Comparison Test of Anti-Virus-Software 2002-03 (Unix products) of the
University of Magdeburg and GEGA IT-Solutions GbR (http://www.av-test.org)
Copyright (c) 2002 Andreas Marx <amarx@gega-it.de>

Last Update: 2002-05-13 (Data: 2002-04-22)


Note (2002-04-22): The test of the ITW virus detection was performed using
the WildList 11/2001 (including Win32/Bady.C, even though it is a backdoor).


AVIR-FB
H+BEDV Datentechnik
AntiVir/FreeBSD

Comments:
- Installation via TGZ archive using an install script (sh)
- German and English language versions can be chosen via the command-line
- Update: the name of the signature database (antivir.vdf) is stored in a
  ZIP archive in capital letters, but the scanner requires it to be in
  lowercase
- No guard or daemon is available
- The help function of the command line version documents the parameters
  and return codes well, but there is no man page available

Missed ITW viruses:
- On-Demand: all boot viruses, VBS/VBSWG.Y (2x)

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (FreeBSD 4.4-Release with ufs file system
  on a P-III 800, 256 MB RAM without X running) using parameters
  "-allfiles -s -z -r2 -rs": 626 seconds


MCAF-FB
Network Associates
UVScan

Comments:
- Program is available as tar.Z archive; once unpacked, a script installs
  the scanner in the /usr/local/uvscan directory
- Updating works without problems via either ZIP or TAR archives
- Documentation is included as PDF file in the installation archive
- No daemon or guard is available
- Information about command-line parameters can only be found in the
  documentation; the scanner itself simply lists the available parameters
  without any indication of their function
- Updates: an update script can be found in the documentation, but it is
  not included as a file, therefore we gave it a "-" here
- Scanner has no report file option (a report must be created by manually
  redirecting the output), no introduction (version number etc.; this is
  optionally available using the "--version" switch) and no scan summary
  (this can be enabled with the optional parameter "--summary")
- By design, documents infected with macro viruses are not deleted when the
  "--delete" parameter is used, though this is possible with the
  undocumented "-/!delete"
- The parameters "--floppya" and "--floppyb" for scanning disks do not work
  correctly - boot viruses will not be found
- Hint: if one wishes to exclude paths or files by means of "--exclude",
  one must specify a file in which the paths and/or extension exclusions
  are listed, rather than passing them directly on the command line (it is
  rather confusing what <file> means)
- Report files: using the undocumented option "--html" log files can be
  generated in HTML format (but due to the fact it's undocumented, we gave
  it a "-" here)
- If one does not take care to type the correct number of "-" characters,
  an undesired function may be selected - for instance, "--mime" scans all
  MIME archives (e-mail in EML format), but "-mime" moves all infected
  files into the quarantine folder "ime"
- Man page available, return codes are documented
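
Added example (not part of the original test report and not vendor code): a
small sh wrapper that catches the single-dash mistake described above before
the scanner is started. The option names are the ones quoted in this report;
the binary name "uvscan" and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the test report or the vendor.
# Long option names quoted in the report; not a complete option reference.
LONG_OPTS="secure mime summary delete exclude version html floppya floppyb"

# Print every argument that looks like a long option typed with one dash.
# Return status: 0 = nothing suspicious, 1 = at least one suspect argument.
find_single_dash_typos() {
    rc=0
    for arg in "$@"; do
        case "$arg" in
            --*) continue ;;          # correctly written long option
            -?*) name=${arg#-} ;;     # single dash: candidate for a typo
            *)   continue ;;          # path or other operand
        esac
        for opt in $LONG_OPTS; do
            if [ "$name" = "$opt" ]; then
                echo "suspect: '$arg' (did you mean '--$opt'?)"
                rc=1
            fi
        done
    done
    return $rc
}

# Wrapper: refuse to start the scanner when a suspect argument is found.
# SCANNER is an assumption; point it at the installed scanner binary.
safe_scan() {
    if ! find_single_dash_typos "$@" >&2; then
        echo "refusing to run scanner" >&2
        return 2
    fi
    "${SCANNER:-/usr/local/uvscan/uvscan}" "$@"
}
```

Short options such as "-r" pass through unchanged; only single-dash spellings
of the listed long options are rejected.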

Missed ITW viruses:
- On-Demand: all boot viruses

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (FreeBSD 4.4-Release with ufs file system
  on a P-III 800, 256 MB RAM without X running) using parameters
  "--secure -r --mime --summary": 1590 seconds


RAVP-FB
GeCAD
Reliable Anti-Virus (RAV)

Comments:
- Installation via TGZ archive (using pkg_add), path ($PATH) has to be
  extended manually
- Program requires a path to the scan engine (/usr/local/rav8/rave); it has
  to be specified at each scan with the parameter "-RP", or an environment
  variable "rave" has to be created
- Configuration file (and registration key in the registered version) is
  stored in the user's home directory
- A separately installable daemon is available, but no guard
- Combining several different action parameters is not possible (only one
  option can be specified, e.g. always delete or always disinfect; if this
  is not possible, nothing happens)
- Man page is available, return codes are documented

Missed ITW viruses:
- On-Demand: Win32/Nimda.A (1x EML)

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (FreeBSD 4.4-Release with ufs file system
  on a P-III 800, 256 MB RAM without X running) using parameters
  "-H=on -A -M": 924 seconds


SOPH-FB
Sophos
Anti-Virus (Sweep)

Comments:
- Installation: program in TAR archive, contains install script, requires
  user and group "sweep" to be created prior to installation
- Updates are delivered monthly on CD-ROM; in between, ITW virus detection
  updates can be downloaded as ZIP archive (available as required)
- "Intercheck" daemon available, but no guard
- Functional range of the On-Demand scanner: quarantine function available;
  this changes the rights of the infected file to current user/group/"r--"
  or a selected choice of group/users/rights
- If the user requests interactive mode (e.g. confirmations), the input of
  the specified action is not displayed
- Report file: details of user/group/rights can be shown by using
  "--show-file-details"
- File viruses cannot be disinfected, but only deleted
- Man page is available, return codes of the scanner are well documented

Missed ITW viruses:
- (All viruses found)

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (FreeBSD 4.4-Release with ufs file system
  on a P-III 800, 256 MB RAM without X running) using parameters
  "-f -nb -all -archive": 1999 seconds


AVIR-OB
H+BEDV Datentechnik
AntiVir/OpenBSD

Comments:
- Installation via TGZ archive using an install script (sh)
- German and English language versions can be chosen via the command-line
- Update: the name of the signature database (antivir.vdf) is stored in a
  ZIP archive in capital letters, but the scanner requires it to be in
  lowercase
- Program requires libc.so.26.2, but the currently tested OpenBSD version
  includes libc.so.28.0 (work-around: create a symbolic link to the new
  version)
- No guard or daemon is available
- The help function of the command line version documents the parameters
  and return codes well, but there is no man page available

Missed ITW viruses:
- On-Demand: all boot viruses, VBS/VBSWG.Y (2x)

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (OpenBSD 3.0-Generic with ffs file system
  on a P-III 800, 256 MB RAM without X running) using parameters
  "-allfiles -s -z -r2 -rs": 511 seconds


RAVP-OB
GeCAD
Reliable Anti-Virus (RAV)

Comments:
- Installation via TGZ archive (using pkg_add), path ($PATH) has to be
  extended manually
- Program requires a path to the scan engine (/usr/local/rav8/rave); it has
  to be specified at each scan with the parameter "-RP", or an environment
  variable "rave" has to be created
- Configuration file (and registration key in the registered version) is
  stored in the user's home directory
- A separately installable daemon is available, but no guard
- Combining several different action parameters is not possible (only one
  option can be specified, e.g. always delete or always disinfect; if this
  is not possible, nothing happens)
- Man page is available, return codes are documented

Missed ITW viruses:
- On-Demand: Win32/Nimda.A (1x EML)

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (OpenBSD 3.0-Generic with ffs file system
  on a P-III 800, 256 MB RAM without X running) using parameters
  "-H=on -A -M": 768 seconds


MCAF-SL
Network Associates
UVScan

Comments:
- Program is available as tar.Z archive; once unpacked, a script installs
  the scanner in the /usr/local/uvscan directory
- Updating works without problems via either ZIP or TAR archives
- Documentation is included as PDF file in the installation archive
- No daemon or guard is available
- Information about command-line parameters can only be found in the
  documentation; the scanner itself simply lists the available parameters
  without any indication of their function
- Updates: an update script can be found in the documentation, but it is
  not included as a file, therefore we gave it a "-" here
- Scanner has no report file option (a report must be created by manually
  redirecting the output), no introduction (version number etc.; this is
  optionally available using the "--version" switch) and no scan summary
  (this can be enabled with the optional parameter "--summary")
- By design, documents infected with macro viruses are not deleted when the
  "--delete" parameter is used, though this is possible with the
  undocumented "-/!delete"
- The parameters "--floppya" and "--floppyb" for scanning disks do not work
  (according to the documentation, these switches work only on IA32
  systems; so why are they offered on Solaris systems, too?)
- Hint: if one wishes to exclude paths or files by means of "--exclude",
  one must specify a file in which the paths and/or extension exclusions
  are listed, rather than passing them directly on the command line (it is
  rather confusing what <file> means)
- Report files: using the undocumented option "--html" log files can be
  generated in HTML format (but due to the fact it's undocumented, we gave
  it a "-" here)
- If one does not take care to type the correct number of "-" characters,
  an undesired function may be selected - for instance, "--mime" scans all
  MIME archives (e-mail in EML format), but "-mime" moves all infected
  files into the quarantine folder "ime"
- Man page is not available, return codes are not documented

Missed ITW viruses:
- On-Demand: all boot viruses

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (Solaris 8/Sparc on a Sun Ultra 10 Elite
  3D (UltraSparc IIi 333 MHz), 256 MB RAM running X) using parameters
  "--secure -r --mime --summary": 2868 seconds


SOPH-SL
Sophos
Anti-Virus (Sweep)

Comments:
- Installation: program in TAR archive, contains install script, requires
  user and group "sweep" to be created prior to installation
- Updates are delivered monthly on CD-ROM; in between, ITW virus detection
  updates can be downloaded as ZIP archive (available as required)
- "Intercheck" daemon available, but no guard
- Functional range of the On-Demand scanner: quarantine function available;
  this changes the rights of the infected file to current user/group/"r--"
  or a selected choice of group/users/rights
- If the user requests interactive mode (e.g. confirmations), the input of
  the specified action is not displayed
- Report file: details of user/group/rights can be shown by using
  "--show-file-details"
- File viruses cannot be disinfected, but only deleted
- Man page is available, return codes of the scanner are well documented

Missed ITW viruses:
- On-Demand: all boot viruses

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (Solaris 8/Sparc on a Sun Ultra 10 Elite
  3D (UltraSparc IIi 333 MHz), 256 MB RAM running X) using parameters
  "-f -nb -all -archive": 1652 seconds


TMIC-SL
Trend Micro
Vscan (ISVW) 

Comments:
- Only the command line scanner "vscan" was tested, which is a part of the
  much larger "InterScan VirusWall" package
- Installation is via TAR archive, which includes documentation (PDF, TXT),
  as well as an installation RPM
- Update can be performed using a ZIP or TAR archive
- The current scan engine for Unix 5.600 is clearly older than the Windows
  version 5.630 of 2001-10-25
- Defaults in the scanner are apparently completely ignored if any
  parameters are specified, so all required parameters should be specified
  (especially "-a")
- By default the scanner will scan 20 levels of archives ("-y20"), but on
  the command-line this value can be adjusted to a maximum of 9 levels only
- The report is available as CSV file (output can also be redirected from
  the screen); however, the specified options cannot easily be found in it
  (e.g. renamed files only by the extension in the last entry, "D" for
  "Delete" etc.), and on screen this information is not displayed at all
- Access/rights control: the error message shown if a file cannot be read
  (no "r.."), "*** Scan error -94, file <filename>", is not very meaningful
- Man page is not included, return codes are not documented

Missed ITW viruses:
- On-Demand: all boot viruses, Win32/Sircam.A (1x LNK)

Scan speed / performance On-Demand - best possible settings:
- Scan time of non-infected files (Solaris 8/Sparc on a Sun Ultra 10 Elite
  3D (UltraSparc IIi 333 MHz), 256 MB RAM running X) using parameters
  "-a -c1 -c2 -nl -r -s -u -za -y9 -sd": 1366 seconds

### END OF FILE ###
