AVLab.pl Advanced In-The-Wild Malware Test - Summary 2025 & Product of the Year 2026

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions. We encourage you to compare these results with others and take informed decisions on what security products to use. Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Adrian Ścibor

From AVLab.pl
Hi Community!

We have summarized the entire year in the Advanced In-The-Wild Malware Test. There is so much technical information about our testing procedures, step by step, explaining the algorithms.

The PDF document also contains a graphical summary of the most important information:
  • a table summarizing each manufacturer's participation in the tests with results,
  • the award of the year with an explanation,
  • statistics on threats,
  • and other data.
I encourage you to comment and ask questions. I will try to answer each one.

PS. Welcome to Elastic Defend in tests since January 2026 and also the popular VPN&AV provider since the March 2026 edition, SecureAPlus company as well. All changes will be published soon along with the results for the January 2026 edition.

Introduction to PDF and downloading the report on our website:

Thanks for posting this yearly summary and the PDF report link. For an “in-the-wild” style test, the biggest value for readers is usually not only the final scores/awards, but how reproducible and well-bounded the methodology is, so people can interpret the results correctly.

Methodology details that tend to matter most (and are easy to misunderstand)
  • Exact test window covered by the “entire year” summary (start/end dates), and whether January 2026 results are included or treated separately
  • Product versions/builds tested, engine versions, and whether cloud lookups were allowed/required
  • Default vs hardened configuration (and if hardened, what exact changes were applied)
  • Update policy during a run (allowed to update mid-test or “frozen” versions)
  • Execution chain: delivery vector, initial user context, privilege level, and whether SmartScreen/Mark-of-the-Web was present
  • Network conditions (fully open, partially blocked, simulated enterprise proxy/DNS filtering, etc.)
  • Rerun rules (when a sample fails due to infrastructure issues, when to retry, how many retries)

Scoring / “award of the year” transparency
If the report includes a composite score or award algorithm, readers will usually want to see (at least at a high level):
  • How prevention vs remediation is weighted (block before execution vs detect after execution vs rollback)
  • How “partial” outcomes are counted (e.g., initial execution but later neutralized; persistence blocked but payload ran, etc.)
  • How false positives are handled in the final award (and what qualifies as an FP in your methodology)
  • Whether there’s any minimum participation/coverage requirement for eligibility for the yearly award

Threat corpus and “ground truth” (especially important for in-the-wild)
Without getting into sensitive details, it helps credibility to describe:
  • Where threats were sourced from (broad categories are fine) and how uniqueness/deduplication was done
  • How you ensured the samples were truly malicious (your confirmation steps / “ground truth” approach)
  • How you prevented re-testing near-identical samples that would inflate/deflate certain products’ performance
  • Whether the dataset skews toward certain families (info-stealers, loaders, ransomware, scripts, signed abuse, LOLBins, etc.)

Practical publishing suggestions (to make community review easier)
  • Post the PDF version number/date and a short changelog if the file is updated later (so discussions don’t become inconsistent)
  • Provide a SHA-256 checksum for the PDF (helps readers verify they downloaded the exact same document)
  • If possible, publish a minimal “raw results” CSV (even anonymized) so people can validate the graphs/tables independently
  • Include a short “limitations” section (what your test explicitly does NOT measure) to prevent over-interpretation

New vendors (Elastic Defend, SecureAPlus)
For new entries, a short onboarding note in the report usually prevents arguments later:
  • Which SKU/edition was tested
  • How the default policy was chosen (true default, recommended profile, or vendor-provided policy)
  • Any special operational requirements (agent warm-up time, cloud dependency, licensing limits, reboot requirements)

Small clarity note about dates
Because your post mentions “Product of the year 2026” and also “changes will be published soon along with the results for the January 2026 edition” plus “March 2026 edition,” it would help to explicitly state in the PDF and in the thread which exact months/editions are included in the “year summary,” and which are upcoming future editions, using concrete dates (for example: “January 1, 2025 – December 31, 2025” vs “calendar year 2026 to date”).

If you publish the PDF checksum + the exact date range covered by the yearly summary in the first post, the community can review and discuss the results with far fewer misunderstandings.
 
Although Kaspersky is included in the list of products tested in 2025, the test results do not have any reference to Kaspersky!

 
I know that you and the others you work with go out of your way to design, implement, and execute tests that are realistic, real-world (ITW and happen in meatspace routinely), well designed, impartial or unbiased, and fair. And I already know that you've quoted and sold tests that turned out to cost you more time and effort, but yet you did not go back to the client(s) and say "Hey, I have to increase the price." In the early days of AVLab you made a lot of sacrifices. You try to add a lot of value for the Euro/Dollar paid by clients.

Years ago, you and I once crossed paths but never actually spoke to each other. I just listened to what you stated to others at that time.

You are a credit to the profession (regardless of the various keyboard warriors that discredit your tests and their results).

Although Kaspersky is included in the list of products tested in 2025, the test results do not have any reference to Kaspersky!
Don't worry! It's been clarified!
To participate in any annual settlements, you must take the test at least 3 times a year!
Kaspersky did not comply with this rule!

A massive difference in remediation time between Norton and Avast?

And an unexplained difference in web protection in spite of using the exact same database!
Some may think that Avast and Norton are two of the same engines. This is not yet the case; the technologies have not been merged so far.
 
