=================================================
File 6FW98.TXT
Detailed results of File and Macro Virus related
on-demand scanner tests under Windows 98:
=================================================
(Formatted with non-proportional font: Courier)

The following 24 products (versions) participated in W-98 tests
(for details of related AV producers: see A2SCNLS.txt):

--------------------------------------------------------
Products submitted for aVTC test under Windows-98:
--------------------------------------------------------
ADO
ATR
AV3            v: 3.0.304.0              sig: Dec.04,2000
AVG 6          v: 6.220                  sig: Dec.11,2000
AVK 10         v: 10,0,0,0               sig: Dec.07,2000
AVP Platinum   v: 3.5.311.0              sig: Dec.07,2000
CLE
CMD            v: 4.60                   sig: Dec.11,2000
DRW            v: 4.21 (see problems list)
DSE
FPR            v: 3.08b                  sig: Dec.11,2000
FPW            v: 3.08b                  sig: Dec.11,2000
FSE            v: 5.21                   sig: Dec.01,2000
INO            v: 4.53 Enterprise Ed.    sig: Dec.11,2000
MR2
NAV            v: 5.01.01                sig: Dec.07,2000
NVC            v: 4.86                   sig: Dec.01,2000
PAV            v: 3.0.132.4              sig: Dec.07,2000
PER            v: 6.60                   sig: Nov.30,2000
PRO            v: 7.0.A11                sig: Dec.09,2000
QHL
RAV            v: 8.1.001                sig: Dec.11,2000
SCN            v: 4.12.0                 sig: Dec.04,2000
VSP            v: 12.02.2                sig: Dec.11,2000
--------------------------------------------------------

The following tables summarize detection and identification quality
concerning FILE and MACRO viruses as well as selected FILE and MACRO
MALWARE, both in full "zoo" virus collection and for viral ITW testbed.
Additionally, test results are reported concerning detection of
(6*10,000) viruses in a testbed with generations of 6 polymorphic file
viruses, as well as a subset of 10,706 viruses generated from VKIT
virus construction kit. Moreover, results for detection of viruses in
files compressed with 6 popular packing methods are also given.
Finally, a special test was performed concerning "false positive" virus
detection of selected files which were deliberately chosen from
available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.
Results may be influenced by problems experienced during tests;
such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
W98.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
W98.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
W98.FA:  "Polyfile-Test": Results of Polymorphic test
W98.FB:  "VKIT Test": Results of VKIT file virus test
W98.F3V: "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses packed
         with PKZIP, LHA, ARJ, RAR, WinRAR and CAB
W98.F3F: "Comparison of Detection Rate of Packed Viral Objects":
         Results of Detection Rate of objects infected with ITW
         file viruses and packed with PKZIP, LHA, ARJ and RAR
W98.F3a: "PKZIP-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with PKZIP
W98.F3b: "LHA-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with LHA
W98.F3c: "ARJ-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with ARJ
W98.F3d: "RAR-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with RAR
W98.F3e: "WinRAR-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with WinRAR
W98.F3f: "CAB-Packed File Viruses": Results of Detection of
         ITW File Viruses Packed with CAB
W98.F4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) file samples detected as "False positives"
W98.F5:  "File Malware": Results of "full" Zoo test for
         File-related malware
W98.M1:  "MacroVirus 1": Results of "full" test for macro viruses
W98.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
W98.M3V: "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses packed
         with PKZIP, LHA, ARJ, RAR, WinRAR and CAB
W98.M3F: "Comparison of Detection Rate of Packed Viral Objects":
         Results of Detection Rate of objects infected with ITW
         file viruses and with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with PKZIP
W98.M3b: "LHA-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with LHA
W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with ARJ
W98.M3d: "RAR-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with RAR
W98.M3e: "WinRAR-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with WinRAR
W98.M3f: "CAB-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with CAB
W98.M4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) macro objects detected as "false positives"
W98.M5:  "Macro-Malware": Results of "full" zoo test for
         Macro-related malware
W98.S1:  "ScriptVirus 1": Results of "full" test for script viruses
         (VBS, JS etc)
W98.S2:  "ScriptVirus 2": Results of "In-The-Wild" test for
         script viruses
W98.E1:  "Exotic" malware: Results of special test for "exotic"
         viruses/trojans


Table W98.F1: "FileVirus 1":
Results of "full" zoo test for file viruses under Windows 98:
======================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed  20564 100.0                            150703 100.0
------------------------------------------------------------
ADO      20540  99.9    590   2.9      8   0.0  150594  99.9
AV3      19581  95.2    700   3.4    180   0.9  145285  96.4
AVG      16851  81.9    570   2.8    373   1.8  129336  85.8
AVK      20518  99.8    622   3.0     27   0.1  150530  99.9
AVP      20538  99.9    595   2.9     13   0.1  150582  99.9
CLE         22   0.1      0   0.0      0   0.0      28   0.0
CMD      20110  97.8     51   0.2     60   0.3  148731  98.7
DRW      20260  98.5    582   2.8    211   1.0  149070  98.9
DSE      20349  99.0    622   3.0     21   0.1  150149  99.6
FPR      20111  97.8     24   0.1     59   0.3  148739  98.7
FPW      20108  97.8     24   0.1     59   0.3  148736  98.7
FSE      20507  99.7     95   0.5     18   0.1  150538  99.9
INO      20126  97.9    701   3.4    197   1.0  148367  98.4
MR2      10300  50.1   1766   8.6    861   4.2   72744  48.3
NAV      19308  93.9   1485   7.2    434   2.1  143133  95.0
NVC      20173  98.1   1296   6.3    209   1.0  148196  98.3
PAV      20508  99.7    594   2.9     26   0.1  150475  99.8
PRO      14376  69.9    781   3.8   1547   7.5  103407  68.6
RAV      19239  93.6    786   3.8    554   2.7  139649  92.7
SCN      20515  99.8    639   3.1      4   0.0  150640 100.0
VSP      13355  64.9   2526  12.3   1277   6.2   90992  60.4
------------------------------------------------------------
Comment: results of several scanners may be influenced by the
         fact that these products had to be rerun when we
         detected that not all entries had been accessed during
         first run. In a 1st and possibly a 2nd "post-scan",
         those files untouched before were explicitly selected
         for scanning. We stopped after a 2nd postscan but even
         then, some products had not touched all objects. There
         is some evidence that this is due to a known problem in
         the FindFirst/FindNext routines in Windows operating
         systems which also materialized earlier, though to a
         lesser extent with a significantly smaller testbed
         (always for zoo file viruses). Microsoft was made aware
         of this problem ago but (no correction so far).


