================================================
File 6GWNTPRE.TXT: (PRE-RELEASE) Updated March 1, 2000
Detailed results of Macro Virus related
on-demand scanner tests under Windows NT:
================================================
(Formatted with non-proportional font: Courier; 72 columns)

The following tables summarize detection and identification quality
concerning MACRO viruses as well as selected MACRO MALWARE, both in
full "zoo" virus collection and for viral ITW testbed, under W-NT.
Moreover, results for detection of viruses in objects compressed with
4 popular packing methods are also given. Finally, a special test was
performed concerning "false positive" virus detection of selected
files which were deliberately chosen from available CD-ROMs and which
were definitively clean of viruses.

For discussion of PRE-RELEASED results, see 9XECPRE.TXT.

Results may be influenced by problems experienced during tests;
such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
WNT.M1:  "MacroVirus 1": Results of "full" test for macro viruses
WNT.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro
         viruses
WNT.M3:  "Comparison of Detection Rate of Packed Viruses": Results
         of Detection Rate of ITW file viruses packed with PKZIP,
         LHA, ARJ and RAR
WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with PKZIP
WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with LHA
WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with ARJ
WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with RAR
WNT.M4:  "False Positive" detection: Results of "full" zoo test for
         non-viral (clean) macro objects detected as "false
         positives"
WNT.M5:  "Macro-Malware": Results of "full" zoo test for
         Macro-related malware

The following tables will be published in the FINAL report:
-----------------------------------------------------------
WNT.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
WNT.F2:  "FileVirus 2": Results of "In-The-Wild" test for file
         viruses
WNT.FA:  "Polyfile-Test": Results of Polymorphic test
WNT.FB:  "VKIT Test": Results of VKIT file virus test
WNT.F3:  "Comparison of Detection Rate of Packed Viruses": Results
         of Detection Rate of ITW file viruses packed with PKZIP,
         LHA, ARJ and RAR
WNT.F3a: "PKZIP-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with PKZIP
WNT.F3b: "LHA-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with LHA
WNT.F3c: "ARJ-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with ARJ
WNT.F3d: "RAR-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with RAR
WNT.F4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) file samples detected as "False
         positives"
WNT.F5:  "File Malware": Results of "full" Zoo test for File-related
         malware


Table WNT.M1: "MacroVirus 1": Results of "full" zoo test for
              macro viruses under Windows NT:
=======================================================
This includes      Viruses  ---- unreliably ----         Files
Scanner           detected  identified    detected    detected
--------------------------------------------------------------
Testbed         4525 100.0                         12918 100.0
--------------------------------------------------------------
ANT             4081  90.2   127   2.8    30   0.7 11746  90.9
ATD             4522  99.9    75   1.7     1   0.0 12906  99.9
AVA             4266  94.3    33   0.7    13   0.3 12245  94.8
AVG             4410  97.5    15   0.3    11   0.2 12596  97.5
AVK             4522  99.9    75   1.7     1   0.0 12906  99.9
AVP             4522  99.9    75   1.7     1   0.0 12906  99.9
AVX             4276  94.5    91   2.0    10   0.2 12375  95.8
CMD             4525 100.0    54   1.2     0   0.0 12918 100.0
DRW             4453  98.4    53   1.2    16   0.4 12760  98.8
ESA             4022  88.9   143   3.2   136   3.0 11354  87.9
FPW             4525 100.0    10   0.2     0   0.0 12918 100.0
FSE             4525 100.0    17   0.4     0   0.0 12918 100.0
FWN             4522  99.9    54   1.2     2   0.0 12910  99.9
INO             4513  99.7    78   1.7     3   0.1 12891  99.8
NAV             4435  98.0    62   1.4     4   0.1 12665  98.0
NOD             4500  99.4    48   1.1     3   0.1 12857  99.5
NVC             4521  99.9    48   1.1     3   0.1 12906  99.9
PAV             4522  99.9    75   1.7     1   0.0 12906  99.9
PRO             3048  67.4     0   0.0    95   2.1  8368  64.8
QHL                0   0.0     0   0.0     0   0.0     0   0.0
RAV             4428  97.9   153   3.4     4   0.1 12716  98.4
SCN             4525 100.0    34   0.8     0   0.0 12918 100.0
SWP             4463  98.6    36   0.8    11   0.2 12809  99.2
--------------------------------------------------------------


