================================================
File 6GWNT.TXT:
Detailed results of File and Macro Virus related
on-demand scanner tests under Windows NT:
================================================
(Formatted with non-proportional font: Courier; 72 columns)

The following 26 products (versions) participated in W-NT tests
(for details of related AV producers: see A2SCNLS.txt):

ANT  v: 1.1200.06 German            sig: VDF 5.21.0.0(0) Nov.27,1999
ATD  v: 1.5 build Nov.25,1999       sig: Nov.27,1999
AVA  v: 3.0 build 197               sig: Nov.25,1999
AVG  v: 6.0 Release 6.0.96          sig: Nov.22,1999
AVK  v: 9.0.6                       sig: Nov.12,1999
AVP  v: 3.0.132.4                   sig: Nov.22,1999
AVX  v: 5.1 build 0001              sig: Nov.26,1999
CLE  v: 3.0 build 3122
CMD  v: 4.58                        macdef: Nov.27,1999; sig: Nov.28,1999
DRW  v: 4.14                        sig: Nov.26,1999
ESA  v: 2.1                         sig: Dec.01,1999
FPW  v: 3.06C                       macdef: Nov.22,1999; sig: Nov.28,1999
FSE  v: 4.06.1470                   sig: Nov.30,1999
FWN  v: 1.86                        sig: Sept.19,1999 (rec: Nov.1999)
INO  v: 4.53                        sig: 6.0 Nov.12,1999
MKS  v: 1.0                         sig: Nov.23,1999
NAV  v: 5.01.01                     sig: Nov.29,1999
NOD  v: 1.29                        sig: Dec.04,1999
NVC  v: 4.73                        sig: Nov.28,1999
PAV  v: 3.0 build 129               sig: Nov.27,1999
PRO  v: 6.7.B05
QHL  v: 5.21                        sig: Nov.26,1999
RAV  v: 7.6
SCN  v: 4.0.3 Engine 4.0.50         sig: 4054 Dec.01,1999
SWP  v: 3.28 build 4.10 Engine V.1.3  sig: Dec.06,1999
VSP  v: 11.90.04                    sig: November 1999

The following tables summarize detection and identification quality
concerning FILE and MACRO viruses as well as selected FILE and MACRO
MALWARE, both in full "zoo" virus collection and for viral ITW testbed.
Additionally, test results are reported concerning detection of
(4*10,000) viruses in a testbed with generations of 6 polymorphic file
viruses, as well as a subset of 10,706 viruses generated from VKIT
virus construction kit. Moreover, results for detection of viruses in
files compressed with 4 popular packing methods are also given.
Finally, a special test was performed concerning "false positive" virus
detection of selected files which were deliberately chosen from
available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT. Results may
be influenced by problems experienced during tests; such problems are
documented in 8PROBLMS.TXT.

Index of tables:
----------------
WNT.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
WNT.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
WNT.FA:  "Polyfile-Test": Results of Polymorphic test
WNT.FB:  "VKIT Test": Results of VKIT file virus test
WNT.F3V: "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses packed
         with PKZIP, LHA, ARJ and RAR
WNT.F3F: "Comparison of Detection Rate of Packed Viral Objects":
         Results of Detection Rate of objects infected with ITW
         file viruses and packed with PKZIP, LHA, ARJ and RAR
WNT.F3a: "PKZIP-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with PKZIP
WNT.F3b: "LHA-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with LHA
WNT.F3c: "ARJ-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with ARJ
WNT.F3d: "RAR-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with RAR
WNT.F4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) file samples detected as "False positives"
WNT.F5:  "File Malware": Results of "full" Zoo test for
         File-related malware
WNT.M1:  "MacroVirus 1": Results of "full" test for macro viruses
WNT.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
WNT.M3:  "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses packed
         with PKZIP, LHA, ARJ and RAR
WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with PKZIP
WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with LHA
WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with ARJ
WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with RAR
WNT.M4:  "False Positive" detection: Results of "full" zoo test for
         non-viral (clean) macro objects detected as "false positives"
WNT.M5:  "Macro-Malware": Results of "full" zoo test for
         Macro-related malware


Table WNT.F1: "FileVirus 1": Results of "full" test
              for file viruses under Windows NT:
===================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed  18359 100.0                             135907 100.0
-------------------------------------------------------------
ANT      17040  92.8   1399   7.6    480   2.6   128322  94.4
ATD      18351 100.0    426   2.3      0   0.0   135890 100.0
AVA      17840  97.2    644   3.5    143   0.8   133042  97.9
AVG      15681  85.4    527   2.9    318   1.7   120884  88.9
AVK      18295  99.7    408   2.2     34   0.2   135783  99.9
AVP      18349  99.9    426   2.3      0   0.0   135888 100.0
AVX      14756  80.4   2203  12.0   1310   7.1   107384  79.0
CMD      18287  99.6     55   0.3      3   0.0   135747  99.9
DRW      18054  98.3    472   2.6    190   1.0   134259  98.8
ESA      10647  58.0    270   1.5    555   3.0    84521  62.2
FPW      18287  99.6     11   0.1      3   0.0   135748  99.9
FSE      18350 100.0     82   0.4      1   0.0   135881 100.0
INO      18114  98.7    607   3.3    183   1.0   134743  99.1
MKS      14311  78.0      0   0.0    481   2.6   105264  77.5
NAV      17768  96.8   1327   7.2    274   1.5   132865  97.8
NOD      18053  98.3   2159  11.8    201   1.1   134282  98.8
NVC      18193  99.1   1263   6.9    112   0.6   134826  99.2
PAV      18351 100.0    426   2.3      0   0.0   135890 100.0
PRO       8368  45.6    537   2.9    914   5.0    66389  48.8
RAV      16147  88.0   1286   7.0    652   3.6   121343  89.3
SCN      18330  99.8    544   3.0     10   0.1   135590  99.8
SWP      18278  99.6    878   4.8     24   0.1   135346  99.6
VSP      14333  78.1   2787  15.2   1255   6.8    96240  70.8
-------------------------------------------------------------


