Many antivirus malware protection tests performed round the world were criticized by professionals as they considered them synthetic and far from reality. The first and the main claim was that only some antivirus protection components (such as classical signature detect or heuristics) are tested during the file collection test launch. At the same time, no contribution of other technologies (such as behavioral analysis, HIPS or reputation services, firewall/IDS, HTTP on-the-fly traffic, etc.) is taken into consideration.

The second sound reason is that a real user does not store and launch any old malware on its hard drive. As a rule, only Zero-day samples penetrate there and no antivirus can protect against them.

The work efficiency can also to some extent depend on the penetration method as some antivirus software can eliminate the infection threat at the stage of malware script launch at the web-page, others do that during loaders activation downloaded with exploit, and the third ones do it even later, with the installed malware start.

In this test we analyzed the complex antivirus protection effectiveness to Zero-day malware spread via websites.

We collected links to infected websites from different sources. As a rule, everyone can come across such links in search engines, E-mail, ICQ, Skype and other instant messengers or social networks.

• Methodology of antivirus testing for the detection of Zero-day threats
• Analysis of the test results and awards

Key results of the testing

Award	Products
Platinum Zero-day Protection Award	DefenseWall 2.56
Gold Zero-day Protection Award	Kaspersky Internet Security 2010 Comodo Internet Security 3.9 Trend Micro Internet Security 2009
Silver Zero-day Protection Award	Sophos Anti-Virus 7.6 Safe'n'Sec Personal 3.5 Avira Premium Security Suite 9.0 Norton Internet Security   2009 Avast Antivirus Professional 4.8
Bronze Zero-day Protection Award	Eset Smart Security 4.0 AVG Internet Security 8.5 Microsoft Security Essential 1.0 G-DATA Internet Security  2010
Failed	F-Secure Internet Security 2009 McAfee Internet Security Suite 13 Outpost Security Suite 2009 Panda Internet Security 2010 BitDefender Internet Security 2009 Dr.Web Security Space 5.0

Key results from the antivirus antivirus preformance test in HTML»

Serious efforts of the antivirus industry are focused on proactive methods of antivirus protection, which allow antivirus software to combat malicious programs that have undergone modifications and those that are still unknown. This development trend is the most promising on the market and almost every developer likes to emphasize just how good their proactive defense is.

It should be noted that proactive technologies encompass a wide range of concepts and approaches, and it is impossible to take all of them into account within a single test. In this test we will only compare the heuristic components of antivirus protection (heuristic + generic detection, i.e., extended signatures), without taking into account an analysis of system events (behavior blockers or HIPS).

The results of the test make it possible to conclude how effective a heuristic analyzer is and in which antivirus product this component works better.

As an addendum, a final measurement of the detection level for the collection of malware samples was performed on the updated antivirus software a week after the main test. As a result, the quality of detection for new viruses, as well as the effectiveness of the classical signature-based method of each antivirus program was ascertained in addition to their heuristics.

• Methodology used in testing of proactive antivirus protection »
• Analysis of the test results and awards

Key results of the testing (detection – false alarm)

Award	Products
Gold Proactive Protection Award Download GIF image (500х500px)	Kaspersky Anti-Virus 2009 (61% - 0.01%) Eset Nod32 Anti-Virus 3.0 (61% - 0.02%) BitDefender Antivirus 2009 (60% - 0.04%)
Silver Proactive Protection Award Download GIF image (500х500px)	Avira AntiVir Premium 8.2 (71% - 0.13%) Dr.Web 5.0 (61% - 0.2%) AVG Anti-Virus 8.0 (58% - 0.02%) Avast! Professional Edition 4.8 (53% - 0.03%) Norton Anti-Virus 2009 (52% - 0%) VBA32 Antivirus 3.12 (45% - 0.07%) F-Secure Anti-Virus 2009 (44% - 0.03%)
Bronze Proactive Protection Award Download GIF image (500х500px)	Panda Antivirus 2009 (38% - 0.02%) Trend Micro Internet Security 2009 (37% - 0.04%) Agnitum Outpost Anti-Virus Pro 2009 (33% - 0.07%)
Failed	Sophos Anti-Virus 7.0 (61% - 2.24%)

 Key results from the proactive antivirus protection test in HTML»

Complete results for each antivirus product are available only in HTML (click on the link above).

