===============================================
File 6BDOSFIL.TXT

DOS.I: Detailed results of File Virus Detection
of on-demand scanner tests under DOS:
===============================================
(Formatted with non-proportional font: Courier)

The following 16 products (versions) participated in DOS
(File, Boot and Macro virus) tests (for details of AV producers:
see A2SCNLS.txt, which also includes several scanners which did
not install or execute at all):

  ANT: v: 5.21.0.0          sig: Dec.03, 1999
  AVA: v: 7.70-35           sig: Nov.25, 1999
  AVP: v: 3.0 build 132
  CMD: v: 4.58.0
  DRW: v: 4.14              sig: Oct.26, 1999
  FPR: v: 3.06c
  FSE: v: 3.0 Build 132
  INO: v: V4.5 n(s)
  NAV: v: 1.0
  NVC: v: 4.73.02           sig: Nov.23, 1999
  NOD: v: 1.29
  PAV: v: 3.0 build 132
  SCN: v: 4.5.0             sig: Nov.30, 1999
  SWP: 3.28 (AH)            sig: Dec.06, 1999
  VIT: 2.0.19               sig: Dec.01, 1999
  VSP: 11.90.04             sig: Nov. 1999

The following tables summarize detection and identification
quality concerning FILE viruses as well as selected FILE MALWARE,
both in the full "zoo" virus collection and for the viral ITW
testbed.

Additionally, test results are reported concerning detection of
(6*10,000) viruses in a testbed with generations of 6 polymorphic
file viruses, as well as a subset of 10,706 viruses generated
from the VKIT virus construction kit.

Moreover, results for detection of viruses in files compressed
with 4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen
from available CD-ROMs and which were definitively clean of
viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Results may be influenced by problems experienced during tests;
such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
FDOS.F1:  "FileVirus 1": Results of "full" Zoo test
          for file viruses
FDOS.F2:  "FileVirus 2": Results of "In-The-Wild" test
          for file viruses
FDOS.FA:  "Polyfile-Test": Results of Polymorphic test
FDOS.FB:  "VKIT Test": Results of VKIT file virus test
FDOS.F3V: "Comparison of Detection Rate of Packed Viruses":
          Results of Detection Rate of ITW file viruses
          packed with PKZIP, LHA, ARJ and RAR
FDOS.F3F: "Comparison of Detection Rate of Packed Viral Objects":
          Results of Detection Rate of objects infected with ITW
          file viruses and packed with PKZIP, LHA, ARJ and RAR
FDOS.F3a: "PKZIP-Packed File Viruses": Results of Detection
          of ITW File Viruses Packed with PKZIP
FDOS.F3b: "LHA-Packed File Viruses": Results of Detection
          of ITW File Viruses Packed with LHA
FDOS.F3c: "ARJ-Packed File Viruses": Results of Detection
          of ITW File Viruses Packed with ARJ
FDOS.F3d: "RAR-Packed File Viruses": Results of Detection
          of ITW File Viruses Packed with RAR
FDOS.F4:  "False Positive" detection: Results of "full" Zoo test
          for Non-viral (clean) samples detected as
          "False Positives"
FDOS.F5:  "File Malware": Results of "full" Zoo test
          for File-related malware


Table FDOS.F1: "FileVirus 1": Results of "full" Zoo test
               for file viruses under DOS:
==========================================================
                         This includes
             Viruses  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Testbed  18359 100.0                          135907 100.0
----------------------------------------------------------
ANT      17040  92.8  1400   7.6   480   2.6  128322  94.4
AVA      17906  97.5   800   4.4   132   0.7  133199  98.0
AVP      18294  99.6   410   2.2   115   0.6  135257  99.5
CMD      18271  99.5    62   0.3     2   0.0  135698  99.8
FPR      18288  99.6    10   0.1     3   0.0  135750  99.9
FSE      18347  99.9   452   2.5    13   0.1  135863 100.0
INO      17360  94.6   594   3.2   176   1.0  128477  94.5
NAV      17131  93.3     0   0.0   463   2.5  127800  94.0
NOD      18053  98.3  2160  11.8   200   1.1  134283  98.8
NVC      18192  99.1  1263   6.9   113   0.6  134822  99.2
PAV      18121  98.7   439   2.4     6   0.0  134107  98.7
SCN      18338  99.9   603   3.3    12   0.1  135636  99.8
SWP      18073  98.4   867   4.7    61   0.3  134631  99.1
VIT       1398   7.6    19   0.1   387   2.1    9169   6.7
----------------------------------------------------------


