==================================================
File 6DDOSMAC.TXT

DOS.III: Detailed results of Macro Virus Detection
         of on-demand scanner tests under DOS:
==================================================
(Formatted with non-proportional font: Courier)

The list of products participating in DOS Macro Virus
detection test is summarized in 6BDOSFIL.txt.

The following tables summarize detection and identification
quality concerning MACRO viruses as well as selected MACRO
MALWARE, both in full "zoo" virus collection and for viral
ITW testbed. Moreover, results for detection of macro viruses
in files compressed with 4 popular packing methods are also
given.

Finally, a special test was performed concerning "false
positive" virus detection of selected files which were
deliberately chosen from available CD-ROMs and which were
definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Results may be influenced by problems experienced during
tests; such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
FDOS.M1:  "MacroVirus 1": Results of "full" Zoo test for
          macro viruses
FDOS.M2:  "MacroVirus 2": Results of "In-The-Wild" test for
          macro viruses
FDOS.M3V: "Comparison of Detection Rate of Packed Viruses":
          Results of Detection Rate of ITW macro viruses
          packed with PKZIP, LHA, ARJ and RAR
FDOS.M3F: "Comparison of Detection Rate of Packed Viral
          Objects": Results of Detection Rate of objects
          infected with ITW macro viruses and packed with
          PKZIP, LHA, ARJ and RAR
FDOS.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
          of ITW macro Viruses Packed with PKZIP
FDOS.M3b: "LHA-Packed Macro Viruses": Results of Detection
          of ITW macro Viruses Packed with LHA
FDOS.M3c: "ARJ-Packed Macro Viruses": Results of Detection
          of ITW macro Viruses Packed with ARJ
FDOS.M3d: "RAR-Packed Macro Viruses": Results of Detection
          of ITW macro Viruses Packed with RAR
FDOS.M4:  "False Positive" macro virus detection: Results of
          "full" Zoo test for non-viral (clean) macro objects
          detected as "false positives"
FDOS.M5:  "Macro-Malware": Results of "full" Zoo test for
          Macro-related malware


