Detection rate. The following table answers to the most commonly asked question about scanners: "How many viruses does that scanner detect?" Date: 19-Jul-1994 ================================================================================ | Scanner | Number of File | Number of Boot ! Number (%) | Number of (%) | | Codename: | Viruses (%): | Viruses (%): ! of Inf. Files: | Inf. Boots: | |===========+================+================+================+===============| | Total: | 4,235 (100 %) | 358 (100 %) ! 16,259 (100 %) | 645 (100 %) | |===========+================+================+================+===============| | AIDSTEST | 975 ( 23 %) | 185 ( 52 %) ! 4,850 ( 30 %) | 416 ( 65 %) | |-----------+----------------+----------------+----------------+---------------| | AVAST | 3,613 ( 85 %) | 326 ( 91 %) ! 14,774 ( 91 %) | 608 ( 94 %) | |-----------+----------------+----------------+----------------+---------------| | AVK | 2,554 ( 60 %) | 277 ( 77 %) ! 11,075 ( 68 %) | 530 ( 82 %) | |-----------+----------------+----------------+----------------+---------------| | AVP | 4,143 ( 98 %) | n/a ! 16,084 ( 99 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | AVSCAN | 3,385 ( 80 %) | 344 ( 96 %) ! 14,150 ( 87 %) | 631 ( 98 %) | |-----------+----------------+----------------+----------------+---------------| | BRM_SCAN | 4,141 ( 98 %) | 353 ( 99 %) ! 16,024 ( 99 %) | 640 ( 99 %) | |-----------+----------------+----------------+----------------+---------------| | CHKBOOT | n/a | 355 ( 99 %) ! n/a | 642 ( 99 %) | |-----------+----------------+----------------+----------------+---------------| | CPAV | n/a | n/a ! n/a | n/a | |-----------+----------------+----------------+----------------+---------------| | CURE | n/a | n/a ! n/a | n/a | |-----------+----------------+----------------+----------------+---------------| | FINDVIRUS | 4,038 ( 95 %) | 352 ( 98 %) ! 15,855 ( 98 %) | 637 ( 99 %) | |-----------+----------------+----------------+----------------+---------------| | F-PROT | 4,025 ( 95 %) | 340 ( 95 %) ! 15,717 ( 97 %) | 627 ( 97 %) | |-----------+----------------+----------------+----------------+---------------| | I-MASTER | 3,207 ( 76 %) | 235 ( 66 %) ! 13,237 ( 81 %) | 476 ( 74 %) | |-----------+----------------+----------------+----------------+---------------| | IBMAV/DOS | 3,599 ( 85 %) | 340 ( 95 %) ! 14,548 ( 89 %) | 624 ( 97 %) | |-----------+----------------+----------------+----------------+---------------| | MSAV | n/a | n/a ! n/a | n/a | |-----------+----------------+----------------+----------------+---------------| | NAV | 2,747 ( 65 %) | n/a ! 12,585 ( 77 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | NORMAN | n/a | n/a ! n/a | n/a | |-----------+----------------+----------------+----------------+---------------| | PCVP | 2,877 ( 68 %) | 225 ( 63 %) ! 12,687 ( 78 %) | 471 ( 73 %) | |-----------+----------------+----------------+----------------+---------------| | SCAN | 3,350 ( 79 %) | 302 ( 84 %) ! 14,253 ( 88 %) | 576 ( 89 %) | |-----------+----------------+----------------+----------------+---------------| | SCAN2 | 3,018 ( 71 %) | 277 ( 77 %) ! 12,279 ( 76 %) | 544 ( 84 %) | |-----------+----------------+----------------+----------------+---------------| | SWEEP | 3,773 ( 89 %) | 334 ( 93 %) ! 15,273 ( 94 %) | 618 ( 96 %) | |-----------+----------------+----------------+----------------+---------------| | TBSCAN | 3,966 ( 94 %) | n/a ! 15,739 ( 97 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | UTSCAN | 3,808 ( 90 %) | n/a ! 15,018 ( 92 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | V-CARE | 875 ( 21 %) | n/a ! 4,599 ( 28 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | VB-LITE | n/a | n/a ! 9,256 ( 57 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | VDS | 2,088 ( 49 %) | n/a ! 9,763 ( 60 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | VET | 3,255 ( 77 %) | 312 ( 87 %) ! 13,609 ( 84 %) | 592 ( 92 %) | |-----------+----------------+----------------+----------------+---------------| | VIRC | 647 ( 15 %) | n/a ! 3,210 ( 20 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | VIRUSCOPE | 2,661 ( 63 %) | n/a ! 12,100 ( 74 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | VIRUSBUST | 2,131 ( 50 %) | n/a ! 