Table FDOS.F2: "FileVirus 2": Results of "In-The-Wild" Test
               for file viruses under DOS:
==========================================================
                         This includes
             Viruses  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Testbed     39 100.0                            1047 100.0
----------------------------------------------------------
ANT         35  89.7     2   5.1     4  10.3     995  95.0
AVA         39 100.0     4  10.3     3   7.7    1044  99.7
AVP         39 100.0     0   0.0     3   7.7    1044  99.7
CMD         39 100.0     2   5.1     0   0.0    1047 100.0
DRW         39 100.0     3   7.7     1   2.6    1046  99.9
FPR         39 100.0     0   0.0     0   0.0    1047 100.0
FSE         39 100.0     3   7.7     2   5.1    1045  99.8
INO         39 100.0     3   7.7     2   5.1    1045  99.8
NAV         39 100.0     0   0.0     2   5.1    1045  99.8
NOD         39 100.0    10  25.6     0   0.0    1047 100.0
NVC         39 100.0     4  10.3     2   5.1    1045  99.8
PAV         39 100.0     0   0.0     2   5.1    1045  99.8
SCN         39 100.0     3   7.7     0   0.0    1047 100.0
SWP         39 100.0     2   5.1     1   2.6    1046  99.9
VIT         18  46.2     0   0.0     4  10.3     656  62.7
VSP         24  61.5     7  17.9     3   7.7     888  84.8
----------------------------------------------------------


Table FDOS.FA: "Polyfile-Test": Results of Polymorphic test:
==========================================================
                         This includes
             Viruses  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Maximum      6 100.0                           60000 100.0
----------------------------------------------------------
ANT          6 100.0     1  16.7     0   0.0   60000 100.0
AVA          6 100.0     2  33.3     1  16.7   59999 100.0
AVP          6 100.0     0   0.0     0   0.0   60000 100.0
CMD          6 100.0     1  16.7     0   0.0   60000 100.0
DRW          6 100.0     0   0.0     0   0.0   60000 100.0
FPR          6 100.0     1  16.7     0   0.0   60000 100.0
FSE          6 100.0     0   0.0     0   0.0   60000 100.0
INO          6 100.0     2  33.3     0   0.0   60000 100.0
NAV          6 100.0     0   0.0     0   0.0   60000 100.0
NOD          6 100.0     0   0.0     0   0.0   60000 100.0
NVC          6 100.0     1  16.7     0   0.0   60000 100.0
PAV          6 100.0     0   0.0     0   0.0   60000 100.0
SCN          6 100.0     1  16.7     1  16.7   59997 100.0
SWP          6 100.0     2  33.3     0   0.0   60000 100.0
VIT          4  66.7     0   0.0     4  66.7     147   0.2
VSP          6 100.0     2  33.3     3  50.0   58857  98.1
----------------------------------------------------------
Remark: For 6 polymorphic viruses (with Maltese Amoeba,
MTE.Encroacher.B, NATAS, TREMOR, One-Half and Tequila as in the
previous test), 10,000 generations each were produced with VTC's
dynamic polymorphic generation and test engine. For each virus,
100 directories including infected objects with goat files of
lengths ranging from 1 kByte to 100 kByte were generated.


