One-click repair or system chaos? 17 protection packages and tools in a repair test after a virus attack
It's a common scenario: a user is careless enough to launch unknown files without an adequate protection package for Windows, then system chaos is unleashed by malware. Suddenly the PC starts running haywire, slowing down and often even failing to open helpful websites of antivirus manufacturers. This is precisely the scenario in which protection packages or special tools are supposed to make things right again. The laboratory at AV-TEST examined whether they are truly capable of doing so in a comprehensive repair test. In the process, 9 protection packages and 8 special tools were required to show what they could do.
17 candidates put to the test
The latest test, which ran from January to June 2017, examined the following protection packages and special tools for clean-up after a malware infection:
9 security packages
- Avast Free Antivirus 17.5
- Avira Antivirus Pro 15.0
- Bitdefender Internet Security 21.0
- Enigma Software SpyHunter 4
- G Data Internet Security 25.3
- Kaspersky Internet Security 17.0
- Malwarebytes Premium 3.1
- Microsoft Security Essentials 4.10
- Symantec Norton Security 22.9
8 special tools (freely available on the Internet)
- Avast Rescue Disk
- Bitdefender Rescue Disk 2.1
- DE Cleaner Antibot 3.7
- G Data BootMedium
- Heise Disinfect 2016/17
- Kaspersky Virus Removal Tool 15.0
- Microsoft Safety Scanner 1.0
- Microsoft Windows Defender Offline
Here is how the protection packages were tested
1. They were installed on an already infected system
2. In the second scenario, the antivirus protection was switched off briefly for infection, then reactivated. This simulated the case in which the security package initially does not recognize the attacker, which is able to penetrate the system, and the solution only receives the detection information after the fact.
Here is how the special tools were tested
All the special tools were used on already infected systems, as is the case in everyday use.
The result is illustrated in stages
1. Was the malware detected?
2. Were the active malware components completely removed?
3. Did any harmless file remnants remain, and were all the changes to the system reversed?
4. How often did the security package or special tool perfectly remove and repair everything?
Many came out on top, and a few flopped
The most difficult part of this test: almost everything involved manual labor, because many individual queries have to be answered for infected systems and when cleaning up and restoring the system. But the time and effort always paid off!
Here is how the protection packages performed
The only protection package that removed all 38 tested attacks without leaving any remnants at all – not even harmless traces – is Kaspersky Internet Security. This is followed by the products from Bitdefender, Avast, G Data, Avira and Symantec. They left only 4 to 9 harmless file remnants. But the system was repaired and free of malware threats.
In 3 cases, Malwarebytes was unable to remove the detected active malware components. Microsoft's Security Essentials also had the same problem in 3 cases, but this was compounded by 2 undetected malware threats. Bringing up the rear is Enigma Software with SpyHunter. While it did capably solve 32 test cases, in 6 instances it did not even detect the attacker.
Here is how the special tools performed
The best tool in this category also comes from Kaspersky – the Virus Removal Tool. In the 19 separately-conducted test cases, all the attackers were eliminated, and each system was restored error-free. Even harmless file remnants were no longer found. Bitdefender Rescue Disk worked almost as well. It left harmless file remnants behind in only 3 cases.
The rescue tools Heise Disinfect and G Data BootMedium detected all 19 malware threats and deleted the dangerous components. But there was practically no instance where the harmless file remnants were cleaned up as well.
Microsoft Windows Defender as an offline version and Avast Rescue Disk did always detect all malware threats, but in 2 cases each they were unable to remove the active components of the malware. The remaining performance, however, was good.
The Microsoft Safety Scanner failed to detect 2 malware threats at all and was unable to remove the active component on one of the attackers.
The DE Cleaner Antibot did perform well on 14 attackers, a total of 5 attackers went totally undetected. That was the weakest performance in the test. The sad part, however, is that the tool comes highly recommended. Because it is part of the free service of the eco – Association of the Internet Industry. Several Internet service providers are members of the German association, for example, and a German government agency (Federal Ministry of the Interior) recommends the service.
Strong helpers to the rescue
Anyone caught in a bind due to an attack caused by carelessness will find a strong ally in good protection software or free special tools. According to the table, users are in good hands in all scenarios with Kaspersky. In both the clean-up and repair test with the protection package, as well as with the special tool, everything was restored to its condition prior to the attack.
But the suites from Bitdefender, Avast, G Data, Avira and Symantec also delivered a strong performance. They only missed cleaning up some harmless junk files. As valiant first-responders, they were beyond reproach, however.
Microsoft Security Essentials and the suite from Enigma Software still need to considerably improve their detection rates before they can be considered a top choice.
If the user needs a rescue tool for booting from a USB stick or CD, there are special tools available. Foremost, naturally, the Kaspersky Virus Removal Tool. But Bitdefender Rescue Disk, Heise Disinfect and G Data BootMedium are also very good first responders in a dire emergency.
The use of DE Cleaner Antibot, highly-acclaimed and widely distributed in Europe, did not achieve success in a quarter of the cases and therefore is not recommended.
Here is how the test worked
The scenarios in the test are simulated realistic conditions of a malware attack. All attacks were evaluated individually, the systems were restored and subsequently compared with a reference system down to the last bit.
It is a test involving major time and effort, that is for sure. In each test phase, a clean Windows system must be infected with an individual malware sample and detected, cleaned up and restored by the protection software. If the protection solution or tool is of the opinion that everything is complete, this is also checked out as well. To do so, the test team compares the cleaned system with a Windows reference system down to the bit level. This ensures that any file remnant, such as a tiny text file, can be ferreted out. Everything found by the team is again analyzed and categorized. Is it a harmless file remnant or a persistent dangerous component of the attacker, ready to re-infect the system at any time?
In the test with the protection suites, the lab team even takes two test scenarios into account. On the one hand, it attempts to install a production solution on an already-infected system. This happens often under everyday conditions if a user in an emergency seeks to rescue their system without existing protection software. In the second scenario, the attack of zero-day malware is simulated by briefly deactivating the protection suite. Then the malware is copied onto the system. This simulates the protection software's failing to detect the malware in case of an attack. Afterwards, the protection is reactivated and the testers check to see whether the infection is detected and repaired. Here as well, everything is naturally compared again down to the last bit.