9,250 ( 57 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | VIS | 2,457 ( 58 %) | n/a ! 10,578 ( 65 %) | n/a | |-----------+----------------+----------------+----------------+---------------| | VPCSCAN | 2,906 ( 69 %) | 254 ( 71 %) ! 12,680 ( 80 %) | 518 ( 80 %) | |-----------+----------------+----------------+----------------+---------------| | XSCAN | 2,964 ( 70 %) | 304 ( 85 %) ! 12,965 ( 80 %) | 570 ( 88 %) | ================================================================================ Explanation of the different columns: 1) "Scanner Codename" is the code name of the scanner as listed in the file SCANNERS.TXT. 2) "Number of File Viruses (%)" is the number of different file infecting *viruses* in the virus collection used during the tests, which have been detected by the particular scanner. Their percentage from the full set of viruses in the collection used for the tests is given in parenthesis. We define two viruses as being different if they differ in at least one bit in their non-modifiable parts. For the variably encrypted viruses, the virus body has to be decrypted before the comparison is to be performed. For the polymorphic viruses, additionally the part of the virus which is modified during the replication process has to be ignored. 3) "Number of Boot Viruses (%)" is the number of different boot sector *viruses* from the collection used for the test that the scanner detects. This field is analogous to field 2, only it lists boot sector viruses, not file infecting viruses. 4) "Number (%) of Inf. Files" is the number of *files* infected with file-infecting viruses from the test set, which are detected by that particular scanner as being infected. The percentage of those files from the full set of files is given in parenthesis. We often have more than one infected file per virus, but not all viruses are represented by the same number of files, so this number does not give a good impression of the real detection rate of the scanner. It is included here only for completeness. Of course, it still *does* provide some information - usually the better a scanner is, the more files it will detect as infected. 5) "Number of (%) Inf. Boots" is the number of infected boot sectors in the test set that the scanner detects as infected. This field is analogous to filed 4, only it lists infected boot sectors, not files. 6) We interpret those results in the following way: - detection rate above 90% - the scanner is "excellent" - detection rate of 80-90% - the scanner is "good enough" - detection rate of 70-80% - the scanner is "not good enough" - detection rate of 60-70% - the scanner is "rather bad" - detection rate of 50-60% - the scanner is "very bad" - detection rate below 50% - the scanner is "useless" Quality of the detection. The following table provides information about the quality of the detection. Date: 19-Jul-1994 ============================================================================== | Scanner | Number of | Unreliable | Unreliable | Multiple | | Codename: | Diff. Reports: | Detections: | Idenifications: | Detections: | |=============+================+=============+=================+=============| | Total: | 4,235+358 | 0+0 | 0+0 | 0+0 | |=============+================+=============+=================+=============| | AIDSTEST | 631+97 | 45+4 | 41+0 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | AVAST | 2,305+174 | 23+2 | 242+1 | 365+29 | |-------------+----------------+-------------+-----------------+-------------| | AVK | 1,315+70 | 98+10 | 64+1 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | AVP | 3,171+n/a | 16+n/a | 88+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | AVSCAN | 1,796+198 | 18+0 | 119+2 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | BRM_SCAN | 2,569+166 | 8+0 | 80+0 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | CHKBOOT | n/a+1 | n/a+0 | n/a+0 | n/a+0 | |-------------+----------------+-------------+-----------------+-------------| | CPAV | n/a+n/a | n/a+n/a | n/a+n/a | n/a+n/a | |-------------+----------------+-------------+-----------------+-------------| | CURE | n/a+n/a | n/a+n/a | n/a+n/a | n/a+n/a | |-------------+----------------+-------------+-----------------+-------------| | FINDVIRUS | 3,641+339 | 19+0 | 115+4 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | F-PROT | 3,792+253 | 30+1 | 88+4 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | I-MASTER | 1,164+68 | 32+1 | 54+0 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | IBMAV/DOS | 2,270+212 | 30+9 | 61+1 | 48+14 | |-------------+----------------+-------------+-----------------+-------------| | MSAV | n/a+n/a | n/a+n/a | n/a+n/a | n/a+n/a | |-------------+----------------+-------------+-----------------+-------------| | NAV | 1,674+n/a | 107+n/a | 296+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | NORMAN | n/a+n/a | n/a+n/a | n/a+n/a | n/a+n/a | |-------------+----------------+-------------+-----------------+-------------| | PCVP | 1,498+95 | 69+1 | 66+0 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | SCAN | 1,654+79 | 70+9 | 65+1 | 288+1 | |-------------+----------------+-------------+-----------------+-------------| | SCAN2 | 1,803+117 | 200+3 | 165+0 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | SWEEP | 2,670+234 | 27+2 | 107+0 | 0+2 | |-------------+----------------+-------------+-----------------+-------------| | TBSCAN | 1,460+n/a | 57+n/a | 77+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | UTSCAN | 2,169+n/a | 47+n/a | 44+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | V-CARE | 246+n/a | 124+n/a | 22+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | VB-LITE | 993+n/a | n/a+n/a | n/a+n/a | n/a+n/a | |-------------+----------------+-------------+-----------------+-------------| | VDS | 860+n/a | 115+n/a | 103+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | VET | 1,488+162 | 37+2 | 65+0 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | VIRC | 358+n/a | 30+n/a | 32+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | VIRUSCOPE | 1,846+n/a | 133+n/a | 72+n/a | 277+n/a | |-------------+----------------+-------------+-----------------+-------------| | VIRUSBUSTER | 1,033+n/a | 112+n/a | 40+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | VIS | 1,407+n/a | 51+n/a | 79+n/a | 0+n/a | |-------------+----------------+-------------+-----------------+-------------| | VPCSCAN | 1,599+128 | 88+1 | 97+1 | 0+0 | |-------------+----------------+-------------+-----------------+-------------| | XSCAN | 1,359+80 | 53+1 | 38+1 | 10+0 | ============================================================================== Explanation of the different columns: 1) "Scanner Codename" is the code name of the scanner as listed in the file SCANNERS.TXT. 2) "Number of Diff. Reports" is the number of different *names* reported by the particular scanner during the test. Compared with the number of *viruses* that the scanner detects, this gives, to some extent, an idea about how well the scanner distinguishes between the different virus variants. 3) "Unreliable Detections" is the number of viruses which the particular scanner does not detect reliably. Our definition of unreliable detection is that at least one sample of the virus *is* detected and at least one sample of the virus is *not* detected. If all samples of the virus are detected, then is is counted as reliable detection. If no samples of the virus are detected, then the scanner does not detects the virus at all. In some sense, the unreliable detections are more dangerous than the cases when the scanner misses the virus completely, because an unreliable detection lulls the user into a false sense of security. Needless to say, *only* the reliable detections are counted as "Number of Viruses" in the first table. 4) "Unreliable Identifications" is the number of cases when the particular scanner detects the virus reliably, but does not report all replicants of the virus with one and the same name. This number provides some information about how well the scanner is able to identify the particular virus. Viruses which are not identified reliably will almost certainly cause problems during disinfection. 5) "Multiple Detections" is the number of cases when the particular scanner reports more than one virus in a file but only a single virus is present. 6) The results in each column are presented as ffff+bbb, the first number refers to the file infectors and the second - to the boot sector infectors.