Table WNT.M2: "MacroVirus 2": Results of "In-The-Wild" test for
              macro viruses under Windows NT:
=======================================================
This includes      Viruses  ---- unreliably ----         Files
Scanner           detected  identified    detected    detected
--------------------------------------------------------------
Testbed           80 100.0                           672 100.0
--------------------------------------------------------------
ANT               78  97.5     3   3.8     3   3.8   646  96.1
ATD               80 100.0     4   5.0     0   0.0   672 100.0
AVA               80 100.0     2   2.5     0   0.0   672 100.0
AVG               80 100.0     0   0.0     0   0.0   672 100.0
AVK               80 100.0     4   5.0     0   0.0   672 100.0
AVP               80 100.0     4   5.0     0   0.0   672 100.0
AVX               80 100.0    17  21.3     1   1.3   669  99.6
CMD               80 100.0     1   1.3     0   0.0   672 100.0
DRW               80 100.0     2   2.5     0   0.0   672 100.0
ESA               78  97.5    13  16.3     1   1.3   663  98.7
FPW               80 100.0     1   1.3     0   0.0   672 100.0
FSE               80 100.0     1   1.3     0   0.0   672 100.0
FWN               80 100.0     4   5.0     0   0.0   672 100.0
INO               80 100.0     5   6.3     0   0.0   672 100.0
NAV               80 100.0     4   5.0     0   0.0   672 100.0
NOD               80 100.0     5   6.3     0   0.0   672 100.0
NVC               80 100.0     5   6.3     0   0.0   672 100.0
PAV               80 100.0     4   5.0     0   0.0   672 100.0
PRO               78  97.5     0   0.0     8  10.0   654  97.3
QHL                0   0.0     0   0.0     0   0.0     0   0.0
RAV               80 100.0    14  17.5     1   1.3   670  99.7
SCN               80 100.0     3   3.8     0   0.0   672 100.0
SWP               80 100.0     3   3.8     2   2.5   669  99.6
--------------------------------------------------------------


Table WNT.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
This includes Viruses detected per packer
Scanner          ZIP     %   LHA     %   ARJ     %   RAR     %
--------------------------------------------------------------
Testbed           80 100.0    80 100.0    80 100.0    80 100.0
--------------------------------------------------------------
ANT               78  97.5    78  97.5    78  97.5     0   0.0
ATD               80 100.0    80 100.0    80 100.0    80 100.0
AVA               80 100.0     0   0.0     0   0.0     0   0.0
AVG               80 100.0     0   0.0    80 100.0    80 100.0
AVK               80 100.0    80 100.0    80 100.0    80 100.0
AVP               80 100.0    80 100.0    80 100.0    80 100.0
AVX               80 100.0    80 100.0    80 100.0    80 100.0
CMD               80 100.0     0   0.0    80 100.0     0   0.0
DRW               80 100.0     0   0.0    80 100.0    80 100.0
ESA               78  97.5    78  97.5    78  97.5    78  97.5
FPW               80 100.0     0   0.0    80 100.0     0   0.0
FSE               80 100.0    80 100.0    80 100.0    80 100.0
FWN               80 100.0     0   0.0     0   0.0    80 100.0
INO               80 100.0    80 100.0    80 100.0     0   0.0
NAV               80 100.0    80 100.0    80 100.0     0   0.0
NOD               80 100.0     0   0.0    80 100.0    80 100.0
NVC                0   0.0     0   0.0    80 100.0     0   0.0
PAV               80 100.0    80 100.0    80 100.0    80 100.0
PRO                0   0.0     0   0.0     0   0.0     0   0.0
QHL               77  96.3     0   0.0    77  96.3     0   0.0
RAV               80 100.0    80 100.0    80 100.0     0   0.0
SCN               80 100.0    80 100.0     0   0.0     0   0.0
SWP               80 100.0     0   0.0    80 100.0    80 100.0
--------------------------------------------------------------


