==================================================
File 6DDOSMAC.TXT
DOS.III: Detailed results of Macro Virus Detection
         of on-demand scanner tests under DOS:
==================================================
(Formatted with non-proportional font: Courier)

The list of products participating in DOS Macro Virus detection
test is summarized in 6BDOSFIL.txt.

The following tables summarize detection and identification quality
concerning MACRO viruses as well as selected MACRO MALWARE, both in
full "zoo" virus collection and for viral ITW testbed; in addition,
detection of known script (esp. VBS) viruses both in zoo and ITW
was tested. Moreover, results for detection of macro viruses in
files compressed with 6 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen
from available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Results may be influenced by problems experienced during tests;
such problems are documented in 8PROBLMS.TXT.


Index of tables:
----------------
FDOS.M1:  "MacroVirus 1": Results of "full" Zoo test for macro viruses
FDOS.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
FDOS.S1:  "ScriptVirus 1": Results of "full" Zoo test for script viruses
FDOS.S2:  "ScriptVirus 2": Results of "In-The-Wild" test for script viruses
FDOS.M3V: "Comparison of Detection Rate of Packed Viruses":
          Results of Detection Rate of ITW macro viruses
          packed with PKZIP, LHA, ARJ and RAR
FDOS.M3F: "Comparison of Detection Rate of Packed Viral Objects":
          Results of Detection Rate of objects infected with ITW macro
          viruses and packed with PKZIP, LHA, ARJ, RAR, WinRAR and CAB
FDOS.M3a: "PKZIP-Packed Macro Viruses":
          Results of Detection of ITW macro Viruses Packed with PKZIP
FDOS.M3b: "LHA-Packed Macro Viruses":
          Results of Detection of ITW macro Viruses Packed with LHA
FDOS.M3c: "ARJ-Packed Macro Viruses":
          Results of Detection of ITW macro Viruses Packed with ARJ
FDOS.M3d: "RAR-Packed Macro Viruses":
          Results of Detection of ITW macro Viruses Packed with RAR
FDOS.M3e: "WinRAR-Packed Macro Viruses":
          Results of Detection of ITW macro Viruses Packed with WinRAR
FDOS.M3f: "CAB-Packed Macro Viruses":
          Results of Detection of ITW macro Viruses Packed with CAB
FDOS.M4:  "False Positive" macro virus detection:
          Results of "full" Zoo test for non-viral (clean) macro
          objects detected as "false positives"
FDOS.M5:  "Macro-Malware":
          Results of "full" Zoo test for Macro-related malware


Table FDOS.M1: "MacroVirus 1":
               Results of "full" Zoo test for macro viruses:
====================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed   6233 100.0                         19387 100.0
----------------------------------------------------------
AVA       5750  92.3    48  0.8    41  0.7   17875  92.2
AVG       6128  98.3    39  0.6    11  0.2   19123  98.6
AVK       6230 100.0    91  1.5     2  0.0   19381 100.0
AVP       6230 100.0    91  1.5     2  0.0   19381 100.0
DRW       6107  98.0    67  1.1    17  0.3   19060  98.3
FPR       6233 100.0     7  0.1     0  0.0   19387 100.0
INO       6188  99.3    86  1.4     7  0.1   19225  99.2
MR2       2752  44.2   199  3.2    75  1.2    8024  41.4
NAV       5844  93.8    82  1.3    15  0.2   18068  93.2
NVC       6219  99.8    67  1.1     7  0.1   19333  99.7
PAV       6230 100.0    91  1.5     2  0.0   19381 100.0
SCN       6233 100.0    53  0.9     0  0.0   19387 100.0
VSP          1   0.0     0  0.0     1  0.0       1   0.0
----------------------------------------------------------