Table WNT.F2: "FileVirus 2": Results of "In-The-Wild" test
              for file viruses under Windows NT:
======================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     39 100.0                               1047 100.0
-------------------------------------------------------------
ANT         35  89.7      2   5.1      4  10.3      995  95.0
ATD         39 100.0      0   0.0      1   2.6     1046  99.9
AVA         39 100.0      2   5.1      2   5.1     1045  99.8
AVG         39 100.0      7  17.9      3   7.7     1043  99.6
AVK         39 100.0      0   0.0      1   2.6     1046  99.9
AVP         39 100.0      0   0.0      1   2.6     1046  99.9
AVX         34  87.2      5  12.8     10  25.6      911  87.0
CMD         39 100.0      2   5.1      0   0.0     1047 100.0
DRW         39 100.0      3   7.7      1   2.6     1046  99.9
ESA         39 100.0      1   2.6      8  20.5     1029  98.3
FPW         39 100.0      1   2.6      0   0.0     1047 100.0
FSE         39 100.0      2   5.1      0   0.0     1047 100.0
INO         39 100.0      3   7.7      2   5.1     1045  99.8
MKS         38  97.4      0   0.0      3   7.7     1033  98.7
NAV         39 100.0      4  10.3      1   2.6     1046  99.9
NOD         39 100.0     10  25.6      0   0.0     1047 100.0
NVC         39 100.0      4  10.3      2   5.1     1045  99.8
PAV         39 100.0      0   0.0      1   2.6     1046  99.9
PRO         39 100.0      2   5.1     10  25.6      975  93.1
QHL         36  92.3      1   2.6      9  23.1      977  93.3
RAV         39 100.0      5  12.8      5  12.8     1040  99.3
SCN         39 100.0      5  12.8      0   0.0     1047 100.0
SWP         39 100.0      2   5.1      1   2.6     1046  99.9
VSP         24  61.5      7  17.9      3   7.7      888  84.8
-------------------------------------------------------------


Table WNT.FA: "Polyfile-Test": Results of Polymorphic test:
===========================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Maximum      6 100.0%            %            %   60000 100.0%
-------------------------------------------------------------
ANT        600 100.0    100  16.7      0   0.0    60000 100.0
ATD        600 100.0      0   0.0      0   0.0    60000 100.0
AVA        600 100.0    104  17.3      1   0.2    59999 100.0
AVG        600 100.0      0   0.0      0   0.0    60000 100.0
AVK        600 100.0      0   0.0      0   0.0    60000 100.0
AVP        600 100.0      0   0.0      0   0.0    60000 100.0
AVX        501  83.5     16   2.7     59   9.8    49900  83.2
CMD        600 100.0      1   0.2      0   0.0    60000 100.0
DRW        600 100.0      0   0.0      0   0.0    60000 100.0
ESA        600 100.0      1   0.2     19   3.2    59961  99.9
FPW        600 100.0      1   0.2      0   0.0    60000 100.0
FSE        600 100.0      1   0.2      0   0.0    60000 100.0
INO        600 100.0      1   0.2      0   0.0    60000 100.0
MKS          6 100.0      0   0.0      1  16.7    59895  99.8
NAV        600 100.0    106  17.7      0   0.0    60000 100.0
NOD        600 100.0      0   0.0      0   0.0    60000 100.0
NVC        600 100.0    100  16.7      0   0.0    60000 100.0
PAV        600 100.0      0   0.0      0   0.0    60000 100.0
PRO        441  73.5      0   0.0    141  23.5    40523  67.5
QHL        600 100.0      9   1.5    177  29.5    51951  86.6
RAV        600 100.0    300  50.0      0   0.0    60000 100.0
SCN        600 100.0    100  16.7      3   0.5    59997 100.0
SWP        600 100.0      6   1.0      0   0.0    60000 100.0
VSP        590  98.3    166  27.7     31   5.2    58912  98.2
-------------------------------------------------------------
Remark: For 6 polymorphic viruses (with Maltese Amoeba,
        MTE.Encroacher.B, NATAS, TREMOR, One-Half and Tequila as in
        the previous test), 10,000 generations each were produced
        with VTC's dynamic polymorphic generation and test engine.
        For each virus, 100 directories including infected objects
        with goat files of lengths ranging from 1 kByte to 100 kByte
        were generated.


Table WNT.FB: "VKIT Test": Results of VKIT file virus test:
===========================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed  10706 100.0                             104640 100.0
-------------------------------------------------------------
ANT      10706 100.0   1365  12.7      3   0.0   104636 100.0
ATD      10706 100.0   1194  11.2      3   0.0   104637 100.0
AVA      10706 100.0   1642  15.3     23   0.2   104595 100.0
AVG      10137  94.7    783   7.3    117   1.1    97780  93.4
AVK      10706 100.0   1194  11.2      0   0.0   104640 100.0
AVP      10706 100.0   1194  11.2      0   0.0   104640 100.0
AVX      10706 100.0   1261  11.8     15   0.1   104617 100.0
CMD      10706 100.0   1137  10.6      3   0.0   104636 100.0
DRW      10706 100.0   1006   9.4      2   0.0   104638 100.0
FPW      10706 100.0   1438  13.4      3   0.0   104636 100.0
FSE      10706 100.0   1272  11.9      0   0.0   104640 100.0
INO      10703 100.0   1261  11.8      8   0.1   104579  99.9
MKS       9583  89.5      0   0.0    248   2.3    91133  87.1
NAV      10696  99.9    638   6.0    120   1.1   103947  99.3
NOD      10705 100.0   3001  28.0      4   0.0   104635 100.0
NVC      10704 100.0   6198  57.9    327   3.1   102041  97.5
PAV      10706 100.0   1194  11.2      0   0.0   104640 100.0
PRO        216   2.0      0   0.0    158   1.5     1282   1.2
QHL       9422  88.0     38   0.4   5369  50.1    74258  71.0
RAV      10704 100.0   1257  11.7     15   0.1   104605 100.0
SCN      10706 100.0   1178  11.0      0   0.0   104640 100.0
VSP      10638  99.4   5925  55.3     71   0.7   103416  98.8
-------------------------------------------------------------
Remark: A testbed of 10,706 viruses generated with the VKIT virus
        generator (out of about 14,000 viruses which can be
        generated) was used to test detection quality. This test
        was separated from the "normal" file virus test as
        1) there is no agreement between AV producers whether
        viruses from VKIT should be counted just as 1 or as 14,000
        different viruses (boasting number of detected viruses to
        over 40,000), and 2) because of the large size of this
        special testbed.


