NOD32 or AntiVirusKit? Look at Anti-Virus Comparative test.

[Jake Dodd]

Whether or not a program runs depends on the software environment, such
as a DOS session, no matter how that environment is created. DOS programs
running under Windows are in a DOS environment as far as the program is
concerned.

Just because a given piece of malware can be executed in a 16-bit DOS
shell (or in pure DOS mode) does that necessarily make it DOS
malware?

No. For a program to qualify as malware, more than the ability to execute
must be taken into account. This is because malice is based on the overall
functioning of the program not just it's ability to execute. If the data is not
there to be altered, then the environment may support the execution but not
the malice. Calling something malware depends on the existence of several
suitable instances of the environment capable of realizing the malicious action.
So just because it isn't malware on your computer doesn't mean it should
not a called malware in general.

What if it's intent is to affect some aspect of the
overlying Windows OS? Is it still appropriate to catagorize it as DOS
malware?

Intent? Well...it either does or it doesn't affect something. If it does...

Yes, because at the very least it is making unwanted changes from within
the DOS environment.

....and if it doesn't, and if there are enough environments where it could,
it should still be classified as DOS malware.

If a given piece of malware is (somehow) catagorized as "DOS" based,
but if it's also a worm (it's got to be something, a worm, virus, etc)
then shouldn't it be put in the "Worm" catagory (and to hell with the
"DOS" label) ?

No, a DOS program functioning as a worm component is still a DOS
program. Just as a trojan dropper that drops a worm body should
still be called a trojan dropper rather than a worm, and be detected
by the dropper code rather than the dropped code (which is probably
encrypted or encoded anyway).

And again if it's really DOS based, but it's not a virus, a worm, a
back-door, a trojan, a macro or script, then what is it?

You just don't like the way they dumped them all together under the
DOS malware label. This is no different than saying Linux malware,
Mac malware, Windows malware, or as they did "other OS viruses/
malware" without further subdividing malware types or even software
environments.

 

[Virus Guy]

No. For a program to qualify as malware, more than the ability to
execute must be taken into account.

We're already assuming it's malware.

Now we're debating whether it makes sense to put something under a
"DOS" catagory just because it executes in a DOS shell or DOS
environment.

I bring up a hypothetical example of a DOS program that alters the
Windows registry or alters some DLL/INI file, with the intent of
changing some aspect or behavior of the over-lying Windows OS, and
would have no effect if the computer either doesn't have Windows
installed or is never booted into Windows. Would it still be correct
to put such malware under the "DOS" catagory?

Shouldn't a requirement of "DOS" malware be that it must cause some
harmful or negative effect on a computer operating only in "DOS" mode,
and only target DOS programs and operations?

 

[Ian Kenefick]

In additions to your comments, how many of the viruses tested are "In
The Wild"?

I'm not sure I understand your intent when asking this question. I
doubt you are just being lazy and not visiting
http://www.av-comparatives.org/seiten/ergebnisse_2006_02.php for the
answer. Are you trying to make a point?

 

[Virus Guy]

http://www.av-comparatives.org/seiten/ergebnisse/methodology.pdf

Have a look at the FAQ section, particulary these:

20, 26, 29, 32, 40, 44, 45, 71,

Item 32 clarifies that DOS viruses are indeed those designed for DOS
prior to widespread adoption of Windows (perhaps pre-Win95 era).
That's my take on the description found in answer 32. Answer 34 says
that DDos is listed under "other malware".

The answer in 40 is rather weak. If he has the names that correspond
with the samples, then posting the names would do no harm (and a
garantee of accuracy in the names isin't needed).

In 26, he says that using md5 is cheating (if md5 analysis works, then
why penalize it to the extent of removing such AV software from your
testing platform?)

 

[Guest]

.... because adding a filechecksum of a replicating virus sample does
not help to protect the users, it would just boost up results in tests
an no real & respected AV company would do that, as it is considered
cheating.
.... only the AV companies are allowed to receive the malware logs etc.

 

[Virus Guy]

... because adding a filechecksum of a replicating virus sample
does not help to protect the users, it would just boost up
results in tests an no real & respected AV company would do
that, as it is considered cheating.

If no two copies of a replicating virus is the same, then how can an
AV company generate an MD5 hash for a file that they've never seen nor
are likely to ever see? Unless they generate MD5's specifically for
samples given to them by av-comparatives (in which case why give them
examples of replicating viruses that are part of your test samples?)

... only the AV companies are allowed to receive the malware logs
etc.

Who's talking about logs?

A list of malware names is not the same as a log.

 

[Jake Dodd]

We're already assuming it's malware.

Then of course, if it "works" in DOS it is DOS malware.

Now we're debating whether it makes sense to put something under a
"DOS" catagory just because it executes in a DOS shell or DOS
environment.

Of course it does.

I bring up a hypothetical example of a DOS program that alters the
Windows registry or alters some DLL/INI file, with the intent of
changing some aspect or behavior of the over-lying Windows OS, and
would have no effect if the computer either doesn't have Windows
installed or is never booted into Windows. Would it still be correct
to put such malware under the "DOS" catagory?

Yes, it realizes it's function in DOS. The fact that it modifies data that
is part of some other OS doesn't matter.