Table W98.F2: "FileVirus 2":
Results of "In-The-Wild" test for file viruses under Windows 98:
======================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed     20 100.0                               409 100.0
------------------------------------------------------------
ADO         20 100.0      1   5.0      0   0.0     409 100.0
AV3         20 100.0      1   5.0      0   0.0     409 100.0
AVG         20 100.0      4  20.0      0   0.0     409 100.0
AVK         20 100.0      1   5.0      0   0.0     409 100.0
AVP         20 100.0      1   5.0      0   0.0     409 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD         20 100.0      0   0.0      0   0.0     409 100.0
DRW         20 100.0      0   0.0      0   0.0     409 100.0
DSE         20 100.0      1   5.0      0   0.0     409 100.0
FPR         20 100.0      0   0.0      0   0.0     409 100.0
FPW         20 100.0      0   0.0      0   0.0     409 100.0
FSE         20 100.0      0   0.0      0   0.0     409 100.0
INO         20 100.0      1   5.0      0   0.0     409 100.0
MR2         12  60.0      1   5.0      1   5.0     332  81.2
NAV         20 100.0      3  15.0      0   0.0     409 100.0
NVC         20 100.0      2  10.0      0   0.0     409 100.0
PAV         20 100.0      1   5.0      0   0.0     409 100.0
PER         14  70.0      0   0.0      2  10.0     235  57.5
PRO         20 100.0      3  15.0      0   0.0     409 100.0
QHL         19  95.0      3  15.0      4  20.0     387  94.6
RAV         20 100.0      3  15.0      2  10.0     404  98.8
SCN         20 100.0      1   5.0      0   0.0     409 100.0
VSP          9  45.0      3  15.0      1   5.0     295  72.1
------------------------------------------------------------


Table W98.FA: "Polyfile-Test": Results of Polymorphic test
==========================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Maximum      6 100.0                             60000 100.0
------------------------------------------------------------
ADO          6 100.0      0   0.0      0   0.0   60000 100.0
ATR          0   0.0      0   0.0      0   0.0       0   0.0
AV3          6 100.0      1  16.7      1  16.7   59999 100.0
AVG          6 100.0      0   0.0      0   0.0   60000 100.0
AVK          6 100.0      0   0.0      0   0.0   60000 100.0
AVP          6 100.0      0   0.0      0   0.0   60000 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD          6 100.0      1  16.7      0   0.0   60000 100.0
DRW          6 100.0      0   0.0      0   0.0   60000 100.0
DSE          6 100.0      1  16.7      0   0.0   60000 100.0
FPR          6 100.0      1  16.7      0   0.0   60000 100.0
FPW          6 100.0      1  16.7      0   0.0   60000 100.0
FSE          6 100.0      0   0.0      0   0.0   60000 100.0
INO          6 100.0      3  50.0      0   0.0   60000 100.0
MR2          6 100.0      3  50.0      2  33.3   50000  83.3
NAV          6 100.0      1  16.7      0   0.0   60000 100.0
NVC          6 100.0      1  16.7      0   0.0   60000 100.0
PAV          6 100.0      0   0.0      0   0.0   60000 100.0
PER          1  16.7      0   0.0      1  16.7    5000   8.3
PRO          6 100.0      2  33.3      1  16.7   58788  98.0
QHL          6 100.0      0   0.0      5  83.3   49260  82.1
RAV          6 100.0      1  16.7      0   0.0   60000 100.0
SCN          6 100.0      1  16.7      0   0.0   60000 100.0
VSP          6 100.0      2  33.3      4  66.7   57657  96.1
------------------------------------------------------------
Remark: For 6 polymorphic viruses (with Maltese Amoeba,
        MTE.Encroacher.B, NATAS, TREMOR, One-Half and Tequila
        as in the previous test), 10,000 generations each were
        produced with VTC's dynamic polymorphic generation and
        test engine. For each virus, 100 directories including
        infected objects with goat files of lengths ranging from
        1 kByte to 100 kByte were generated.


Table W98.FB: "VKIT Test": Results of VKIT file virus test
==========================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed  10706 100.0                            104640 100.0
------------------------------------------------------------
ADO      10706 100.0   1194  11.2      0   0.0  104640 100.0
AV3      10706 100.0   1642  15.3     23   0.2  104595 100.0
AVG      10137  94.7    783   7.3    117   1.1   97780  93.4
AVK      10706 100.0   1194  11.2      0   0.0  104640 100.0
AVP      10706 100.0   1194  11.2      0   0.0  104640 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD      10706 100.0   5721  53.4      3   0.0  104636 100.0
DRW      10696  99.9    998   9.3      2   0.0   94587  90.4
DSE      10706 100.0   1168  10.9      0   0.0  104640 100.0
FPR      10706 100.0   1439  13.4      3   0.0  104636 100.0
FPW      10706 100.0   1439  13.4      3   0.0  104636 100.0
FSE      10706 100.0      3   0.0      0   0.0  104640 100.0
INO      10703 100.0   1264  11.8      8   0.1  104592 100.0
MR2      10704 100.0   7519  70.2      1   0.0  104636 100.0
NAV      10696  99.9    638   6.0    120   1.1  103947  99.3
NVC      10704 100.0   6191  57.8    323   3.0  102073  97.5
PAV      10706 100.0   1194  11.2      0   0.0  104640 100.0
PER       2064  19.3      4   0.0    430   4.0   16043  15.3
PRO       9270  86.6    265   2.5    999   9.3   83908  80.2
QHL        182   1.7      0   0.0     87   0.8     941   0.9
RAV      10706 100.0    224   2.1     15   0.1  104498  99.9
SCN      10706 100.0   1168  10.9      0   0.0  104640 100.0
VSP      10638  99.4   5925  55.3     71   0.7  103416  98.8
------------------------------------------------------------
Remark: A testbed of 10,706 viruses generated with the VKIT
        virus generator (out of about 14,000 viruses which can
        be generated) was used to test detection quality. This
        test was separated from the "normal" file virus test as
        1) there is no agreement between AV producers whether
           viruses from VKIT should be counted just as 1 or as
           14,000 different viruses (boosting the number of
           detected viruses to over 40,000), and
        2) because of the large size of this special testbed.


Table W98.F3V: "Comparison of Detection Rate of Packed Viruses":
Results of Detection Rate of ITW file viruses packed with
PKZIP, LHA, ARJ, RAR, WinRAR and CAB
================================================================
        This includes Viruses detected per packer
-------------------------------------------------------------------------------
          ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
TestBed    20 100.0    20 100.0    20 100.0    20 100.0    20 100.0    20 100.0
-------------------------------------------------------------------------------
ADO        20 100.0    20 100.0    20 100.0    20 100.0    20 100.0    20 100.0
AVG        20 100.0     0   0.0    20 100.0    20 100.0    20 100.0     0   0.0
AVK        20 100.0    20 100.0    20 100.0    20 100.0    20 100.0    20 100.0
AVP        20 100.0    20 100.0    20 100.0    20 100.0    20 100.0    20 100.0
CLE         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
CMD        20 100.0    20 100.0    20 100.0     0   0.0     0   0.0    20 100.0
DRW        20 100.0     0   0.0    20 100.0    20 100.0    20 100.0     0   0.0
DSE        20 100.0    20 100.0     0   0.0     0   0.0     0   0.0    20 100.0
FPR        20 100.0     0   0.0    20 100.0    20 100.0    20 100.0     0   0.0
FPW        20 100.0     0   0.0    20 100.0    20 100.0    20 100.0     0   0.0
FSE        19  95.0    19  95.0    19  95.0     0   0.0     0   0.0     0   0.0
INO        19  95.0    20 100.0    20 100.0     0   0.0     0   0.0    20 100.0
MR2         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
NAV        20 100.0    20 100.0    20 100.0     0   0.0     0   0.0    20 100.0
NVC        20 100.0     0   0.0    20 100.0     0   0.0     0   0.0     0   0.0
PAV        20 100.0    20 100.0    20 100.0    20 100.0    20 100.0    20 100.0
PER        14  70.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
PRO        20 100.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
QHL        18  90.0     0   0.0    19  95.0     0   0.0     0   0.0     0   0.0
RAV        20 100.0     0   0.0    20 100.0    20 100.0    20 100.0    20 100.0
SCN        20 100.0    20 100.0    20 100.0    20 100.0    20 100.0    20 100.0
VSP         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
-------------------------------------------------------------------------------