Table WNT.F3V: "Comparison of Detection Rate of Packed Viruses":
               Results of Detection Rate of ITW file viruses
               packed with PKZIP, LHA, ARJ and RAR
================================================================
          This includes Viruses detected per packer
            ZIP     %    LHA     %    ARJ     %    RAR     %
------------------------------------------------------------
Testbed      39 100.0%    39 100.0%    39 100.0%    39 100.0%
------------------------------------------------------------
ANT          35  89.7     35  89.7     35  89.7      3   7.7
ATD          39 100.0     39 100.0     39 100.0     39 100.0
AVA          39 100.0      3   7.7      3   7.7      4  10.3
AVG          39 100.0      2   5.1     39 100.0     39 100.0
AVK          39 100.0     39 100.0     39 100.0     39 100.0
AVP          39 100.0     39 100.0     39 100.0     39 100.0
AVX          33  84.6     33  84.6     33  84.6     33  84.6
CMD          39 100.0      0   0.0     39 100.0      0   0.0
DRW          39 100.0      0   0.0     39 100.0     39 100.0
ESA          39 100.0     39 100.0     39 100.0     39 100.0
FPW          39 100.0      0   0.0     39 100.0      0   0.0
FSE          39 100.0     39 100.0     39 100.0     39 100.0
INO          38  97.4     38  97.4     39 100.0      1   2.6
MKS           1   2.6      0   0.0      0   0.0      1   2.6
NAV          39 100.0     39 100.0     39 100.0      0   0.0
NOD          39 100.0      0   0.0     39 100.0     39 100.0
NVC           1   2.6      0   0.0     39 100.0      1   2.6
PAV          39 100.0     39 100.0     39 100.0     39 100.0
PRO           0   0.0      0   0.0      0   0.0      0   0.0
QHL          35  89.7      1   2.6     35  89.7      1   2.6
RAV          28  71.8     16  41.0     35  89.7      0   0.0
SCN          39 100.0     39 100.0      0   0.0      0   0.0
SWP          39 100.0      0   0.0     39 100.0     39 100.0
VSP           2   5.1      2   5.1      2   5.1      2   5.1
------------------------------------------------------------


Table WNT.F3F: "Comparison of Detection Rate of Packed Viral Objects":
               Results of Detection Rate of objects infected with
               ITW file viruses and packed with PKZIP, LHA, ARJ
               and RAR
================================================================
          This includes Viral objects detected per packer
            ZIP     %    LHA     %    ARJ     %    RAR     %
------------------------------------------------------------
Testbed    1047 100.0%  1047 100.0%  1047 100.0%  1047 100.0%
------------------------------------------------------------
ANT         884  84.4    893  85.3    893  85.3      3   0.3
ATD        1046  99.9   1046  99.9   1046  99.9   1046  99.9
AVA        1045  99.8      3   0.3      3   0.3      4   0.4
AVG        1045  99.8      2   0.2   1045  99.8   1047 100.0
AVK        1046  99.9   1046  99.9   1046  99.9   1046  99.9
AVP        1046  99.9   1046  99.9   1046  99.9   1046  99.9
AVX         910  86.9    910  86.9    910  86.9    910  86.9
CMD        1047 100.0      0   0.0   1047 100.0      0   0.0
DRW        1046  99.9      0   0.0   1046  99.9   1046  99.9
ESA          39   3.7     39   3.7     39   3.7     39   3.7
FPW        1047 100.0      0   0.0   1047 100.0      0   0.0
FSE        1047 100.0   1047 100.0   1047 100.0   1046  99.9
INO        1025  97.9     92   8.8   1045  99.8      1   0.1
MKS           1   0.1      0   0.0      0   0.0      1   0.1
NAV        1046  99.9   1046  99.9   1046  99.9      0   0.0
NOD        1047 100.0      0   0.0   1047 100.0   1047 100.0
NVC           1   0.1      0   0.0   1045  99.8      1   0.1
PAV        1046  99.9   1046  99.9   1046  99.9   1046  99.9
PRO           0   0.0      0   0.0      0   0.0      0   0.0
QHL         963  92.0      1   0.1    973  92.9      1   0.1
RAV         483  46.1     73   7.0    902  86.2      0   0.0
SCN        1047 100.0   1047 100.0      0   0.0      0   0.0
SWP        1046  99.9      0   0.0   1046  99.9   1046  99.9
VSP           2   0.2      2   0.2      2   0.2      2   0.2
------------------------------------------------------------