Table FDOS.M2: "MacroVirus 2":
               Results of "In-The-Wild" test for macro viruses:
=======================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    147 100.0                          1347 100.0
----------------------------------------------------------
AVA        146  99.3    10  6.8     4  2.7    1334  99.0
AVG        147 100.0     9  6.1     0  0.0    1347 100.0
AVK        147 100.0     8  5.4     0  0.0    1347 100.0
AVP        147 100.0     8  5.4     0  0.0    1347 100.0
DRW        147 100.0     8  5.4     0  0.0    1347 100.0
FPR        147 100.0     0  0.0     0  0.0    1347 100.0
INO        146  99.3     9  6.1     0  0.0    1339  99.4
MR2         15  10.2     3  2.0     5  3.4     402  29.8
NAV        139  94.6    10  6.8     0  0.0    1301  96.6
NVC        147 100.0     8  5.4     0  0.0    1347 100.0
PAV        147 100.0     8  5.4     0  0.0    1347 100.0
SCN        147 100.0     6  4.1     0  0.0    1347 100.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.S1: "ScriptVirus 1":
               Results of "full" Zoo test for script viruses:
=================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    477 100.0                           904 100.0
----------------------------------------------------------
AVA        143  30.0     2  0.4    19  4.0     344  38.1
AVG        276  57.9    19  4.0    20  4.2     618  68.4
AVK        474  99.4    32  6.7     1  0.2     899  99.4
AVP        476  99.8    32  6.7     1  0.2     901  99.7
DRW        456  95.6    21  4.4    12  2.5     826  91.4
FPR        462  96.9    10  2.1    12  2.5     850  94.0
INO        315  66.0    22  4.6    20  4.2     568  62.8
MR2        406  85.1    52 10.9    31  6.5     699  77.3
NAV        149  31.2    11  2.3    24  5.0     276  30.5
NVC        422  88.5    24  5.0    13  2.7     773  85.5
PAV        476  99.8    32  6.7     1  0.2     901  99.7
SCN        477 100.0    28  5.9     0  0.0     904 100.0
VSP        407  85.3    50 10.5    32  6.7     701  77.5
----------------------------------------------------------


Table FDOS.S2: "ScriptVirus 2":
               Results of "In-The-Wild" test for script viruses:
=======================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed     16 100.0                           133 100.0
----------------------------------------------------------
AVA         16 100.0     1  6.3     5 31.3     121  91.0
AVG         16 100.0     4 25.0     6 37.5     123  92.5
AVK         16 100.0     2 12.5     0  0.0     133 100.0
AVP         16 100.0     2 12.5     0  0.0     133 100.0
DRW         16 100.0     3 18.8     2 12.5     131  98.5
FPR         16 100.0     0  0.0     4 25.0     127  95.5
INO         15  93.8     4 25.0     6 37.5     115  86.5
MR2         14  87.5     3 18.8     8 50.0     108  81.2
NAV         12  75.0     3 18.8     5 31.3     108  81.2
NVC         16 100.0     4 25.0     3 18.8     127  95.5
PAV         16 100.0     2 12.5     0  0.0     133 100.0
SCN         16 100.0     4 25.0     0  0.0     133 100.0
VSP         14  87.5     2 12.5     8 50.0     108  81.2
----------------------------------------------------------


Table FDOS.M3V: "Comparison of Detection Rate of Packed Viruses":
                Results of Detection Rate of ITW macro viruses
                packed with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
================================================================
          This includes Viruses detected per packer
-------------------------------------------------------------------------------
          ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
-------------------------------------------------------------------------------
Testbed   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
-------------------------------------------------------------------------------
AVA         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
AVG       147 100.0     0   0.0   147 100.0   147 100.0   147 100.0     0   0.0
AVK       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
AVP       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
DRW       147 100.0     0   0.0   147 100.0   147 100.0   147 100.0     0   0.0
FPR       147 100.0     0   0.0   147 100.0   147 100.0   147 100.0     0   0.0
INO       146  99.3     0   0.0   146  99.3     0   0.0     0   0.0     0   0.0
MR2         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
NAV       139  94.6     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
PAV       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
SCN       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
VSP         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
-------------------------------------------------------------------------------


Table FDOS.M3F: "Comparison of Detection Rate of Packed Viral Objects":
                Results of Detection Rate of objects infected with
                ITW file viruses and with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
========================================================================
          This includes Viral objects detected per packer
-------------------------------------------------------------------------------
          ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
-------------------------------------------------------------------------------
Testbed  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0
-------------------------------------------------------------------------------
AVA         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
AVG      1347 100.0     0   0.0  1347 100.0  1347 100.0  1347 100.0     0   0.0
AVK      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1269  94.2
AVP      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1317  97.8
DRW      1347 100.0     0   0.0  1347 100.0  1347 100.0  1347 100.0     0   0.0
FPR      1347 100.0     0   0.0  1347 100.0  1347 100.0  1347 100.0     0   0.0
INO      1339  99.4     0   0.0  1339  99.4     0   0.0     0   0.0     0   0.0
MR2         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
NAV      1301  96.6     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
PAV      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1269  94.2
SCN      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0
VSP         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
-------------------------------------------------------------------------------