Table W98.F3F: "Comparison of Detection Rate of Packed Viral Objects":
Results of Detection Rate of objects infected with ITW file viruses
and packed with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
===========================================================================
        This includes Viral objects detected per packer
-------------------------------------------------------------------------------
          ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
TestBed   409 100.0   409 100.0   409 100.0   409 100.0   409 100.0   409 100.0
-------------------------------------------------------------------------------
ADO       409 100.0   409 100.0   409 100.0   409 100.0   409 100.0   409 100.0
AVG       409 100.0     0   0.0   409 100.0   409 100.0   409 100.0     0   0.0
AVK       409 100.0   409 100.0   409 100.0   409 100.0   409 100.0   409 100.0
AVP       409 100.0   409 100.0   409 100.0   409 100.0   409 100.0   409 100.0
CLE         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
CMD       409 100.0   409 100.0   409 100.0     0   0.0     0   0.0   409 100.0
DRW       409 100.0     0   0.0   409 100.0   409 100.0   409 100.0     0   0.0
DSE       409 100.0   409 100.0     0   0.0     0   0.0     0   0.0   409 100.0
FPR       409 100.0     0   0.0   409 100.0   409 100.0   409 100.0     0   0.0
FPW       409 100.0     0   0.0   409 100.0   409 100.0   409 100.0     0   0.0
FSE       389  95.1   389  95.1   389  95.1     0   0.0     0   0.0     0   0.0
INO       388  94.9   396  96.8   409 100.0     0   0.0     0   0.0   409 100.0
MR2         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
NAV       409 100.0   409 100.0   409 100.0     0   0.0     0   0.0   409 100.0
NVC       409 100.0     0   0.0   409 100.0     0   0.0     0   0.0     0   0.0
PAV       409 100.0   409 100.0   409 100.0   409 100.0   409 100.0   409 100.0
PER       231  56.5     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
PRO       409 100.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
QHL       378  92.4     0   0.0   388  94.9     0   0.0     0   0.0     0   0.0
RAV       404  98.8     0   0.0   404  98.8   404  98.8   404  98.8   404  98.8
SCN       409 100.0   409 100.0   409 100.0   409 100.0   409 100.0   409 100.0
VSP         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
-------------------------------------------------------------------------------


Table W98.F3a: "PKZIP-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with PKZIP
under Windows 98:
====================================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed     20 100.0                               409 100.0
------------------------------------------------------------
ADO         20 100.0      1   5.0      0   0.0     409 100.0
AVG         20 100.0      4  20.0      0   0.0     409 100.0
AVK         20 100.0      0   0.0      0   0.0     409 100.0
AVP         20 100.0      1   5.0      0   0.0     409 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD         20 100.0      0   0.0      0   0.0     409 100.0
DRW         20 100.0      0   0.0      0   0.0     409 100.0
DSE         20 100.0      1   5.0      0   0.0     409 100.0
FPR         20 100.0      0   0.0      0   0.0     409 100.0
FPW         20 100.0      0   0.0      0   0.0     409 100.0
FSE         19  95.0      0   0.0     19  95.0     389  95.1
INO         19  95.0      1   5.0      0   0.0     388  94.9
MR2          0   0.0      0   0.0      0   0.0       0   0.0
NAV         20 100.0      3  15.0      0   0.0     409 100.0
NVC         20 100.0      2  10.0      0   0.0     409 100.0
PAV         20 100.0      1   5.0      0   0.0     409 100.0
PER         14  70.0      0   0.0      5  25.0     231  56.5
PRO         20 100.0      3  15.0      0   0.0     409 100.0
QHL         18  90.0      2  10.0     12  60.0     378  92.4
RAV         20 100.0      3  15.0      2  10.0     404  98.8
SCN         20 100.0      1   5.0      0   0.0     409 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------


Table W98.F3b: "LHA-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with LHA
under Windows 98:
=================================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed     20 100.0                               409 100.0
------------------------------------------------------------
ADO         20 100.0      1   5.0      0   0.0     409 100.0
AVG          0   0.0      0   0.0      0   0.0       0   0.0
AVK         20 100.0      0   0.0      0   0.0     409 100.0
AVP         20 100.0      1   5.0      0   0.0     409 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD         20 100.0      1   5.0      0   0.0     409 100.0
DRW          0   0.0      0   0.0      0   0.0       0   0.0
DSE         20 100.0      1   5.0      0   0.0     409 100.0
FPR          0   0.0      0   0.0      0   0.0       0   0.0
FPW          0   0.0      0   0.0      0   0.0       0   0.0
FSE         19  95.0      0   0.0     19  95.0     389  95.1
INO         20 100.0      1   5.0      1   5.0     396  96.8
MR2          0   0.0      0   0.0      0   0.0       0   0.0
NAV         20 100.0      3  15.0      0   0.0     409 100.0
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV         20 100.0      1   5.0      0   0.0     409 100.0
PER          0   0.0      0   0.0      0   0.0       0   0.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
QHL          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN         20 100.0      1   5.0      0   0.0     409 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------


Table W98.F3c: "ARJ-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with ARJ
under Windows 98:
=================================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed     20 100.0                               409 100.0
------------------------------------------------------------
ADO         20 100.0      1   5.0      0   0.0     409 100.0
AVG         20 100.0      4  20.0      0   0.0     409 100.0
AVK         20 100.0      0   0.0      0   0.0     409 100.0
AVP         20 100.0      1   5.0      0   0.0     409 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD         20 100.0      0   0.0      0   0.0     409 100.0
DRW         20 100.0      0   0.0      0   0.0     409 100.0
DSE          0   0.0      0   0.0      0   0.0       0   0.0
FPR         20 100.0      0   0.0      0   0.0     409 100.0
FPW         20 100.0      0   0.0      0   0.0     409 100.0
FSE         19  95.0      0   0.0     19  95.0     389  95.1
INO         20 100.0      1   5.0      0   0.0     409 100.0
MR2          0   0.0      0   0.0      0   0.0       0   0.0
NAV         20 100.0      3  15.0      0   0.0     409 100.0
NVC         20 100.0      2  10.0      0   0.0     409 100.0
PAV         20 100.0      1   5.0      0   0.0     409 100.0
PER          0   0.0      0   0.0      0   0.0       0   0.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
QHL         19  95.0      3  15.0      3  15.0     388  94.9
RAV         20 100.0      3  15.0      2  10.0     404  98.8
SCN         20 100.0      1   5.0      0   0.0     409 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------