Shouldn't a requirement of "DOS" malware be that it must cause some
harmful or negative effect on a computer operating only in "DOS" mode,
and only target DOS programs and operations?

It does, at the very least it modifies files. This is the unwanted effect that
makes it malware. If it drops files it is a dropper.Extending classification
based on what happens next will get you nowhere fast. A DOS malware
that uses debug to load a textfile and convert it to a comfile germ that in
turn launches a PE search and infect virus should still be called a DOS
malware because it only ran in DOS. The malware spawned by this should
be classified each on their own dependencies ending with the PE file virus.

 

[* * Chas]

I'm not sure I understand your intent when asking this question. I
doubt you are just being lazy and not visiting
http://www.av-comparatives.org/seiten/ergebnisse_2006_02.php for the
answer. Are you trying to make a point?

I visited the site and over the years, I've read similar reports from
the Virus Research Unit at the University of Tampere and others. I have
a lot more faith in the University of Tampere's results than from a site
that has advertisements for AV software. The Norton AV ad isn't showing
up today but it was there the other day.

The POINT that I was making was how many of the 474,759 different
malware programs that they claimed to have tested for were "In the Wild"
and how many were zoo objects?

I think that this is a valid inquiry!

Chas.

 

[Ian Kenefick]

I visited the site and over the years, I've read similar reports from
the Virus Research Unit at the University of Tampere and others. I have
a lot more faith in the University of Tampere's results than from a site
that has advertisements for AV software. The Norton AV ad isn't showing
up today but it was there the other day.

The POINT that I was making was how many of the 474,759 different
malware programs that they claimed to have tested for were "In the Wild"
and how many were zoo objects?

I think that this is a valid inquiry!

Agreed. It's worth noting that in order for a product to qualify for
this testing it must first be able to detect 100% of ITW samples. I
assume (I am searching through their forum as I speak) that ITW
samples are used in the actual comparative itself since it's taken as
a given that they are detected anyways. Correct me if I am wrong. I've
seen AV-Comparative admin post in USENET recently. Perhaps he is
reading this and can shed light on your question.

 

[Art]

Agreed. It's worth noting that in order for a product to qualify for
this testing it must first be able to detect 100% of ITW samples. I
assume (I am searching through their forum as I speak) that ITW
samples are used in the actual comparative itself since it's taken as
a given that they are detected anyways. Correct me if I am wrong. I've
seen AV-Comparative admin post in USENET recently. Perhaps he is
reading this and can shed light on your question.

In reading through :
http://www.av-comparatives.org/seiten/ergebnisse/methodology.pdf

I saw nothing about qualifying a product for testing on the basis of
it first being able to detect 100% ITW. His qualification is that
every scanner must detect at least 80% of zoo samples. He defines
"zoo" as not being on a (current?) official ITW list but points out
that many zoo malwares are widespread (and I presume some are in
circulation and doing damage. I know there have been glaring examples
of this in the past. The moral is to take ITW with a huge grain of
salt, and a couple of shots of booze )

Interestingly, he points out that a number of his samples (many given
to him by av vendors) were sent by malware authors to the vendors and
some to him. So some samples used are strictly "lab malwares" that
_may_ never have or never will be seen outside the av community. Yet,
he feels they should be detected. Now, there's a debateable topic!
I understand his attitude. After all, _some_ may be unleashed by the
authors on the public at any time as well. Some may leak out of the av
community.

I'm still puzzled at the huge # of DOS malwares used in the subect
test. And where, **Chas, did you see that 474,759 figure of malwares
tested?

One thing I thought was interesting in the PDF file is the plot
showing the exponential increase in malwares being detected. I thought
that is the case but I've never seen data supporting my supposition.
But something is fishy there. The plot shows the total # of malwares
being detect now at about 200,000 ... but that's about the same as
the # of DOS malwares _alone_ in the subject test. Doesn't make any
sense

Art

http://home.epix.net/~artnpeg

 

[* * Chas]

I'm still puzzled at the huge # of DOS malwares used in the subect
test. And where, **Chas, did you see that 474,759 figure of malwares
tested?

One thing I thought was interesting in the PDF file is the plot
showing the exponential increase in malwares being detected. I thought
that is the case but I've never seen data supporting my supposition.
But something is fishy there. The plot shows the total # of malwares
being detect now at about 200,000 ... but that's about the same as
the # of DOS malwares _alone_ in the subject test. Doesn't make any
sense

Art

Art,

http://www.av-comparatives.org/seiten/ergebnisse_2006_02.php

I the first column on the left - On-demand detection of virus/malware -
at the bottom there is the following tabulation:

Total with DOS viruses/malware 474,759

Chas.

 

[Art]

Art,

http://www.av-comparatives.org/seiten/ergebnisse_2006_02.php

I the first column on the left - On-demand detection of virus/malware -
at the bottom there is the following tabulation:

Total with DOS viruses/malware 474,759

Thanks Chas. Dunno why I glossed over that. Wow! Nearly a half million
samples! And some scanners detecting practically all of them! I don't
think the av vendors are claiming detection of anywhere near that
many. It certainly does raise questions about many duplicate samples
being used in the test ... among some other questions.

Art

http://home.epix.net/~artnpeg