Advanced Home

How malware infects

How AV protects

Testing protection

home > advanced

Testing Antivirus Protection

The effectiveness of signature-based detection can be tested by scanning tests such as AV-Comparatives' On-Demand Malware Detection tests. In these, malware samples are collected and stored on a hard drive. The signatures of the antivirus program to be tested are updated, and then the program scans the drive; the number of malicous programs detected is noted. NB in tests such as these, the heuristics component of an antivirus program will also be used, so the number of samples detected by signatures may be less than the total number of samples detected. In such tests, the average score is usually about 95%, with the best programs reaching almost 100%. It should be remembered that such tests do not represent the ability of an antivirus program to protect against a brand-new threat being downloaded from a website.

Scanning tests can also be used to test heuristic detection by antivirus programs. The tests are essentially similar to those described above, with one exception: the virus signatures are frozen at a specific date, and then malicious programs are collected that first appeared after this date, meaning that they cannot possibly be identified by specific signatures. The antivirus programs must identify the malware on the basis that it "looks suspicious". Scores in such tests are much more variable than in signature-based tests, ranging from about 30% for the weakest programs to 70% for the strongest.

URL blockers can be tested quite simply by visiting websites known to be distributing malware; if the browser plug-in prevents the page being accessed, the URL blocker has worked. PC Pro magazine include such tests in their reviews of security suites. Results vary from 0% to 50%.

Tests of behavioural detection would be involve deactivating signature/heuristic-based malware detection in an antivirus program, to determine whether a malicious program can be detected on the basis of its behaviour alone. We are not currently aware of any comparative tests being performed solely on behavioural detection.

Whole-product tests assess the ability of an antivirus program or security suite to prevent malware infection by any means. In such tests, an attempt is made to access an infected website, then download and run malware from it. If the process is blocked at any stage, meaning that the computer is protected, the program passes the test. AV-Comparatives' Whole-Product Dynamic tests are an example of this. Results vary from about 75% to 99%. The results indicate that in the programs which do best in such tests, the URL blockers and behavioural detection provide significant extra protection compared to more traditional signature/heuristic detection methods.

 

 

 

 

 

 

 

 

 

Navigate our website:

Intermediate Level	Confidence Tricks	Dangerous Programs	How Big is the Risk?	Antivirus Programs	Safe Surfing	Safe Computer
	Phishing	The Worst Case		G Data	Spam	Security Center
	Email Theft	Rogue Antivirus		Kaspersky	Shopping/Banking	Firewall
	Phone Scams	Email Attachments		Antivir	Protect Your Child	Windows Update
		Bad Websites		NOD32		Antivirus
				Test Results		Other Software
				Other Programs		File Sharing
				PC Power Check		Backup
				Rating AV Programs		Wireless Networks
				AV-Comparatives		Your Child's PC

© Stay Safe on the Internet 2010. All rights reserved. Terms and Conditions | Privacy Policy | Site Map | About Us | Contact Us

Site designed by Alissa J. Robinson