Testing by AV-Comparatives in March 2021 reveals the best antivirus solutions for Windows 10. The anti-malware test included a detection rate check, the launch of threats that were not recognized, and a false positive test.
Introduction
The Malware Protection Test involves executing malicious files on the system. While the Internet is the main attack vector in dynamic antivirus testing, the vectors in the anti-malware test can be, for example, network drives, USB drives, or scenarios in which malware is already on the disk.
Please note that the lab does not recommend purchasing an antivirus solution based solely on individual test data. Users must consider other factors as well: cost, usability, compatibility, and support. Installing a trial version of the antivirus allows you to conduct testing in everyday use, and based on this experience, make a decision to purchase.
The testing mostly involved comprehensive antivirus products designed primarily for home users. However, some vendors have insisted on testing their free antivirus software.
In the first half of 2021, the test suite consisted of 10,013 malware samples. Many of the samples were collected after preliminary telemetry data collection in order to identify the latest widespread threats that pose a serious risk to users. Different variants of malware were grouped together to create a balanced test set (i.e. to avoid over-representing the same malware sample in the suite). The sampling process ended at the end of February 2021.
Tested antiviruses
All antiviruses were installed on a fully updated Microsoft Windows 10 Pro 64-bit system. All products were tested at the beginning of March. Each antivirus received the latest updates and was tested with default settings.
- Avast Free Antivirus
- AVG Free Antivirus
- AVIRA Antivirus Pro
- Bitdefender Internet Security
- ESET NOD32 Internet Security
- G Data Internet Security
- K7 Total Security
- Kaspersky Internet Security
- Malwarebytes Premium
- McAfee Total Protection
- Microsoft Defender Antivirus
- NortonLifeLock Norton 360
- Panda Free Antivirus
- Total AV Total Security
- Total Defense Essential Antivirus
- Trend Micro Internet Security
- VIPRE Advanced Security
Information about additional third-party engines/signatures used inside the products: G DATA, Total Defense, and VIPRE all use the Bitdefender engine. TotalAV uses the AVIRA engine. AVG is a rebrand of Avast.
Methodology
The Malware Protection Test evaluates the ability of antivirus software to resist infection of a system by malicious files before, during, and after execution. Every antivirus was tested using the same methodology. Prior to execution, all test samples were subjected to on-demand scans, performed both with and without Internet access. The samples that were not detected during these scans were then run on the test system, with Internet access available so that the behavioral analysis functions could fully work. If the antivirus did not prevent infection or undo malicious changes made by a specific malicious sample, the product was considered to have failed that test case. If the antivirus asked the user whether to allow the launch of a dangerous program or to block the object, the wrong decision led to infection of the system. Such a test case was counted as “User dependent”, i.e. the action on the threat depends on the user's decision.
Online and offline detection levels
Many of the tested antiviruses use cloud-based protection technologies, such as reputation services or cloud signatures, which cannot be accessed without an active Internet connection. By performing on-demand scans online (with Internet access) and offline (without Internet access), the test clearly demonstrates how dependent each product is on its cloud security components. The results therefore show how effective an antivirus's protection remains when there is no Internet connection. AV-Comparatives recommends that vendors whose products are very tightly tied to cloud technologies warn users about the loss of an active connection, because this can seriously affect the quality of the protection provided.
The laboratory has published the detection levels of the tested antiviruses in both online and offline scanning modes:
Detection or Protection
Table designations
- Blocked - blocked threats
- User dependent - action on the threat depends on the user's decision
- Compromised - missed threats
- Protection rate - general protection level
Percentage missed threats (less is better)
The test suite used contained 10,013 recent/prevalent malware samples from the last few weeks/months.
Legend on the chart
- Blocked - Blocked threats
- User dependent (Decision,%) - action on the threat depends on the user's decision
- Compromised (%) - missed threats
- False Positives - false positives
Results (Table)
Vendor | Blocked % | User dependent (Decision) % | Compromised % | False positives |
---|---|---|---|---|
Avast | 99.99 | 0 | 0.01 | 1 |
AVG | 99.99 | 0 | 0.01 | 1 |
Avira | 99.98 | 0 | 0.02 | 2 |
Bitdefender | 100 | 0 | 0 | 4 |
ESET | 99.9 | 0 | 0.1 | 0 |
G DATA | 99.98 | 0 | 0.02 | 2 |
K7 | 99.96 | 0 | 0.17 | 46 |
Kaspersky | 99.96 | 0 | 0.05 | 1 |
Malwarebytes | 99.94 | 0 | 0.06 | 46 |
McAfee | 100 | 0 | 0 | 6 |
Microsoft | 99.85 | 0 | 0.15 | 4 |
NortonLifeLock | 100 | 0 | 0 | 22 |
Panda | 99.98 | 0 | 0.02 | 65 |
Total AV | 99.98 | 0 | 0.02 | 1 |
Total Defense | 99.99 | 0 | 0.01 | 9 |
Trend Micro | 98.97 | 0 | 1.03 | 3 |
VIPRE | 100 | 0 | 0 | 4 |
False Positives
An antivirus that shows a high percentage of threat detection but suffers from false positives is not always better than an antivirus that detects fewer malicious files but generates fewer false alarms.
Anti-malware test
The File Detection Test, which has been conducted in recent years, only included the detection of malicious files. It allowed us to assess the ability of tested antiviruses to detect malicious samples before launching. This ability remains a very important feature of antivirus software, which allows you to make sure a file is safe before sending it to friends, relatives or work colleagues.
This Malware Protection Test takes into account not only the detection rates of the programs involved but also their defensive capabilities, such as the ability to prevent malicious changes to the system by malware. In some cases, an antivirus program may not detect a malicious sample if it is in an inactive state, but it instantly identifies the threat at startup. In addition, many antivirus programs use behavioral analysis to monitor and block unwanted system changes that are usually inherent in malicious applications. This information complements the results of the Real-World Protection Test, which uses real public URLs as the source of malware. In this case, web filters and other web protection components can take effect. The Malware Protection Test simulates a situation where malware comes from a local source, such as a local network or a removable USB flash drive. Both tests involve launching malware that has not been identified by the protection functions to give a last line of defense a chance.
One important aspect of cloud detection mechanisms is this: malware authors are constantly looking for new ways to bypass detection and protection mechanisms. The use of cloud protection allows vendors to detect and classify suspicious files in real-time in order to protect against the latest unknown types of threats. Placing parts of the detection engine in the cloud makes it harder for malware authors to quickly adapt to new detection rules.
Test award levels
AV-Comparatives assigns rating awards to tested antivirus products based on threat detection and false positives. Since the report contains not only the final ratings but the threat detection levels themselves, advanced users may be less concerned about false positives and can rely solely on the level of protection.