Based on the parsed dataset, Bitdefender and McAfee demonstrate the strongest architectural hygiene by prioritizing Pre-Launch blocking. Eset shows the highest reactivity but raises questions regarding metric classification.

Prevention First
McAfee, Bitdefender, and G Data block >94% of threats at the web layer (Pre-Launch). This is the superior hygiene approach, preventing code execution entirely.

Remediation Dependent
Xcitium, Comodo, and Microsoft Defender allow a significant portion (>60-70%) of malware to execute before neutralizing it. While they achieved 100% neutralization in the end, this strategy increases the risk of "residue" (registry fragments, temporary files) left on the system.

Methodology Audit (The "Uniformity" Flaw)
The testing methodology exhibits a High-Entropy Trust Deficit.

Result Uniformity
Almost every vendor cited achieved "100% Neutralization" or "99.9%". In the wild, 100% efficacy across 19 different distinct engines is statistically improbable. This suggests the sample set (2,766 files over 12 months) may be:
  • Too small (approx. 7 samples per day).
  • Filtered for "known" threats rather than truly obscure zero-days.
  • Lacking in polymorphic diversity.

Transparency Delta
The report admits: "This is not a complete list, as some manufacturers participate in testing anonymously... Companies that are interested... are welcome to contact us."

Critical Risk
This implies survivorship bias. Vendors who failed the test likely opted out of the report, skewing the perception of industry reliability. We are only seeing the winners.

The methodology is VALID but BIASED. It focuses on "In-The-Wild" downloads (URLs) which favors browser-extension heavy AVs. It penalizes AVs that rely on behavioral monitoring (like Microsoft Defender) by forcing them to "remediate" rather than "block," even though the end result (Safe System) is the same.

Defending the Methodology
The small sample size (2,766) allows for deep forensic verification of each infection case, ensuring that "100% neutralization" is a verified fact (no residue), rather than a statistical guess used in bulk testing (e.g., AV-Comparatives dealing with 10k+ samples).

Defending Microsoft
Microsoft Defender's low Web-Layer score (31%) and high Runtime score (68.9%) are a feature, not a bug. It leverages the OS kernel to watch behavior, opting for high-certainty behavioral kills over potentially false-positive heavy URL blocking.

Outcome Summary

Winner (Performance)

Bitdefender & McAfee (Best Prevention).

Winner (Speed)
Eset (Fastest Reaction).

Loser (Latency)
Webroot (Dangerously slow remediation).

Methodology Check
Survivorship bias present (losers hidden). Sample size low. "100% scores" highly suspicious of non-challenging sample sets.
 
Thanks for the post mate.

Given AVLab’s requirement for 99.6% protection sustained across multiple editions, I’m curious whether the report’s scoring model implicitly favors pre-execution web blocking over post-execution behavioral remediation.

Does the methodology weight initial access prevention differently than runtime containment and rollback? Maybe that could influence how vendors prioritize architectural design (network filtering vs behavioral engines vs EDR-style remediation)?
 
So how they score the exact points on AVC?
Is Norton still using Symantec engine?
You need to ask AVC; unfortunately, I don't know their exact methodology.
I wonder why Kaspersky did not participate in all tests!
Cannot be for a financial obstacle.
This has been explained many times: Kaspersky requires us to collect a huge amount of logs, which for a single sample can sometimes weigh several GB, significantly affecting the delay in testing for all machines (testing all AVs per sample).
Defending Microsoft
Microsoft Defender's low Web-Layer score (31%) and high Runtime score (68.9%) are a feature, not a bug. It leverages the OS kernel to watch behavior, opting for high-certainty behavioral kills over potentially false-positive heavy URL blocking.
We do not add any negative points for blocking at the Post-Launch level. This is purely theoretical information for the community. On the other hand, we could also choose not to share the protection, but narrow it down to one general result, which would cause less confusion, but would it really be beneficial?
 
This has been explained many times: Kaspersky requires us to collect a huge amount of logs, which for a single sample can sometimes weigh several GB, significantly affecting the delay in testing for all machines (testing all AVs per sample).
Just remove Kaspersky and other AVs from the "honor board" of tested products, and keep only those which fulfilled the criteria to have their results displayed.
 
Not sure removing it will be right as they will say we are not unwilling to perform all tests.
And keeping it on the board of tested AVs without showing its collective results may be misinterpreted as Kaspersky "failed" to achieve any score.
 
You need to ask AVC; unfortunately, I don't know their exact methodology.

This has been explained many times: Kaspersky requires us to collect a huge amount of logs, which for a single sample can sometimes weigh several GB, significantly affecting the delay in testing for all machines (testing all AVs per sample).

We do not add any negative points for blocking at the Post-Launch level. This is purely theoretical information for the community. On the other hand, we could also choose not to share the protection, but narrow it down to one general result, which would cause less confusion, but would it really be beneficial?
Your own report assigns Microsoft Defender a 31% score in the Web Layer. You have visualized the penalty yourself. By categorizing 69% of the threats as "missed" by the browser and "caught" by the kernel, you have proven that the browser layer failed 69% of the time. You cannot publish a failing grade (31%) and then claim the grade implies no penalty.
 