Table FDOS.M1: "MacroVirus 1": Results of "full" Zoo Test
               for macro viruses under DOS:
==========================================================
                         This includes
           Viruses    ---- unreliably ----      Files
Scanner    detected   identified  detected     detected
----------------------------------------------------------
Testbed   4525 100.0                         12918 100.0
----------------------------------------------------------
ANT       3888  85.9   125  2.8    32  0.7   11262  87.2
AVA       4239  93.7    31  0.7    16  0.4   12193  94.4
AVP       4522  99.9    75  1.7     1  0.0   12906  99.9
CMD       4525 100.0    55  1.2     0  0.0   12918 100.0
DRW       4452  98.4    53  1.2    16  0.4   12759  98.8
FPR       4525 100.0     0  0.0     0  0.0   12918 100.0
FSE       4521  99.9    77  1.7     1  0.0   12904  99.9
INO       4512  99.7    78  1.7     3  0.1   12890  99.8
NAV       4408  97.4     0  0.0     7  0.2   12613  97.6
NOD       4500  99.4    48  1.1     3  0.1   12857  99.5
NVC       4521  99.9    48  1.1     2  0.0   12907  99.9
PAV       4522  99.9    75  1.7     1  0.0   12906  99.9
SCN       4525 100.0    95  2.1     0  0.0   12918 100.0
SWP       4453  98.4    36  0.8    15  0.3   12775  98.9
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M2: "MacroVirus 2": Results of "In-The-Wild" Test
               for macro viruses under DOS:
==========================================================
                         This includes
           Viruses    ---- unreliably ----      Files
Scanner    detected   identified  detected     detected
----------------------------------------------------------
Testbed     80 100.0                           672 100.0
----------------------------------------------------------
ANT         78  97.5     3  3.8     3  3.8     646  96.1
AVA         79  98.8     2  2.5     0  0.0     667  99.3
AVP         80 100.0     4  5.0     0  0.0     672 100.0
CMD         80 100.0     1  1.3     0  0.0     672 100.0
DRW         80 100.0     2  2.5     0  0.0     672 100.0
FPR         80 100.0     1  1.3     0  0.0     672 100.0
FSE         80 100.0     3  3.8     0  0.0     672 100.0
INO         80 100.0     5  6.3     0  0.0     672 100.0
NAV         79  98.8     0  0.0     0  0.0     667  99.3
NOD         80 100.0     5  6.3     0  0.0     672 100.0
NVC         80 100.0     5  6.3     0  0.0     672 100.0
PAV         80 100.0     4  5.0     0  0.0     672 100.0
SCN         80 100.0     7  8.8     0  0.0     672 100.0
SWP         80 100.0     3  3.8     3  3.8     667  99.3
VIT          7   8.8     0  0.0     3  3.8     178  26.5
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3V: "Comparison of Detection Rate of Packed
                Viruses": Results of Detection Rate of ITW
                macro viruses packed with PKZIP, LHA, ARJ
                and RAR
================================================================
                  Viruses detected per packer
Scanner    ZIP     %     LHA     %     ARJ     %     RAR     %
----------------------------------------------------------------
Testbed     80 100.0      80 100.0      80 100.0      80 100.0
----------------------------------------------------------------
ANT         78  97.5       0   0.0       0   0.0       0   0.0
AVA          0   0.0       0   0.0       0   0.0       0   0.0
AVP          0   0.0       0   0.0       0   0.0       0   0.0
CMD         80 100.0       0   0.0      80 100.0       0   0.0
DRW         80 100.0       0   0.0      80 100.0      80 100.0
FPR         80 100.0       0   0.0      80 100.0       0   0.0
FSE         80 100.0      80 100.0      80 100.0      80 100.0
INO         80 100.0       0   0.0      80 100.0       0   0.0
MR2          0   0.0       0   0.0       0   0.0       0   0.0
NAV         79  98.8       0   0.0       0   0.0       0   0.0
NOD         80 100.0       0   0.0      80 100.0      80 100.0
NVC          0   0.0       0   0.0      80 100.0       0   0.0
PAV         80 100.0      80 100.0      80 100.0      80 100.0
SCN         80 100.0      80 100.0      80 100.0      80 100.0
SWP         80 100.0       0   0.0      80 100.0      80 100.0
VIT          0   0.0       0   0.0       0   0.0       0   0.0
VSP          0   0.0       0   0.0       0   0.0       0   0.0
----------------------------------------------------------------


Table FDOS.M3F: "Comparison of Detection Rate of Packed Viral
                Objects": Results of Detection Rate of objects
                infected with ITW macro viruses and packed
                with PKZIP, LHA, ARJ and RAR
================================================================
         This includes Viral objects detected per packer
Scanner    ZIP     %     LHA     %     ARJ     %     RAR     %
----------------------------------------------------------------
Testbed    672 100.0%    672 100.0%    672 100.0%    672 100.0%
----------------------------------------------------------------
ANT         78  11.6       0   0.0       0   0.0       0   0.0
AVA          0   0.0       0   0.0       0   0.0       0   0.0
AVP          0   0.0       0   0.0       0   0.0       0   0.0
CMD        672 100.0       0   0.0     672 100.0       0   0.0
DRW        672 100.0       0   0.0     672 100.0     672 100.0
FPR        672 100.0       0   0.0     672 100.0       0   0.0
FSE        672 100.0     672 100.0     672 100.0     672 100.0
INO        672 100.0       0   0.0     672 100.0       0   0.0
MR2          0   0.0       0   0.0       0   0.0       0   0.0
NAV        667  99.3       0   0.0       0   0.0       0   0.0
NOD        672 100.0       0   0.0     672 100.0     672 100.0
NVC          0   0.0       0   0.0     672 100.0       0   0.0
PAV        672 100.0     672 100.0     672 100.0     672 100.0
SCN        672 100.0     672 100.0     672 100.0     672 100.0
SWP        669  99.6       0   0.0     669  99.6     669  99.6
VIT          0   0.0       0   0.0       0   0.0       0   0.0
VSP          0   0.0       0   0.0       0   0.0       0   0.0
----------------------------------------------------------------