Table WNT.F3a: "PKZIP-Packed File Viruses": Results of Detection of
               ITW File Viruses Packed with PKZIP under Windows NT:
====================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     39 100.0%            %            %    1047 100.0%
-------------------------------------------------------------
ANT         35  89.7      2   5.1      7  17.9      884  84.4
ATD         39 100.0      0   0.0      1   2.6     1046  99.9
AVA         39 100.0      2   5.1      6  15.4     1045  99.8
AVG         39 100.0      4  10.3      7  17.9     1045  99.8
AVK         39 100.0      0   0.0      1   2.6     1046  99.9
AVP         39 100.0      0   0.0      1   2.6     1046  99.9
AVX         33  84.6      5  12.8      9  23.1      910  86.9
CMD         39 100.0      2   5.1      0   0.0     1047 100.0
DRW         39 100.0      3   7.7      1   2.6     1046  99.9
ESA         39 100.0      0   0.0     37  94.9       39   3.7
FPW         39 100.0      1   2.6      0   0.0     1047 100.0
FSE         39 100.0      3   7.7      0   0.0     1047 100.0
INO         38  97.4      3   7.7      1   2.6     1025  97.9
MKS          1   2.6      0   0.0      1   2.6        1   0.1
NAV         39 100.0      4  10.3      1   2.6     1046  99.9
NOD         39 100.0     13  33.3      0   0.0     1047 100.0
NVC          1   2.6      0   0.0      1   2.6        1   0.1
PAV         39 100.0      0   0.0      1   2.6     1046  99.9
PRO          0   0.0      0   0.0      0   0.0        0   0.0
QHL         35  89.7      1   2.6     12  30.8      963  92.0
RAV         28  71.8      0   0.0      9  23.1      483  46.1
SCN         39 100.0      5  12.8      0   0.0     1047 100.0
SWP         39 100.0      2   5.1      1   2.6     1046  99.9
VSP          2   5.1      0   0.0      2   5.1        2   0.2
-------------------------------------------------------------


Table WNT.F3b: "LHA-Packed File Viruses": Results of Detection of
               ITW File Viruses Packed with LHA under Windows NT:
=================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     39 100.0%            %            %    1047 100.0%
-------------------------------------------------------------
ANT         35  89.7      2   5.1      6  15.4      893  85.3
ATD         39 100.0      0   0.0      1   2.6     1046  99.9
AVA          3   7.7      0   0.0      3   7.7        3   0.3
AVG          2   5.1      0   0.0      2   5.1        2   0.2
AVK         39 100.0      0   0.0      1   2.6     1046  99.9
AVP         39 100.0      0   0.0      1   2.6     1046  99.9
AVX         33  84.6      5  12.8      9  23.1      910  86.9
CMD          0   0.0      0   0.0      0   0.0        0   0.0
DRW          0   0.0      0   0.0      0   0.0        0   0.0
ESA         39 100.0      0   0.0     37  94.9       39   3.7
FPW          0   0.0      0   0.0      0   0.0        0   0.0
FSE         39 100.0      3   7.7      0   0.0     1047 100.0
INO         38  97.4      1   2.6     30  76.9       92   8.8
MKS          0   0.0      0   0.0      0   0.0        0   0.0
NAV         39 100.0      4  10.3      1   2.6     1046  99.9
NOD          0   0.0      0   0.0      0   0.0        0   0.0
NVC          0   0.0      0   0.0      0   0.0        0   0.0
PAV         39 100.0      0   0.0      1   2.6     1046  99.9
PRO          0   0.0      0   0.0      0   0.0        0   0.0
QHL          1   2.6      0   0.0      1   2.6        1   0.1
RAV         16  41.0      0   0.0     10  25.6       73   7.0
SCN         39 100.0      5  12.8      0   0.0     1047 100.0
SWP          0   0.0      0   0.0      0   0.0        0   0.0
VSP          2   5.1      0   0.0      2   5.1        2   0.2
-------------------------------------------------------------


Table WNT.F3c: "ARJ-Packed File Viruses": Results of Detection of
               ITW File Viruses Packed with ARJ under Windows NT:
=================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     39 100.0%            %            %    1047 100.0%
-------------------------------------------------------------
ANT         35  89.7      2   5.1      6  15.4      893  85.3
ATD         39 100.0      0   0.0      1   2.6     1046  99.9
AVA          3   7.7      0   0.0      3   7.7        3   0.3
AVG         39 100.0      5  12.8      5  12.8     1045  99.8
AVK         39 100.0      0   0.0      1   2.6     1046  99.9
AVP         39 100.0      0   0.0      1   2.6     1046  99.9
AVX         33  84.6      5  12.8      9  23.1      910  86.9
CMD         39 100.0      2   5.1      0   0.0     1047 100.0
DRW         39 100.0      3   7.7      1   2.6     1046  99.9
ESA         39 100.0      0   0.0     37  94.9       39   3.7
FPW         39 100.0      1   2.6      0   0.0     1047 100.0
FSE         39 100.0      3   7.7      0   0.0     1047 100.0
INO         39 100.0      3   7.7      2   5.1     1045  99.8
MKS          0   0.0      0   0.0      0   0.0        0   0.0
NAV         39 100.0      4  10.3      1   2.6     1046  99.9
NOD         39 100.0     13  33.3      0   0.0     1047 100.0
NVC         39 100.0      4  10.3      2   5.1     1045  99.8
PAV         39 100.0      0   0.0      1   2.6     1046  99.9
PRO          0   0.0      0   0.0      0   0.0        0   0.0
QHL         35  89.7      1   2.6      8  20.5      973  92.9
RAV         35  89.7      4  10.3      9  23.1      902  86.2
SCN          0   0.0      0   0.0      0   0.0        0   0.0
SWP         39 100.0      2   5.1      1   2.6     1046  99.9
VSP          2   5.1      0   0.0      2   5.1        2   0.2
-------------------------------------------------------------


