File Detection Test March 2013
of Malicious Software including false alarm test
|Test Period||March 2013|
|Number of Testcases||136610|
|Online with cloud connectivity|
|False Alarm Test included|
The File Detection Test is one of the most deterministic factors to evaluate the effectiveness of an anti-virus engine. These test reports are released twice a year including a false alarm test. For further details please refer to the methodology documents as well as the information provided on our website. In this test, the following 20 up-to-date Security Products were tested using 136610 prevalent malware samples.
- Kingsoft Antivirus 2013Build: 2013.SP2.0.122400
- ThreatTrack Vipre Antivirus 2013Build: 6.1.5493
Each test system is running on Microsoft Windows 7 64-Bit including a respective security product, which was last updated on the 28th February 2013. The malware sets were frozen on the 22th February 2013. Most products run with highest settings by default. Certain products switch to highest settings automatically when malware is found (e.g. Avast, Symantec, Trend Micro, etc.). This makes it impossible to test against various malware with real “default” settings. In order to get comparable results we set the few remaining products to highest settings or leave them to lower settings – in accordance with the respective vendors. We kindly ask vendors to provide strong settings by default, i.e. set their default settings to highest levels of detection (e.g. AVIRA, Kaspersky, etc.), esp. for scheduled scans or scans initiated by the user. This is usually already the case for on-access scans and/or on-execution scans (e.g. ESET and Kaspersky use higher heuristic settings when files are executed). We allow the few remaining vendors (which do not use highest settings in on-demand scans) to choose to be tested with higher setting as they e.g. use in on-access/on-execution higher settings by default, so the results of the file detection test are closer to the usage in the field (as on-access the settings are higher). We ask vendors to remove paranoid settings inside the user interface which are too high to be ever of any benefit for common users (e.g. AVG, F-Secure, Sophos, etc.). Below are some notes about the settings used (scan all files, scan archives, scan for PUA, scan with cloud, etc. is always being enabled):
AVG, F-Secure, Sophos: asked to get tested and awarded based on their default settings (i.e. without using their advanced heuristics / suspicious detections / thorough scan setting).
AVIRA, Kaspersky: asked to get tested with heuristic set to high/advanced.
On each test system the malware set is scanned. The detections made by the security product are noted and analysed. Although no samples were executed during this test, we considered cases where malware would be recognized on-access, but not on-demand. The test is thus called File Detection Test (as opposed to the earlier On-Demand Tests), as on-access scanning is taken into consideration.
Please note: Several products make use of cloud technologies, which require an active Internet connection. Our tests are performed using an active Internet connection. Users should be aware that detection rates may in some cases be drastically lower if the scan is performed while offline (or when the cloud service is unreachable for various reasons). The cloud should be considered as an additional benefit/feature to increase detection rates (as well as response times and false alarm suppression), and not as a full replacement for local offline detections. Vendors should make sure that users are appropriately warned in the event that the connectivity to the cloud is lost, which may considerably affect the protection provided, and e.g. make an initiated scan useless. While in our test we check whether the cloud services of the respective security vendors are reachable, users should be aware that being online does not necessarily mean that the cloud service of the products they use is reachable/working properly. In fact, sometimes products with cloud functionality have various network issues due to which no cloud security is provided, but the user is not warned. AMTSO has a rudimentary test to verify the proper functionality of cloud-supported products.
The test-set used has been built consulting telemetry data with the aim of including prevalent malware samples from the last weeks/months prior to the test date which are/were endangering users in the field and consisted of 136610 samples. Furthermore, the distribution of families in the test-set has been weighted based on family-prevalence and was build based on Microsoft’s global telemetry data. This means that as more prevalent a malware family is, as more samples from that family are included in the test-set.
Hierarchical Cluster Analysis
This dendrogram shows the results of the cluster analysis. It indicates at what level of similarity the clusters are joined. The red drafted line defines the level of similarity. Each intersection indicates a group.
The malware detection rates are grouped by the testers after looking at the clusters build with the hierarchal clustering method. By using clusters, there are no fixed thresholds to reach, as the thresholds change based on the results. The testers may group the clusters rationally and not rely solely on the clusters, to avoid that if e.g. all products would in future score badly, they do not get high rankings anyway.
