Endurance Test: Windows Rescue after a Virus Attack
No user wants to simply abandon their well-configured Windows system in the aftermath of a malware attack. And no one has to either! From January to December 2018, AV-TEST launched countless attacks on Windows systems in the lab and rescued them with security packages and special tools. Here is the result:
In the laboratory, every user's worst nightmare occurred hundreds of times over: Windows is overrun by malware that becomes embedded in the system. Afterwards, the lab examined whether Internet security suites or special tools could liquidate the intruders and restore the systems to a clean and secure condition. The sophisticated laboratory test was conducted from January to December 2018 in 4 major test rounds. The experts evaluated 7 protection packages and 5 special tools in more than 830 individual tests.
Strong tools to the rescue
In an endurance test, the laboratory vetted the protection packages and tools in various real-life scenarios:
In the first test, the protection packages were installed after a (single) attack, and the experts examined whether the malware, with all its dangerous and harmless components, had been removed.
During the second test, a protection package was installed, then briefly deactivated. The lab then copied a malware sample onto the system and launched it. Finally, the protection software was reactivated. This procedure recreates the situation where malware initially has gone undetected and is now only noticed after the fact.
The third test with the special tools was carried out only on already infected systems, as this always involves bootable rescue CDs, DVDs or USB sticks with their own operating system, usually Linux-based.
Following each individual test, i.e. 830 instances, the rescued Windows system was compared bit by bit with the previous back-up of a reference system. This enabled the testers to quickly discover whether or not the system was 100 percent rescued and cleaned. What could remain were innocuous file remnants or even dangerous components from the attacker. In the worst case, a protection application or tool would fail to detect a malware threat at all. The lab recorded each of these post-rescue conditions individually in the tables.
7 Internet security suites put to the test
- Avast Free Antivirus
- Avira Antivirus Pro
- Bitdefender Internet Security
- Kaspersky Internet Security
- Malwarebytes Premium
- Symantec Norton Security
- Windows Defender Antivirus
The 5 special tools tested
- Bitdefender Rescue Disk
- Heise Desinfec't 2018
- Kaspersky Virus Removal Tool
- Microsoft Safety Scanner
- Vipre Virus Removal Tool
The special tools are all available on the Web as free downloads – usually as an ISO file or a ready-to-use rescue stick.
The result: Help is on the way!
The test tables provide a clear overview of the results for the 7 protection packages and the 5 rescue tools. The individual values are highlighted in color for a better overview:
- Dark red: the malware was not detected
- Red: the active, dangerous malware components were not removed
- Yellow: harmless file remnants were left behind
- Green: the number of completely cleaned systems
In the last columns, the lab recorded the clean-up performance in points and percentages. For each totally cleaned system, the laboratory awarded 3 points. If only one harmless remnant was overlooked, there were only 2 points. If the malware was detected but dangerous file remnants were still left behind, only 1 point was awarded. If nothing was detected at all, no points were earned. Clean-up performance was then calculated relative to the maximum score, i.e. the number of cases examined times 3 points. For the software packages, this adds up to 88 cases times 3 points = 264 points – the maximum point score, i.e. 100 percent.
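The comparison against a reference system and the point scheme described above, as an added example that is not AV-TEST's own tooling: each rescued system's file manifest is diffed against the reference, the leftovers decide the outcome, and the outcomes are scored. The file paths, snapshot contents and the `active_paths` labelling are constructed assumptions; the outcome counts for Avast and Kaspersky are the ones reported in this article.

```python
import hashlib
from collections import Counter

# Points per outcome, as described in the article's scoring paragraph.
POINTS = {"clean": 3, "harmless_remnant": 2, "dangerous_remnant": 1, "undetected": 0}

def manifest(snapshot):
    """Map each path in a {path: bytes} snapshot to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}

def classify(reference, rescued, detected, active_paths):
    """Classify one rescued system by diffing it against the reference manifest.

    active_paths is an assumption: paths an analyst has labelled as active
    malware components. Any other added or modified file counts as harmless.
    """
    if not detected:
        return "undetected"
    leftover = {p for p, digest in rescued.items() if reference.get(p) != digest}
    if not leftover:
        return "clean"
    return "dangerous_remnant" if leftover & active_paths else "harmless_remnant"

def cleanup_performance(outcomes):
    """Return (points, maximum, percent) for a list of per-system outcomes."""
    counts = Counter(outcomes)
    points = sum(POINTS[name] * n for name, n in counts.items())
    maximum = 3 * len(outcomes)
    return points, maximum, round(100 * points / maximum, 1)

# Constructed sample snapshots (not lab data): one reference, two rescued systems.
REFERENCE = manifest({r"C:\Windows\notepad.exe": b"MZ-original", r"C:\Users\t\doc.txt": b"hello"})
LEFT_LOG = manifest({r"C:\Windows\notepad.exe": b"MZ-original", r"C:\Users\t\doc.txt": b"hello",
                     r"C:\Users\t\AppData\dropper.log": b"trace"})
LEFT_EXE = manifest({r"C:\Windows\notepad.exe": b"MZ-original", r"C:\Users\t\doc.txt": b"hello",
                     r"C:\Users\t\AppData\svc.exe": b"MZ-payload"})
ACTIVE = {r"C:\Users\t\AppData\svc.exe"}

if __name__ == "__main__":
    print(classify(REFERENCE, LEFT_LOG, True, ACTIVE))   # harmless_remnant
    print(classify(REFERENCE, LEFT_EXE, True, ACTIVE))   # dangerous_remnant
    # Outcome counts taken from the article: Avast 82/6/0/0, Kaspersky 84/2/2/0.
    avast = ["clean"] * 82 + ["harmless_remnant"] * 6
    kaspersky = ["clean"] * 84 + ["harmless_remnant"] * 2 + ["dangerous_remnant"] * 2
    print(cleanup_performance(avast), cleanup_performance(kaspersky))
```

Both suites reach 258 of 264 points, so the percentage alone does not show that one of them left active components behind on 2 systems; the per-outcome counts do.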
Good protection suites in an emergency
In the 7 security suites tested, there are 3 first place rankings with clean-up performance of 97.7 percent each in 88 test cases: Avast Free Antivirus, Avira Antivirus Pro and Bitdefender Internet Security. They each rendered 82 systems absolutely clean and left only harmless file remnants in 6 cases. That's almost perfect performance.
Kaspersky Internet Security also achieved a clean-up performance of 97.7 percent in the 88 cases, yet the individual results were different. Kaspersky Lab was able to totally clean up 84 systems, overlooking harmless data file remnants on only 2 systems. However, the overall result was dampened because dangerous file remnants could not be cleaned up on 2 systems.
Symantec Norton Security showed a similar result. This protection package also detected all attackers in 88 cases, yet was unable to clean up all dangerous components in 2 systems. Otherwise a top performance: harmless file remnants in 6 instances and 80 completely clean systems.
Windows Defender and Malwarebytes Premium both had the same problem: they each failed to detect the malware in 2 out of 88 cases. In addition, dangerous file remnants were overlooked in one instance by Defender and in two instances by Malwarebytes. The remainder of the test delivered impressive results for both solutions.
Tools that really help in an emergency
In the test involving the 5 special tools, the outcome revealed slightly mixed results, as with the security suites. The Kaspersky Removal Tool and the Bitdefender Rescue Disk detected the malware in all 44 test cases. However, in one instance, both tools were unable to completely delete the dangerous components. Kaspersky's tool finished with the best overall score of 97.7 percent for cleaning performance, with 42 totally clean systems and 1 system with harmless file remnants. Following close behind is the tool from Bitdefender with a success rate of 96.2 percent: 40 clean systems and 3 instances of annoying file remnants.
The Heise tool Desinfec't 2018 also detected all the malware samples, yet it overlooked harmless file remnants in a vast number of cases, 34, and was thus able to scour only 8 systems totally clean. In 2 other instances, the tool was not able to delete harmful data components.
The Microsoft Safety Scanner had complete misses for 3 malware samples, and for the Vipre Virus Removal Tool, that figure even reached 6 out of 44 tests. Add to this the fact that in the case of both tools, there were additional dangerous file remnants they were unable to remove. The tool from Microsoft did manage to help in 39 cases, and the tool from Vipre in 33 out of 44 tests.
There is help after an attack
The test indicates that a user with an infected system does not have to give up hope. In the endurance test, the protection suites from Avast, Avira and Bitdefender demonstrated that they are capable of ridding the systems of malware and cleaning up everything afterwards. For all of them, only a few harmless file remnants remained.
For the special tools, the result is a bit different, yet they still offer tremendous assistance in an emergency. The tools from Kaspersky and Bitdefender achieved clean-up performance of over 96 percent in the test. They were unable to delete the active components in only one instance. A look into the test journals reveals that they had difficulties with different malware. In practice, this means that using both tools in sequence can achieve the very best results.
Special case of ransomware
In the endurance test from January to December 2018, ransomware was not among the malware samples. This is because active ransomware generally encrypts all the data immediately. Protection software or tools can indeed identify and delete ransomware attackers, but traditional clean-up is not possible; the data is too heavily encrypted. That is why everyone needs to be reminded to make backups on external hard drives. And don't forget: When backups are completed, detach the external hard drive from the PC, otherwise the backup drive will be encrypted along with the system.