Table W98.F3d: "RAR-Packed File Viruses":
Results of Detection of ITW File Viruses
Packed with RAR under Windows 98:
=================================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed     20 100.0                               409 100.0
------------------------------------------------------------
ADO         20 100.0      1   5.0      0   0.0     409 100.0
AVG         20 100.0      4  20.0      0   0.0     409 100.0
AVK         20 100.0      0   0.0      0   0.0     409 100.0
AVP         20 100.0      1   5.0      0   0.0     409 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD          0   0.0      0   0.0      0   0.0       0   0.0
DRW         20 100.0      0   0.0      0   0.0     409 100.0
DSE          0   0.0      0   0.0      0   0.0       0   0.0
FPR         20 100.0      0   0.0      0   0.0     409 100.0
FPW         20 100.0      0   0.0      0   0.0     409 100.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO          0   0.0      0   0.0      0   0.0       0   0.0
MR2          0   0.0      0   0.0      0   0.0       0   0.0
NAV          0   0.0      0   0.0      0   0.0       0   0.0
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV         20 100.0      1   5.0      0   0.0     409 100.0
PER          0   0.0      0   0.0      0   0.0       0   0.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
QHL          0   0.0      0   0.0      0   0.0       0   0.0
RAV         20 100.0      3  15.0      2  10.0     404  98.8
SCN         20 100.0      1   5.0      0   0.0     409 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------


Table W98.F3e: "WinRAR-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with WinRAR:
=================================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed     20 100.0                               409 100.0
------------------------------------------------------------
ADO         20 100.0      1   5.0      0   0.0     409 100.0
AVG         20 100.0      4  20.0      0   0.0     409 100.0
AVK         20 100.0      0   0.0      0   0.0     409 100.0
AVP         20 100.0      1   5.0      0   0.0     409 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD          0   0.0      0   0.0      0   0.0       0   0.0
DRW         20 100.0      0   0.0      0   0.0     409 100.0
DSE          0   0.0      0   0.0      0   0.0       0   0.0
FPR         20 100.0      0   0.0      0   0.0     409 100.0
FPW         20 100.0      0   0.0      0   0.0     409 100.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO          0   0.0      0   0.0      0   0.0       0   0.0
MR2          0   0.0      0   0.0      0   0.0       0   0.0
NAV          0   0.0      0   0.0      0   0.0       0   0.0
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV         20 100.0      1   5.0      0   0.0     409 100.0
PER          0   0.0      0   0.0      0   0.0       0   0.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
QHL          0   0.0      0   0.0      0   0.0       0   0.0
RAV         20 100.0      3  15.0      2  10.0     404  98.8
SCN         20 100.0      1   5.0      0   0.0     409 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------


Table W98.F3f: "CAB-Packed File Viruses":
Results of Detection of ITW File Viruses Packed with CAB:
==============================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed     20 100.0                               409 100.0
------------------------------------------------------------
ADO         20 100.0      1   5.0      0   0.0     409 100.0
AVG          0   0.0      0   0.0      0   0.0       0   0.0
AVK         20 100.0      0   0.0      0   0.0     409 100.0
AVP         20 100.0      1   5.0      0   0.0     409 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD         20 100.0      0   0.0      0   0.0     409 100.0
DRW          0   0.0      0   0.0      0   0.0       0   0.0
DSE         20 100.0      1   5.0      0   0.0     409 100.0
FPR          0   0.0      0   0.0      0   0.0       0   0.0
FPW          0   0.0      0   0.0      0   0.0       0   0.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO         20 100.0      1   5.0      0   0.0     409 100.0
MR2          0   0.0      0   0.0      0   0.0       0   0.0
NAV         20 100.0      3  15.0      0   0.0     409 100.0
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV         20 100.0      1   5.0      0   0.0     409 100.0
PER          0   0.0      0   0.0      0   0.0       0   0.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
QHL          0   0.0      0   0.0      0   0.0       0   0.0
RAV         20 100.0      3  15.0      2  10.0     404  98.8
SCN         20 100.0      1   5.0      0   0.0     409 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------


Table W98.F4: "False Positive" detection:
Results of "full" Zoo test for Non-viral (clean) samples
detected as "false positives" under Windows 98:
================================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Maximum     27 100.0                               664 100.0
------------------------------------------------------------
ADO          0   0.0      0   0.0      0   0.0       0   0.0
AV3          0   0.0      0   0.0      0   0.0       0   0.0
AVG          0   0.0      0   0.0      0   0.0       0   0.0
AVK          0   0.0      0   0.0      0   0.0       0   0.0
AVP          0   0.0      0   0.0      0   0.0       0   0.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD          0   0.0      0   0.0      0   0.0       0   0.0
DRW          1   3.7      0   0.0      1   3.7       1   0.2
DSE          0   0.0      0   0.0      0   0.0       0   0.0
FPR          0   0.0      0   0.0      0   0.0       0   0.0
FPW          0   0.0      0   0.0      0   0.0       0   0.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO          0   0.0      0   0.0      0   0.0       0   0.0
MR2          0   0.0      0   0.0      0   0.0       0   0.0
NAV          0   0.0      0   0.0      0   0.0       0   0.0
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV          0   0.0      0   0.0      0   0.0       0   0.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN          0   0.0      0   0.0      0   0.0       0   0.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------
Remark: within 27 non-viral directories and totally 664
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table W98.F5 "File Malware":
Results of "full" zoo test for File-related malware under Windows 98:
========================================================
          File            This includes
          Malware      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed   6250 100.0                             12160 100.0
------------------------------------------------------------
ADO       6005  96.1    397   6.4     44   0.7   11652  95.8
ATR        464   7.4     55   0.9    158   2.5     862   7.1
AV3       3185  51.0    102   1.6    166   2.7    6506  53.5
AVG       3172  50.8     65   1.0    213   3.4    5577  45.9
AVK       6009  96.1    398   6.4     47   0.8   11647  95.8
AVP       6020  96.3    398   6.4     43   0.7   11671  96.0
CMD       5867  93.9     63   1.0    125   2.0   11321  93.1
DSE       5402  86.4    194   3.1     27   0.4   10845  89.2
FPR       5872  94.0     13   0.2    125   2.0   11326  93.1
FPW       5872  94.0     14   0.2    125   2.0   11326  93.1
FSE       6007  96.1     95   1.5     96   1.5   11587  95.3
INO       4797  76.8    115   1.8    279   4.5    9356  76.9
MR2       1781  28.5     97   1.6    217   3.5    2707  22.3
NAV       4053  64.8    139   2.2    322   5.2    7640  62.8
NVC       4965  79.4    405   6.5    196   3.1    9984  82.1
PAV       5912  94.6    376   6.0     71   1.1   11500  94.6
PER        634  10.1      7   0.1     96   1.5     989   8.1
PRO       2074  33.2     56   0.9    281   4.5    3691  30.4
RAV       5042  80.7    215   3.4    194   3.1    9354  76.9
SCN       5653  90.4    214   3.4     28   0.4   11304  93.0
VSP       2745  43.9    153   2.4    159   2.5    4315  35.5
------------------------------------------------------------