Table FDOS.M3a: "PKZIP-Packed Macro Viruses":
                Results of Detection of ITW Macro Viruses Packed with PKZIP:
==================================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    147 100.0                          1347 100.0
----------------------------------------------------------
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVG        147 100.0     9  6.1     0  0.0    1347 100.0
AVK        147 100.0     8  5.4     0  0.0    1347 100.0
AVP        147 100.0     8  5.4     0  0.0    1347 100.0
DRW        147 100.0     8  5.4     0  0.0    1347 100.0
FPR        147 100.0     0  0.0     0  0.0    1347 100.0
INO        146  99.3     9  6.1     0  0.0    1339  99.4
MR2          0   0.0     0  0.0     0  0.0       0   0.0
NAV        139  94.6    10  6.8     0  0.0    1301  96.6
PAV        147 100.0     8  5.4     0  0.0    1347 100.0
SCN        147 100.0     6  4.1     0  0.0    1347 100.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3b: "LHA-Packed Macro Viruses":
                Results of Detection of ITW Macro Viruses Packed with LHA:
================================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    147 100.0                          1347 100.0
----------------------------------------------------------
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVG          0   0.0     0  0.0     0  0.0       0   0.0
AVK        147 100.0     8  5.4     0  0.0    1347 100.0
AVP        147 100.0     8  5.4     0  0.0    1347 100.0
DRW          0   0.0     0  0.0     0  0.0       0   0.0
FPR          0   0.0     0  0.0     0  0.0       0   0.0
INO          0   0.0     0  0.0     0  0.0       0   0.0
MR2          0   0.0     0  0.0     0  0.0       0   0.0
NAV          0   0.0     0  0.0     0  0.0       0   0.0
PAV        147 100.0     8  5.4     0  0.0    1347 100.0
SCN        147 100.0     6  4.1     0  0.0    1347 100.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3c: "ARJ-Packed Macro Viruses":
                Results of Detection of ITW Macro Viruses Packed with ARJ:
================================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    147 100.0                          1347 100.0
----------------------------------------------------------
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVG        147 100.0     9  6.1     0  0.0    1347 100.0
AVK        147 100.0     8  5.4     0  0.0    1347 100.0
AVP        147 100.0     8  5.4     0  0.0    1347 100.0
DRW        147 100.0     8  5.4     0  0.0    1347 100.0
FPR        147 100.0     0  0.0     0  0.0    1347 100.0
INO        146  99.3     9  6.1     0  0.0    1339  99.4
MR2          0   0.0     0  0.0     0  0.0       0   0.0
NAV          0   0.0     0  0.0     0  0.0       0   0.0
PAV        147 100.0     8  5.4     0  0.0    1347 100.0
SCN        147 100.0     6  4.1     0  0.0    1347 100.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3d: "RAR-Packed Macro Viruses":
                Results of Detection of ITW Macro Viruses Packed with RAR:
================================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    147 100.0                          1347 100.0
----------------------------------------------------------
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVG        147 100.0     9  6.1     0  0.0    1347 100.0
AVK        147 100.0     8  5.4     0  0.0    1347 100.0
AVP        147 100.0     8  5.4     0  0.0    1347 100.0
DRW        147 100.0     8  5.4     0  0.0    1347 100.0
FPR        147 100.0     0  0.0     0  0.0    1347 100.0
INO          0   0.0     0  0.0     0  0.0       0   0.0
MR2          0   0.0     0  0.0     0  0.0       0   0.0
NAV          0   0.0     0  0.0     0  0.0       0   0.0
PAV        147 100.0     8  5.4     0  0.0    1347 100.0
SCN        147 100.0     6  4.1     0  0.0    1347 100.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3e: "WinRAR-Packed Macro Viruses":
                Results of Detection of ITW Macro Viruses Packed with WinRAR:
===================================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    147 100.0                          1347 100.0
----------------------------------------------------------
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVG        147 100.0     9  6.1     0  0.0    1347 100.0
AVK        147 100.0     8  5.4     0  0.0    1347 100.0
AVP        147 100.0     8  5.4     0  0.0    1347 100.0
DRW        147 100.0     8  5.4     0  0.0    1347 100.0
FPR        147 100.0     0  0.0     0  0.0    1347 100.0
INO          0   0.0     0  0.0     0  0.0       0   0.0
MR2          0   0.0     0  0.0     0  0.0       0   0.0
NAV          0   0.0     0  0.0     0  0.0       0   0.0
PAV        147 100.0     8  5.4     0  0.0    1347 100.0
SCN        147 100.0     6  4.1     0  0.0    1347 100.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M3f: "CAB-Packed Macro Viruses":
                Results of Detection of ITW Macro Viruses Packed with CAB:
================================================================
                    This includes
           Viruses  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    147 100.0                          1347 100.0
----------------------------------------------------------
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVG          0   0.0     0  0.0     0  0.0       0   0.0
AVK        147 100.0     7  4.8     7  4.8    1269  94.2
AVP        147 100.0     7  4.8     7  4.8    1317  97.8
DRW          0   0.0     0  0.0     0  0.0       0   0.0
FPR          0   0.0     0  0.0     0  0.0       0   0.0
INO          0   0.0     0  0.0     0  0.0       0   0.0
MR2          0   0.0     0  0.0     0  0.0       0   0.0
NAV          0   0.0     0  0.0     0  0.0       0   0.0
PAV        147 100.0     7  4.8     7  4.8    1269  94.2
SCN        147 100.0     6  4.1     0  0.0    1347 100.0
VSP          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------


