Every antivirus product or security suite promises to protect you from a variety of security risks and inconveniences. But do they really keep their promises? When we evaluate these products for review, we put their claims to the test in several ways. Each review reflects the results of our tests and our practical experience with the product. This article explains how these tests work.
Of course, not every test is appropriate for every product. Many antivirus utilities offer protection against phishing, but some do not. Most suites include spam filters, but some omit this feature, and some antivirus products add it as a bonus. Whatever functions a particular product offers, we put them to the test.
Real-time antivirus test
Every full-featured antivirus tool includes an on-demand scanner to find and destroy existing malware infections, as well as a real-time monitor to prevent further attacks. In the past, we maintained a collection of malware-infested virtual machines to test each product's ability to remove existing malware. Advances in malware encryption have made testing with live malware too dangerous, but we can still exercise each product's real-time protection.
Every spring, when most security vendors have completed their annual update cycle, we gather a new collection of malware samples for this test. We start with a feed of the latest malware-hosting URLs, download hundreds of samples, and narrow them down to a manageable number.
We analyze each sample with various hand-coded tools. Some samples detect when they are running in a virtual machine and refrain from malicious activity. We simply don't use those. We look for a variety of malware types, and for samples that modify the file system and registry. With some effort, we reduce the collection to a manageable number and record exactly what system changes each sample makes.
To test a product's malware-blocking capabilities, we download a folder of samples from cloud storage. In some products, real-time protection kicks in immediately and removes known malware. If real-time protection needs a trigger, we simply click on each sample or copy the collection to a new folder. We note how many samples the antivirus eliminates on sight.
Then we launch each remaining sample and note whether the antivirus detects it. We record the total percentage detected, regardless of when detection occurred.
Detecting a malware attack is not enough. The antivirus must actually prevent the attack. A small in-house program checks the system to determine whether the malware has modified the registry or installed any of its files. For executable files, it also checks whether any of those processes is actually running. Once the measurement is complete, we shut down the virtual machine.
If a product prevents a malware sample from installing any executable traces, it receives 8, 9, or 10 points, depending on how well it kept the system from being cluttered with non-executable traces. If it detects the malware but does not prevent the installation of executable components, it receives a middling 5 points. If one or more malicious processes are actually running despite the antivirus's attempt at protection, that is worth only 3 points. The average of all these scores becomes the product's final malware-blocking score.
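The scoring rubric above, worked through as an added example (it is not the reviewers' in-house program). The zero for an undetected sample and the boundaries between 8, 9 and 10 points are assumptions, and all paths and sample results are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SampleResult:
    """What was observed after launching one sample (constructed test data)."""
    detected: bool               # antivirus flagged the sample at any stage
    exe_expected: set            # executable files the sample is known to drop
    other_expected: set          # non-executable files and registry changes
    found: set = field(default_factory=set)    # recorded traces present after the run
    running: set = field(default_factory=set)  # dropped executables seen as live processes

def score_sample(r: SampleResult) -> int:
    if not r.detected:
        return 0   # assumption: the article gives no score for a complete miss
    if r.running & r.exe_expected:
        return 3   # a malicious process is running despite detection
    if r.found & r.exe_expected:
        return 5   # detected, but executable components were installed
    # All executable traces blocked: 8 to 10 by leftover non-executable clutter.
    leftover = r.found & r.other_expected
    if not leftover:
        return 10
    # assumption: at most half of the expected clutter left behind scores 9, more scores 8
    return 9 if len(leftover) * 2 <= len(r.other_expected) else 8

def blocking_score(results) -> float:
    """Average of the per-sample scores."""
    return sum(score_sample(r) for r in results) / len(results)

def detection_rate(results) -> float:
    """Percentage detected, regardless of when detection happened."""
    return 100 * sum(r.detected for r in results) / len(results)

# Constructed traces and results for five hypothetical samples.
EXE = {r"C:\Users\t\AppData\a.exe"}
OTHER = {r"HKCU\Software\Run\a", r"C:\Users\t\a.dat"}
RESULTS = [
    SampleResult(True, EXE, OTHER),                                # clean block
    SampleResult(True, EXE, OTHER, found={r"C:\Users\t\a.dat"}),   # some clutter left
    SampleResult(True, EXE, OTHER, found=set(EXE)),                # executable installed
    SampleResult(True, EXE, OTHER, found=set(EXE), running=set(EXE)),
    SampleResult(False, EXE, OTHER, found=EXE | OTHER, running=set(EXE)),
]

if __name__ == "__main__":
    print([score_sample(r) for r in RESULTS])
    print("blocking score:", blocking_score(RESULTS), "detected %:", detection_rate(RESULTS))
```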
Malicious URL blocking test
The best time to stop malware is before it reaches your computer. Many antivirus products integrate with your browser and steer you away from known malware-hosting URLs. If protection does not kick in at that level, there is still a chance to remove the malware payload during or immediately after download.