Take a good look at the results of any antivirus product protection quality test and you are unlikely to see a result of 100% in the test charts. Even the best antivirus solutions are sometimes unable to detect a malicious program the moment it enters a computer. This is hardly surprising, since in recent years the growth in the number of viruses and the speed with which they spread has resembled an avalanche.

But don’t panic – today’s antivirus programs have a variety of tools for combating malicious programs even in the event that they have made their way on to your computer. Keep in mind, though, that malicious programs are good at masking their presence on your system, making the antivirus program’s job even harder.

This is not the first time the Anti-Malware Test Lab has tested antivirus products for their ability to combat malicious programs in just this kind of situation, when they have already penetrated your computer and started their activity, while masking their presence on the system. Will antivirus solutions be able to detect and remove the malicious program without disrupting the system’s operation? This test will show how popular antivirus products cope with this difficult task.

• Methodology used in testing antiviruses for the treatment of active infections »
• Analysis of testing results and awards»

Testing results (October, 2008)

Key results of the testing of antivirus products for the treatment of active infections in HTML»

Complete results for each antivirus product are available only in PDF or Microsoft Excel format:

Complete testing results in PDF format »

Complete testing results in Microsoft Excel format »

Polymorphic malicious programs (also referred to hereafter as viruses) are capable of completely mutating with every new infection, generating multiple samples of themselves.

When scanning files on a computer using the traditional method, antivirus products search for specific traces of a virus – a signature. If the code of a virus that has been assigned a signature is modified, it will no longer be possible to detect it using that signature. A polymorphic virus is capable of performing such modifications to any of its parts.

As a rule, detecting polymorphic viruses makes use of a detection algorithm that is specially developed for each individual virus. The aim of this test is to assess the quality of the special algorithm function in various antivirus products.

Moreover, because polymorphic viruses are the most difficult viruses to detect, the ability to do so reflects the level of professionalism of an antivirus product’s developers. They not only have to analyze the complex variants of the viruses but also develop a reliable procedure and methodology to ensure 100% detection rates.

• Methodology used in testing of polymorphic virus detection »
• Composition of polymorphic virus samples for antivirus detection testing »
• Analysis of testing results and awards»

Latest test results (28/02/2008)

Award	Products
Download GIF image (500х500px)	Avira Antivir Personal Edition Classic 7.06 (31 out of 33 points) F-Secure Anti-Virus 2008 (31 out of 33) Kaspersky Anti-Virus 7.0 (31 out of 33)
Download GIF image (500х500px)	Avast Professional Edition 4.7 (25 out of 33) AVG Anti-Virus Professional Edition 7.5 (22 out of 33) DrWeb 4.44 (21 out of 33) ESET Nod32 Antivirus 3.0 (20 out of 33)
Download GIF image (500х500px)	Microsoft Windows Live OneCare 2.0 Pre-Release (19 out of 33) Trend Micro Antivirus plus Antispyware 2008 (18 out of 33) Symantec Anti-Virus 2008 (17 out of 33) BitDefender Anti-Virus 2008 (16 out of 33) Agnitum Outpost Security Suite Pro 2008 (15 out of 33) Sophos Anti-Virus 7.0 (14 out of 33) Panda Antivirus 2008 (14 out of 33) VBA32 Workstation 3.12.6 (14 out of 33)
Failed	McAfee VirusScan 2008 (11 out of 33)

 Key results from the testing of antivirus software for the detection of polymorphic viruse in HTML»

Complete results for each antivirus product are available only in HTML (click on the link above).

It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this is obvious – they make it possible to hide malicious programs and their components from PC users and antivirus programs. Numerous source codes for ready-made rootkits can be found on the Internet, which inevitably leads to their widespread use in various Trojans or spy programs (spyware/adware, keyloggers, etc.)

There are numerous specialized anti-rootkit products available for the detection and removal of these types of malicious programs. Furthermore, many antivirus developers state that their products include a function to detect active rootkits. 

The aim of this test is to evaluate the ability of the most popular antivirus and anti-rootkit products to detect and remove malicious programs (‘in-the-wild’ samples) that use rootkit technologies and actively circulate over the Internet, as well as checking proactive detection capabilities to detect proof-of-concept rootkits hidden on a system.