Table FDOS.M4: "False Positive" macro virus detection:
               Results of "full" Zoo test for non-viral (clean)
               macro objects detected as "false positives":
==============================================================
            False       This includes
            Virus   ---- unreliably ----        Files
Scanner     Alarm   identified  detected     detected
----------------------------------------------------------
Maximum     26 100.0                           329 100.0
----------------------------------------------------------
AVA          0   0.0     0  0.0     0  0.0       0   0.0
AVG          0   0.0     0  0.0     0  0.0       0   0.0
AVK          0   0.0     0  0.0     0  0.0       0   0.0
AVP          2   7.7     0  0.0     2  7.7       4   1.2
DRW         21  80.8     0  0.0    21 80.8      94  28.6
FPR          1   3.8     0  0.0     1  3.8       2   0.6
INO          0   0.0     0  0.0     0  0.0       0   0.0
MR2         13  50.0     0  0.0    13 50.0      20   6.1
NAV          4  15.4     0  0.0     4 15.4       4   1.2
NVC          3  11.5     0  0.0     3 11.5       5   1.5
PAV          0   0.0     0  0.0     0  0.0       0   0.0
SCN          0   0.0     0  0.0     0  0.0       0   0.0
----------------------------------------------------------
Remark: within 26 non-viral directories and a total of 329
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table FDOS.M5: "Macro-Malware":
               Results of "full" Zoo Test for Macro-related malware:
=====================================================
                    This includes
           Malware  ---- unreliably ----        Files
Scanner   detected  identified  detected     detected
----------------------------------------------------------
Testbed    403 100.0                           627 100.0
----------------------------------------------------------
AVA        320  79.4     3  0.7     4  1.0     483  77.0
AVG        323  80.1     1  0.2     5  1.2     523  83.4
AVK        400  99.3     0  0.0     0  0.0     624  99.5
AVP        400  99.3     0  0.0     0  0.0     624  99.5
DRW        335  83.1     3  0.7     3  0.7     542  86.4
FPR        402  99.8     2  0.5     0  0.0     621  99.0
INO        365  90.6     4  1.0     5  1.2     575  91.7
MR2        139  34.5     6  1.5     2  0.5     214  34.1
NAV        291  72.2     2  0.5     4  1.0     456  72.7
NVC        399  99.0    10  2.5     2  0.5     606  96.7
PAV        400  99.3     0  0.0     0  0.0     624  99.5
SCN        402  99.8     5  1.2     0  0.0     625  99.7
VSP          1   0.2     0  0.0     0  0.0       1   0.2
----------------------------------------------------------