Table FDOS.FB: "VKIT Test": Results of VKIT file virus test:
==========================================================
                         This includes
             Viruses  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Testbed  10706 100.0                          104640 100.0
----------------------------------------------------------
ANT      10706 100.0  1365  12.7     3   0.0  104636 100.0
AVA      10706 100.0  1642  15.3    23   0.2  104595 100.0
AVP      10706 100.0  1194  11.2     0   0.0  104640 100.0
CMD      10704 100.0  1135  10.6     5   0.0  104630 100.0
DRW      10706 100.0  1006   9.4     2   0.0  104638 100.0
FPR      10706 100.0  1438  13.4     3   0.0  104636 100.0
FSE      10706 100.0  1194  11.2     0   0.0  104640 100.0
INO      10703 100.0  1261  11.8     8   0.1  104579  99.9
NAV      10696  99.9     0   0.0   120   1.1  103947  99.3
NOD      10705 100.0  3001  28.0     4   0.0  104635 100.0
NVC      10704 100.0  6198  57.9   327   3.1  102041  97.5
PAV      10706 100.0  1194  11.2     0   0.0  104640 100.0
SCN      10706 100.0  2763  25.8     0   0.0  104640 100.0
SWP      10706 100.0   748   7.0     1   0.0  104639 100.0
VIT        189   1.8     0   0.0    57   0.5    1124   1.1
VSP      10638  99.4  5925  55.3    71   0.7  103416  98.8
----------------------------------------------------------
Remark: A testbed of 10,706 viruses generated with the VKIT
virus generator (out of about 14,000 viruses which can be
generated) was used to test detection quality.
This test was separated from the "normal" file virus test
1) because there is no agreement between AV producers whether
viruses from VKIT should be counted just as 1 or as 14,000
different viruses (boosting the number of detected viruses to
over 40,000), and 2) because of the large size of this special
testbed.


Table FDOS.F3V: "Comparison of Detection Rate of Packed Viruses":
                Results of Detection Rate of ITW file viruses
                packed with PKZIP, LHA, ARJ and RAR
================================================================
          This includes Viruses detected per packer
Scanner   ZIP     %    LHA     %    ARJ     %    RAR     %
----------------------------------------------------------------
Testbed    39 100.0%    39 100.0%    39 100.0%    39 100.0%
----------------------------------------------------------------
ANT        35  89.7      2   5.1      2   5.1      3   7.7
AVA         2   5.1      3   7.7      3   7.7      4  10.3
AVP         0   0.0      0   0.0      0   0.0      0   0.0
CMD        39 100.0      0   0.0     39 100.0      0   0.0
DRW        10  25.6      0   0.0     10  25.6     10  25.6
FPR        39 100.0      0   0.0     39 100.0      0   0.0
FSE        39 100.0     39 100.0     39 100.0     39 100.0
INO        38  97.4      0   0.0     39 100.0      1   2.6
NAV        39 100.0      0   0.0      0   0.0      0   0.0
NOD        39 100.0      0   0.0     39 100.0     39 100.0
NVC         1   2.6      0   0.0     39 100.0      1   2.6
PAV        39 100.0     39 100.0     39 100.0     39 100.0
SCN        39 100.0     39 100.0     39 100.0     39 100.0
SWP        39 100.0      0   0.0     39 100.0     39 100.0
VIT         0   0.0      0   0.0      0   0.0      0   0.0
VSP         2   5.1      2   5.1      2   5.1      2   5.1
----------------------------------------------------------------


Table FDOS.F3F: "Comparison of Detection Rate of Packed Viral
                Objects": Results of Detection Rate of objects
                infected with ITW file viruses and packed with
                PKZIP, LHA, ARJ and RAR
================================================================
          This includes Viral objects detected per packer
Scanner   ZIP     %    LHA     %    ARJ     %    RAR     %
----------------------------------------------------------------
Testbed  1047 100.0%  1047 100.0%  1047 100.0%  1047 100.0%
----------------------------------------------------------------
ANT        35   3.3      2   0.2      2   0.2      3   0.3
AVA         2   0.2      3   0.3      3   0.3      4   0.4
AVP         0   0.0      0   0.0      0   0.0      0   0.0
CMD      1047 100.0      0   0.0   1047 100.0      0   0.0
DRW        86   8.2      0   0.0     86   8.2     86   8.2
FPR      1047 100.0      0   0.0   1047 100.0      0   0.0
FSE      1045  99.8   1045  99.8   1045  99.8   1045  99.8
INO      1025  97.9      0   0.0   1045  99.8      1   0.1
NAV      1045  99.8      0   0.0      0   0.0      0   0.0
NOD      1047 100.0      0   0.0   1047 100.0   1047 100.0
NVC         1   0.1      0   0.0   1045  99.8      1   0.1
PAV      1045  99.8   1045  99.8   1045  99.8   1045  99.8
SCN      1047 100.0   1047 100.0   1047 100.0   1047 100.0
SWP      1046  99.9      0   0.0   1046  99.9   1046  99.9
VIT         0   0.0      0   0.0      0   0.0      0   0.0
VSP         2   0.2      2   0.2      2   0.2      2   0.2
----------------------------------------------------------------


