windows 98:
=====================================================================
This includes Viruses ---- unreliably ----         Files
Scanner    detected  identified    detected      detected
-----------------------------------------------------------
Testbed    80 100.0%          %           %     672 100.0%
-----------------------------------------------------------
ANT        78  97.5      3  3.8      3  3.8     646  96.1
ATD        80 100.0      4  5.0      0  0.0     672 100.0
AVA        80 100.0      2  2.5      0  0.0     672 100.0
AVG        80 100.0      4  5.0      0  0.0     672 100.0
AVK        80 100.0      4  5.0      0  0.0     672 100.0
AVP        80 100.0      4  5.0      0  0.0     672 100.0
AVX        80 100.0     17 21.3      1  1.3     669  99.6
CMD        80 100.0      1  1.3      0  0.0     672 100.0
DRW        80 100.0      2  2.5      0  0.0     672 100.0
DSE        80 100.0      3  3.8      0  0.0     672 100.0
ESA        78  97.5      0  0.0     77 96.3      78  11.6
FPR        80 100.0      0  0.0      0  0.0     672 100.0
FPW        80 100.0      1  1.3      0  0.0     672 100.0
FSE        80 100.0      3  3.8      0  0.0     672 100.0
FWN        80 100.0      4  5.0      1  1.3     647  96.3
INO        80 100.0      0  0.0      0  0.0     672 100.0
MKS         0   0.0      0  0.0      0  0.0       0   0.0
NAV        80 100.0      4  5.0      0  0.0     672 100.0
NOD        80 100.0      5  6.3      0  0.0     672 100.0
NVC         1   1.3      0  0.0      0  0.0       6   0.9
PAV        80 100.0      4  5.0      0  0.0     672 100.0
PER        44  55.0      5  6.3      3  3.8     457  68.0
PRO         0   0.0      0  0.0      0  0.0       0   0.0
QHL        77  96.3     10 12.5     12 15.0     625  93.0
RAV        80 100.0     13 16.3      4  5.0     667  99.3
SCN        80 100.0      0  0.0      0  0.0     672 100.0
SWP        80 100.0      3  3.8      2  2.5     669  99.6
-----------------------------------------------------------


Table W98.M3b: "LHA-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with LHA
               under Windows 98:
==================================================================
This includes Viruses ---- unreliably ----         Files
Scanner    detected  identified    detected      detected
-----------------------------------------------------------
Testbed    80 100.0%          %           %     672 100.0%
-----------------------------------------------------------
ANT        78  97.5      3  3.8      3  3.8     646  96.1
ATD        80 100.0      4  5.0      0  0.0     672 100.0
AVA         0   0.0      0  0.0      0  0.0       0   0.0
AVG         0   0.0      0  0.0      0  0.0       0   0.0
AVK        80 100.0      4  5.0      0  0.0     672 100.0
AVP        80 100.0      4  5.0      0  0.0     672 100.0
AVX        80 100.0     17 21.3      1  1.3     669  99.6
CMD         0   0.0      0  0.0      0  0.0       0   0.0
DRW         0   0.0      0  0.0      0  0.0       0   0.0
DSE        80 100.0      3  3.8      0  0.0     672 100.0
ESA        78  97.5      0  0.0     77 96.3      78  11.6
FPR         0   0.0      0  0.0      0  0.0       0   0.0
FPW         0   0.0      0  0.0      0  0.0       0   0.0
FSE        80 100.0      3  3.8      0  0.0     672 100.0
FWN         0   0.0      0  0.0      0  0.0       0   0.0
INO        80 100.0      0  0.0      3  3.8     594  88.4
MKS         0   0.0      0  0.0      0  0.0       0   0.0
NAV        80 100.0      4  5.0      0  0.0     672 100.0
NOD         0   0.0      0  0.0      0  0.0       0   0.0
NVC         0   0.0      0  0.0      0  0.0       0   0.0
PAV        80 100.0      4  5.0      0  0.0     672 100.0
PER         0   0.0      0  0.0      0  0.0       0   0.0
PRO         0   0.0      0  0.0      0  0.0       0   0.0
QHL         0   0.0      0  0.0      0  0.0       0   0.0
RAV        80 100.0     14 17.5      1  1.3     670  99.7
SCN        80 100.0      0  0.0      0  0.0     672 100.0
SWP         0   0.0      0  0.0      0  0.0       0   0.0
-----------------------------------------------------------


Table W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with ARJ
               under Windows 98:
==================================================================
This includes Viruses ---- unreliably ----         Files
Scanner    detected  identified    detected      detected
-----------------------------------------------------------
Testbed    80 100.0%          %           %     672 100.0%
-----------------------------------------------------------
ANT        78  97.5      3  3.8      3  3.8     646  96.1
ATD        80 100.0      4  5.0      0  0.0     672 100.0
AVA         0   0.0      0  0.0      0  0.0       0   0.0
AVG        80 100.0      4  5.0      0  0.0     672 100.0
AVK        80 100.0      4  5.0      0  0.0     672 100.0
AVP        80 100.0      4  5.0      0  0.0     672 100.0
AVX        80 100.0     17 21.3      1  1.3     669  99.6
CMD        80 100.0      1  1.3      0  0.0     672 100.0
DRW        80 100.0      2  2.5      0  0.0     672 100.0
DSE         0   0.0      0  0.0      0  0.0       0   0.0
ESA        78  97.5      0  0.0     77 96.3      78  11.6
FPR        80 100.0      0  0.0      0  0.0     672 100.0
FPW        80 100.0      1  1.3      0  0.0     672 100.0
FSE        80 100.0      3  3.8      0  0.0     672 100.0
FWN         0   0.0      0  0.0      0  0.0       0   0.0
INO        80 100.0      0  0.0      0  0.0     672 100.0
MKS         0   0.0      0  0.0      0  0.0       0   0.0
NAV        80 100.0      4  5.0      0  0.0     672 100.0
NOD        80 100.0      5  6.3      0  0.0     672 100.0
NVC        80 100.0      5  6.3      0  0.0     672 100.0
PAV        80 100.0      4  5.0      0  0.0     672 100.0
PER         0   0.0      0  0.0      0  0.0       0   0.0
PRO         0   0.0      0  0.0      0  0.0       0   0.0
QHL        77  96.3     10 12.5     12 15.0     625  93.0
RAV        80 100.0     14 17.5      1  1.3     670  99.7
SCN        80 100.0      0  0.0      0  0.0     672 100.0
SWP        80 100.0      3  3.8      2  2.5     669  99.6
-----------------------------------------------------------


Table W98.M3d: "RAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with RAR
               under Windows 98:
==================================================================
This includes Viruses ---- unreliably ----         Files
Scanner    detected  identified    detected      detected
-----------------------------------------------------------
Testbed    80 100.0%          %           %     672 100.0%
-----------------------------------------------------------
ANT         0   0.0      0  0.0      0  0.0       0   0.0
ATD        80 100.0      4  5.0      0  0.0     672 100.0
AVA         0   0.0      0  0.0      0  0.0       0   0.0
AVG        80 100.0      4  5.0      0  0.0     672 100.0
AVK        80 100.0      4  5.0      0  0.0     672 100.0
AVP        80 100.0      4  5.0      0  0.0     672 100.0
AVX        80 100.0     17 21.3      1  1.3     669  99.6
CMD         0   0.0      0  0.0      0  0.0       0   0.0
DRW        80 100.0      2  2.5      0  0.0     672 100.0
DSE         0   0.0      0  0.0      0  0.0       0   0.0
ESA        78  97.5      0  0.0     77 96.3      78  11.6
FPR         0   0.0      0  0.0      0  0.0       0   0.0
FPW         0   0.0      0  0.0      0  0.0       0   0.0
FSE        80 100.0      3  3.8      0  0.0     672 100.0
FWN        80 100.0      4  5.0      0  0.0     672 100.0
INO         0   0.0      0  0.0      0  0.0       0   0.0
MKS         0   0.0      0  0.0      0  0.0       0   0.0
NAV         0   0.0      0  0.0      0  0.0       0   0.0
NOD        80 100.0      5  6.3      0  0.0     672 100.0
NVC         0   0.0      0  0.0      0  0.0       0   0.0
PAV        80 100.0      4  5.0      0  0.0     672 100.0
PER         0   0.0      0  0.0      0  0.0       0   0.0
PRO         0   0.0      0  0.0      0  0.0       0   0.0
QHL         0   0.0      0  0.0      0  0.0       0   0.0
RAV         0   0.0      0  0.0      0  0.0       0   0.0
SCN        80 100.0      0  0.0      0  0.0     672 100.0
SWP        80 100.0      3  3.8      2  2.5     669  99.6
-----------------------------------------------------------


Table W98.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows 98:
=====================================================================