Table WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with PKZIP under Windows NT:
=====================================================================
This includes      Viruses  ---- unreliably ----         Files
Scanner           detected  identified    detected    detected
--------------------------------------------------------------
Testbed           80 100.0                           672 100.0
--------------------------------------------------------------
ANT               78  97.5     3   3.8     3   3.8   646  96.1
ATD               80 100.0     4   5.0     0   0.0   672 100.0
AVA               80 100.0     2   2.5     0   0.0   672 100.0
AVG               80 100.0     0   0.0     0   0.0   672 100.0
AVK               80 100.0     4   5.0     0   0.0   672 100.0
AVP               80 100.0     4   5.0     0   0.0   672 100.0
AVX               80 100.0    17  21.3     1   1.3   669  99.6
CMD               80 100.0     1   1.3     0   0.0   672 100.0
DRW               80 100.0     2   2.5     0   0.0   672 100.0
ESA               78  97.5     0   0.0    77  96.3    78  11.6
FPW               80 100.0     1   1.3     0   0.0   672 100.0
FSE               80 100.0     3   3.8     0   0.0   672 100.0
FWN               80 100.0     4   5.0     1   1.3   647  96.3
INO               80 100.0     0   0.0     0   0.0   672 100.0
NAV               80 100.0     4   5.0     0   0.0   672 100.0
NOD               80 100.0     5   6.3     0   0.0   672 100.0
NVC                0   0.0     0   0.0     0   0.0     0   0.0
PAV               80 100.0     4   5.0     0   0.0   672 100.0
PRO                0   0.0     0   0.0     0   0.0     0   0.0
QHL               77  96.3    10  12.5    12  15.0   625  93.0
RAV               80 100.0    13  16.3     4   5.0   667  99.3
SCN               80 100.0     3   3.8     0   0.0   672 100.0
SWP               80 100.0     3   3.8     2   2.5   669  99.6
--------------------------------------------------------------


Table WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with LHA under Windows NT:
==================================================================
This includes      Viruses  ---- unreliably ----         Files
Scanner           detected  identified    detected    detected
--------------------------------------------------------------
Testbed           80 100.0                           672 100.0
--------------------------------------------------------------
ANT               78  97.5     3   3.8     3   3.8   646  96.1
ATD               80 100.0     4   5.0     0   0.0   672 100.0
AVA                0   0.0     0   0.0     0   0.0     0   0.0
AVG                0   0.0     0   0.0     0   0.0     0   0.0
AVK               80 100.0     4   5.0     0   0.0   672 100.0
AVP               80 100.0     4   5.0     0   0.0   672 100.0
AVX               80 100.0    17  21.3     1   1.3   669  99.6
CMD                0   0.0     0   0.0     0   0.0     0   0.0
DRW                0   0.0     0   0.0     0   0.0     0   0.0
ESA               78  97.5     0   0.0    77  96.3    78  11.6
FPW                0   0.0     0   0.0     0   0.0     0   0.0
FSE               80 100.0     3   3.8     0   0.0   672 100.0
FWN                0   0.0     0   0.0     0   0.0     0   0.0
INO               80 100.0     0   0.0     3   3.8   594  88.4
NAV               80 100.0     4   5.0     0   0.0   672 100.0
NOD                0   0.0     0   0.0     0   0.0     0   0.0
NVC                0   0.0     0   0.0     0   0.0     0   0.0
PAV               80 100.0     4   5.0     0   0.0   672 100.0
PRO                0   0.0     0   0.0     0   0.0     0   0.0
QHL                0   0.0     0   0.0     0   0.0     0   0.0
RAV               80 100.0    14  17.5     1   1.3   670  99.7
SCN               80 100.0     3   3.8     0   0.0   672 100.0
SWP                0   0.0     0   0.0     0   0.0     0   0.0
--------------------------------------------------------------