Table W98.M1: "MacroVirus 1":
Results of "full" zoo
test for macro viruses under Windows 98:
======================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed   6233 100.0                             19387 100.0
------------------------------------------------------------
ADO       6228  99.9     91   1.5      1   0.0   19378 100.0
AV3       5967  95.7     51   0.8     44   0.7   18655  96.2
AVG       6128  98.3     42   0.7     11   0.2   19123  98.6
AVK       6230 100.0     91   1.5      1   0.0   19380 100.0
AVP       6230 100.0     91   1.5      1   0.0   19380 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD       6233 100.0     72   1.2      0   0.0   19387 100.0
DRW       6107  98.0     67   1.1     17   0.3   19060  98.3
DSE       6229  99.9     53   0.9      1   0.0   19381 100.0
FPR       6233 100.0      7   0.1      0   0.0   19387 100.0
FPW       6233 100.0      7   0.1      0   0.0   19387 100.0
FSE       6233 100.0      0   0.0      1   0.0   19388 100.0
INO       6215  99.7     86   1.4      6   0.1   19334  99.7
MR2       2752  44.2    199   3.2     75   1.2    8024  41.4
NAV       6043  97.0     84   1.3     12   0.2   18717  96.5
NVC       6219  99.8     67   1.1      7   0.1   19333  99.7
PAV       6199  99.5     91   1.5      2   0.0   19278  99.4
PER       4270  68.5     98   1.6     26   0.4   13180  68.0
PRO       4181  67.1      0   0.0    145   2.3   12125  62.5
QHL          0   0.0      0   0.0      0   0.0       0   0.0
RAV       6208  99.6    309   5.0      9   0.1   19310  99.6
SCN       6233 100.0     53   0.9      0   0.0   19387 100.0
VSP          1   0.0      0   0.0      1   0.0       1   0.0
------------------------------------------------------------


Table W98.M2: "MacroVirus 2":
Results of "In-The-Wild" test for macro viruses under Windows 98:
=======================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed    147 100.0                              1347 100.0
------------------------------------------------------------
ADO        147 100.0      8   5.4      0   0.0    1347 100.0
AV3        147 100.0     10   6.8      4   2.7    1339  99.4
AVG        147 100.0      7   4.8      0   0.0    1347 100.0
AVK        147 100.0      8   5.4      0   0.0    1347 100.0
AVP        147 100.0      8   5.4      0   0.0    1347 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD        147 100.0      5   3.4      0   0.0    1347 100.0
DRW        147 100.0      8   5.4      0   0.0    1347 100.0
DSE        147 100.0      6   4.1      0   0.0    1347 100.0
FPR        147 100.0      0   0.0      0   0.0    1347 100.0
FPW        147 100.0      0   0.0      0   0.0    1347 100.0
FSE        147 100.0      1   0.7      0   0.0    1347 100.0
INO        147 100.0      9   6.1      0   0.0    1347 100.0
MR2         15  10.2      3   2.0      5   3.4     402  29.8
NAV        147 100.0     11   7.5      0   0.0    1347 100.0
NVC        147 100.0      8   5.4      0   0.0    1347 100.0
PAV        147 100.0      8   5.4      0   0.0    1347 100.0
PER        114  77.6     16  10.9      0   0.0    1119  83.1
PRO        146  99.3      0   0.0     13   8.8    1315  97.6
QHL          0   0.0      0   0.0      0   0.0       0   0.0
RAV        147 100.0     31  21.1      1   0.7    1346  99.9
SCN        147 100.0      0   0.0      0   0.0    1347 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------


Table W98.M3V: "Comparison of Detection Rate of Packed Viruses":
Results of Detection Rate of ITW macro viruses packed with
PKZIP, LHA, ARJ, RAR, WinRAR and CAB:
================================================================
        This includes Viruses detected per packer
-------------------------------------------------------------------------------
          ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
-------------------------------------------------------------------------------
Testbed   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
-------------------------------------------------------------------------------
ADO       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   102  69.4
AVG       147 100.0     0   0.0   147 100.0   147 100.0   147 100.0     0   0.0
AVK       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
AVP       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   146  99.3
CLE         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
CMD       147 100.0   147 100.0   147 100.0     0   0.0     0   0.0   147 100.0
DRW       147 100.0     0   0.0   147 100.0   147 100.0   147 100.0     0   0.0
DSE       147 100.0   147 100.0     0   0.0     0   0.0     0   0.0   147 100.0
FPR       147 100.0     0   0.0   147 100.0   147 100.0   147 100.0     0   0.0
FPW       147 100.0     0   0.0   147 100.0   147 100.0   147 100.0     0   0.0
FSE       146  99.3   146  99.3   146  99.3     0   0.0     0   0.0     0   0.0
INO       147 100.0   147 100.0   147 100.0     0   0.0     0   0.0   147 100.0
MR2         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
NAV       147 100.0   147 100.0   147 100.0     0   0.0     0   0.0   147 100.0
NVC       147 100.0     0   0.0   147 100.0     0   0.0     0   0.0     0   0.0
PAV       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
PER       114  77.6     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
PRO       146  99.3     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
QHL       135  91.8     0   0.0   135  91.8     0   0.0     0   0.0     0   0.0
RAV       147 100.0     0   0.0   147 100.0   147 100.0   147 100.0   147 100.0
SCN       147 100.0   147 100.0   147 100.0   147 100.0   147 100.0   147 100.0
VSP         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
-------------------------------------------------------------------------------


Table W98.M3F: "Comparison of Detection Rate of Packed Viral Objects":
Results of Detection Rate of objects infected with ITW file viruses
and with PKZIP, LHA, ARJ, RAR, WinRAR, CAB
=======================================================================
        This includes Viral objects detected per packer
-------------------------------------------------------------------------------
          ZIP     %   LHA     %   ARJ     %   RAR     %  WRAR     %   CAB     %
-------------------------------------------------------------------------------
Testbed  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0
-------------------------------------------------------------------------------
ADO      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0   983  73.0
AVG      1347 100.0     0   0.0  1347 100.0  1347 100.0  1347 100.0     0   0.0
AVK      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1269  94.2
AVP      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1254  93.1
CLE         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
CMD      1347 100.0  1347 100.0  1347 100.0     0   0.0     0   0.0  1347 100.0
DRW      1347 100.0     0   0.0  1347 100.0  1347 100.0  1347 100.0     0   0.0
DSE      1347 100.0  1347 100.0     0   0.0     0   0.0     0   0.0  1347 100.0
FPR      1347 100.0     0   0.0  1347 100.0  1347 100.0  1347 100.0     0   0.0
FPW      1347 100.0     0   0.0  1347 100.0  1347 100.0  1347 100.0     0   0.0
FSE      1200  89.1  1200  89.1  1200  89.1     0   0.0     0   0.0     0   0.0
INO      1347 100.0  1298  96.4  1347 100.0     0   0.0     0   0.0  1347 100.0
MR2         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
NAV      1347 100.0  1346  99.9  1347 100.0     0   0.0     0   0.0  1347 100.0
NVC      1347 100.0     0   0.0  1347 100.0     0   0.0     0   0.0     0   0.0
PAV      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1318  97.8
PER      1119  83.1     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
PRO      1315  97.6     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
QHL      1194  88.6     0   0.0  1196  88.8     0   0.0     0   0.0     0   0.0
RAV      1346  99.9     0   0.0  1346  99.9  1346  99.9  1346  99.9  1346  99.9
SCN      1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0  1347 100.0
VSP         0   0.0     0   0.0     0   0.0     0   0.0     0   0.0     0   0.0
-------------------------------------------------------------------------------


