AVLab.pl Advanced In-The-Wild Malware Test - September 2025

Disclaimer
This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions. We encourage you to compare these results with others and make informed decisions on what security products to use. Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Adrian Ścibor
From AVLab.pl
Hi Community!

We have published backend changes and results for the September 2025 edition. You can read more about it in the article: Assessment Of Effectiveness Of Protection Against In-the-wild Threats In The Windows Environment (September 2025) » AVLab Cybersecurity Foundation

Extended logs - example changes:

[Image: malware-sample-sysmon-tree-scaled.webp]


The recent results are linked in the article at the bottom and here: Recent Results » AVLab Cybersecurity Foundation

We are also preparing a new project for the entire community, which will be released after the new year 2026. It will not be related to AV testing, but rather a service in the context of security; I think it's very useful in today's world ;)
 
Thanks for the update, Adrian! Those extended logs look interesting—it's cool to see the backend changes in action for better transparency in the testing process. I'll definitely check out the full article and recent results. Excited to hear more about that upcoming project in 2026; sounds like it could be a game-changer for the community. Keep up the great work! 😊
 

So Comodo detected most of the test samples post-execution, while almost all the other products showed excellent pre-execution detection.

So for F-Secure which did better pre-launch than Comodo, we should probably bash it anyway, right @bazang? ;) :)
I noticed the same thing as @Divine_Barakah and as @Trident mentioned, I would rather have malware detected pre-launch than post-launch, no matter how effective it can be post.

[Image: f secure.png]
 
So for F-Secure which did better pre-launch than Comodo, we should probably bash it anyway, right @bazang? ;) :)
Why bash it? Who suggested that F-SECURE should be bashed?

I use F-SECURE by the way on all my devices. It is good enough for me. I then combine it with Windows Security (enterprise) default deny and leave it at that. No worries. No worries even if I use default Windows Home.

Security is not software. It is a process.


I noticed the same thing as @Divine_Barakah and as @Trident mentioned, I would rather have malware detected pre-launch than post-launch, no matter how effective it can be post.
I don't care. One is not vastly superior to the other. But of course it is common sense that blocking execution in the first place is always the best method. For that, the only proven secure way is default deny where the user can not execute anything and they cannot disable the protection because they are a "User that wants to use stuff."

I don't care what anyone says. But.. but... I can't install software I need! I don't want to hear it. The vast majority of installs are entirely unneeded. It's all really people playing with software and they place the rest of us at high risk.
 
Maybe. But personally I prefer that malware never runs on my system even in isolated area.
I also prefer that no unauthorized or unapproved code executes on any of my systems. I configure a Windows baseline and then lock the system down. Not even I can alter it - not even in an administrator account.

Many Windows Services are disabled. Virtually every single Windows LOLBin is disabled. Windows Security is set to the maximum level for a highest threat environment - which sometimes blocks even Microsoft software.

Contrary to any claim whatsoever that such a system is unusable and inconvenient, that's just straight up ignorance of the facts and/or an inexperienced claim - if not a lie for the purposes of an agenda of falsely claiming that certain security software offers superior ease-of-use and convenience. Complete poppycock BS marketing and hype to attract buyers.

I don't play with software. I don't do downloads and execute. I don't download untrusted, unreviewed mobile code and execute it.

My Windows 11 configuration is the same as any absolute default-deny UK GCHQ system.

Do I test and review software? Yes. I do. In a hardened VMWare virtual machine on its own separate NIC and network.

All of the system baseline creation and rebuild is done via automation scripts and pipelines or else via a pre-baselined and configured Windows image for clean install. Either way is speedy and trivial to do.

The real threat nowadays is not malware or even PUA/PUPs on the local host. It is hacked 3rd party payment card processors and breached supply chain websites - and all the security on your local system cannot stop any of that. A person has to know what they can do to stop that sort of thing - which is not globally universal. It varies from global region to region and nation to nation.
 
That's just a security vs. convenience thing. It is not a lie that default deny is inconvenient. You said it yourself that this kind of setup sometimes "blocks Microsoft software", so that is inconvenient and not hassle-free.

Personally I prefer a balance between security and usability. I am using the device to do my study and work and I don't want to devote most of my time to hardening my system and fixing the issues that might occur due to such setups.

A mix of a good security product and good browsing habits is all I need. I do understand that some users prefer more restrictive setups, but that is overkill for me.
 
That's just security Vs convenience thing. It is not a lie that a default deny is inconvenient. You said it yourself that this kind of setup sometimes "blocks Microsoft software", so that is inconvenient and not hassle-free.
That's a people problem. "Inconvenience" only exists in the minds of hoomans; "inconvenience" does not exist in The Universe.

A blocked Microsoft application update perhaps one (1) or two (2) times per year is not inconvenient. And it is trivial to allow the blocked updates with just a few minutes of time.

When you download that PDF for study purposes, execute it, and it encrypts your system - and you lose some or all of your work because you thought you made adequate backups but you really didn't - well - that's how people learn how not to do stuff.

Most people just want to download and execute stuff, which reviewing your posts confirms you are one of that type.
 
So anyone who disagrees with your approach is the problem right?

Well, I download a bunch of PDFs. I first upload them to VT and my security product is running in the background. I also have the protection provided by my PDF software. I also have secure DNS enabled systemwide. I also have system backups in case anything goes wrong. This setup is usable. Every single security approach might fail one day, so I prefer to live my life and get my work done.

Wanting a working system without any issues or hindrances is not a problem. Hardening the system to the point that it breaks things or requires constant modifications (blocking and unblocking stuff and looking for the cause of the block) is a problem. Power users can use that because it is fun for them or they can deal with any issues easily. Some people are paranoid and I do understand them. If default-deny were the "perfect" and "most usable" approach we would have seen every single product using that approach by default. Why do you think Kaspersky, for example, does not enable it by default?
 
If it is usable, MS would apply it by default and save the headache of accusation of improper security of its OS.
Microsoft Security advises:

1. Disabling or uninstalling all unneeded Windows Services
2. Disabling or uninstalling all unneeded applications
3. Disabling all unneeded LOLBins
4. Disabling or uninstalling all unneeded features

It's all the Principle of Least Functionality and it is up to the user to research it and learn how to do it.

Windows OS is shipped as a general OS that is not pre-configured at the level of security that is a best practice that Microsoft Security recommends. That is the system owner's responsibility.

Microsoft has no accountability or responsibility to protect anyone, but every single time it makes a very solid effort to secure and protect people from themselves, those people whine and complain about "inconvenience." It has done far, far more to protect all Windows users than any other company.

There's a large faction within Microsoft that wants to entirely exit the consumer market because of the headache that people are, but that's never going to happen because M$ makes bank off of whiny, complaining, ignorant, stupid users.
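The four-point list above is stated as policy. As an added example (not code from this thread, from AVLab or from Microsoft), here is how a least-functionality service baseline can be checked on a Windows host in PowerShell: it compares the services actually present with a baseline and reports every deviation, without changing anything. The two baseline tables are constructed placeholders for illustration; a real baseline is exported from a reviewed reference build. The function names are my own.

```powershell
# Added example; not code from the thread, AVLab or Microsoft.
# Read-only audit of local Windows services against a least-functionality
# baseline: reports required services that are missing or have the wrong
# start type, services that should be Disabled but are not, and running
# services the baseline never mentions. Both tables are placeholders.

# Services the baseline requires, with the expected StartType.
$RequiredServices = @{
    'WinDefend' = 'Automatic'   # Microsoft Defender Antivirus
    'EventLog'  = 'Automatic'   # Windows Event Log; detection depends on it
    'Dnscache'  = 'Automatic'   # DNS Client
}

# Services the baseline requires to be Disabled (placeholder choices).
$DisabledServices = @('RemoteRegistry', 'SSDPSRV', 'upnphost')

function Get-ServiceBaselineDeviation {
    param(
        [Parameter(Mandatory)] [hashtable] $Required,
        [Parameter(Mandatory)] [string[]]  $MustBeDisabled
    )

    # Snapshot of what the host currently has, keyed by service name.
    $current = @{}
    foreach ($svc in Get-Service | Select-Object Name, Status, StartType) {
        $current[$svc.Name] = $svc
    }

    function New-Finding($Service, $Issue, $Expected, $Actual) {
        [pscustomobject]@{ Service = $Service; Issue = $Issue; Expected = $Expected; Actual = $Actual }
    }

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Required services must exist and have the expected start type.
    foreach ($name in $Required.Keys) {
        if (-not $current.ContainsKey($name)) {
            $findings.Add((New-Finding $name 'Required service missing' $Required[$name] $null))
        }
        elseif ("$($current[$name].StartType)" -ne $Required[$name]) {
            $findings.Add((New-Finding $name 'Wrong start type' $Required[$name] $current[$name].StartType))
        }
    }

    # 2. Services the baseline disables must really be Disabled.
    foreach ($name in $MustBeDisabled) {
        if ($current.ContainsKey($name) -and "$($current[$name].StartType)" -ne 'Disabled') {
            $findings.Add((New-Finding $name 'Should be Disabled' 'Disabled' $current[$name].StartType))
        }
    }

    # 3. Anything running that the baseline does not list needs review:
    #    least functionality means the baseline enumerates every service.
    foreach ($svc in $current.Values) {
        if ("$($svc.Status)" -eq 'Running' -and
            -not $Required.ContainsKey($svc.Name) -and
            $MustBeDisabled -notcontains $svc.Name) {
            $findings.Add((New-Finding $svc.Name 'Running but not in baseline' 'Not running' 'Running'))
        }
    }

    return $findings
}

$deviations = Get-ServiceBaselineDeviation -Required $RequiredServices -MustBeDisabled $DisabledServices
if ($deviations.Count -eq 0) {
    Write-Output 'No deviations from the service baseline.'
}
else {
    $deviations | Sort-Object Issue, Service | Format-Table -AutoSize
    # In a rebuild pipeline, emit machine-readable output instead, e.g.:
    # $deviations | ConvertTo-Json -Depth 3 | Set-Content -Path .\service-baseline-deviations.json
}
```

With the three-entry placeholder baseline, the third check will list nearly every running service as "not in baseline"; that is the point of the check, since a least-functionality baseline is only useful once it covers the full service list of the reference image (for example `Get-Service | Export-Csv` taken from a freshly built, reviewed host). Running the audit on a schedule, or as a step in the rebuild pipeline, turns the "it just works with one or two exceptions a year" claim into something that can be measured.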
 
So anyone who disagrees with your approach is the problem right?
It has nothing to do with what I believe. What I stated are all facts.

People are the problem. ALWAYS.


Well, I download bunch of PDFs. I first upload them to VT and my security product is running in the background. I also have the protection provided by my PDF software. I also have secure DNS enabled systemwide. I also have system backups in case anything goes wrong. This setup is usable. Every single security approach might fail one day, so I prefer to live my life and get my work done.
Yeah. I know all about it. Multiple times over the years "students" who "downloaded bunches of PDFs" reported here at MT that their systems got encrypted, breached, and some even lost all their work - and every last one of them had a "top" AV or security solution installed - default allow. Not one was using what would have prevented that - default deny and continuous, isolated backups (if not continuous and isolated, then expect data loss).


Wanting a working system without any issues or hindrances is not a problem. Hardening the system to the point that breaks things or requiring constant modifications (blocking and unblocking stuff and looking for the cause of the block) is a problem. Power users can use that because it is fun for them or they can deal with any issues easily. Some people are paranoid and I do understand them. If default-deny is the "perfect" and "most usable" approach we would have seen every single product using that approach by default. Why do you think Kaspersky for example does not enable it by default?
There are no breakages or anything requiring constant modifications.

So you are over-exaggerating the problem and making it something that is not reality.

People, companies, governments out there use very highly hardened systems and typically there is a trivial issue that is fixed within minutes perhaps once or twice per year.

None of this requires:

1. The person to be a power user
2. Paranoia

Default-deny does work, but it is people who are not willing to adhere to the rules. So again, people are ALWAYS the problem.

Microsoft wants to impose and enforce Windows S+ Mode, but it makes too much money from the status quo - which means all the money it makes fixing all the problems created by "Users that want to use stuff" and their infected, damaged systems. People who want convenience are a MASSIVE profit center for Microsoft - and thousands of other companies out there. Y'all make us rich.

People are lazy.
 
Useable is not an absolute hard value. What is useable for one is unusable for another user.

Mister Be runs as standard user with SAC enabled and blocking LolBins (everywhere as standard user) and scripts in user folders. When he wants to try out software he launches a VM.

Mister Ce runs as admin, runs Avast with Comodo firewall and containment enabled. He knows the Comodo sandbox is not as solid as VM, but launches unknown programs with confidence because there are few/no bypasses in the wild which exploit the known weaknesses of Comodo.

Mister De runs as admin with Kaspersky Ultimate and trusts the superb AV and BB to deal with any threat he might encounter considering his safe hex practices.

Add your favourite security combo ... it all depends what you do with your PC.

@Divine_Barakah Also remember bazang is the fuzzy logic alter ego of Bot programmed to spice up discussion. Let's not derail this thread.

Just lookup what bazang means in the urban dictionary :-)
 
Microsoft Security advises:

1. Disabling or uninstalling all unneeded Windows Services
2. Disabling or uninstalling all unneeded applications
3. Disabling all unneeded LOLBins
4. Disabling or uninstalling all unneeded features
Windows is stuffed with non-essential apps which are uninstallable, so NO, Windows does not advise doing so.
MS could simply make all the non-essential services for OS loading disabled, and let the user enable whichever he/she needs, if they actually advised doing so.

It would be kind to submit the link for such recommendations for further reading.
 
Windows is stuffed with non-essential apps which are uninstallable, so NO, Windows does not advice to do so.
  1. Most everything on Windows is uninstallable - just not always through the "Uninstall" option.
  2. Microsoft Security does advise to uninstall and disable as much as possible - one has to be a paying enterprise or government client to get the detailed version of all that guidance - but on Microsoft Learn there is guidance that states the same, just not in great detail.
  3. Microsoft Security recommends NIST SP 800-53 and other security frameworks, including Governance, Risk Management, and Compliance frameworks such as 800-171R2. There are many. For instance, NIST SP 800-171R2 and R3 require the firewall to be configured for absolute default deny (which it is not: it allows PnP, auto-creates rules upon software installs, and is highly insecure overall for "convenience"). R2 requires either default deny whitelisting or blacklisting for all software. R3 requires absolute default deny whitelisting-only - only reviewed, approved, and authorized software may be installed; all else "*" = blocked.
MS can simple make all the non-essential services for OS loading disabled, and let the user to enable whichever he/she needs, if they actually adviced to do so.
It could, if people were willing to pay for a complete Windows OS re-code/re-write. However, Windows OS as it exists now was not built originally with security in mind at all. Slowly Microsoft added security and consumer-demanded features. It prioritized consumer-demanded features over security. One crap code layer was built over-top of an underlying crap code layer to accomplish this all over the decades. So now, it would be extremely difficult to unravel all of that.

So one thing is cost. It is more economical for M$ to create a single Windows OS image that contains all versions and editions. When you install Windows Enterprise LTSC - it is using the same OS image that OEMs use to install Windows Home or enterprises use to install Pro or Enterprise and universities to install Education. The differences are in what is activated during the install.

The other thing is that - at least for consumers - Microsoft is not going to let them do much of anything because it knows - as everybody else with lots of industry experience knows - that allowing consumers to make any decisions just results in a whole lot of problems. Microsoft knows that it would be best for the world to lock users out of the OS, but it is a public corporation whose first duty is generating profit for shareholders.

People (consumers) are the reason that Microsoft charges a minimum of $75 USD for any form of service ticket beyond the basic support that it provides for free - which is very minimal. The $75 USD fee minimum is a deterrent to people requesting support and wasting Microsoft's staff time.

It would be kind to submit the link for such recommendations for further reading.
Here's a courtesy link to get you started on your self-learning journey:


Don't try the "provide links otherwise it ain't true" argument. It's all out there. People have to put forth the large amount of effort to find it and learn it.
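The firewall point in the numbered list above can be checked rather than argued about. As an added example, not the thread's, AVLab's, Microsoft's or NIST's code, this PowerShell reads each Windows Firewall profile's default actions to see whether the host is actually in a default-deny posture, and lists the enabled Allow rules (including any that installers created) so they can be reviewed against an approved-software list. It is read-only. The function names are my own; the NetSecurity cmdlets it calls ship with Windows 8 / Server 2012 and later.

```powershell
# Added example; not code from the thread, AVLab, Microsoft or NIST.
# Read-only: reports firewall default actions per profile and enumerates
# enabled Allow rules, which are the exceptions to a default-deny posture.

function Get-FirewallDefaultDenyStatus {
    # A profile is default-deny only when it is enabled and both the inbound
    # and outbound default actions are Block.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = "$($_.Enabled)"
            InboundDefault  = "$($_.DefaultInboundAction)"
            OutboundDefault = "$($_.DefaultOutboundAction)"
            DefaultDeny     = ("$($_.Enabled)" -eq 'True') -and
                              ("$($_.DefaultInboundAction)" -eq 'Block') -and
                              ("$($_.DefaultOutboundAction)" -eq 'Block')
        }
    }
}

function Get-EnabledAllowRules {
    # Every enabled Allow rule widens the default-deny posture. Rules whose
    # Program is 'Any' are not bound to an executable and deserve the closest
    # review; rules created by installers typically land here too.
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Group      = $_.DisplayGroup
            Direction  = "$($_.Direction)"
            Profile    = "$($_.Profile)"
            Program    = $app.Program
            Protocol   = "$($port.Protocol)"
            RemotePort = "$($port.RemotePort)"
        }
    }
}

$profiles = Get-FirewallDefaultDenyStatus
$profiles | Format-Table -AutoSize

$notDefaultDeny = @($profiles | Where-Object { -not $_.DefaultDeny })
if ($notDefaultDeny.Count -gt 0) {
    Write-Output ("Profiles not in default-deny posture: " + (($notDefaultDeny | ForEach-Object { $_.Profile }) -join ', '))
}

# Exceptions to review: enabled Allow rules not tied to a specific executable.
$allowRules = @(Get-EnabledAllowRules)
Write-Output ("Enabled Allow rules: " + $allowRules.Count)
$allowRules | Where-Object { $_.Program -eq 'Any' } | Sort-Object Direction, Name | Format-Table -AutoSize
```

Run it before and after a software install to see exactly which rules the installer added, and keep the output of the reference build as the approved list so later runs can be diffed against it. Whether outbound default-deny is practical is the usability argument the thread is having; this script only makes the current state visible so that argument can be had on facts.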
 