February 04, 2020 | Repair tests for Windows

Here Are the Best Helpers After a Malware Attack

No matter how devastating an attack on a Windows PC is, the initial response is to attempt a repair. But which software package is capable of reliably doing so? AV-TEST tested 7 security solutions and 4 special tools.

Repair test under Windows 10

7 security suites and 4 special tools in the recovery test


Users quickly notice when their PCs have been hit by an attack: the computer often slows down or automatically displays and closes windows, and you simply know that something is different about the PC. Before the computer becomes, in the worst case, a willing soldier in a botnet, it ought to be checked, the malware samples removed and Windows restored. In its repair test, AV-TEST evaluated how well Internet security suites or special tools can find and delete malware and restore the system to a clean and secure state. The test ran from October 2019 to the beginning of January 2020.

11 products with 27 or 54 individual tests each

In the elaborate test, the lab tested 7 protection packages and four special tools. Each package was required to identify 27 or 54 selected attackers, remove them and repair their damage. For a realistic routine, the lab uses three test phases:

Test 1: A protection package is installed on an infected Windows system.

That is the classic recovery scenario. The malware and all its components need to be identified and deleted through the use of the protection package, and the system repaired. This means 27 individual tests per package.

Test 2: Existing protection software is briefly shut down to allow for infection.

This phase simulates the case in which the malware launches after initially not being identified by the protection package. Afterwards, the security suite is reactivated, and an evaluation is performed as to whether the attacker is identified and deleted, and everything is repaired. This means an additional 27 individual tests per product.

Test 3: A special tool is deployed for recovery.

Another classic scenario: After a successful attack, a special tool is used for recovery, usually a bootable recovery CD, DVD or USB stick. 

All tests require a relatively high degree of manual labor, as the protection solutions often display individual info windows requiring confirmations. Moreover, every system is checked after the successful attack and repair and it is reset for the next test round.

Clean-up and repair test of protection packages

The security suites were tested for their clean-up performance in two scenarios

Protection packages in the repair test

Kaspersky Internet Security and Norton Security lead the test table as the most reliable packages

4 special tools in the repair test

The tool from Kaspersky is the best by far in terms of rescue and repair


The protection packages in the test

The 4 special tools tested

The special tools, with the exception of Heise Desinfec't 2019, are all available on the Web as free downloads – usually as an ISO file or a ready-to-use rescue stick.

Identify, delete, repair

The routine for the individual test case may sound quite simple – but unfortunately, it isn't always that way. The tables show the results for the 7 protection packages and the 4 rescue tools. The individual values are color-coded according to a traffic light system for better understanding:

  • Dark red: the malware is not detected
  • Red: active, dangerous malware components are not removed
  • Yellow: harmless file remnants are left behind
  • Green: the number of completely cleaned systems

The individual clean-up values are marked in the tables. For an easier overview, there is a column for clean-up performance. The lab awards 3 points for each completely clean system. If only one harmless remnant is overlooked, there are 2 points. For a detected malware threat where dangerous file remnants are left behind, 1 point is awarded. If a malware sample is not detected, no points are awarded. Repair performance is then calculated based on the number of cases examined times 3 points. For the software packages, this formula adds up to 27 instances, times 3 points, for a maximum of 81 points, i.e. 100 percent.

Protection packages are valiant first responders

With the best clean-up performance in the test of protection packages, Kaspersky Internet Security defends the upper end of the table, as already seen in the last endurance repair test from AV-TEST. At 98.1%, the result is even a little bit better than in the last test. The Norton Security package follows close behind with 96.9%. The two packages overlooked only 3 and 5 instances, respectively, of benign file remnants, such as text files.

But the packages of Avast, AVG and Microsoft also left behind 8 to 16 cases of harmless data remnants. They do remove all malware samples and components, however.

In the test, Bitdefender and Avira each fail to identify the malware and thus cannot remove it. This problem naturally tarnishes the quality of the otherwise reliable rescue protection suites.

Kaspersky Internet Security

The suite shows the best performance of all protection packages in the clean-up and repair test

NortonLifeLock Norton Security

The suite achieves excellent results in the repair test and leaves harmless file remnants only five times

Avast Free Antivirus

The free protection package always removes the malware samples and their dangerous components

Kaspersky Virus Removal Tool

The recovery tool from Kaspersky shows the best performance by far in the repair test: 97.5 percent clean-up performance


A tool for all occasions

Among the tools as well, Kaspersky leads the table with its Virus Removal Tool, earning an almost perfect score and a clean-up performance of 97.5 percent. There were only two instances in which it did not remove harmless file remnants.

With respect to the other tools, the situation is a bit different. While the tools from G Data and Heise recognize all malware samples, they are not able to remove the active malware component in every case. Both leave harmless remnants in 24 out of 27 cases.

The tool from VIPRE Security cannot truly help in some cases: 4 times it fails to identify the malware sample, 4 times it is not able to remove the active malware component. That represents roughly a third of test cases.

Conclusion: after an attack, things can return to normal

Repairing an infected Windows system is possible. This is shown conclusively by the latest test. Anyone who relies on the appropriate protection suite has a strong partner even in the case of a post-infection repair. This is shown especially in the test in which non-detection is simulated and the package is required to show what it can do. In the test, post-infection repair was achieved by all protection packages. A comforting result. In the final analysis, however, the package from Kaspersky remains the standard by which all others are measured.

This impression continues seamlessly in the test of the special tools. Here as well, Kaspersky with its Virus Removal Tool and 97.5 percent clean-up performance demonstrates how a product should function. The tools from G Data and Heise don't do a bad job either, but they do fail in at least one case.

Ransomware – the somewhat different attack

The lab at AV-TEST is continually asked whether ransomware was also evaluated in the repair tests. That is not the case, as active ransomware would encrypt the system and thus traditional system clean-up would not be possible. How well protection packages detect all malware samples, including ransomware, is revealed by the Windows virus protection tests for home users and for business users every 2 months.