Table W98.M3a: "PKZIP-Packed Macro Viruses":
Results of Detection of ITW Macro Viruses Packed with PKZIP
under Windows 98:
====================================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
------------------------------------------------------------
Testbed    147 100.0                              1347 100.0
------------------------------------------------------------
ADO        147 100.0      8   5.4      0   0.0    1347 100.0
AVG        147 100.0      7   4.8      0   0.0    1347 100.0
AVK        147 100.0      0   0.0      0   0.0    1347 100.0
AVP        147 100.0      8   5.4      0   0.0    1347 100.0
CLE          0   0.0      0   0.0      0   0.0       0   0.0
CMD        147 100.0      5   3.4      0   0.0    1347 100.0
DRW        147 100.0      8   5.4      0   0.0    1347 100.0
DSE        147 100.0      6   4.1      0   0.0    1347 100.0
FPR        147 100.0      0   0.0      0   0.0    1347 100.0
FPW        147 100.0      0   0.0      0   0.0    1347 100.0
FSE        146  99.3      0   0.0    146  99.3    1200  89.1
INO        147 100.0      9   6.1      0   0.0    1347 100.0
MR2          0   0.0      0   0.0      0   0.0       0   0.0
NAV        147 100.0     11   7.5      0   0.0    1347 100.0
NVC        147 100.0      8   5.4      0   0.0    1347 100.0
PAV        147 100.0      8   5.4      0   0.0    1347 100.0
PER        114  77.6     16  10.9      0   0.0    1119  83.1
PRO        146  99.3      0   0.0     13   8.8    1315  97.6
QHL        135  91.8     18  12.2     14   9.5    1194  88.6
RAV        147 100.0     31  21.1      1   0.7    1346  99.9
SCN        147 100.0      0   0.0      0   0.0    1347 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
------------------------------------------------------------


