AVLab.pl Analysis of system protection against active online malware – July 2025

Status
Not open for further replies.
Disclaimer
This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions. We encourage you to compare these results with others and take informed decisions on what security products to use. Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Adrian Ścibor (From AVLab.pl), thread author
Community!

If you've been following us, you've probably noticed that we've published the new results for the July edition of the Advanced In-The-Wild Malware Test.

Let me quote a few changes from our article:

Firstly, developers of the tested security solutions will receive additional extended logs in the form of an event tree with correlated processes, newly created and deleted files, commands executed in the terminal, Internet connections, and other instructions executed by the malware. This will allow for faster and easier analysis of what happened at the point of contact between the malware and the tested security package. These logs can also serve as additional evidence of the lack of response of the antivirus/EDR engine to malware:

[Image: malware drops files]

As an example, one of the malware samples dropped files into the TEMP folder to initiate malicious activity on the system.

[Image: TCP/UDP connections established by malware sample]

Here, malware queries known DNS providers and lesser-known IP servers in order to use C&C (an attempt to obtain additional instructions from a server controlled by the attacker).

- In addition, at the end of June 2025, we updated our Windows 11 operating systems to the latest versions in order to use the most up-to-date Windows 11 builds during testing.

- Finally, starting with this edition, we are capturing information from even more LOLBINs:

[Image: LOLBINs stats by AVLab in July 2025]


The changelog is updated: Changelog » AVLab Cybersecurity Foundation
The article: Analysis Of System Protection Against Active Online Malware – July 2025 » AVLab Cybersecurity Foundation
The Recent Results web-page: Recent Results » AVLab Cybersecurity Foundation

On the other hand

Additionally, I would like to inform you that from 2026 onward, it will be more difficult to obtain the Excellent certificate. Based on historical results, the 99% threshold is too low, so we are considering two options:

1) “Excellent” for 100% only and “Certified” for 99.0-99.9% - the Excellent certificate must remain unique.

2) Raise the threshold to 99.6% minimum for the Excellent certificate. We must allow for a certain margin of error for the requirements of the Microsoft Virus Initiative program. At this phase two clusters will be created:

2.1 solutions in the range 99.6-100 will receive Excellent
2.2 solutions in the range 99-99.5 will receive Certified

If you only award “Excellent” for 100% effectiveness, you are creating an illusion of perfection. Do you agree?

In practice, 100% in a test sometimes does not mean 100% in reality – because a test always has a limited sample set. This may be a coincidence (luck in sample selection) rather than the actual superiority of the product. This is why some people may criticize option 1) because no one can test the entire population of malware or guarantee that there will be no errors in the tests.

We can talk about clustering in another thread so as not to cause confusion here.

I will keep you informed of any changes. The year 2025 will be summarized according to the old rules.
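To make the point in the post above concrete, here is an added example (not AVLab's code) that classifies one result under the two proposed certificate options and computes how large a true miss rate is still statistically consistent with a 100% score on a finite sample set. The sample counts are constructed for illustration; the thread gives no per-edition figures.

```python
"""Added example, not AVLab's code: how the two proposed 2026 certificate
options classify a result, and how much a "100%" score on a finite sample
set can actually prove.  All sample counts below are constructed for
illustration; the thread does not give per-edition figures."""
import math


def protection_rate(n_samples: int, n_missed: int) -> float:
    """Observed protection rate in percent, e.g. 297 of 300 blocked -> 99.0."""
    if n_samples <= 0 or not 0 <= n_missed <= n_samples:
        raise ValueError("need n_samples > 0 and 0 <= n_missed <= n_samples")
    return 100.0 * (n_samples - n_missed) / n_samples


def certificate_option1(rate: float) -> str:
    """Option 1 from the post: Excellent only for 100%, Certified for 99.0-99.9%."""
    if rate >= 100.0:
        return "Excellent"
    if rate >= 99.0:
        return "Certified"
    return "none"


def certificate_option2(rate: float) -> str:
    """Option 2 from the post: Excellent for 99.6-100, Certified for 99.0-99.5.
    The post's ranges leave a gap between 99.5 and 99.6, so the rate is rounded
    to one decimal first (an assumption about how the two clusters meet)."""
    r = round(rate, 1)
    if r >= 99.6:
        return "Excellent"
    if r >= 99.0:
        return "Certified"
    return "none"


def max_miss_rate_consistent_with_zero_misses(n_samples: int,
                                              confidence: float = 0.95) -> float:
    """Largest true miss rate (percent) that would still produce 0 misses in
    n_samples with probability >= 1 - confidence.  Solves (1 - p)^n = 1 - conf;
    at 95% this is about 3/n (the "rule of three")."""
    alpha = 1.0 - confidence
    return 100.0 * (1.0 - alpha ** (1.0 / n_samples))


def wilson_upper_miss_rate(n_samples: int, n_missed: int, z: float = 1.96) -> float:
    """Wilson score upper bound (percent) on the true miss rate for k misses in
    n samples; usable when k > 0, where the zero-miss formula does not apply."""
    n, k = n_samples, n_missed
    p = k / n
    centre = p + z * z / (2 * n)
    spread = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return 100.0 * (centre + spread) / (1 + z * z / n)


def assess(n_samples: int, n_missed: int) -> dict:
    """Score one product's result under both options, plus what the sample size
    allows us to conclude about its real-world miss rate."""
    rate = protection_rate(n_samples, n_missed)
    if n_missed == 0:
        upper = max_miss_rate_consistent_with_zero_misses(n_samples)
    else:
        upper = wilson_upper_miss_rate(n_samples, n_missed)
    return {
        "rate": round(rate, 2),
        "option1": certificate_option1(rate),
        "option2": certificate_option2(rate),
        "true_miss_rate_upper_95pct": round(upper, 2),
    }


if __name__ == "__main__":
    # Constructed edition of 300 in-the-wild samples; not an AVLab figure.
    for missed in (0, 1, 2, 3, 4):
        print(missed, assess(300, missed))
```

With 300 samples and zero misses, the 95% upper bound on the true miss rate is just under 1%, so a "100%" edition is statistically indistinguishable from a product that really misses one sample in a hundred; that is the "illusion of perfection" the post refers to, expressed as a number.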
 
Glad to see my favourite ESET is there, but why Kaspersky isn't present?
 
Glad to see my favourite ESET is there, but why Kaspersky isn't present?

I have already explained before this edition that Kaspersky collects a huge amount of logs, even several to several dozen GB per sample. On a monthly basis, this amounts to several hundred GB of data to be transferred to the vendor.

Collecting such a large amount of data significantly affects the number of samples tested per month for all solutions, because the rule here is that only one sample is taken at the same time for all machines with AV/EDR installed.
 
I have already explained before this edition that Kaspersky collects a huge amount of logs, even several to several dozen GB per sample. On a monthly basis, this amounts to several hundred GB of data to be transferred to the vendor.

Collecting such a large amount of data significantly affects the number of samples tested per month for all solutions, because the rule here is that only one sample is taken at the same time for all machines with AV/EDR installed.
Are they getting full memory dumps or something...?
 
Are they getting full memory dumps or something...?

The manufacturer requires logs from its tool because it is apparently easier for them to analyze what happened in the system. Kaspersky has this hidden in settings / support / extended logs. Theoretically, this can be limited, e.g., to a maximum of 500MB per log file, but tests have shown that the log file grows to an absurd size, e.g., 10GB. Of course, this has been reported to Kaspersky.

EDIT:
I hope that we will include Kaspersky in our tests again someday, but this requires internal testing to verify it again and consult the vendor.
 
or might be something related to the competence of testing methodology.

Or maybe it's because it's not a bad product at all.

It has high detection rates for URLs and known samples, as well as very good detection of malicious changes under the hood after launch. The methodology is the same for everyone. To look for differences, it's worth checking out tests from other companies if QH is included in them.

QH also scored top marks in our banking protection test (2024). I don't think that came out of nowhere. We intend to repeat the test this year.
 
Or maybe it's because it's not a bad product at all.

It has high detection rates for URLs and known samples, as well as very good detection of malicious changes under the hood after launch. The methodology is the same for everyone. To look for differences, it's worth checking out tests from other companies if QH is included in them.

QH also scored top marks in our banking protection test (2024). I don't think that came out of nowhere. We intend to repeat the test this year.
According to the test results and pricing, I would ditch other AVs such as McAfee, which costs 40 USD for its lowest tier, for Quick Heal, which only costs 12 USD.
 
or might be something related to the competence of testing methodology.
AVLab is a Microsoft Virus Initiative partner, Anti-Malware Testing Standards Organization member, and Cyber Transparency Forum auditor. I believe they've earned sufficient credibility since launching in 2019. Take away what you will from each instance of results, but professional antivirus testing is no trifle.
 
According to the test results and pricing, I would ditch other AVs such as McAfee, which costs 40 USD for its lowest tier, for Quick Heal, which only costs 12 USD.
I understand. Choose what you think is right for you and good in terms of protection and additional features.
 
AVLab is a Microsoft Virus Initiative partner, Anti-Malware Testing Standards Organization member, and Cyber Transparency Forum auditor. I believe they've earned sufficient credibility since launching in 2019. Take away what you will from each instance of results, but professional antivirus testing is no trifle.
The only nice part is presenting pre-execution vs post-execution detection, nothing more.
 
The only nice part is presenting pre-execution vs post-execution detection, nothing more.

How do you think we can improve the tests to make them more interesting? What data would you like to see from the tests in the files that are available for download to the community? (apart from LOLBINs, per-sample protection comparisons in CSVs)
 
I can't comment on AVLab's testing methods, as I lack the necessary expertise. However, I find it confusing for an uninformed user how differently some AV programs perform in different users' tests. This doesn't make it any easier to decide which program to use.
 
I have already explained before this edition that Kaspersky collects a huge amount of logs, even several to several dozen GB per sample. On a monthly basis, this amounts to several hundred GB of data to be transferred to the vendor.

Collecting such a large amount of data significantly affects the number of samples tested per month for all solutions, because the rule here is that only one sample is taken at the same time for all machines with AV/EDR installed.
Did Russia finally say "fck it, might as well do what the US accused us of"? I mean wtf, GB of data? What is this, an AV or a BitTorrent client?
 
How do you think we can improve the tests to make them more interesting? What data would you like to see from the tests in the files that are available for download to the community? (apart from LOLBINs, per-sample protection comparisons in CSVs)

It would be welcome to change the testing methodology to something like SE Labs.

These include widespread malware attacks and more sophisticated intrusions that do not rely on obvious warning signs. The way we test remains transparent, consistent and publicly documented. We explore anti-malware marketing vs. reality

The first part would remain as usual (or fewer samples to save time).
The second part should include evasive threats (scripts, scriptlets, 1-hour FUDs, etc.), possibly modified in-the-wild samples.
For example (June 2025):

[Image: June 2025 example]
 
Will there be more AV solutions in these tests?
I don't see Fsecure, Avira, AVG, Bitdefender and McAfee.
And if they don't, why not?


You've already mentioned Kaspersky, so it's clear why there aren't any.
 