Table FDOS.F3a: "PKZIP-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with PKZIP under DOS:
==========================================================
                         This includes
             Viruses  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Testbed     39 100.0                            1047 100.0
----------------------------------------------------------
ANT         35  89.7     0   0.0    34  87.2      35   3.3
AVA          2   5.1     0   0.0     2   5.1       2   0.2
AVP          0   0.0     0   0.0     0   0.0       0   0.0
CMD         39 100.0     2   5.1     0   0.0    1047 100.0
DRW         10  25.6     0   0.0     1   2.6      86   8.2
FPR         39 100.0     0   0.0     0   0.0    1047 100.0
FSE         39 100.0     3   7.7     2   5.1    1045  99.8
INO         38  97.4     3   7.7     1   2.6    1025  97.9
NAV         39 100.0     3   7.7     2   5.1    1045  99.8
NOD         39 100.0    13  33.3     0   0.0    1047 100.0
NVC          1   2.6     0   0.0     1   2.6       1   0.1
PAV         39 100.0     0   0.0     2   5.1    1045  99.8
SCN         39 100.0     3   7.7     0   0.0    1047 100.0
SWP         39 100.0     2   5.1     1   2.6    1046  99.9
VIT          0   0.0     0   0.0     0   0.0       0   0.0
VSP          2   5.1     0   0.0     2   5.1       2   0.2
----------------------------------------------------------


Table FDOS.F3b: "LHA-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with LHA under DOS:
==========================================================
                         This includes
             Viruses  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Testbed     39 100.0                            1047 100.0
----------------------------------------------------------
ANT          2   5.1     0   0.0     2   5.1       2   0.2
AVA          3   7.7     0   0.0     3   7.7       3   0.3
AVP          0   0.0     0   0.0     0   0.0       0   0.0
CMD          0   0.0     0   0.0     0   0.0       0   0.0
DRW          0   0.0     0   0.0     0   0.0       0   0.0
FPR          0   0.0     0   0.0     0   0.0       0   0.0
FSE         39 100.0     3   7.7     2   5.1    1045  99.8
INO          0   0.0     0   0.0     0   0.0       0   0.0
NAV          0   0.0     0   0.0     0   0.0       0   0.0
NOD          0   0.0     0   0.0     0   0.0       0   0.0
NVC          0   0.0     0   0.0     0   0.0       0   0.0
PAV         39 100.0     0   0.0     2   5.1    1045  99.8
SCN         39 100.0     3   7.7     0   0.0    1047 100.0
SWP          0   0.0     0   0.0     0   0.0       0   0.0
VIT          0   0.0     0   0.0     0   0.0       0   0.0
VSP          2   5.1     0   0.0     2   5.1       2   0.2
----------------------------------------------------------


Table FDOS.F3c: "ARJ-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with ARJ under DOS:
==========================================================
                         This includes
             Viruses  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Testbed     39 100.0                            1047 100.0
----------------------------------------------------------
ANT          2   5.1     0   0.0     2   5.1       2   0.2
AVA          3   7.7     0   0.0     3   7.7       3   0.3
AVP          0   0.0     0   0.0     0   0.0       0   0.0
CMD         39 100.0     2   5.1     0   0.0    1047 100.0
DRW         10  25.6     0   0.0     1   2.6      86   8.2
FPR         39 100.0     0   0.0     0   0.0    1047 100.0
FSE         39 100.0     3   7.7     2   5.1    1045  99.8
INO         39 100.0     3   7.7     2   5.1    1045  99.8
NAV          0   0.0     0   0.0     0   0.0       0   0.0
NOD         39 100.0    13  33.3     0   0.0    1047 100.0
NVC         39 100.0     4  10.3     2   5.1    1045  99.8
PAV         39 100.0     0   0.0     2   5.1    1045  99.8
SCN         39 100.0     4  10.3     0   0.0    1047 100.0
SWP         39 100.0     2   5.1     1   2.6    1046  99.9
VIT          0   0.0     0   0.0     0   0.0       0   0.0
VSP          2   5.1     0   0.0     2   5.1       2   0.2
----------------------------------------------------------