Table W98.M3b: "LHA-Packed Macro Viruses":
Results of Detection of ITW Macro Viruses Packed with LHA
under Windows 98:
==================================================================
                          This includes
          Viruses      ---- unreliably ----        Files
Scanner   detected    identified    detected      detected
----------------------------------------------------------- Testbed 147 100.0 1347 100.0 ---------------------------------------------------------- ADO 147 100.0 8 5.4 0 0.0 1347 100.0 AVG 0 0.0 0 0.0 0 0.0 0 0.0 AVK 147 100.0 0 0.0 0 0.0 1347 100.0 AVP 147 100.0 8 5.4 0 0.0 1347 100.0 CLE 0 0.0 0 0.0 0 0.0 0 0.0 CMD 147 100.0 5 3.4 0 0.0 1347 100.0 DRW 0 0.0 0 0.0 0 0.0 0 0.0 DSE 147 100.0 6 4.1 0 0.0 1347 100.0 FPR 0 0.0 0 0.0 0 0.0 0 0.0 FPW 0 0.0 0 0.0 0 0.0 0 0.0 FSE 146 99.3 0 0.0 146 99.3 1200 89.1 INO 147 100.0 9 6.1 5 3.4 1298 96.4 MR2 0 0.0 0 0.0 0 0.0 0 0.0 NAV 147 100.0 11 7.5 1 0.7 1346 99.9 NVC 0 0.0 0 0.0 0 0.0 0 0.0 PAV 147 100.0 8 5.4 0 0.0 1347 100.0 PER 0 0.0 0 0.0 0 0.0 0 0.0 PRO 0 0.0 0 0.0 0 0.0 0 0.0 QHL 0 0.0 0 0.0 0 0.0 0 0.0 RAV 0 0.0 0 0.0 0 0.0 0 0.0 SCN 147 100.0 0 0.0 0 0.0 1347 100.0 VSP 0 0.0 0 0.0 0 0.0 0 0.0 ----------------------------------------------------------- Table W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW Macro Viruses Packed with ARJ under Windows 98: ================================================================== This includes Viruses ---- unreliably ---- Files Scanner detected identified detected detected ----------------------------------------------------------- Testbed 147 100.0 1347 100.0 ---------------------------------------------------------- ADO 20 100.0 1 5.0 0 0.0 409 100.0 AVG 20 100.0 4 20.0 0 0.0 409 100.0 AVK 20 100.0 0 0.0 0 0.0 409 100.0 AVP 20 100.0 1 5.0 0 0.0 409 100.0 CLE 0 0.0 0 0.0 0 0.0 0 0.0 CMD 20 100.0 0 0.0 0 0.0 409 100.0 DRW 20 100.0 0 0.0 0 0.0 409 100.0 DSE 0 0.0 0 0.0 0 0.0 0 0.0 FPR 20 100.0 0 0.0 0 0.0 409 100.0 FPW 20 100.0 0 0.0 0 0.0 409 100.0 FSE 19 95.0 0 0.0 19 95.0 389 95.1 INO 20 100.0 1 5.0 0 0.0 409 100.0 MR2 0 0.0 0 0.0 0 0.0 0 0.0 NAV 20 100.0 3 15.0 0 0.0 409 100.0 NVC 20 100.0 2 10.0 0 0.0 409 100.0 PAV 20 100.0 1 5.0 0 0.0 409 100.0 PER 0 0.0 0 0.0 0 0.0 0 0.0 PRO 0 0.0 0 0.0 0 0.0 0 0.0 QHL 19 95.0 3 15.0 3 15.0 388 94.9 RAV 20 100.0 3 15.0 2 
10.0 404 98.8 SCN 20 100.0 1 5.0 0 0.0 409 100.0 VSP 0 0.0 0 0.0 0 0.0 0 0.0 ----------------------------------------------------------- Table W98.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW Macro Viruses Packed with RAR under Windows 98: ================================================================== This includes Viruses ---- unreliably ---- Files Scanner detected identified detected detected ----------------------------------------------------------- Testbed 147 100.0 1347 100.0 ---------------------------------------------------------- ADO 147 100.0 8 5.4 0 0.0 1347 100.0 AVG 147 100.0 7 4.8 0 0.0 1347 100.0 AVK 147 100.0 0 0.0 0 0.0 1347 100.0 AVP 147 100.0 8 5.4 0 0.0 1347 100.0 CLE 0 0.0 0 0.0 0 0.0 0 0.0 CMD 0 0.0 0 0.0 0 0.0 0 0.0 DRW 147 100.0 8 5.4 0 0.0 1347 100.0 DSE 0 0.0 0 0.0 0 0.0 0 0.0 FPR 147 100.0 0 0.0 0 0.0 1347 100.0 FPW 147 100.0 0 0.0 0 0.0 1347 100.0 FSE 0 0.0 0 0.0 0 0.0 0 0.0 INO 0 0.0 0 0.0 0 0.0 0 0.0 MR2 0 0.0 0 0.0 0 0.0 0 0.0 NAV 0 0.0 0 0.0 0 0.0 0 0.0 NVC 0 0.0 0 0.0 0 0.0 0 0.0 PAV 147 100.0 8 5.4 0 0.0 1347 100.0 PER 0 0.0 0 0.0 0 0.0 0 0.0 PRO 0 0.0 0 0.0 0 0.0 0 0.0 QHL 0 0.0 0 0.0 0 0.0 0 0.0 RAV 147 100.0 31 21.1 1 0.7 1346 99.9 SCN 147 100.0 0 0.0 0 0.0 1347 100.0 VSP 0 0.0 0 0.0 0 0.0 0 0.0 ----------------------------------------------------------- Table W98.M3e: "WinRAR-Packed Macro Viruses": Results of Detection of ITW Macro Viruses Packed with WinRAR: ================================================================== This includes Viruses ---- unreliably ---- Files Scanner detected identified detected detected ---------------------------------------------------------- Testbed 147 100.0 1347 100.0 ---------------------------------------------------------- ADO 147 100.0 8 5.4 0 0.0 1347 100.0 AVG 147 100.0 7 4.8 0 0.0 1347 100.0 AVK 147 100.0 0 0.0 0 0.0 1347 100.0 AVP 147 100.0 8 5.4 0 0.0 1347 100.0 CLE 0 0.0 0 0.0 0 0.0 0 0.0 CMD 0 0.0 0 0.0 0 0.0 0 0.0 DRW 147 100.0 8 5.4 0 0.0 1347 100.0 DSE 0 
0.0 0 0.0 0 0.0 0 0.0 FPR 147 100.0 0 0.0 0 0.0 1347 100.0 FPW 147 100.0 0 0.0 0 0.0 1347 100.0 FSE 0 0.0 0 0.0 0 0.0 0 0.0 INO 0 0.0 0 0.0 0 0.0 0 0.0 MR2 0 0.0 0 0.0 0 0.0 0 0.0 NAV 0 0.0 0 0.0 0 0.0 0 0.0 NVC 0 0.0 0 0.0 0 0.0 0 0.0 PAV 147 100.0 8 5.4 0 0.0 1347 100.0 PER 0 0.0 0 0.0 0 0.0 0 0.0 PRO 0 0.0 0 0.0 0 0.0 0 0.0 QHL 0 0.0 0 0.0 0 0.0 0 0.0 RAV 147 100.0 31 21.1 1 0.7 1346 99.9 SCN 147 100.0 0 0.0 0 0.0 1347 100.0 VSP 0 0.0 0 0.0 0 0.0 0 0.0 ---------------------------------------------------------- Table W98.M3f: "CAB-Packed Macro Viruses": Results of Detection of ITW Macro Viruses Packed with CAB: =============================================================== This includes Viruses ---- unreliably ---- Files Scanner detected identified detected detected ---------------------------------------------------------- Testbed 147 100.0 1347 100.0 ---------------------------------------------------------- ADO 102 69.4 6 4.1 3 2.0 983 73.0 AVG 0 0.0 0 0.0 0 0.0 0 0.0 AVK 147 100.0 0 0.0 7 4.8 1269 94.2 AVP 146 99.3 7 4.8 8 5.4 1254 93.1 CLE 0 0.0 0 0.0 0 0.0 0 0.0 CMD 147 100.0 5 3.4 0 0.0 1347 100.0 DRW 0 0.0 0 0.0 0 0.0 0 0.0 DSE 147 100.0 6 4.1 0 0.0 1347 100.0 FPR 0 0.0 0 0.0 0 0.0 0 0.0 FPW 0 0.0 0 0.0 0 0.0 0 0.0 FSE 0 0.0 0 0.0 0 0.0 0 0.0 INO 147 100.0 9 6.1 0 0.0 1347 100.0 MR2 0 0.0 0 0.0 0 0.0 0 0.0 NAV 147 100.0 11 7.5 0 0.0 1347 100.0 NVC 0 0.0 0 0.0 0 0.0 0 0.0 PAV 147 100.0 7 4.8 7 4.8 1318 97.8 PER 0 0.0 0 0.0 0 0.0 0 0.0 PRO 0 0.0 0 0.0 0 0.0 0 0.0 QHL 0 0.0 0 0.0 0 0.0 0 0.0 RAV 147 100.0 31 21.1 1 0.7 1346 99.9 SCN 147 100.0 0 0.0 0 0.0 1347 100.0 VSP 0 0.0 0 0.0 0 0.0 0 0.0 ---------------------------------------------------------- Table W98.M4: "False Positive" macro virus detection: Results of "full" zoo test for non-viral (clean) macro objects detected as "false positives" under Windows 98: ===================================================================== False This includes Virus ---- unreliably ---- Files Scanner Alarm identified 