This includes Viruses ---- unreliably ----         Files
Scanner    detected  identified    detected      detected
-----------------------------------------------------------
Maximum    26 100.0%          %           %     329 100.0%
-----------------------------------------------------------
ANT        15  57.7      0  0.0     15 57.7      36  10.9
ATD         2   7.7      0  0.0      2  7.7       4   1.2
AVA         0   0.0      0  0.0      0  0.0       0   0.0
AVG         0   0.0      0  0.0      0  0.0       0   0.0
AVK         0   0.0      0  0.0      0  0.0       0   0.0
AVP         2   7.7      0  0.0      2  7.7       4   1.2
AVX        25  96.2      0  0.0     25 96.2     129  39.2
CMD         1   3.8      0  0.0      1  3.8       2   0.6
DRW        21  80.8      0  0.0     21 80.8      94  28.6
DSE         0   0.0      0  0.0      0  0.0       0   0.0
ESA         2   7.7      0  0.0      2  7.7       4   1.2
FPR         1   3.8      0  0.0      1  3.8       2   0.6
FPW         1   3.8      0  0.0      1  3.8       2   0.6
FSE         1   3.8      0  0.0      1  3.8       2   0.6
FWN         1   3.8      0  0.0      1  3.8       2   0.6
INO        13  50.0      0  0.0     13 50.0      22   6.7
MKS        24  92.3      0  0.0     24 92.3     154  46.8
NAV         4  15.4      0  0.0      4 15.4       4   1.2
NOD         0   0.0      0  0.0      0  0.0       0   0.0
NVC         2   7.7      0  0.0      2  7.7       2   0.6
PAV         2   7.7      0  0.0      2  7.7       4   1.2
PER         1   3.8      0  0.0      1  3.8       2   0.6
PRO         1   3.8      0  0.0      1  3.8       1   0.3
QHL         0   0.0      0  0.0      0  0.0       0   0.0
RAV        24  92.3      0  0.0     24 92.3     104  31.6
SCN         0   0.0      0  0.0      0  0.0       0   0.0
SWP         0   0.0      0  0.0      0  0.0       0   0.0
-----------------------------------------------------------
Remark: within 26 non-viral directories and a total of 329
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table W98.M5: "Macro-Malware": Results of "full" zoo test
              for Macro-related malware under Windows 98:
===============================================================
This includes Malware ---- unreliably ----         Files
Scanner    detected  identified    detected      detected
-----------------------------------------------------------
Testbed   260 100.0                             394 100.0
-----------------------------------------------------------
ANT       181  69.6      2  0.8      2  0.8     294  74.6
ATD       257  98.8      0  0.0      0  0.0     391  99.2
AVA       212  81.5      3  1.2      4  1.5     317  80.5
AVG       203  78.1      2  0.8      4  1.5     303  76.9
AVK       257  98.8      0  0.0      0  0.0     391  99.2
AVP       252  96.9      0  0.0      0  0.0     386  98.0
AVX       245  94.2      7  2.7      2  0.8     377  95.7
CMD       260 100.0      4  1.5      0  0.0     394 100.0
DRW       204  78.5      1  0.4      4  1.5     316  80.2
DSE       259  99.6      4  1.5      0  0.0     393  99.7
ESA       148  56.9      0  0.0     10  3.8     238  60.4
FPR       260 100.0      1  0.4      0  0.0     394 100.0
FPW       260 100.0      1  0.4      0  0.0     394 100.0
FSE       260 100.0      1  0.4      0  0.0     394 100.0
FWN       252  96.9      6  2.3      0  0.0     386  98.0
INO       253  97.3      4  1.5      3  1.2     384  97.5
MKS       225  86.5      0  0.0      4  1.5     350  88.8
NAV       214  82.3      1  0.4      3  1.2     319  81.0
NOD       250  96.2      0  0.0      2  0.8     381  96.7
NVC       248  95.4      7  2.7      2  0.8     364  92.4
PAV       257  98.8      0  0.0      0  0.0     391  99.2
PER       112  43.1      1  0.4      8  3.1     169  42.9
PRO        64  24.6      0  0.0      5  1.9     107  27.2
QHL         0   0.0      0  0.0      0  0.0       0   0.0
RAV       248  95.4     14  5.4      5  1.9     373  94.7
SCN       260 100.0      0  0.0      0  0.0     394 100.0
SWP       247  95.0      2  0.8      4  1.5     377  95.7
VIT         9   3.5      0  0.0      0  0.0      16   4.1
-----------------------------------------------------------