Table WNT.F3d: "RAR-Packed File Viruses": Results of Detection of
               ITW File Viruses Packed with RAR under Windows NT:
=================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     39 100.0%            %            %    1047 100.0%
-------------------------------------------------------------
ANT          3   7.7      0   0.0      3   7.7        3   0.3
ATD         39 100.0      0   0.0      1   2.6     1046  99.9
AVA          4  10.3      0   0.0      4  10.3        4   0.4
AVG         39 100.0      4  10.3      7  17.9     1047 100.0
AVK         39 100.0      0   0.0      1   2.6     1046  99.9
AVP         39 100.0      0   0.0      1   2.6     1046  99.9
AVX         33  84.6      5  12.8      9  23.1      910  86.9
CMD          0   0.0      0   0.0      0   0.0        0   0.0
DRW         39 100.0      3   7.7      1   2.6     1046  99.9
ESA         39 100.0      0   0.0     37  94.9       39   3.7
FPW          0   0.0      0   0.0      0   0.0        0   0.0
FSE         39 100.0      2   5.1      1   2.6     1046  99.9
INO          1   2.6      0   0.0      1   2.6        1   0.1
MKS          1   2.6      0   0.0      1   2.6        1   0.1
NAV          0   0.0      0   0.0      0   0.0        0   0.0
NOD         39 100.0     13  33.3      0   0.0     1047 100.0
NVC          1   2.6      0   0.0      1   2.6        1   0.1
PAV         39 100.0      0   0.0      1   2.6     1046  99.9
PRO          0   0.0      0   0.0      0   0.0        0   0.0
QHL          1   2.6      0   0.0      1   2.6        1   0.1
RAV          0   0.0      0   0.0      0   0.0        0   0.0
SCN          0   0.0      0   0.0      0   0.0        0   0.0
SWP         39 100.0      2   5.1      1   2.6     1046  99.9
VSP          2   5.1      0   0.0      2   5.1        2   0.2
-------------------------------------------------------------


Table WNT.F4: "False Positive" detection: Results of "full" zoo test
              for Non-viral (clean) samples detected as
              "false positives" under Windows NT:
==============================================================
          False           This includes
          Virus        ---- unreliably ----         Files
Scanner   Alarm       identified    detected       detected
-------------------------------------------------------------
Maximum     38 100.0                               1851 100.0
-------------------------------------------------------------
ANT          2   5.3      0   0.0      2   5.3        2   0.1
ATD          0   0.0      0   0.0      0   0.0        0   0.0
AVA          0   0.0      0   0.0      0   0.0        0   0.0
AVG          0   0.0      0   0.0      0   0.0        0   0.0
AVK          0   0.0      0   0.0      0   0.0        0   0.0
AVP          0   0.0      0   0.0      0   0.0        0   0.0
AVX          1   2.6      0   0.0      1   2.6        4   0.2
CMD          0   0.0      0   0.0      0   0.0        0   0.0
DRW          6  15.8      0   0.0      6  15.8        7   0.4
ESA          0   0.0      0   0.0      0   0.0        0   0.0
FPW          0   0.0      0   0.0      0   0.0        0   0.0
FSE          0   0.0      0   0.0      0   0.0        0   0.0
INO          1   2.6      0   0.0      1   2.6        1   0.1
MKS          0   0.0      0   0.0      0   0.0        0   0.0
NAV          0   0.0      0   0.0      0   0.0        0   0.0
NOD          9  23.7      0   0.0      9  23.7       11   0.6
NVC          0   0.0      0   0.0      0   0.0        0   0.0
PAV          0   0.0      0   0.0      0   0.0        0   0.0
PRO          0   0.0      0   0.0      0   0.0        0   0.0
RAV          0   0.0      0   0.0      0   0.0        0   0.0
SCN          0   0.0      0   0.0      0   0.0        0   0.0
SWP          0   0.0      0   0.0      0   0.0        0   0.0
VSP          2   5.3      0   0.0      2   5.3        3   0.2
-------------------------------------------------------------
Remark: within 38 non-viral directories and totally 1851 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table WNT.F5 "File Malware": Results of "full" zoo test
             for File-related malware under Windows NT:
========================================================
          File            This includes
          Malware      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed   4282 100.0                               6639 100.0
-------------------------------------------------------------
ANT       2794  65.2    123   2.9     41   1.0     4129  62.2
ATD       3923  91.6    103   2.4     15   0.4     6192  93.3
AVA       2384  55.7     63   1.5     48   1.1     3675  55.4
AVG       2259  52.8     33   0.8     53   1.2     3271  49.3
AVK       3901  91.1    101   2.4     18   0.4     6164  92.8
AVP       3921  91.6    103   2.4     15   0.4     6190  93.2
AVX       2520  58.9     65   1.5    141   3.3     3621  54.5
CLE        205   4.8      5   0.1     27   0.6      322   4.9
CMD       4080  95.3     26   0.6     34   0.8     6309  95.0
DRW       2861  66.8     30   0.7     54   1.3     4304  64.8
ESA       1397  32.6     20   0.5     82   1.9     2182  32.9
FPW       3916  91.5      4   0.1     31   0.7     6075  91.5
FSE       4226  98.7     90   2.1      6   0.1     6557  98.8
INO       3352  78.3     51   1.2     58   1.4     5294  79.7
MKS       1586  37.0      0   0.0     78   1.8     2484  37.4
NAV       3273  76.4     84   2.0    126   2.9     5115  77.0
NOD       3323  77.6    144   3.4    104   2.4     5228  78.7
NVC       2777  64.9    110   2.6     82   1.9     4434  66.8
PAV       3923  91.6    103   2.4     15   0.4     6192  93.3
PRO        583  13.6     11   0.3     52   1.2      954  14.4
RAV       1994  46.6     53   1.2     62   1.4     2825  42.6
SCN       3996  93.3    117   2.7     10   0.2     6266  94.4
SWP       3352  78.3     83   1.9    116   2.7     5138  77.4
VSP       2167  50.6    110   2.6     55   1.3     3027  45.6
-------------------------------------------------------------


