App Review The struggle against Ransomware for big name AV continues.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
It’s worth treating posts like that (especially short “look, I bypassed AV X” clips on Reddit) as an anecdote, not evidence that a product is “broken” in general.

Why these “AV bypass” posts happen a lot
  • Pentesting goals differ from home-user protection. Many pentest demos assume the attacker already has code execution (sometimes even admin), and the “bypass” is about staying quiet afterward.
  • Configuration and product edition matter. Consumer AV vs business endpoint (EDR/XDR) can behave very differently. Even within the same product, toggles like “aggressive,” “cloud protection,” “ransomware remediation,” “tamper protection,” etc. change outcomes.
  • Lab/demo conditions are often unrealistic. Demos may rely on disabled modules, exclusions, safe-mode tricks, older builds, lack of network/cloud connectivity, or highly tailored payloads (e.g., custom loaders, LOLBins, signed-but-abused tools).
  • Evasion is not the same as “undetected forever.” Some techniques are time-sensitive and get detections quickly once shared.

How to evaluate a claim like “now it’s Bitdefender” safely
  • Look for exact versions (product build, Windows version), settings, and whether it’s consumer or enterprise.
  • Check whether the technique requires admin/SYSTEM or user-level access. “Bypass” after admin is a very different problem than preventing initial compromise.
  • See if there’s a reproducible write-up (steps, telemetry, logs) rather than only a clip.
  • If a sample/technique exists, the responsible path is submit to the vendor (most have security reporting channels) and let them analyze it, rather than concluding the product is generally unreliable.

Practical takeaway
These posts are a reminder that no single AV is a silver bullet. The realistic response is layered defense (patching, least privilege, application control where possible, good backup strategy, and cautious macro/script handling), not switching products every time a new “bypass” video appears.
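The checklist above (exact builds, settings, privilege level, consumer vs. enterprise) and the offline-vs-cloud point raised further down the thread both come down to one thing: the test environment has to be documented before a "bypass" clip means anything. The following PowerShell script is added here as an example and is not part of any post in this thread. It snapshots that environment to a JSON file. It assumes a Windows 10/11 client (the root\SecurityCenter2 WMI namespace is absent on Server SKUs), only queries the Get-Mp* cmdlets when Microsoft Defender is present, and the productState bit decoding for third-party products is a commonly used but undocumented heuristic, so treat those two fields as indicative rather than authoritative.

```powershell
# Added example, not code from the thread: capture the facts a "bypass" claim should be judged on.
# Run in an elevated PowerShell on the test VM before (and again after) executing the sample.
# Assumptions: Windows 10/11 client; Get-Mp* cmdlets exist only where Microsoft Defender is
# installed; root\SecurityCenter2 is a client-only WMI namespace; the productState bit decoding
# below is a widely used but undocumented heuristic.

$report = [ordered]@{}

# 1. Platform: exact OS build (criterion: "exact versions ... Windows version")
$os = Get-CimInstance Win32_OperatingSystem
$report.OSVersion = "$($os.Caption) $($os.Version) (build $($os.BuildNumber))"

# 2. Privilege level the test ran under: user-level vs. admin changes what "bypass" means
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$report.RunningAsAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 3. Connectivity: an offline box cannot use cloud lookups, so record it explicitly
$report.InternetReachable = Test-NetConnection -ComputerName 'www.msftconnecttest.com' -Port 80 `
    -InformationLevel Quiet -WarningAction SilentlyContinue

# 4. Every registered AV product, vendor-neutral (Bitdefender, K7, Defender, ...)
$report.RegisteredAV = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.displayName
            # Heuristic (undocumented): bit 0x1000 set = real-time protection on,
            # bit 0x10 set = definitions out of date.
            Enabled   = (($_.productState -band 0x1000) -ne 0)
            UpToDate  = (($_.productState -band 0x10) -eq 0)
            RawState  = ('0x{0:x}' -f $_.productState)
        }
    }

# 5. Defender-specific toggles that change outcomes (cloud, behaviour monitoring, tamper, exclusions)
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $st = Get-MpComputerStatus
    $pr = Get-MpPreference
    $report.DefenderEngine     = $st.AMEngineVersion
    $report.DefenderPlatform   = $st.AMProductVersion
    $report.SignatureVersion   = $st.AntivirusSignatureVersion
    $report.SignatureAgeHours  = [math]::Round(((Get-Date) - $st.AntivirusSignatureLastUpdated).TotalHours, 1)
    $report.RealTimeProtection = $st.RealTimeProtectionEnabled
    $report.BehaviorMonitoring = $st.BehaviorMonitorEnabled
    $report.TamperProtected    = $st.IsTamperProtected
    $report.CloudMAPS          = @('Disabled', 'Basic', 'Advanced')[$pr.MAPSReporting]
    $report.CloudBlockLevel    = $pr.CloudBlockLevel
    $report.SampleSubmission   = $pr.SubmitSamplesConsent
    # Controlled Folder Access is Defender's ransomware folder guard: 0 = off, 1 = on, 2 = audit
    $report.ControlledFolders  = $pr.EnableControlledFolderAccess
    $report.Exclusions         = @($pr.ExclusionPath; $pr.ExclusionProcess; $pr.ExclusionExtension) |
        Where-Object { $_ }
}

# 6. Write the snapshot so it can be attached, together with the sample's hash, to a vendor report
$out = Join-Path $env:USERPROFILE 'Desktop\av-test-environment.json'
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8
Write-Host "Environment snapshot written to $out"
```

The point of the snapshot is that it answers the questions in the list above without anyone having to squint at a video: which product and build, whether real-time and behaviour monitoring were on, whether the box could reach the cloud, whether exclusions were in place, and whether the sample ran as admin. If `InternetReachable` is false or `CloudMAPS` reads `Disabled`, the run measured local signatures and heuristics only, which is exactly the objection raised later in the thread.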
 
Now it's time to check with other big players, like K. or McAfee. I'm thinking about K7: what would happen if K7 were installed on this system during the test?
Any "non-comparative" tests, such as Leo's tests to incriminate MD, are pointless.
You test product A and say it failed; what if products B, C, and D are also going to fail?
 
Rewatch the video at 0:25: the exe is selected and a background loading icon also appears.
Second-by-second shots, 0:25 to 0:31 (seven screenshots of the Reddit clip attached).
 
Testing modern security suites offline and via manual execution is a catastrophic failure in methodology because it ignores the Cloud-Native Protection (CPN) and Behavioral Analysis layers that define contemporary defense. By disabling the internet and bypassing the initial delivery phase, the tester is effectively measuring 2005-era signature matching rather than 2026-era automated response and global telemetry.
 
Actually AVC is doing this in 2025 to audit offline protection vs. online protection.
But they do it comparatively to be meaningful.

(Screenshot from av-comparatives.org attached.)


 

AVC does indeed perform offline vs. online testing in their Malware Protection Test, but they do it to highlight a vulnerability, not to validate offline execution as a primary protection metric.

AVC’s offline tests are a "Stress Test" designed to show how much a product's security degrades without the cloud. Using this to justify a "malware test" on a desktop is like testing a car's safety by driving it into a wall without the engine running; you might see how the bumper holds up (static signatures), but you've disabled the airbags and ABS (cloud-delivered logic).
 
So you’re running malware on a PC which is not connected to the Internet. The Internet and the browser are the major source of infection. By effectively cutting it off you’re disabling 90% of the root source of the malware. The second source will be flash drives or external drives, which are likely to contain trojans or worms such as Sality rather than malware such as ransomware or trojans. Worms like Sality can be easily detected and neutralised by most if not all AVs without any active Internet connection if the database is kept up to date. I personally find this test dubious at best.
 