Table WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with ARJ under Windows NT:
==================================================================
This includes      Viruses  ---- unreliably ----         Files
Scanner           detected  identified    detected    detected
--------------------------------------------------------------
Testbed           80 100.0                           672 100.0
--------------------------------------------------------------
ANT               78  97.5     3   3.8     3   3.8   646  96.1
ATD               80 100.0     4   5.0     0   0.0   672 100.0
AVA                0   0.0     0   0.0     0   0.0     0   0.0
AVG               80 100.0     0   0.0     0   0.0   672 100.0
AVK               80 100.0     4   5.0     0   0.0   672 100.0
AVP               80 100.0     4   5.0     0   0.0   672 100.0
AVX               80 100.0    17  21.3     1   1.3   669  99.6
CMD               80 100.0     1   1.3     0   0.0   672 100.0
DRW               80 100.0     2   2.5     0   0.0   672 100.0
ESA               78  97.5     0   0.0    77  96.3    78  11.6
FPW               80 100.0     1   1.3     0   0.0   672 100.0
FSE               80 100.0     3   3.8     0   0.0   672 100.0
FWN                0   0.0     0   0.0     0   0.0     0   0.0
INO               80 100.0     0   0.0     0   0.0   672 100.0
NAV               80 100.0     4   5.0     0   0.0   672 100.0
NOD               80 100.0     5   6.3     0   0.0   672 100.0
NVC               80 100.0     5   6.3     0   0.0   672 100.0
PAV               80 100.0     4   5.0     0   0.0   672 100.0
PRO                0   0.0     0   0.0     0   0.0     0   0.0
QHL               77  96.3    10  12.5    12  15.0   625  93.0
RAV               80 100.0    14  17.5     1   1.3   670  99.7
SCN                0   0.0     0   0.0     0   0.0     0   0.0
SWP               80 100.0     3   3.8     2   2.5   669  99.6
--------------------------------------------------------------


Table WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with RAR under Windows NT:
==================================================================
This includes      Viruses  ---- unreliably ----         Files
Scanner           detected  identified    detected    detected
--------------------------------------------------------------
Testbed           80 100.0                           672 100.0
--------------------------------------------------------------
ANT                0   0.0     0   0.0     0   0.0     0   0.0
ATD               80 100.0     4   5.0     0   0.0   672 100.0
AVA                0   0.0     0   0.0     0   0.0     0   0.0
AVG               80 100.0     0   0.0     0   0.0   672 100.0
AVK               80 100.0     4   5.0     0   0.0   672 100.0
AVP               80 100.0     4   5.0     0   0.0   672 100.0
AVX               80 100.0    17  21.3     1   1.3   669  99.6
CMD                0   0.0     0   0.0     0   0.0     0   0.0
DRW               80 100.0     2   2.5     0   0.0   672 100.0
ESA               78  97.5     0   0.0    77  96.3    78  11.6
FPW                0   0.0     0   0.0     0   0.0     0   0.0
FSE               80 100.0     3   3.8     0   0.0   672 100.0
FWN               80 100.0     4   5.0     0   0.0   672 100.0
INO                0   0.0     0   0.0     0   0.0     0   0.0
NAV                0   0.0     0   0.0     0   0.0     0   0.0
NOD               80 100.0     5   6.3     0   0.0   672 100.0
NVC                0   0.0     0   0.0     0   0.0     0   0.0
PAV               80 100.0     4   5.0     0   0.0   672 100.0
PRO                0   0.0     0   0.0     0   0.0     0   0.0
QHL                0   0.0     0   0.0     0   0.0     0   0.0
RAV                0   0.0     0   0.0     0   0.0     0   0.0
SCN                0   0.0     0   0.0     0   0.0     0   0.0
SWP               80 100.0     3   3.8     2   2.5   669  99.6
--------------------------------------------------------------


