December 10, 2025 | Text: Markus Selinger | Antivirus for Windows

Advanced testing: confronting malware lurking in seemingly harmless software

Cyberattackers are always coming up with new and creative methods to take users by surprise. They constantly modify their code so that malware components which had previously been detected are concealed once again. The variety of their methods is immense, which means it is not always easy for detection systems to probe for them. With its series of ATP tests, AV-TEST examines whether protection software for consumer users and corporate users can keep pace with these developments. The lab uses the latest ransomware and infostealers in the tests, subjecting Windows systems to the latest techniques used by these attackers. Each attack on the 19 security programs in the test is examined and recorded step by step. Many of the system watchdogs performed well in all aspects of the test. However, there were a few cases where the malware reigned victorious – fortunately not that often.

Protection packages in the ATP test – which security solution for Windows provides the best defense against ransomware and infostealers

Ransomware and infostealers consistently top the list of the most dangerous malware in circulation. For cybercriminals this means that encrypting or stealing data – and then blackmailing their victims – is a highly lucrative endeavor. The latest studies have shown that, after years of decline, the number of attacks from these two malware groups is on the rise again in 2025. The hacker groups have become highly specialized in specific industries and have, in some cases, divided up these industries amongst themselves. Several of these groups exclusively target the healthcare sector, such as Qilin, SafePay, RansomHub and Medusa. Other groups dominate in the areas of critical infrastructure and finance, such as Akira, DragonForce and Play.

Security software needs to be able to defend systems against the sophisticated attacks from all of these groups, including the most dangerous malware like ransomware and infostealers. 19 security products for consumer users and corporate users proved their mettle under Windows in the latest Advanced Threat Protection (ATP) test from September to October 2025.

19 security solutions in the Advanced Threat Protection test

The lab examined all products by subjecting them to 10 real-world attack scenarios and documented each step of the malware attack. It is important to note that even when malware escapes immediate detection or is only detected while executing its attack, secondary protection modules are able to form an integrated line of defense. In this manner, it is still possible to protect a system despite the head start that the malware received.

The line-up of protection products for consumer users in the ATP test included: Avast, AVG, Avira, Kaspersky, McAfee, Microsoft, Norton and TotalAV. And the solutions for corporate users in the latest test included the following vendors: Avast, Bitdefender, HP Security, Huawei, Kaspersky (with two versions), Microsoft, Microworld, Qualys, Rakeen and Trellix.

Security packages for consumer users in the ATP test

Here are the results for the 8 protection packages for consumer users in the Advanced Threat Protection test under Windows 10

Security solutions for companies put to the ATP test

The ATP test reveals the 7 out of 11 tested solutions for corporate users that performed flawlessly


Each security product in the test needs to provide protection against 5 samples of ransomware and 5 samples of infostealers. Each recorded step in the detection process earns a specific number of points: up to 3 points for a ransomware sample, and up to 4 points for an infostealer sample. Half points are also awarded if a product is capable of mounting a partial defense against an attack. Each product can ultimately earn up to 35 points for its protection score in the test.

The 10 malware samples used by the lab in the test each employ one or more attack techniques for their overall attack – sometimes they even combine techniques. For example, they may conceal code or disguise files, masquerading them as legitimate applications. A special method of attack in this test is the following:

Misuse of Node.js: Node.js is an open-source, cross-platform JavaScript runtime environment that lets developers execute JavaScript code outside of a web browser. It is widely used by developers and is highly trusted. However, Node.js modules can also contain obfuscated native code. That code then runs with the same privileges as the application, enabling it to do anything that the normal program could do on the system. Antivirus scanners and analysts have a difficult time detecting and checking this code because it does not appear as normal JavaScript. If malware is embedded, it can lurk in the seemingly harmless application, picking out passwords, stealing data or encrypting files at will.

The testers employ Node.js modules in the test in order to load the shellcode and mimic the behavior of infostealers and ransomware. These modules are either compiled as Single Executable Applications (SEA) and executed using the command line of Node.js, or embedded in an actual Electron app (Discord). Once embedded in Discord, a well-known and trustworthy software, the code can be executed, making detection extremely difficult.
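The two delivery forms described above (a Node.js single executable application, and native code hidden in a Node.js module inside a trusted app) leave recognizable traces on disk that a defender can inventory. The following triage script is an added example written for this article; it is not AV-TEST's tooling and not code from any tested product. It assumes two things: that Node.js SEA binaries carry the sentinel fuse string documented in the Node.js SEA documentation, which the build tool flips from ":0" to ":1" when a JavaScript blob is injected (verify this against your Node.js version), and that a ".node" file, being a shared library loaded into the Node process, should begin with a PE, ELF or Mach-O header. A ".node" file without such a header, or an unexpected SEA binary inside an application folder, is something worth hashing and inspecting further.

```python
"""Inventory Node.js SEA binaries and native Node addons (.node files) under a
directory. Added example for this article; not AV-TEST's or any vendor's code."""
import os
import re
import tempfile
from typing import List, Optional

# Sentinel fuse from the Node.js SEA documentation (assumption: the value is
# unchanged for the Node.js version in use). The SEA build tool rewrites the
# ":0" after the sentinel to ":1" when a JS blob is injected into the binary.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
_FUSE_RE = re.compile(re.escape(SEA_FUSE) + rb":([01])")

# Header magic of the native shared-library formats a .node addon is built as.
NATIVE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}


def sea_state(data: bytes) -> str:
    """'sea' if the fuse is set, 'node-without-sea' if the sentinel is present
    but unset (a plain node binary), 'not-node' if the sentinel is absent."""
    m = _FUSE_RE.search(data)
    if m is None:
        return "not-node"
    return "sea" if m.group(1) == b"1" else "node-without-sea"


def native_format(data: bytes) -> Optional[str]:
    """Name of the native executable format the file header matches, or None."""
    for magic, name in NATIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage_file(path: str, data: bytes) -> List[str]:
    """Findings for one file, given its relative path and raw contents."""
    findings = []
    if sea_state(data) == "sea":
        findings.append(f"{path}: Node.js SEA binary (embedded JS blob)")
    if path.lower().endswith(".node"):
        fmt = native_format(data)
        if fmt is not None:
            # Native code that will run with the host application's privileges.
            findings.append(f"{path}: native Node addon, {fmt}")
        else:
            findings.append(f"{path}: .node file without native header (suspicious)")
    return findings


def triage_tree(root: str) -> List[str]:
    """Walk an application folder and collect findings for every file."""
    findings: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            findings.extend(triage_file(os.path.relpath(full, root), data))
    return findings


if __name__ == "__main__":
    # Constructed sample tree: one fake SEA binary, one native-looking addon,
    # one text file masquerading as an addon, one ordinary script.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "resources"))
        samples = {
            "tool.exe": b"MZ" + b"\x00" * 32 + SEA_FUSE + b":1" + b"\x00" * 8,
            "resources/helper.node": b"MZ\x90\x00" + b"\x00" * 16,
            "resources/odd.node": b"just text",
            "resources/index.js": b"console.log('hello');\n",
        }
        for rel, content in samples.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(content)
        for line in triage_tree(tmp):
            print(line)
```

Run it against the install directory of an Electron application to list every native addon the app ships; the resulting paths and hashes are what to compare against a known-good build, since a newly added or replaced ".node" file is where hidden native code would live.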

The 10 test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database under “Techniques”, for example “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined in terms shared among experts and can be logically understood. In addition, all attack techniques are explained, along with how the malware infection occurs and impacts systems.

(Image gallery: the 10 test scenarios, 01 to 10.)

8 consumer user products in the ATP test

The 8 products examined for consumer users come from the following vendors: Avast, AVG, Avira, Kaspersky, McAfee, Microsoft, Norton and TotalAV. Each one of these vendors, with the exception of the last one, has reason to be excited about the results. After all, the lab awarded the full protection score of 35 points to 7 of the vendors in the ATP test, because each of them successfully detected and defended against all 10 attacks.

The only one to reach its limits with one ransomware sample was TotalAV with its product Antivirus Pro. It managed to detect the malware; however, it couldn’t completely stop it – enabling the attack to be launched. In the end, TotalAV had to admit a partial defeat, because several files were encrypted. For this, the lab awarded it only 2 out of 3 points. Since the other 9 test cases ran smoothly, TotalAV ultimately attained a score of 33 out of 35 points in terms of protection.

All tested products for consumer users were awarded the AV-TEST “Advanced Certified” certificate, as they achieved at least 75 percent of the maximum 35 points (26.5 points) in the test.

11 corporate user products in the ATP test

The result of the 11 endpoint solutions for companies shows there is still room for improvement for some of the vendors. The 7 solutions from Avast, Bitdefender, Huawei, Kaspersky (two versions), Microsoft and Microworld delivered excellent defense against the attackers in all 10 scenarios, earning them the full score of 35 points for their protection score.

On the other hand, HP Security, Qualys and Rakeen detected all 10 attackers, although they did encounter some issues. For example, HP Security and Qualys each detected one infostealer, but they were not able to completely stop it. The infostealer collected data and even extracted a small part of it and uploaded it to the Internet, which led to a deduction in points: 2.5 instead of 4 points. Both products received a protection score of 33.5 points in the end.

Rakeen ran into a similar situation with one ransomware. It managed to detect it; however, it couldn’t completely stop it. Some of the active components were able to spread to other parts of the system and encrypt individual files. In this case, the product only earned 0.5 out of 3 points possible, attaining a total score of 32.5 points in terms of protection.

The product having the greatest difficulties in the test was from Trellix. One infostealer waltzed in completely undetected and wreaked havoc. In the end, the data the malware was looking for was extracted and all 4 points were lost. What’s more, the product was able to detect – but not completely block – a ransomware sample. The end result was that some data was encrypted and an additional 2.5 points were lost. Bottom line: Trellix earned 28.5 out of 35 possible points.

Two conditions must be met in order for a solution for corporate users to receive the “Advanced Approved Endpoint Protection” certification: They need to achieve the required 75 percent (at least 26.5 points) out of 35 points for the protection score in the test and regularly participate in the bimonthly Windows tests. For this reason, all products received the certificate, with the exception of Huawei, which has not regularly participated in the tests.

The ATP test reveals more than simple malware detection

Nearly every one of the vendors with protection products for consumer users attained the top score of 35 points for protection: Avast, AVG, Avira, Kaspersky, McAfee, Microsoft and Norton. 

On the other hand, the situation looked much different with the solutions for corporate users. Here, only 7 out of 11 tested solutions managed to hit the top score and receive the full 35 points: Avast, Bitdefender, Huawei, Kaspersky (with both versions), Microsoft and Microworld. Coming in close behind with 33.5 points were the solutions from HP Security and Qualys.

The Advanced Threat Protection test – or ATP test, for short – demonstrates that high-quality protection products are capable of more than just malware detection and malware blocking. As the test showed, even when products do not completely block the malware, they still provide ample protection, ensuring that the system is not completely lost. This can mean a huge advantage for consumer users, but for corporate users, this difference can determine whether the company sinks or swims in a critical situation.

Consumer Users 10/2025

Free Antivirus
Internet Security
Internet Security for Windows
Premium
Total Protection
Defender Antivirus (Consumer)
Norton 360
TotalAV

Corporate Solutions 10/2025

Ultimate Business Security
Business Security Enterprise
Wolf Security
HiSec Endpoint
Endpoint Security
Small Office Security
Defender Antivirus (Enterprise)
eScan Enterprise EDR
Endpoint Protection
Endpoint Security