It should be noted that although testing of in-the-wild malware samples is of real practical use, there is also a great deal of research value in ascertaining the capabilities of proactive detection when combating the hidden threat of rootkits.

• Methodology used in this antivirus/anti-rootkit software testing »
• Selection of malware and proof-of-concept rootkits for this testing »
• Analysis of testing results and awards»

Summary of anti-rootkit testing results (24/01/2008)

Award	Products
Gold Anti-Rootkit Protection Award Download GIF image (500х500px)	Rootkit Unhooker 3.7 (7.5 out of 8 points) GMER 1.0 (7 out of 8) Kaspersky Anti-Virus 7.0 (6.5 out of 8) Avira Rootkit Detection 1.0 (6.5 out of 8)
Silver Anti-Rootkit Protection Award Download GIF image (500х500px)	AVG Anti-Rootkit 1.1 (5.5 out of 8) Panda AntiRootkit 1.08 (5.5 out of 8) Sophos Anti-Rootkit 1.3.1 (5.5 out of 8) Dr.Web 4.44 (5 out of 8) Trend Micro RootkitBuster 1. (5 out of 8)
Bronze Anti-Rootkit Protection Award Download GIF image (500х500px)	Symantec Anti-Virus 2008 (4.5 out of 8) F-Secure Anti-Virus 2008 (4 out of 8) McAfee Rootkit Detective 1.1 (3.5 out of 8)
Failed	BitDefender Antivirus 2008 (3 out of 8) McAfee VirusScan Plus 2008 (1.5 out of 8) ESET NOD32 Anti-Virus 3.0 (1 out of 8) Trend Micro Antivirus plus Antispyware 2008 (1 out of 8)

Key test results for detection and removal of rootkits by antivirus/anti-rootkit software in HTML»

Complete results for each antivirus product are available only in PDF or Microsoft Excel format:

Complite testing results in PDF format »

Rootkits description in PDF format »

Complete testing results in Microsoft Excel format »

The industry has recently witnessed a shift in emphasis to so-called proactive methods of antivirus protection, which allow antivirus software to combat malicious programs that have undergone modifications and those that are as yet unknown. This development trend is the most promising on the market and almost every developer likes to emphasize just how good their proactive defense is.

There are even attempts to contrast the newer proactive technologies with the older reactive technologies that use signature-based methods to detect malware and that require continuous and rapid updates of antivirus databases.

The concept of proactive protection is, of course, extremely attractive: a virus hasn’t even appeared and already there is protection against it. But the question arises as to just how effective these technologies are.

It should be noted that proactive technologies encompass a broad range of concepts and approaches, and including them all within the framework of a single test is simply not feasible. In this test we will only compare the heuristic components of antivirus protection (heuristic + generic detection, i.e., extended signatures), without taking into account an analysis of system events (behavior blockers or HIPS).

The results of the test make it possible to say how effective a heuristic analyzer is and in which antivirus product this component performs the best.

As an addendum, a final measurement of the detection level for the collection of malware samples was performed on the updated antivirus software a week after the main test. As a result, the quality of detection for new viruses, as well as the effectiveness of the classical signature-based method of each antivirus program was ascertained in addition to their heuristics. 

• Methodology used in testing of proactive antivirus protection »

Latest test results (14/01/2008)

Award	Products
Gold Proactive Protection Award Download GIF image (500х500px)	Avira AntiVir Personal Edition Premium 7.0 (71%) BitDefender Antivirus 2008 (65%)
Silver Proactive Protection Award Download GIF image (500х500px)	ESET NOD32 Anti-Virus 3.0 (59%) Dr.Web 4.44 (57%) Sophos Anti-Virus 7.0 (56%) Avast! Professional Edition 4.7 (52%) VBA32 Antivirus 3.12 (48%) Kaspersky Anti-Virus 7.0 (45%) McAfee VirusScan Plus 2008 (43%)
Bronze Proactive Protection Award Download GIF image (500х500px)	Symantec Anti-Virus 2008 (38%) AVG Anti-Virus Professional Edition 7.5 (37%) F-Secure Anti-Virus 2008 (36%) Trend Micro Antivirus plus Antispyware 2008 (30%) Panda Antivirus 2008 (20%)
Failed	Agnitum Outpost Security Suite 2008 (12%)

 Key results from the proactive antivirus protection test in HTML»

Complete results for each antivirus product are available only in HTML (click on the link above).