This website uses cookies to ensure you get the best experience on our website.
Please note that by continuing to use this site you consent to the terms of our Privacy and Data Protection Policy .
Some of our partner services are located in the United States. According to the case law of the European Court of Justice, there is currently no adequate data protection in the USA. There is a risk that your data will be controlled and monitored by US authorities. You cannot bring any effective legal remedies against this.
Accept

Malware Protection Test September 2024

Date September 2024
Language English
Last Revision October 10th 2024

File Detection Test with Execution including false alarm test


Release date 2024-10-15
Revision date 2024-10-10
Test Period September 2024
Number of Testcases 10078
Online with cloud connectivity checkbox-checked
Update allowed checkbox-checked
False Alarm Test included checkbox-checked
Platform/OS Microsoft Windows

Introduction

In the Malware Protection Test, malicious files are executed on the system. While in the Real-World Protection Test the vector is the web, in the Malware Protection Test the vectors can be e.g. network drives, USB or cover scenarios where the malware is already on the disk.

Please note that we do not recommend purchasing a product purely on the basis of one individual test or even one type of test. Rather, we would suggest that readers consult also our other recent test reports, and consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows a program to be tested in everyday use before purchase.

In principle, home-user Internet security suites are included in this test. However, some vendors asked us to include their (free) antivirus security product instead.

Tested Products

Most current versions available at the time of testing.

Information about additional third-party engines/signatures used inside the products: G Data and Total Defense use the Bitdefender engine. F-Secure and TotalAV use the Avira engine. AVG use the Avast engine.

Test Procedure

The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The methodology used for each product tested is as follows. Prior to execution, all the test samples are subjected to on-access and on-demand scans by the security program, with each of these being done both offline and online. Any samples that have not been detected by any of these scans are then executed on the test system, with Internet/cloud access available, to allow e.g. behavioural detection features to come into play. If a product does not prevent or reverse all the changes made by a particular malware sample within a given time period, that test case is considered to be a miss. If the user is asked to decide whether a malware sample should be allowed to run, and in the case of the worst user decision system changes are observed, the test case is rated as “user-dependent”.

Detection vs. Protection

The File Detection Test we performed in previous years was a detection-only test. That is to say, it only tested the ability of security programs to detect a malicious program file before execution. This ability remains an important feature of an antivirus product, and is essential for anyone who e.g. wants to check that a file is harmless before forwarding it to friends, family or colleagues.

This Malware Protection Test checks not only the detection rates, but also the protection capabilities, i.e. the ability to prevent a malicious program from actually making any changes to the system. In some cases, an antivirus program may not recognise a malware sample when it is inactive, but will recognise it when it is running. Additionally, a number of AV products use behavioural detection to look for, and block, attempts by a program to carry out system changes typical of malware. Our Malware Protection Test measures the overall ability of security products to protect the system against malicious programs, whether before, during or after execution. It complements our Real-World Protection Test, which sources its malware samples from live URLs, allowing features such as URL blockers to come into play. Both tests include execution of any malware not detected by other features, thus allowing “last line of defence” features to come into play.

One of the significances of cloud detection mechanisms is this: Malware authors are constantly searching for new methods to bypass detection and security mechanisms. Using cloud detection enables vendors to detect and classify suspicious files in real-time to protect the user against currently unknown malware. Keeping some parts of the protection technology in the cloud prevents malware authors from adapting quickly to new detection rules.

In addition, it’s worth noting that the effectiveness of antivirus products may vary between different scanning methods. For instance, some few products might detect certain threats in an offline on-demand scan but miss them during an online on-access or even on-execution scan. This might be due to potentially more aggressive heuristics employed by the local on-demand scan engine while being offline. Therefore, incorporating regular offline on-demand scans into one’s security routine may be beneficial under certain circumstances and certain products. Additionally, evaluating the aggressiveness and false positive rates of these detections is crucial; FP rates can be higher while being offline, as whitelisting via cloud is not available. Moreover, it could be advantageous if such vendors would provide transparency regarding whether certain detections occur exclusively during offline on-demand scans due to more aggressive scanning and missing cloud-validation.

Testcases

The test set used for this test consisted of 10,078 malware samples, assembled after consulting telemetry data with the aim of including recent, prevalent samples that are endangering users in the field. Malware variants were clustered, in order to build a more representative test-set (i.e. to avoid over-representation of the very same malware in the set). The sample collection process was stopped mid of August 2024. All products were installed on a fully up-to-date 64-Bit Microsoft Windows 10 system. Products were tested at the beginning of March with default settings and using their latest updates.

Ranking System

The malware protection rates are grouped by the testers after looking at the clusters built with the hierarchal clustering method (http://strata.uga.edu/software/pdf/clusterTutorial.pdf). However, the testers do not stick rigidly to this in cases where it would not make sense. For example, in a scenario where all products achieve low protection rates, the highest-scoring ones will not necessarily receive the highest possible award.

