==========================================
File 7EVAL-W32.txt

Comparison of File, Macro and Script Virus and Malware detection
under W32 platforms (Windows 98, Windows NT, Windows 2000)
==========================================

Formatted with non-proportional font (Courier)

Content of this file:

**********************************************************************
Eval W32: Comparison of detection behaviour for W32 platforms
**********************************************************************
Eval W32.01: Background of this evaluation
Eval W32.02: Test Hypothesis
Eval W32.03: Results of comparison
Eval W32.SUM: Grading AV products concerning W32-harmonical behaviour
**********************************************************************

This part of VTC "2001-04" test report evaluates the detailed results
as given in section (file):

   6MCMP32.TXT   Comparison of detection rates for W32 platforms


W32.01 Background of this evaluation:
-------------------------------------

With the fast deployment of new versions of Microsoft Windows-32 (in
the past 5 years from W-NT to W-95, W-98, W-2000 and soon W-XP), both
customers needing protection and producers of security-enhancing
software (esp. AntiVirus and AntiMalware) can only cope with the pace
when they essentially re-use engines prepared for previous W32
platforms and simply "adapt" them to the intrinsics of the new
platforms. Otherwise, "rewriting" the resp. software would consume too
much time and effort, and customers would receive "adapted" products
only with some delay.

AV/AM testers cannot determine the characteristics of the algorithms
in scanning engines, either for legal reasons (most Copyright laws
prohibit reverse-engineering of proprietary code, except for specific
purposes such as collecting evidence for a court case or teaching
related techniques, as in the Hamburg university IT Security
curriculum), or because of the sheer complexity of the related code
(and in many cases, because of insufficient professional knowledge of
testers). It is therefore worthwhile to analyse whether those AV/AM
products, versions of which are available for all W32 platforms,
behave EQUALLY concerning detection and identification of viral and
malicious code.


W32.02 Test Hypothesis:
-----------------------

We assume that those products which participate for all W32 platforms
(WNT, W98 and W2k) for ALL categories shall yield IDENTICAL results.
We call product behaviour following this hypothesis "W32-harmonical".
"Identical" here means the same detection rate in a given category on
each of the three platforms; a product whose rate differs on any one
platform is not W32-harmonical in that category.


W32.03 Results of comparison:
-----------------------------

The "Test Hypothesis" is in practice only VALID for a minority of W32
scanners, as the following comparison shows:

Equal detection of zoo file viruses:            5 (of 17) products
               of zoo file viral objects:       4 (of 17) products
               of ITW file viruses:            16 (of 17) products
               of ITW file viral objects:      15 (of 17) products
               of ITW file malware:             5 (of 17) products

   In this category, the following 4 products yield identical results
   in all referenced categories:    AVK,FPR,FPW,NAV

Equal detection of zoo macro viruses:          14 (of 17) products
               of zoo macro viral objects:     10 (of 17) products
               of ITW macro viruses:       ALL 17 (of 17) products
               of ITW macro viral objects: ALL 17 (of 17) products
               of ITW macro malware:           13 (of 17) products

   In this category, the following 8 products yield identical results
   in all referenced categories:    AVG,AVK,CMD,FPR,FPW,NAV,NVC,PRO

Equal detection of zoo script viruses:         12 (of 17) products
               of zoo script viral objects:     9 (of 17) products
               of ITW script viruses:          14 (of 17) products
               of ITW script viral objects:     9 (of 17) products

   In this category, the following 8 products yield EQUAL results
   in all referenced categories:    AVK,CMD,FPW,FSE,NVC,PER,SCN,VSP

*************************************************************************
Findings W32.1: Few W32 scanners perform equally on W-NT/W-98/W-2k in
                ALL categories and can be called "W32-harmonical".
                When looking at specific categories only, about half
                of the products can be regarded as "W32-harmonical"
                for macro and script viruses and malware.
*************************************************************************

For ALL categories, the following *2* W32 scanners (of 17) yield
identical results on ALL platforms:
                                     AVK,FPW
---------------------------------------------------------
The following *4* W32 scanners yield identical results for all
file (zoo,ITW) viruses/malware:
                                     AVK,FPR,FPW,NAV

The following *8* W32 scanners yield identical results for all
macro (zoo,ITW) viruses/malware:
                                     AVG,AVK,CMD,FPR,FPW,NAV,NVC,PRO

The following *8* products yield identical results for all
script (zoo,ITW) viruses/malware:
                                     AVK,CMD,FPW,FSE,NVC,PER,SCN,VSP
*************************************************************************


W32.SUM: Grading AV products concerning W32-harmonical behaviour:
-----------------------------------------------------------------

The following grid is used to grade W32 products concerning their
ability for IDENTICAL detection for ALL categories on ALL W32
platforms:

A "perfect" W32-harmonical product will yield IDENTICAL results for
all 3 categories (file, macro, script virus/malware).

Grading W32 products according to identical detection rates:
============================================================
Test category:                        "Perfect"      ---
-----------------------------------------------------------
W32 identical detection               AVK,FPW        ---
===========================================================

************************************************************
"Perfect" W32-harmonical AntiVirus products:
         1st place:    AVK,FPW        ( 2 points)
************************************************************
"Perfect" W32-harmonical AntiMalware products:
         1st place:    AVK,FPW        ( 2 points)
************************************************************
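The comparison of W32.02/W32.03 and the grading grid of W32.SUM reduce to
a small procedure: for every product tested on all three platforms,
check each sub-category for identical rates, collect the products that
are identical in every sub-category of a main category, and intersect
the three categories to find the "perfect" ones. The following Python
script is an added worked example of that procedure; it is not code from
the VTC report. The product names (ALPHA .. EPSILON) and all rates are
constructed for illustration, not measured results; EPSILON shows how a
product with no version on one platform is excluded from the hypothesis.

```python
"""Compute which AV/AM products are "W32-harmonical", i.e. report identical
detection rates on every W32 platform (WNT, W98, W2k), following the
comparison of W32.02/W32.03 and the grading grid of W32.SUM.

Added worked example, not code from the VTC report. All product names and
rates below are CONSTRUCTED for illustration and are not measured results.
"""

PLATFORMS = ("WNT", "W98", "W2k")

# The report's three main categories and the sub-categories compared in each.
CATEGORIES = {
    "file":   ("zoo_file_virus", "zoo_file_object", "itw_file_virus",
               "itw_file_object", "itw_file_malware"),
    "macro":  ("zoo_macro_virus", "zoo_macro_object", "itw_macro_virus",
               "itw_macro_object", "itw_macro_malware"),
    "script": ("zoo_script_virus", "zoo_script_object",
               "itw_script_virus", "itw_script_object"),
}
SUBCATEGORIES = tuple(s for subs in CATEGORIES.values() for s in subs)


def uniform(rate):
    """Product table with the same (rounded, percent) rate on all platforms."""
    return {sub: (rate, rate, rate) for sub in SUBCATEGORIES}


# results[product][subcategory] = (rate on WNT, rate on W98, rate on W2k);
# None means the product delivered no result on that platform.
# Constructed data with hypothetical product names.
RESULTS = {
    "ALPHA": uniform(99.0),                      # identical everywhere
    "BETA":  dict(uniform(98.5), itw_script_object=(97.0, 98.5, 98.5)),
    "GAMMA": dict(uniform(97.2), zoo_file_object=(97.2, 97.2, 96.9)),
    "DELTA": dict(uniform(95.0), zoo_macro_object=(95.0, 94.1, 95.0),
                  itw_script_virus=(95.0, 95.0, 90.0)),
    # Hypothetical product with no W98 version: absent on one platform.
    "EPSILON": {sub: (99.5, None, 99.5) for sub in SUBCATEGORIES},
}


def participates_on_all_platforms(table):
    """The hypothesis only covers products tested on WNT, W98 AND W2k."""
    return all(None not in rates for rates in table.values())


def identical(rates):
    """True when the rates agree on all platforms. Exact comparison is
    intended: the figures are the rounded percentages of the report tables."""
    return len(set(rates)) == 1


def harmonical(results, subcats):
    """Products with identical results in EVERY listed sub-category."""
    return {
        prod for prod, table in results.items()
        if participates_on_all_platforms(table)
        and all(identical(table[sub]) for sub in subcats)
    }


def evaluate(results):
    """Per sub-category counts, per main category sets and the overall set."""
    participants = {p for p, t in results.items()
                    if participates_on_all_platforms(t)}
    per_sub = {sub: len(harmonical(results, (sub,))) for sub in SUBCATEGORIES}
    per_cat = {cat: harmonical(results, subs)
               for cat, subs in CATEGORIES.items()}
    overall = set.intersection(*per_cat.values())
    return {"participants": participants, "subcategory": per_sub,
            "category": per_cat, "all": overall}


def grade(results):
    """Grading grid of W32.SUM: only products with identical results in
    ALL categories land in the "Perfect" column, the rest under "---"."""
    ev = evaluate(results)
    perfect = sorted(ev["all"])
    others = sorted(ev["participants"] - ev["all"])
    return {"Perfect": perfect, "---": others}


if __name__ == "__main__":
    ev = evaluate(RESULTS)
    n = len(ev["participants"])
    for sub in SUBCATEGORIES:
        print(f"Equal detection of {sub:<18} {ev['subcategory'][sub]:>2} "
              f"(of {n}) products")
    for cat, prods in ev["category"].items():
        print(f"{cat:<7} identical on all platforms: {','.join(sorted(prods))}")
    print("ALL categories:", ",".join(sorted(ev["all"])))
    print("Grading:", grade(RESULTS))
```

With the constructed table, BETA fails only in a script sub-category,
GAMMA only in a file sub-category and DELTA in macro and script, so each
of them is W32-harmonical for two, two and one main category respectively,
while only ALPHA is "Perfect"; EPSILON never enters the counts because
it has no W98 result, which is why the report's denominators are the
products that participate on all platforms.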