Table WNT.M1: "MacroVirus 1": Results of "full" zoo test
              for macro viruses under Windows NT:
=======================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed   4525 100.0                              12918 100.0
-------------------------------------------------------------
ANT       4081  90.2    127   2.8     30   0.7    11746  90.9
ATD       4522  99.9     75   1.7      1   0.0    12906  99.9
AVA       4266  94.3     33   0.7     13   0.3    12245  94.8
AVG       4410  97.5     15   0.3     11   0.2    12596  97.5
AVK       4522  99.9     75   1.7      1   0.0    12906  99.9
AVP       4522  99.9     75   1.7      1   0.0    12906  99.9
AVX       4276  94.5     91   2.0     10   0.2    12375  95.8
CMD       4525 100.0     54   1.2      0   0.0    12918 100.0
DRW       4453  98.4     53   1.2     16   0.4    12760  98.8
ESA       4022  88.9    143   3.2    136   3.0    11354  87.9
FPW       4525 100.0     10   0.2      0   0.0    12918 100.0
FSE       4525 100.0     17   0.4      0   0.0    12918 100.0
FWN       4522  99.9     54   1.2      2   0.0    12910  99.9
INO       4513  99.7     78   1.7      3   0.1    12891  99.8
MKS       4393  97.1      0   0.0     29   0.6    12599  97.5
NAV       4435  98.0     62   1.4      4   0.1    12665  98.0
NOD       4500  99.4     48   1.1      3   0.1    12857  99.5
NVC       4521  99.9     48   1.1      3   0.1    12906  99.9
PAV       4522  99.9     75   1.7      1   0.0    12906  99.9
PRO       3048  67.4      0   0.0     95   2.1     8368  64.8
QHL          0   0.0      0   0.0      0   0.0        0   0.0
RAV       4428  97.9    153   3.4      4   0.1    12716  98.4
SCN       4525 100.0     34   0.8      0   0.0    12918 100.0
SWP       4463  98.6     36   0.8     11   0.2    12809  99.2
VSP          0   0.0      0   0.0      0   0.0        0   0.0
-------------------------------------------------------------


Table WNT.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows NT:
=======================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     80 100.0                                672 100.0
-------------------------------------------------------------
ANT         78  97.5      3   3.8      3   3.8      646  96.1
ATD         80 100.0      4   5.0      0   0.0      672 100.0
AVA         80 100.0      2   2.5      0   0.0      672 100.0
AVG         80 100.0      0   0.0      0   0.0      672 100.0
AVK         80 100.0      4   5.0      0   0.0      672 100.0
AVP         80 100.0      4   5.0      0   0.0      672 100.0
AVX         80 100.0     17  21.3      1   1.3      669  99.6
CMD         80 100.0      1   1.3      0   0.0      672 100.0
DRW         80 100.0      2   2.5      0   0.0      672 100.0
ESA         78  97.5     13  16.3      1   1.3      663  98.7
FPW         80 100.0      1   1.3      0   0.0      672 100.0
FSE         80 100.0      1   1.3      0   0.0      672 100.0
FWN         80 100.0      4   5.0      0   0.0      672 100.0
INO         80 100.0      5   6.3      0   0.0      672 100.0
MKS         79  98.8      0   0.0      1   1.3      665  99.0
NAV         80 100.0      4   5.0      0   0.0      672 100.0
NOD         80 100.0      5   6.3      0   0.0      672 100.0
NVC         80 100.0      5   6.3      0   0.0      672 100.0
PAV         80 100.0      4   5.0      0   0.0      672 100.0
PRO         78  97.5      0   0.0      8  10.0      654  97.3
QHL          0   0.0      0   0.0      0   0.0        0   0.0
RAV         80 100.0     14  17.5      1   1.3      670  99.7
SCN         80 100.0      3   3.8      0   0.0      672 100.0
SWP         80 100.0      3   3.8      2   2.5      669  99.6
VSP          0   0.0      0   0.0      0   0.0        0   0.0
-------------------------------------------------------------


Table WNT.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
          This includes Viruses detected per packer
Scanner     ZIP     %    LHA     %    ARJ     %    RAR     %
------------------------------------------------------------
Testbed      80 100.0     80 100.0     80 100.0     80 100.0
------------------------------------------------------------
ANT          78  97.5     78  97.5     78  97.5      0   0.0
ATD          80 100.0     80 100.0     80 100.0     80 100.0
AVA          80 100.0      0   0.0      0   0.0      0   0.0
AVG          80 100.0      0   0.0     80 100.0     80 100.0
AVK          80 100.0     80 100.0     80 100.0     80 100.0
AVP          80 100.0     80 100.0     80 100.0     80 100.0
AVX          80 100.0     80 100.0     80 100.0     80 100.0
CMD          80 100.0      0   0.0     80 100.0      0   0.0
DRW          80 100.0      0   0.0     80 100.0     80 100.0
ESA          78  97.5     78  97.5     78  97.5     78  97.5
FPW          80 100.0      0   0.0     80 100.0      0   0.0
FSE          80 100.0     80 100.0     80 100.0     80 100.0
FWN          80 100.0      0   0.0      0   0.0     80 100.0
INO          80 100.0     80 100.0     80 100.0      0   0.0
MKS           0   0.0      0   0.0      0   0.0      0   0.0
NAV          80 100.0     80 100.0     80 100.0      0   0.0
NOD          80 100.0      0   0.0     80 100.0     80 100.0
NVC           0   0.0      0   0.0     80 100.0      0   0.0
PAV          80 100.0     80 100.0     80 100.0     80 100.0
PRO           0   0.0      0   0.0      0   0.0      0   0.0
QHL          77  96.3      0   0.0     77  96.3      0   0.0
RAV          80 100.0     80 100.0     80 100.0      0   0.0
SCN          80 100.0     80 100.0      0   0.0      0   0.0
SWP          80 100.0      0   0.0     80 100.0     80 100.0
VSP           0   0.0      0   0.0      0   0.0      0   0.0
------------------------------------------------------------