(given by the testers after consulting statistical methods)
|Very few (0-2 FPs)|
Few (3-15 FP's)
|Many (16-50 FPs)|
|Very many (51-100 FPs)|
|Crazy many (over 100 FPs)|
The test-set used contained 136610 recent/prevalent samples from the last few weeks/months. We estimate the remaining error margin on the final percentages to be below 0.2%.
Total detection rates (clustered in groups)
Please consider also the false alarm rates when looking at the file detection rates below.
|2.||Avira, Tencent, Kingsoft||99.6%|
|5.||Bitdefender, BullGuard, eScan, Emsisoft, Panda||99.3%|
|8.||AVG, Trend Micro||98.4%|
Graph of missed samples (lower is better)
The graph below shows the test results against a “out-of-box” malware detection provided by Microsoft Windows. In Windows 8, this is provided by Windows Defender, which is pre-installed by default with the operating system. The equivalent in Windows 7 is Microsoft Security Essentials, which is not pre-installed, but can easily be added for free as an option via the Windows Update service. We use this to compare the value of this feature – i.e. static malware detection – provided to users of third-party Anti-Virus solutions. This comparisons will from now on be provided also in other tests, like e.g. monthly for our Real-World Protection Tests (for products participating in public main test-series) available on our website.
False Positive (False Alarm) Test Result
In order to better evaluate the quality of the file detection capabilities (distinguish good files from malicious files) of anti-virus products, we provide a false alarm test. False alarms can sometimes cause as much trouble as a real infection. Please consider the false alarm rate when looking at the detection rates, as a product which is prone to false alarms achieves higher detection rates more easily.
|1.||Fortinet||5||none / very few FPs|
|2.||Kaspersky, Sophos||6||few FPs|
|4.||Bitdefender, BullGuard, ESET||9|
|9.||AhnLab, G DATA||19|
|10.||AVG, eScan||21||many FPs|
Details about the discovered false alarms (including their assumed prevalence) can be seen in a separate report available at: http://www.av-comparatives.org/wp-content/uploads/2013/03/avc_fp_mar2013.pdf
A product that is successful at detecting a high percentage of malicious files but suffers from false alarms may not be necessarily better than a product which detects less malicious files but which generates fewer false alarms.
The following chart shows the combined file detection rates and false alarms.
Award levels reached in this File Detection Test
AV-Comparatives provides ranking awards. As this report also contains the raw detection rates and not only the awards, expert users that e.g. do not care about false alarms can rely on that score alone if they want to. The awards are not only based on detection rates – also false positives found in our set of clean files are considered.
* these products got lower awards due to false alarms
Information about additional third-party engines/signatures used inside the products: BullGuard, Emsisoft, eScan and F-Secure are based on the Bitdefender engine, while Kingsoft and Tencent are based on the AVIRA eninge. Qihoo is based on the AVIRA and Bitdefender engine. The tested version of G DATA (2013) was based on the Avast and Bitdefender engines. G DATA 2014 is based on the Bitdefender engine; the results in this report of G DATA 2013 are not applicable to G DATA 2014.
Microsoft Security Essentials is currently considered as a baseline and therefore tested out-of-competition, due to which it is not included in the awards page. The score of Microsoft Security Essentials would be equivalent to TESTED. We additionally tested also Windows Defender included in Windows 8 (we observed the same results as achieved by Security Essentials under Windows 7).
We added Symantec Norton in this test, even if they did not apply for being included into our test-series, as the results have been highly demanded by our readers and the press.
Even if we deliver various tests and show different aspects of anti-virus software, users are advised to evaluate the software by themselves and form their own opinions about them. Test data or reviews just provide guidance on some aspects that users cannot evaluate by themselves. We encourage readers to additionally consult other independent test results provided by various well-known and established independent testing organizations, in order to get a better overview about the detection and protection capabilities of the various products over different test scenarios and various test-sets. A list of various reputable testing labs can be found on our website.
Copyright and Disclaimer
This publication is Copyright © 2013 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.
For more information about AV-Comparatives and the testing methodologies, please visit our website.