Table FDOS.M3a: "PKZIP-Packed Macro Viruses": Results of
                Detection of ITW Macro Viruses Packed with
                PKZIP under DOS:
==========================================================
                         This includes
           Viruses    ---- unreliably ----      Files
Scanner    detected   identified  detected     detected
----------------------------------------------------------
Testbed     80 100.0                           672 100.0
----------------------------------------------------------
ANT         78  97.5     0  0.0    77 96.3      78  11.6
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVP          0   0.0     0  0.0     0  0.0       0   0.0
CMD         80 100.0     1  1.3     0  0.0     672 100.0
DRW         80 100.0     2  2.5     0  0.0     672 100.0
FPR         80 100.0     1  1.3     0  0.0     672 100.0
FSE         80 100.0     3  3.8     0  0.0     672 100.0
INO         80 100.0     5  6.3     0  0.0     672 100.0
NAV         79  98.8     4  5.0     0  0.0     667  99.3
NOD         80 100.0     5  6.3     0  0.0     672 100.0
NVC          0   0.0     0  0.0     0  0.0       0   0.0
PAV         80 100.0     4  5.0     0  0.0     672 100.0
SCN         80 100.0     3  3.8     0  0.0     672 100.0
SWP         80 100.0     3  3.8     2  2.5     669  99.6
VIT          0   0.0     0  0.0     0  0.0       0   0.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3b: "LHA-Packed Macro Viruses": Results of
                Detection of ITW Macro Viruses Packed with
                LHA under DOS:
==========================================================
                         This includes
           Viruses    ---- unreliably ----      Files
Scanner    detected   identified  detected     detected
----------------------------------------------------------
Testbed     80 100.0                           672 100.0
----------------------------------------------------------
ANT          0   0.0     0  0.0     0  0.0       0   0.0
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVP          0   0.0     0  0.0     0  0.0       0   0.0
CMD          0   0.0     0  0.0     0  0.0       0   0.0
DRW          0   0.0     0  0.0     0  0.0       0   0.0
FPR          0   0.0     0  0.0     0  0.0       0   0.0
FSE         80 100.0     3  3.8     0  0.0     672 100.0
INO          0   0.0     0  0.0     0  0.0       0   0.0
NAV          0   0.0     0  0.0     0  0.0       0   0.0
NOD          0   0.0     0  0.0     0  0.0       0   0.0
NVC          0   0.0     0  0.0     0  0.0       0   0.0
PAV         80 100.0     4  5.0     0  0.0     672 100.0
SCN         80 100.0     3  3.8     0  0.0     672 100.0
SWP          0   0.0     0  0.0     0  0.0       0   0.0
VIT          0   0.0     0  0.0     0  0.0       0   0.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3c: "ARJ-Packed Macro Viruses": Results of
                Detection of ITW Macro Viruses Packed with
                ARJ under DOS:
==========================================================
                         This includes
           Viruses    ---- unreliably ----      Files
Scanner    detected   identified  detected     detected
----------------------------------------------------------
Testbed     80 100.0                           672 100.0
----------------------------------------------------------
ANT          0   0.0     0  0.0     0  0.0       0   0.0
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVP          0   0.0     0  0.0     0  0.0       0   0.0
CMD         80 100.0     1  1.3     0  0.0     672 100.0
DRW         80 100.0     2  2.5     0  0.0     672 100.0
FPR         80 100.0     1  1.3     0  0.0     672 100.0
FSE         80 100.0     3  3.8     0  0.0     672 100.0
INO         80 100.0     5  6.3     0  0.0     672 100.0
NAV          0   0.0     0  0.0     0  0.0       0   0.0
NOD         80 100.0     5  6.3     0  0.0     672 100.0
NVC         80 100.0     5  6.3     0  0.0     672 100.0
PAV         80 100.0     4  5.0     0  0.0     672 100.0
SCN         80 100.0     3  3.8     0  0.0     672 100.0
SWP         80 100.0     3  3.8     2  2.5     669  99.6
VIT          0   0.0     0  0.0     0  0.0       0   0.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3d: "RAR-Packed Macro Viruses": Results of
                Detection of ITW Macro Viruses Packed with
                RAR under DOS:
==========================================================
                         This includes
           Viruses    ---- unreliably ----      Files
Scanner    detected   identified  detected     detected
----------------------------------------------------------
Testbed     80 100.0                           672 100.0
----------------------------------------------------------
ANT          0   0.0     0  0.0     0  0.0       0   0.0
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVP          0   0.0     0  0.0     0  0.0       0   0.0
CMD          0   0.0     0  0.0     0  0.0       0   0.0
DRW         80 100.0     2  2.5     0  0.0     672 100.0
FPR          0   0.0     0  0.0     0  0.0       0   0.0
FSE         80 100.0     3  3.8     0  0.0     672 100.0
INO          0   0.0     0  0.0     0  0.0       0   0.0
NAV          0   0.0     0  0.0     0  0.0       0   0.0
NOD         80 100.0     5  6.3     0  0.0     672 100.0
NVC          0   0.0     0  0.0     0  0.0       0   0.0
PAV         80 100.0     4  5.0     0  0.0     672 100.0
SCN         80 100.0     3  3.8     0  0.0     672 100.0
SWP         80 100.0     3  3.8     2  2.5     669  99.6
VIT          0   0.0     0  0.0     0  0.0       0   0.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M4: "False Positive" macro virus detection:
               Results of "full" Zoo test for non-viral
               (clean) macro objects detected as "false
               positives" under DOS:
==========================================================
           False         This includes
           Virus      ---- unreliably ----      Files
Scanner    Alarm      identified  detected     detected
----------------------------------------------------------
Maximum     26 100.0                           329 100.0
----------------------------------------------------------
ANT          0   0.0     0  0.0     0  0.0       0   0.0
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVP          2   7.7     0  0.0     2  7.7       4   1.2
CMD          1   3.8     0  0.0     1  3.8       2   0.6
DRW         21  80.8     0  0.0    21 80.8      94  28.6
FPR          1   3.8     0  0.0     1  3.8       2   0.6
FSE          0   0.0     0  0.0     0  0.0       0   0.0
INO         13  50.0     0  0.0    13 50.0      22   6.7
NAV          4  15.4     0  0.0     4 15.4       4   1.2
NOD          0   0.0     0  0.0     0  0.0       0   0.0
NVC          2   7.7     0  0.0     2  7.7       2   0.6
PAV          0   0.0     0  0.0     0  0.0       0   0.0
SCN          0   0.0     0  0.0     0  0.0       0   0.0
SWP          0   0.0     0  0.0     0  0.0       0   0.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------
Remark: within 26 non-viral directories and totally 329
        non-viral objects, at least one sample in N
        directories was falsely detected
        (N = number in column 1)


