Last week, I had criticized Jan Monsch’s tests on how well antivirus engines detected viruses inside of variants of Word files, since he had relied on a fake EICAR signature for his testing (Jan was trying to see if viruses could evade antivirus programs by embedding themselves into RTF files, XML documents, and the like).
Jan is a good guy and to his credit (unlike others), he took the critique well and we started a discussion. After a series of follow-up emails with Andreas Marx and me, Jon created a new test with a real, live virus (Netsky), and the test results are interesting to observe. Basically, here is how virus engines fared by file format (I’ve edited his table for clarity):
(It’s worth noting that these document types are not being used as an attack vector for viruses at this time.)
Link to the full PDF here.