detected detected ----------------------------------------------------------- Maximum 26 100.0% % % 329 100.0% ----------------------------------------------------------- ADO 2 7.7 0 0.0 2 7.7 4 1.2 AV3 0 0.0 0 0.0 0 0.0 0 0.0 AVG 0 0.0 0 0.0 0 0.0 0 0.0 AVK 0 0.0 0 0.0 0 0.0 0 0.0 AVP 0 0.0 0 0.0 0 0.0 0 0.0 CLE 0 0.0 0 0.0 0 0.0 0 0.0 CMD 1 3.8 0 0.0 1 3.8 2 0.6 DRW 21 80.8 0 0.0 21 80.8 94 28.6 DSE 0 0.0 0 0.0 0 0.0 0 0.0 FPR 1 3.8 0 0.0 1 3.8 2 0.6 FPW 1 3.8 0 0.0 1 3.8 2 0.6 FSE 1 3.8 0 0.0 1 3.8 2 0.6 INO 0 0.0 0 0.0 0 0.0 0 0.0 MR2 13 50.0 0 0.0 13 50.0 20 6.1 NAV 4 15.4 0 0.0 4 15.4 4 1.2 NVC 3 11.5 0 0.0 3 11.5 5 1.5 PAV 0 0.0 0 0.0 0 0.0 0 0.0 PER 2 7.7 0 0.0 2 7.7 3 0.9 PRO 0 0.0 0 0.0 0 0.0 0 0.0 QHL 0 0.0 0 0.0 0 0.0 0 0.0 RAV 0 0.0 0 0.0 0 0.0 0 0.0 SCN 0 0.0 0 0.0 0 0.0 0 0.0 VSP 0 0.0 0 0.0 0 0.0 0 0.0 ----------------------------------------------------------- Remark: within 26 non-viral directories and totally 329 non- viral objects, at least one sample in N directories was falsely detected (N = number in column 1) Table W98.M5: "Macro-Malware": Results of "full" zoo test for Macro-related malware under Windows 98: =============================================================== Macro This includes Malware ---- unreliably ---- Files Scanner detected identified detected detected ----------------------------------------------------------- Testbed 403 100.0 627 100.0 ---------------------------------------------------------- ADO 399 99.0 0 0.0 0 0.0 623 99.4 ATR 0 0.0 0 0.0 0 0.0 0 0.0 AV3 329 81.6 3 0.7 5 1.2 497 79.3 AVG 323 80.1 1 0.2 5 1.2 523 83.4 AVK 400 99.3 0 0.0 0 0.0 624 99.5 AVP 400 99.3 0 0.0 0 0.0 624 99.5 CLE 0 0.0 0 0.0 0 0.0 0 0.0 CMD 402 99.8 6 1.5 0 0.0 621 99.0 DRW 334 82.9 3 0.7 3 0.7 541 86.3 DSE 392 97.3 5 1.2 0 0.0 615 98.1 FPR 402 99.8 2 0.5 0 0.0 621 99.0 FSE 403 100.0 2 0.5 0 0.0 627 100.0 INO 378 93.8 5 1.2 1 0.2 600 95.7 MR2 139 34.5 6 1.5 2 0.5 214 34.1 NAV 306 75.9 4 1.0 2 0.5 491 78.3 NVC 399 99.0 10 2.5 2 0.5 606 96.7 
PAV 400 99.3 0 0.0 0 0.0 624 99.5 PER 234 58.1 4 1.0 9 2.2 369 58.9 PRO 208 51.6 0 0.0 8 2.0 303 48.3 QHL 0 0.0 0 0.0 0 0.0 0 0.0 RAV 391 97.0 24 6.0 5 1.2 604 96.3 SCN 402 99.8 5 1.2 0 0.0 625 99.7 VSP 1 0.2 0 0.0 0 0.0 1 0.2 ----------------------------------------------------------- Table W98.S1: "ScriptVirus 1": Results of "full" Zoo test for script viruses: ================================================= This includes Viruses ---- unreliably ---- Files Scanner detected identified detected detected ---------------------------------------------------------- Testbed 477 100.0 904 100.0 ---------------------------------------------------------- ADO 476 99.8 32 6.7 2 0.4 898 99.3 ATR 13 2.7 0 0.0 6 1.3 15 1.7 AV3 143 30.0 2 0.4 19 4.0 344 38.1 AVG 276 57.9 16 3.4 18 3.8 621 68.7 AVK 476 99.8 41 8.6 1 0.2 901 99.7 AVP 476 99.8 32 6.7 3 0.6 897 99.2 CLE 30 6.3 0 0.0 16 3.4 55 6.1 CMD 462 96.9 1 0.2 12 2.5 850 94.0 DRW 456 95.6 21 4.4 12 2.5 826 91.4 DSE 477 100.0 28 5.9 0 0.0 904 100.0 FPR 462 96.9 10 2.1 12 2.5 850 94.0 FPW 462 96.9 10 2.1 14 2.9 846 93.6 FSE 477 100.0 22 4.6 3 0.6 899 99.4 INO 442 92.7 46 9.6 12 2.5 831 91.9 MR2 406 85.1 52 10.9 31 6.5 699 77.3 NAV 260 54.5 25 5.2 22 4.6 506 56.0 NVC 422 88.5 24 5.0 13 2.7 773 85.5 PAV 476 99.8 31 6.5 4 0.8 895 99.0 PER 105 22.0 0 0.0 31 6.5 214 23.7 PRO 194 40.7 3 0.6 40 8.4 371 41.0 RAV 405 84.9 46 9.6 28 5.9 697 77.1 SCN 477 100.0 28 5.9 0 0.0 904 100.0 VSP 407 85.3 50 10.5 32 6.7 701 77.5 ---------------------------------------------------------- Table W98.S2: "ScriptVirus 2": Results of "In-The-Wild" test for script viruses: ======================================================= This includes Viruses ---- unreliably ---- Files Scanner detected identified detected detected ---------------------------------------------------------- Testbed 16 100.0 133 100.0 ---------------------------------------------------------- ADO 16 100.0 2 12.5 1 6.3 130 97.7 ATR 3 18.8 0 0.0 3 18.8 5 3.8 AV3 16 100.0 1 6.3 5 31.3 121 
91.0 AVG 16 100.0 4 25.0 6 37.5 124 93.2 AVK 16 100.0 6 37.5 0 0.0 133 100.0 AVP 16 100.0 2 12.5 1 6.3 131 98.5 CLE 6 37.5 0 0.0 4 25.0 25 18.8 CMD 16 100.0 0 0.0 4 25.0 127 95.5 DRW 16 100.0 3 18.8 2 12.5 131 98.5 DSE 16 100.0 4 25.0 0 0.0 133 100.0 FPR 16 100.0 0 0.0 4 25.0 127 95.5 FPW 16 100.0 0 0.0 6 37.5 123 92.5 FSE 16 100.0 3 18.8 3 18.8 128 96.2 INO 16 100.0 5 31.3 1 6.3 132 99.2 MR2 14 87.5 3 18.8 8 50.0 107 80.5 NAV 16 100.0 8 50.0 2 12.5 129 97.0 NVC 16 100.0 4 25.0 3 18.8 127 95.5 PAV 16 100.0 2 12.5 1 6.3 131 98.5 PER 13 81.3 0 0.0 8 50.0 82 61.7 PRO 16 100.0 0 0.0 9 56.3 108 81.2 RAV 16 100.0 4 25.0 5 31.3 115 86.5 SCN 16 100.0 4 25.0 0 0.0 133 100.0 VSP 14 87.5 2 12.5 8 50.0 108 81.2 ---------------------------------------------------------- Table W98.E1: "Exotic Malware": Results of special test for exotic viruses: ================================================== This includes Viruses ---- unreliably ---- Files Scanner detected identified detected detected ---------------------------------------------------------- Testbed 115 100.0 274 100.0 ---------------------------------------------------------- ADO 98 85.2 2 1.7 7 6.1 227 82.8 ATR 0 0.0 0 0.0 0 0.0 0 0.0 AV3 9 7.8 0 0.0 1 0.9 46 16.8 AVG 6 5.2 0 0.0 0 0.0 46 16.8 AVK 104 90.4 3 2.6 0 0.0 252 92.0 AVP 104 90.4 3 2.6 0 0.0 252 92.0 CLE 0 0.0 0 0.0 0 0.0 0 0.0 CMD 76 66.1 1 0.9 4 3.5 129 47.1 DRW 43 37.4 1 0.9 4 3.5 149 54.4 DSE 80 69.6 8 7.0 2 1.7 219 79.9 FPR 76 66.1 1 0.9 4 3.5 129 47.1 FPW 76 66.1 1 0.9 4 3.5 129 47.1 FSE 106 92.2 6 5.2 1 0.9 254 92.7 INO 33 28.7 2 1.7 1 0.9 133 48.5 MR2 2 1.7 0 0.0 1 0.9 2 0.7 NAV 24 20.9 1 0.9 5 4.3 101 36.9 NVC 75 65.2 2 1.7 5 4.3 150 54.7 PAV 92 80.0 2 1.7 1 0.9 232 84.7 PER 0 0.0 0 0.0 0 0.0 0 0.0 PRO 2 1.7 0 0.0 2 1.7 2 0.7 QHL 0 0.0 0 0.0 0 0.0 0 0.0 RAV 85 73.9 3 2.6 6 5.2 184 67.2 SCN 81 70.4 8 7.0 2 1.7 220 80.3 VSP 30 26.1 0 0.0 11 9.6 94 34.3 ----------------------------------------------------------