Table FDOS.F3d: "RAR-Packed File Viruses": Results of Detection
                of ITW File Viruses Packed with RAR under DOS:
==========================================================
                         This includes
             Viruses  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Testbed     39 100.0                            1047 100.0
----------------------------------------------------------
ANT          3   7.7     0   0.0     3   7.7       3   0.3
AVA          4  10.3     0   0.0     4  10.3       4   0.4
AVP          0   0.0     0   0.0     0   0.0       0   0.0
CMD          0   0.0     0   0.0     0   0.0       0   0.0
DRW         10  25.6     0   0.0     1   2.6      86   8.2
FPR          0   0.0     0   0.0     0   0.0       0   0.0
FSE         39 100.0     3   7.7     2   5.1    1045  99.8
INO          1   2.6     0   0.0     1   2.6       1   0.1
NAV          0   0.0     0   0.0     0   0.0       0   0.0
NOD         39 100.0    13  33.3     0   0.0    1047 100.0
NVC          1   2.6     0   0.0     1   2.6       1   0.1
PAV         39 100.0     0   0.0     2   5.1    1045  99.8
SCN         39 100.0     3   7.7     0   0.0    1047 100.0
SWP         39 100.0     2   5.1     1   2.6    1046  99.9
VIT          0   0.0     0   0.0     0   0.0       0   0.0
VSP          2   5.1     0   0.0     2   5.1       2   0.2
----------------------------------------------------------


Table FDOS.F4: "False Positive" detection: Results of "full" Zoo
               test for Non-viral (clean) samples detected as
               "False Positives" under DOS:
==========================================================
               False     This includes
               Virus  ---- unreliably ----           Files
Scanner        Alarm  identified    detected      detected
----------------------------------------------------------
Maximum     38 100.0                            1851 100.0
----------------------------------------------------------
ANT          2   5.3     0   0.0     2   5.3       2   0.1
AVA          0   0.0     0   0.0     0   0.0       0   0.0
AVP          0   0.0     0   0.0     0   0.0       0   0.0
CMD          0   0.0     0   0.0     0   0.0       0   0.0
FPR          0   0.0     0   0.0     0   0.0       0   0.0
FSE         38 100.0     0   0.0    38 100.0     997  53.9
INO          1   2.6     0   0.0     1   2.6       1   0.1
NAV          0   0.0     0   0.0     0   0.0       0   0.0
NOD          9  23.7     0   0.0     9  23.7      11   0.6
NVC          0   0.0     0   0.0     0   0.0       0   0.0
PAV          0   0.0     0   0.0     0   0.0       0   0.0
SCN          0   0.0     0   0.0     0   0.0       0   0.0
SWP          0   0.0     0   0.0     0   0.0       0   0.0
VIT          0   0.0     0   0.0     0   0.0       0   0.0
----------------------------------------------------------
Remark: within 38 non-viral directories and a total of 1851
non-viral objects, at least one sample in N directories was
falsely detected (N = number in column 1).


Table FDOS.F5: "File Malware": Results of "full" Zoo test
               for File-related malware under DOS:
==========================================================
                         This includes
             Malware  ---- unreliably ----           Files
Scanner     detected  identified    detected      detected
----------------------------------------------------------
Testbed   4282 100.0                            6639 100.0
----------------------------------------------------------
AVA       2420  56.5    69   1.6    47   1.1    3757  56.6
AVP       3561  83.2    91   2.1    79   1.8    5588  84.2
CMD       3972  92.8    27   0.6    37   0.9    6174  93.0
FPR       4080  95.3     0   0.0    34   0.8    6309  95.0
FSE       4049  94.6   117   2.7    10   0.2    6346  95.6
INO       3197  74.7    44   1.0    69   1.6    5069  76.4
NAV       3145  73.4     0   0.0   131   3.1    4908  73.9
NOD       3323  77.6   144   3.4   104   2.4    5228  78.7
NVC       2777  64.9   110   2.6    82   1.9    4434  66.8
PAV       3888  90.8   103   2.4    17   0.4    6131  92.3
SCN       3999  93.4    97   2.3    11   0.3    6269  94.4
SWP       3352  78.3    83   1.9   116   2.7    5138  77.4
VIT        269   6.3     0   0.0    28   0.7     378   5.7
VSP       2162  50.5   109   2.5    57   1.3    3020  45.5
----------------------------------------------------------