Table WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with PKZIP under Windows NT:
=====================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     80 100.0                                672 100.0
-------------------------------------------------------------
ANT         78  97.5      3   3.8      3   3.8      646  96.1
ATD         80 100.0      4   5.0      0   0.0      672 100.0
AVA         80 100.0      2   2.5      0   0.0      672 100.0
AVG         80 100.0      0   0.0      0   0.0      672 100.0
AVK         80 100.0      4   5.0      0   0.0      672 100.0
AVP         80 100.0      4   5.0      0   0.0      672 100.0
AVX         80 100.0     17  21.3      1   1.3      669  99.6
CMD         80 100.0      1   1.3      0   0.0      672 100.0
DRW         80 100.0      2   2.5      0   0.0      672 100.0
ESA         78  97.5      0   0.0     77  96.3       78  11.6
FPW         80 100.0      1   1.3      0   0.0      672 100.0
FSE         80 100.0      3   3.8      0   0.0      672 100.0
FWN         80 100.0      4   5.0      1   1.3      647  96.3
INO         80 100.0      0   0.0      0   0.0      672 100.0
MKS          0   0.0      0   0.0      0   0.0        0   0.0
NAV         80 100.0      4   5.0      0   0.0      672 100.0
NOD         80 100.0      5   6.3      0   0.0      672 100.0
NVC          0   0.0      0   0.0      0   0.0        0   0.0
PAV         80 100.0      4   5.0      0   0.0      672 100.0
PRO          0   0.0      0   0.0      0   0.0        0   0.0
QHL         77  96.3     10  12.5     12  15.0      625  93.0
RAV         80 100.0     13  16.3      4   5.0      667  99.3
SCN         80 100.0      3   3.8      0   0.0      672 100.0
SWP         80 100.0      3   3.8      2   2.5      669  99.6
VSP          0   0.0      0   0.0      0   0.0        0   0.0
-------------------------------------------------------------


Table WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with LHA under Windows NT:
==================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     80 100.0                                672 100.0
-------------------------------------------------------------
ANT         78  97.5      3   3.8      3   3.8      646  96.1
ATD         80 100.0      4   5.0      0   0.0      672 100.0
AVA          0   0.0      0   0.0      0   0.0        0   0.0
AVG          0   0.0      0   0.0      0   0.0        0   0.0
AVK         80 100.0      4   5.0      0   0.0      672 100.0
AVP         80 100.0      4   5.0      0   0.0      672 100.0
AVX         80 100.0     17  21.3      1   1.3      669  99.6
CMD          0   0.0      0   0.0      0   0.0        0   0.0
DRW          0   0.0      0   0.0      0   0.0        0   0.0
ESA         78  97.5      0   0.0     77  96.3       78  11.6
FPW          0   0.0      0   0.0      0   0.0        0   0.0
FSE         80 100.0      3   3.8      0   0.0      672 100.0
FWN          0   0.0      0   0.0      0   0.0        0   0.0
INO         80 100.0      0   0.0      3   3.8      594  88.4
MKS          0   0.0      0   0.0      0   0.0        0   0.0
NAV         80 100.0      4   5.0      0   0.0      672 100.0
NOD          0   0.0      0   0.0      0   0.0        0   0.0
NVC          0   0.0      0   0.0      0   0.0        0   0.0
PAV         80 100.0      4   5.0      0   0.0      672 100.0
PRO          0   0.0      0   0.0      0   0.0        0   0.0
QHL          0   0.0      0   0.0      0   0.0        0   0.0
RAV         80 100.0     14  17.5      1   1.3      670  99.7
SCN         80 100.0      3   3.8      0   0.0      672 100.0
SWP          0   0.0      0   0.0      0   0.0        0   0.0
VSP          0   0.0      0   0.0      0   0.0        0   0.0
-------------------------------------------------------------


Table WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with ARJ under Windows NT:
==================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     80 100.0                                672 100.0
-------------------------------------------------------------
ANT         78  97.5      3   3.8      3   3.8      646  96.1
ATD         80 100.0      4   5.0      0   0.0      672 100.0
AVA          0   0.0      0   0.0      0   0.0        0   0.0
AVG         80 100.0      0   0.0      0   0.0      672 100.0
AVK         80 100.0      4   5.0      0   0.0      672 100.0
AVP         80 100.0      4   5.0      0   0.0      672 100.0
AVX         80 100.0     17  21.3      1   1.3      669  99.6
CMD         80 100.0      1   1.3      0   0.0      672 100.0
DRW         80 100.0      2   2.5      0   0.0      672 100.0
ESA         78  97.5      0   0.0     77  96.3       78  11.6
FPW         80 100.0      1   1.3      0   0.0      672 100.0
FSE         80 100.0      3   3.8      0   0.0      672 100.0
FWN          0   0.0      0   0.0      0   0.0        0   0.0
INO         80 100.0      0   0.0      0   0.0      672 100.0
MKS          0   0.0      0   0.0      0   0.0        0   0.0
NAV         80 100.0      4   5.0      0   0.0      672 100.0
NOD         80 100.0      5   6.3      0   0.0      672 100.0
NVC         80 100.0      5   6.3      0   0.0      672 100.0
PAV         80 100.0      4   5.0      0   0.0      672 100.0
PRO          0   0.0      0   0.0      0   0.0        0   0.0
QHL         77  96.3     10  12.5     12  15.0      625  93.0
RAV         80 100.0     14  17.5      1   1.3      670  99.7
SCN          0   0.0      0   0.0      0   0.0        0   0.0
SWP         80 100.0      3   3.8      2   2.5      669  99.6
VSP          0   0.0      0   0.0      0   0.0        0   0.0
-------------------------------------------------------------


