18 April 23, 11:25
Quote:Full Report
Introduction
In the Malware Protection Test, malicious files are executed on the system. While in the Real-World Protection Test the vector is the web, in the Malware Protection Test the vectors can be e.g. network drives, USB or cover scenarios where the malware is already on the disk.
Please note that we do not recommend purchasing a product purely on the basis of one individual test or even one type of test. Rather, we would suggest that readers consult also our other recent test reports, and consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows a program to be tested in everyday use before purchase.
In principle, home-user Internet security suites are included in this test. However, some vendors asked us to include their (free) antivirus security product instead.
Tested Products
Information about additional third-party engines/signatures used inside the products: G Data and Total Defense use the Bitdefender engine. TotalAV uses the Avira engine. AVG is a rebranded version of Avast.All products were installed on a fully up-to-date 64-Bit Microsoft Windows 10 system. Products were tested at the beginning of March with default settings and using their latest updates.
- Avast Free Antivirus 23.1
- AVG AntiVirus Free 23.1
- Avira Prime 1.1
- Bitdefender Internet Security 26.0
- ESET Internet Security 16.0
- F-Secure Internet Security 19.0
- G Data Total Security 25.5
- K7 Total Security 17.0
- Kaspersky Standard 21.8
- McAfee Total Protection 26.5
- Microsoft Defender Antivirus 4.18
- Norton Antivirus Plus 22.23
- Panda Free Antivirus 22.0
- Total Defense Essential Antivirus 14.0
- TotalAV Antivirus Pro 5.22
- Trend Micro Internet Security 17.7
Test Procedure
The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The methodology used for each product tested is as follows. Prior to execution, all the test samples are subjected to on-access and on-demand scans by the security program, with each of these being done both offline and online. Any samples that have not been detected by any of these scans are then executed on the test system, with Internet/cloud access available, to allow e.g. behavioural detection features to come into play. If a product does not prevent or reverse all the changes made by a particular malware sample within a given time period, that test case is considered to be a miss. If the user is asked to decide whether a malware sample should be allowed to run, and in the case of the worst user decision system changes are observed, the test case is rated as “user-dependent”.
Detection vs. Protection
The File Detection Test we performed in previous years was a detection-only test. That is to say, it only tested the ability of security programs to detect a malicious program file before execution. This ability remains an important feature of an antivirus product, and is essential for anyone who e.g. wants to check that a file is harmless before forwarding it to friends, family or colleagues.
This Malware Protection Test checks not only the detection rates, but also the protection capabilities, i.e. the ability to prevent a malicious program from actually making any changes to the system. In some cases, an antivirus program may not recognise a malware sample when it is inactive, but will recognise it when it is running. Additionally, a number of AV products use behavioural detection to look for, and block, attempts by a program to carry out system changes typical of malware. Our Malware Protection Test measures the overall ability of security products to protect the system against malicious programs, whether before, during or after execution. It complements our Real-World Protection Test, which sources its malware samples from live URLs, allowing features such as URL blockers to come into play. Both tests include execution of any malware not detected by other features, thus allowing “last line of defence” features to come into play.
One of the significances of cloud detection mechanisms is this: Malware authors are constantly searching for new methods to bypass detection and security mechanisms. Using cloud detection enables vendors to detect and classify suspicious files in real-time to protect the user against currently unknown malware. Keeping some parts of the protection technology in the cloud prevents malware authors from adapting quickly to new detection rules.
TestcasesThe test set used for this test consisted of 10,015 malware samples, assembled after consulting telemetry data with the aim of including recent, prevalent samples that are endangering users in the field. Malware variants were clustered, in order to build a more representative test-set (i.e. to avoid over-representation of the very same malware in the set). The sample collection process was stopped mid of February 2023.
Ranking System
The malware protection rates are grouped by the testers after looking at the clusters built with the hierarchal clustering method (http://strata.uga.edu/software/pdf/clusterTutorial.pdf). However, the testers do not stick rigidly to this in cases where it would not make sense. For example, in a scenario where all products achieve low protection rates, the highest-scoring ones will not necessarily receive the highest possible award.
The number of false positives can also affect a product’s rating. Testers take statistical methods into account when defining false-positives ranges. The FP ranges for the various categories shown below might be adapted when appropriate (e.g. if we change the size of the set of clean files).
...