Table FDOS.M5: "Macro-Malware": Results of "full" Zoo Test
               for Macro-related malware under DOS:
==========================================================
                         This includes
           Malware    ---- unreliably ----      Files
Scanner    detected   identified  detected     detected
----------------------------------------------------------
Testbed    260 100.0                           394 100.0
----------------------------------------------------------
ANT        175  67.3     1  0.4     2  0.8     284  72.1
AVA        210  80.8     3  1.2     4  1.5     315  79.9
AVP        252  96.9     0  0.0     0  0.0     386  98.0
CMD        260 100.0     4  1.5     0  0.0     394 100.0
DRW        204  78.5     1  0.4     4  1.5     316  80.2
FPR        260 100.0     1  0.4     0  0.0     394 100.0
FSE        250  96.2     0  0.0     0  0.0     384  97.5
INO        247  95.0     4  1.5     3  1.2     378  95.9
NAV        212  81.5     0  0.0     3  1.2     317  80.5
NOD        250  96.2     0  0.0     2  0.8     381  96.7
NVC        248  95.4     7  2.7     2  0.8     364  92.4
PAV        257  98.8     0  0.0     0  0.0     391  99.2
SCN        259  99.6     7  2.7     0  0.0     393  99.7
SWP        247  95.0     2  0.8     4  1.5     377  95.7
VIT          5   1.9     0  0.0     0  0.0       8   2.0
VSP          1   0.4     0  0.0     0  0.0       1   0.3
----------------------------------------------------------