Table WNT.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows NT:
=================================================================
This includes      Viruses  ---- unreliably ----         Files
Scanner           detected  identified    detected    detected
--------------------------------------------------------------
Maximum           26 100.0                           329 100.0
--------------------------------------------------------------
ANT               15  57.7     0   0.0    15  57.7    36  10.9
ATD                2   7.7     0   0.0     2   7.7     4   1.2
AVA                0   0.0     0   0.0     0   0.0     0   0.0
AVG                0   0.0     0   0.0     0   0.0     0   0.0
AVK                0   0.0     0   0.0     0   0.0     0   0.0
AVP                2   7.7     0   0.0     2   7.7     4   1.2
AVX               25  96.2     0   0.0    25  96.2   129  39.2
CMD                1   3.8     0   0.0     1   3.8     2   0.6
DRW               21  80.8     0   0.0    21  80.8    94  28.6
ESA                2   7.7     0   0.0     2   7.7     4   1.2
FPW                1   3.8     0   0.0     1   3.8     2   0.6
FSE                1   3.8     0   0.0     1   3.8     2   0.6
FWN               24  92.3     0   0.0    24  92.3   174  52.9
INO               13  50.0     0   0.0    13  50.0    22   6.7
NAV                4  15.4     0   0.0     4  15.4     4   1.2
NOD                0   0.0     0   0.0     0   0.0     0   0.0
NVC                2   7.7     0   0.0     2   7.7     2   0.6
PAV                2   7.7     0   0.0     2   7.7     4   1.2
PRO                1   3.8     0   0.0     1   3.8     1   0.3
QHL                0   0.0     0   0.0     0   0.0     0   0.0
RAV               24  92.3     0   0.0    24  92.3   104  31.6
SCN                0   0.0     0   0.0     0   0.0     0   0.0
SWP                0   0.0     0   0.0     0   0.0     0   0.0
--------------------------------------------------------------
Remark: within 26 non-viral directories and totally 329 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table WNT.M5: "Macro-Malware": Results of "full" test for
              Macro-related malware under Windows NT:
=========================================================
This includes      Viruses  ---- unreliably ----         Files
Scanner           detected  identified    detected    detected
--------------------------------------------------------------
Testbed          260 100.0                           394 100.0
--------------------------------------------------------------
ANT              181  69.6     2   0.8     2   0.8   294  74.6
ATD              257  98.8     0   0.0     0   0.0   391  99.2
AVA              212  81.5     3   1.2     4   1.5   317  80.5
AVG              203  78.1     2   0.8     4   1.5   303  76.9
AVK              257  98.8     0   0.0     0   0.0   391  99.2
AVP              252  96.9     0   0.0     0   0.0   386  98.0
AVX              245  94.2     7   2.7     2   0.8   377  95.7
CLE                0   0.0     0   0.0     0   0.0     0   0.0
CMD              260 100.0     4   1.5     0   0.0   394 100.0
DRW              204  78.5     1   0.4     4   1.5   316  80.2
ESA              148  56.9     0   0.0    10   3.8   238  60.4
FPW              260 100.0     1   0.4     0   0.0   394 100.0
FSE              260 100.0     1   0.4     0   0.0   394 100.0
FWN              255  98.1     6   2.3     0   0.0   389  98.7
INO              253  97.3     4   1.5     3   1.2   384  97.5
NAV              214  82.3     1   0.4     3   1.2   319  81.0
NOD              250  96.2     0   0.0     2   0.8   381  96.7
NVC              248  95.4     7   2.7     2   0.8   364  92.4
PAV              257  98.8     0   0.0     0   0.0   391  99.2
PRO               64  24.6     0   0.0     5   1.9   107  27.2
QHL                0   0.0     0   0.0     0   0.0     0   0.0
RAV              248  95.4    14   5.4     5   1.9   373  94.7
SCN              259  99.6     4   1.5     0   0.0   393  99.7
SWP              247  95.0     2   0.8     4   1.5   377  95.7
--------------------------------------------------------------