Which Antivirus Is Best? Tough Test Separates Winners and Losers

Smacking down viruses, Trojans, and ransomware is important, but it's not the only task for an antivirus. Leaving valid programs alone is also a big deal. In the latest test results from Dennis Labs, the very best products balanced both of these tasks.

By Neil J. Rubenking
April 21, 2015
Dennis Technology Labs 2015 Q1

These days you don't have to download a Trojan to get infested by malware. Drive-by downloads and other sneaky techniques can infest your computer just because you surfed to a malicious or hacked site. To evade detection, the bad guys often configure their nasty code so it doesn't attack every visitor. It might attack one visitor in ten, or only trigger once for a given block of IP addresses. Researchers at Dennis Technology Labs take these tactics into account when testing antivirus software with a test system that ensures each product gets hit by precisely the same attack. It's meant to be as close as you can come to a real user's experience.

Every day for two months, the researchers select newly discovered malicious sites and use a capture/replay system to present each of ten antivirus products with the exact same scenario. The number of products is low because this test is seriously labor-intensive. After two months of testing, they collect and analyze the results to produce a quarterly report.

Nine products remain the same from quarter to quarter (though Webroot replaces Bitdefender starting this quarter). The tenth slot goes to a rotating guest product. For the first quarter of 2015, Panda Free Antivirus was the guest.

Scoring Protection
The best antivirus protection stops the attack before it ever reaches your computer—this kind of complete defense earns three points. If the malware launches but then gets detected and cleaned up, that's still worth a point. And if the cleanup is complete, with no dangerous traces left, that's worth another point. A product that fails to detect the malware, or lets it damage the test system, loses five points. With 100 samples, the possible scores range from 300 to minus 500.

Final certification ratings incorporate both the detection test and a separate very detailed test that examines how successfully the antivirus products refrain from blocking or warning about valid programs. The false positives test takes into account each sample's prevalence and also distinguishes degrees of bad behavior. Wiping out a valid program and reporting it as malware is worse than asking the user whether to block or allow it, for example. For full details, see the Dennis Technology Labs website.

Certification Levels
Depending on their performance in the two halves of this test, products can earn certification at five levels: AAA, AA, A, B, or C. Panda squeaked by with C-level certification. Kaspersky, Norton, ESET, Avast, and Trend Micro managed AAA. Of all the products tested, only Microsoft didn't earn at least a C.

Webroot hasn't been officially included before, but in a test commissioned last year it took AAA certification. It is worth noting that Webroot's handling of new, unknown malware differs from most. If a process isn't recognized as good or bad, Webroot journals all its actions and submits them for cloud analysis. Later, if this analysis reveals the process is malicious, Webroot uses the journal to reverse everything the process did. Alas, at the last minute Dennis Labs researchers determined they hadn't fully accounted for this unusual detection style in the current test, so Webroot's results had to be pulled.

As always, I salute the researchers that perform these onerous tests in order to help consumers determine just which antivirus is the most effective. I only wish this particular test could include more of the popular antivirus utilities.

About Neil J. Rubenking

Lead Analyst for Security

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