Table WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection of
               ITW Macro Viruses Packed with RAR under Windows NT:
==================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed     80 100.0                                672 100.0
-------------------------------------------------------------
ANT          0   0.0      0   0.0      0   0.0        0   0.0
ATD         80 100.0      4   5.0      0   0.0      672 100.0
AVA          0   0.0      0   0.0      0   0.0        0   0.0
AVG         80 100.0      0   0.0      0   0.0      672 100.0
AVK         80 100.0      4   5.0      0   0.0      672 100.0
AVP         80 100.0      4   5.0      0   0.0      672 100.0
AVX         80 100.0     17  21.3      1   1.3      669  99.6
CMD          0   0.0      0   0.0      0   0.0        0   0.0
DRW         80 100.0      2   2.5      0   0.0      672 100.0
ESA         78  97.5      0   0.0     77  96.3       78  11.6
FPW          0   0.0      0   0.0      0   0.0        0   0.0
FSE         80 100.0      3   3.8      0   0.0      672 100.0
FWN         80 100.0      4   5.0      0   0.0      672 100.0
INO          0   0.0      0   0.0      0   0.0        0   0.0
MKS          0   0.0      0   0.0      0   0.0        0   0.0
NAV          0   0.0      0   0.0      0   0.0        0   0.0
NOD         80 100.0      5   6.3      0   0.0      672 100.0
NVC          0   0.0      0   0.0      0   0.0        0   0.0
PAV         80 100.0      4   5.0      0   0.0      672 100.0
PRO          0   0.0      0   0.0      0   0.0        0   0.0
QHL          0   0.0      0   0.0      0   0.0        0   0.0
RAV          0   0.0      0   0.0      0   0.0        0   0.0
SCN          0   0.0      0   0.0      0   0.0        0   0.0
SWP         80 100.0      3   3.8      2   2.5      669  99.6
VSP          0   0.0      0   0.0      0   0.0        0   0.0
-------------------------------------------------------------


Table WNT.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows NT:
=================================================================
          False           This includes
          Virus        ---- unreliably ----         Files
Scanner   Alarm       identified    detected       detected
-------------------------------------------------------------
Maximum     26 100.0                                329 100.0
-------------------------------------------------------------
ANT         15  57.7      0   0.0     15  57.7       36  10.9
ATD          2   7.7      0   0.0      2   7.7        4   1.2
AVA          0   0.0      0   0.0      0   0.0        0   0.0
AVG          0   0.0      0   0.0      0   0.0        0   0.0
AVK          0   0.0      0   0.0      0   0.0        0   0.0
AVP          2   7.7      0   0.0      2   7.7        4   1.2
AVX         25  96.2      0   0.0     25  96.2      129  39.2
CMD          1   3.8      0   0.0      1   3.8        2   0.6
DRW         21  80.8      0   0.0     21  80.8       94  28.6
ESA          2   7.7      0   0.0      2   7.7        4   1.2
FPW          1   3.8      0   0.0      1   3.8        2   0.6
FSE          1   3.8      0   0.0      1   3.8        2   0.6
FWN         24  92.3      0   0.0     24  92.3      174  52.9
INO         13  50.0      0   0.0     13  50.0       22   6.7
MKS          0   0.0      0   0.0      0   0.0        0   0.0
NAV          4  15.4      0   0.0      4  15.4        4   1.2
NOD          0   0.0      0   0.0      0   0.0        0   0.0
NVC          2   7.7      0   0.0      2   7.7        2   0.6
PAV          2   7.7      0   0.0      2   7.7        4   1.2
PRO          1   3.8      0   0.0      1   3.8        1   0.3
QHL          0   0.0      0   0.0      0   0.0        0   0.0
RAV         24  92.3      0   0.0     24  92.3      104  31.6
SCN          0   0.0      0   0.0      0   0.0        0   0.0
SWP          0   0.0      0   0.0      0   0.0        0   0.0
VSP          0   0.0      0   0.0      0   0.0        0   0.0
-------------------------------------------------------------
Remark: within 26 non-viral directories and totally 329 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table WNT.M5: "Macro-Malware": Results of "full" test
              for Macro-related malware under Windows NT:
=========================================================
          Macro           This includes
          Malware      ---- unreliably ----         Files
Scanner   detected    identified    detected       detected
-------------------------------------------------------------
Testbed    260 100.0                                394 100.0
-------------------------------------------------------------
ANT        181  69.6      2   0.8      2   0.8      294  74.6
ATD        257  98.8      0   0.0      0   0.0      391  99.2
AVA        212  81.5      3   1.2      4   1.5      317  80.5
AVG        203  78.1      2   0.8      4   1.5      303  76.9
AVK        257  98.8      0   0.0      0   0.0      391  99.2
AVP        252  96.9      0   0.0      0   0.0      386  98.0
AVX        245  94.2      7   2.7      2   0.8      377  95.7
CLE          0   0.0      0   0.0      0   0.0        0   0.0
CMD        260 100.0      4   1.5      0   0.0      394 100.0
DRW        204  78.5      1   0.4      4   1.5      316  80.2
ESA        148  56.9      0   0.0     10   3.8      238  60.4
FPW        260 100.0      1   0.4      0   0.0      394 100.0
FSE        260 100.0      1   0.4      0   0.0      394 100.0
FWN        255  98.1      6   2.3      0   0.0      389  98.7
INO        253  97.3      4   1.5      3   1.2      384  97.5
MKS        226  86.9      0   0.0      4   1.5      351  89.1
NAV        214  82.3      1   0.4      3   1.2      319  81.0
NOD        250  96.2      0   0.0      2   0.8      381  96.7
NVC        248  95.4      7   2.7      2   0.8      364  92.4
PAV        257  98.8      0   0.0      0   0.0      391  99.2
PRO         64  24.6      0   0.0      5   1.9      107  27.2
QHL          0   0.0      0   0.0      0   0.0        0   0.0
RAV        248  95.4     14   5.4      5   1.9      373  94.7
SCN        259  99.6      4   1.5      0   0.0      393  99.7
SWP        247  95.0      2   0.8      4   1.5      377  95.7
VSP          1   0.4      0   0.0      0   0.0        1   0.3
-------------------------------------------------------------