Here Are the Best Helpers After a Malware Attack
No matter how devastating an attack on a Windows PC: the initial response is to attempt a repair. But which software package is capable of reliably doing so? AV-TEST tested 7 security solutions and 4 special tools.
Users quickly notice when their PCs have been hit by an attack: the computer often slows down, automatically displays and closes windows, you simply know that something's different about the PC. In the worst case, before the computer becomes a willing soldier in a botnet, however, it ought to be checked, malware samples removed and Windows restored. In its repair test, AV-TEST evaluated how well Internet security suites or special tools can find and delete malware, in addition to restoring the system to a clean and secure status. The test ran from October 2019 to the beginning of January 2020.
11 products with 27 or 54 individual tests each
In the elaborate test, the lab tested 7 protection packages and four special tools. Each package was required to identify 27 or 54 selected attackers, remove them and repair their damage. For a realistic routine, the lab uses three test phases:
Test 1: A protection package is installed on an infected Windows system.
That is the classic recovery scenario. The malware and all its components need to be identified and deleted through the use of the protection package, and the system repaired. This means 27 individual tests per package.
Test 2: Existing protection software is briefly shut down to allow for infection.
This phase simulates the case the malware launches after initially not being identified by the protection package. Afterwards, the security suite is reactivated, and an evaluation is performed as to whether the attacker is identified and deleted, and everything is repaired. This means an additional 27 individual tests per product.
Test 3: A special tool is deployed for recovery.
Another classic scenario: After a successful attack, a special tool is used for recovery, usually a bootable recovery CD, DVD or USB stick.
All tests require a relatively high degree of manual labor, as the protection solutions often display individual info windows requiring confirmations. Moreover, every system is checked after the successful attack and repair and it is reset for the next test round.
Clean-up and repair test of protection packages
Protection packages in the repair test
4 special tools in the repair test
The protection packages in the test
- Avast Free Antivirus
- AVG Internet Security
- Avira Antivirus Pro
- Bitdefender Internet Security
- Kaspersky Internet Security
- Microsoft Defender
- NortonLifeLock Norton Security
The 4 special tools tested
- G Data Boot Medium
- Heise Desinfec't 2019
- Kaspersky Virus Removal Tool
- Vipre Security Virus Removal Tool
The special tools, with the exception of Heise Desinfec't 2019, are all available on the Web as free downloads – usually as an ISO file or a ready-to-use rescue stick.
Identify, delete, repair
The routine for the individual test case may sound quite simple – but unfortunately, it isn't always that way. The tables show the results for the 7 protection packages and the 4 rescue tools. The individual values are color-coded according to a traffic light system for better understanding:
- Dark red: the malware is not detected
- Red: active, dangerous malware components are not removed
- Yellow: harmless file remnants are left behind
- Green: the number of completely cleaned systems
The individual clean-up values are marked in the tables. For an easier overview, there is a column for clean-up performance. The lab awards three points for each completely clean system. If only one harmless remnant is overlooked, there are 2 points. For one detected malware threat involving dangerous file remnants left behind, 1 point is awarded. If a malware sample is not detected, no points are awarded. Repair performance is then calculated based on the number of cases examined times 3 points. For the software packages, this formula adds up to 27 instances, times 3 points, for a maximum 81 points, i.e. 100 percent.
Protection packages are valiant first responders
With the best clean-up performance in the test of protection packages, Kaspersky Internet Security defends the upper end of the table, as already seen in the last endurance repair test from AV-TEST. At 98.1%, the result is even a little bit better than the last test. The Norton Security package follows close behind with 96.9%. Both packages overlooked only 3 and 5 instances respectively of benign file remnants, such as text files.
But the packages of Avast, AVG and Microsoft also left behind 8 to 16 cases of harmless data remnants. They do remove all malware samples and components, however.
In the test, Bitdefender and Avira each do not identify the malware and thus cannot remove them. This problem naturally tarnishes the quality of the otherwise reliable rescue protection suites.
Kaspersky Internet Security
NortonLifeLock Norton Security
Avast Free Antivirus
Kaspersky Virus Removal Tool
A tool for all occasions
Also among the tools, Kaspersky with its Virus Removal Tool is leading the top of the table, earning almost a perfect score and clean-up performance of 97.5 percent. There were only two instances in which it did not remove harmless file remnants.
With respect to the other tools, the situation is a bit different. While the tools from G Data and Heise recognize all malware samples, they are not able to remove the active malware component in each case. Both leave harmless remnants in 24 out of 27 cases.
The tool from VIPRE Security cannot truly help in some cases: 4 times it fails to identify the malware sample, 4 times it is not able to remove the active malware component. That represents roughly a third of test cases.
Conclusion: after an attack, things can return to normal
Repairing an infected Windows system is possible. This is shown conclusively by the latest test. Anyone who relies on the appropriate protection suite has a strong partner even in case of a post-infection repair. This is shown especially in the test in which non-detection is simulated and the package is required to show what it can do. In the test, post-infection repair was achieved even by all protection packages. A comforting result. In final analysis, however, the package from Kaspersky remains the standard by which all others are measured.
This impression continues seamlessly in the test of the special tools. Here as well, Kaspersky with its Virus Removal Tool and 97.5 percent clean-up performance demonstrates how a product should function. The tools from G Data and Heise don't do a bad job either, but they do fail in at least one case.
Ransomware – the somewhat different attack
The lab at AV-TEST is continually asked whether ransomware was also evaluated in the repair tests. That is not the case, as active ransomware would encrypt the system and thus traditional system clean-up would not be possible. How well protection packages detect all malware samples, including ransomware, is revealed by the Windows virus protection tests for home users and for business users every 2 months.