AVLab.pl Advanced In-The-Wild Malware Test - September 2025

Disclaimer
1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
   We encourage you to compare these results with others and make informed decisions on what security products to use.
   Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

I can see Norton successfully detected it using file insight.

I wonder if file insight is dependent on Symantec or Avast telemetry and algorithm.
I guess it was the ps1 that was still undetected which managed to run the MSHTA again and again.
And you can see zero detection still for them and a python script which are over a week old.
I believe Symantec deals with ps1 better than Avast.
What is your take @Trident?
 
Symantec IPS would block the traffic again and again but the root cause won’t be taken care of.
Exactly. I also remember a video of TPSC in which he tested Norton and in the end Norton just gave up and said to call support which for some reason makes me laugh my ass out. Thankfully no such things for modern Norton.
 
I guess it was the ps1 that was still undetected which managed to run the MSHTA again and again.
And you can see zero detection still for them and a python script which are over a week old.
I believe Symantec deals with ps1 better than Avast.
What is your take @Trident?
Yes, Symantec SONAR has a lot of rules that target various activities (dropping, loading, persistence and so on). SONAR was better at dealing with PS1 files for sure. However, there are other areas where Avast is better. It’s very nuanced.

Exactly. I also remember a video of TPSC in which he tested Norton and in the end it just gave up and said to call support which for some reason makes me laugh my ass out. Thankfully no such things for modern Norton.
The call support advice used to appear when it couldn't remove certain malware. It didn't happen very often.
 
Hi Community!

We have published backend changes and results for the September 2025 edition. You can read more about it in the article: Assessment Of Effectiveness Of Protection Against In-the-wild Threats In The Windows Environment (September 2025) » AVLab Cybersecurity Foundation

Extended logs - example changes:

[attachment: screenshot of the extended log changes]

The recent results are linked in the article at the bottom and here: Recent Results » AVLab Cybersecurity Foundation

We are also preparing a new project for the entire community, which will be released after the new year 2026. It will not be related to AV testing, but rather a service in the context of security, which I think is very useful in today's world ;)
AV labs... Webroot 100%. Anyone care to comment on that result?
 
AV labs... Webroot 100%. Anyone care to comment on that result?
Webroot is ok against malware in executable formats and I’ve seen it outperforming other solutions when it comes to executables detection.

It’s just Webroot totally forgot other malware exists and all attempts to integrate other protections have resulted in mediocre modules to say the least.
 
Webroot is ok against malware in executable formats and I’ve seen it outperforming other solutions when it comes to executables detection.

It’s just Webroot totally forgot other malware exists and all attempts to integrate other protections have resulted in mediocre modules to say the least.
Which raises concerns about testing methodology when scoring 100%.
 
AV labs... Webroot 100%. Anyone care to comment on that result?
No disrespect to AVlabs, but I rubbed my eyes twice after seeing that. The fact that after every malware detection it begs to scan might look nuanced to some, but it is just a bogus thing in 2025 IMO. The executable protection is shockingly average at best and is overly dependent on prior knowledge of malware, aka signatures. It being tied with better vendors like Emsi etc. doesn't make any sense and says a million things about the dated executables used in testing. And please don't get me started on fileless malware and malscripts.
 
Which raises concerns about testing methodology when scoring 100%.
Well they test with what is prevalent.

Please note that Webroot detection of >40% post-launch is not evidence that Webroot has some super efficient behavioural blocking.

Most likely the Webroot emulation and unpacking abilities (ahead with other algorithms) are not so proactive. Once malware is launched it would unpack itself and then Webroot will use the standard mixture of age, prevalence and other reputation (very similar to Norton) to detect the executable.

The Webroot detection on executables can be tweaked. It can go full blown default deny.
 
I have reviewed the discussion regarding the validity of the Webroot scores and the specific testing methodology used in the September 2025 assessment. There appears to be a misconception among the participants that this test relies solely on dated executables or ignores modern attack vectors like fileless malware.

The methodology documentation for this specific edition explicitly contradicts this assumption. The test telemetry indicates a significant focus on "Living off the Land" binaries (LOLBins) and "Living off the Cloud" techniques. Specifically, the analysis protocol monitored and tracked extensive activity involving system processes such as:

- schtasks.exe
- rundll32.exe
- powershell.exe

as well as cloud-based execution vectors involving `az.exe` and `node.exe`. Therefore, a 100% score in this specific environment implies that the solution successfully interrupted the kill chain for these specific advanced threats, effectively neutralizing the attack path used in this dataset.

While skepticism regarding any vendor's performance is healthy, asserting that the test excluded fileless malware or scripts is not supported by the provided telemetry data. The test environment operated with active internet connections and zero-day web components to simulate a realistic breach scenario.

For a more accurate assessment of security posture, I advise evaluating the "Remediation Time" metric alongside detection rates. This metric provides a clearer indicator of how long a threat remains active on the endpoint before neutralization, which is often more critical than a simple block/miss binary status.
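The two ideas running through this thread, a product that blocks a LOLBin child process "again and again" without touching the parent that keeps spawning it, and a "Remediation Time" metric that is more informative than a block/miss flag, can be made concrete with a small event analyser. The following is an added example written for this discussion; it is not AVLab's tooling or methodology code. The log format, the event records, the set of LOLBin names and the metric definitions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Binaries named in the methodology post above, plus mshta.exe from the earlier posts (assumed set).
LOLBINS = {"schtasks.exe", "rundll32.exe", "powershell.exe", "mshta.exe", "az.exe", "node.exe"}

# Constructed process-creation / product-action records (not real AVLab telemetry).
# Format: ISO timestamp | sample id | event type | parent image | child image
SAMPLE_LOG = """\
2025-09-10T10:00:00|sample-A|proc_create|explorer.exe|powershell.exe
2025-09-10T10:00:02|sample-A|proc_create|powershell.exe|mshta.exe
2025-09-10T10:00:05|sample-A|proc_create|powershell.exe|mshta.exe
2025-09-10T10:00:07|sample-A|av_block|powershell.exe|mshta.exe
2025-09-10T10:00:10|sample-A|proc_create|powershell.exe|mshta.exe
2025-09-10T10:00:45|sample-A|av_remediate|-|powershell.exe
2025-09-10T11:00:00|sample-B|proc_create|winword.exe|rundll32.exe
2025-09-10T11:00:01|sample-B|proc_create|rundll32.exe|schtasks.exe
2025-09-10T11:00:03|sample-B|av_block|rundll32.exe|schtasks.exe
2025-09-10T12:00:00|sample-C|proc_create|explorer.exe|dropper.exe
2025-09-10T12:00:01|sample-C|av_remediate|-|dropper.exe
"""


@dataclass
class Event:
    ts: datetime
    sample: str
    kind: str      # proc_create | av_block | av_remediate
    parent: str
    image: str


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-separated records into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sample, kind, parent, image = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), sample, kind, parent.lower(), image.lower()))
    return sorted(events, key=lambda e: e.ts)


def lolbin_chain(events: list[Event]) -> bool:
    """True if one LOLBin spawned another (e.g. powershell.exe -> mshta.exe)."""
    return any(e.kind == "proc_create" and e.parent in LOLBINS and e.image in LOLBINS
               for e in events)


def spawns_after_first_block(events: list[Event]) -> int:
    """Process creations that follow the product's first block event.
    A non-zero count is the 'blocked again and again, root cause untouched' pattern."""
    blocks = [e.ts for e in events if e.kind == "av_block"]
    if not blocks:
        return 0
    first_block = min(blocks)
    return sum(1 for e in events if e.kind == "proc_create" and e.ts > first_block)


def seconds_until(events: list[Event], kind: str) -> Optional[float]:
    """Seconds from the sample's first event to the first event of `kind`, or None if it never occurs."""
    start = min(e.ts for e in events)
    hits = [e.ts for e in events if e.kind == kind]
    if not hits:
        return None
    return (min(hits) - start).total_seconds()


def summarize(text: str) -> dict[str, dict]:
    """Per-sample report: chain present, activity after block, time to block, time to remediation."""
    by_sample: dict[str, list[Event]] = {}
    for e in parse_events(text):
        by_sample.setdefault(e.sample, []).append(e)
    report = {}
    for sample, evs in by_sample.items():
        report[sample] = {
            "lolbin_chain": lolbin_chain(evs),
            "spawns_after_block": spawns_after_first_block(evs),
            "time_to_block_s": seconds_until(evs, "av_block"),
            "time_to_remediate_s": seconds_until(evs, "av_remediate"),
        }
    return report


if __name__ == "__main__":
    for sample, row in summarize(SAMPLE_LOG).items():
        print(sample, row)
```

On the constructed data, sample-A is "blocked" after 7 seconds yet keeps spawning mshta.exe until remediation at 45 seconds, sample-B is blocked after 3 seconds but never remediated (the remediation time is `None`, i.e. the threat is still resident), and sample-C is remediated outright in 1 second. A block/miss column would show all three as "blocked"; the remediation column separates them.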