The number of false positives can also affect a product’s rating. Testers take statistical methods into account when defining false-positives ranges. The FP ranges for the various categories shown below might be adapted when appropriate (e.g. if we change the size of the set of clean files).

  Protection Rate Clusters/Groups
(given by the testers after consulting statistical methods)
  4 3 2 1
Very few (0-1 FP)
Few (2-10 FP’s)
TESTED STANDARD ADVANCED ADVANCED+
Many (11-20 FP’s) TESTED TESTED STANDARD ADVANCED
Very many (21-40 FP’s) TESTED TESTED TESTED STANDARD
Remarkably many (over 40 FP’s) TESTED TESTED TESTED TESTED

Offline vs. Online Detection Rates

Many of the products in the test make use of cloud technologies, such as reputation services or cloud-based signatures, which are only reachable if there is an active Internet connection. By performing on-demand and on-access scans both offline and online, the test gives an indication of how cloud-dependent each product is, and consequently how well it protects the system when an Internet connection is not available. We would suggest that vendors of highly cloud-dependent products should warn users appropriately in the event that the connectivity to the cloud is lost, as this may considerably affect the protection provided. While in our test we check whether the cloud services of the respective security vendors are reachable, users should be aware that merely being online does not necessarily mean that their product’s cloud service is reachable/working properly.

For readers’ information and due to frequent requests from magazines and analysts, we also indicate how many of the samples were detected by each security program in the offline and online detection scans.

  OFFLINE
Detection Rate
ONLINE
Detection Rate
ONLINE
Protection Rate
False
Alarms
Avast 94.3% 95.8% 99.93% 4
AVG 94.3% 95.8% 99.92% 4
Avira 90.3% 95.7% 99.96% 15
Bitdefender 94.3% 99.98% 5
ESET 88.0% 95.1% 99.94% 2
F-Secure 90.3% 95.1% 99.98% 17
G Data 95.0% 99.96% 3
Kaspersky 87.2% 89.4% 99.95% 1
McAfee 68.4% 97.1% 99.94% 13
Microsoft 68.8% 83.2% 99.84% 8
Norton 79.0% 97.3% 99.96% 32
Panda 36.6% 77.6% 99.25% 28
Quick Heal 39.1% 79.8% 97.58% 5
TotalAV 90.3% 95.1% 99.98% 13
Total Defense 94.3% 99.97% 5
Trend Micro 59.8% 88.8% 96.12% 1

Test Results

Total Online Protection Rates (clustered in groups):

Please consider also the false alarm rates when looking at the protection rates below.

BlockedUser dependentCompromisedProtection Rate
[Blocked % + (User dependent % / 2)]
Cluster
Bitdefender10076-299.98%1
F-Secure 10076- 299.98% 1
TotalAV 10076- 299.98% 1
Total Defense 10075- 399.97% 1
Avira 10074- 499.96% 1
G Data 10074- 499.96% 1
Norton 10074- 499.96% 1
Kaspersky 10073- 599.95% 1
McAfee 10073- 599.95% 1
ESET 10072- 699.94% 1
Avast 10071- 799.93% 1
AVG 10070- 899.92% 1
Microsoft 10062- 1699.84% 2
Panda 10002- 7699.25% 3
Quick Heal 9834- 24497.58% 4
Trend Micro 9687- 39196.12% 4

The test-set used contained 10078 samples collected in the last few weeks.

False Positive (False Alarm) Test Result

In order to better evaluate the quality of the file detection capabilities (ability to distinguish good files from malicious files) of anti-virus products, we provide a false alarm test. False alarms can sometimes cause as much trouble as a real infection. Please consider the false alarm rate when looking at the detection rates, as a product which is prone to false alarms may achieve higher detection rates more easily. In this test, a representative set of clean files was scanned and executed (as done with malware).

1.Kaspersky, Trend Micro1very few FPs
2.ESET2 few FPs
3.G DATA3
4.Avast, AVG4
5.Bitdefender, Quick Heal, Total Defense5
6.Microsoft8
7.McAfee, TotalAV13 many FPs
8.Avira15
9.F-Secure17
10.Panda28 very many FPs
11.Norton32

Details about the discovered false alarms (including their assumed prevalence) can be seen in the separate report available at: False Alarm Test September 2024.

A product that is successful at detecting a high percentage of malicious files but suffers from false alarms may not be necessarily better than a product which detects fewer malicious files, but which generates fewer false alarms.

Award levels reached in this Malware Protection Test

AV-Comparatives provides ranking awards, which are based on levels of false positives as well as protection rates. As this report also contains the raw detection rates and not only the awards, expert users who may be less concerned about false alarms can of course rely on the protection rate alone. Details of how the awards are given can be found on the previous page.

* these products got lower awards due to false alarms

Copyright and Disclaimer

This publication is Copyright © 2024 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.

For more information about AV-Comparatives and the testing methodologies, please visit our website.

AV-Comparatives
(October 2024)