Skip navigation

Put to the test for 12 months: This is how well security packages and special tools help after an attack

First comes the malware attack, then the chaos in recovering the data. But it doesn't have to be that way. In an endurance test, AV-TEST discovered which security packages and special tools really help. Here are the results of the 15 good and mediocre applications.

Repair endurance test for security suites: This is how well security packages can clean up and repair a system after infection or in case of short-term non-detection of malware.

8 security suites in the repair endurance test: Four of the security packages tested for 12 months cleaned up and repaired all malware attacks – Avira Antivirus Pro particularly well.

Repair tools for emergencies: The Virus Removal Tool from Kaspersky demonstrated 39 times in the test how to clean up and repair everything.

Avira Antivirus Pro: The paid product from Avira excelled in all the tests throughout the year in terms of system recovery and clean-up.

Kaspersky Virus Removal Tool: In the endurance test, the special tool was able to clean up and repair all Windows systems.

One click is often sufficient – then it happens: the Windows PC has unwanted visitors in the form of viruses, Trojans, etc. Once they have become embedded, they call in reinforcements, blocking websites that could help, and begin to feast on personal data. It's a nightmare.

There is perfect help after an attack!

Are there really good software packages and tools that can help in an emergency? In its endurance test, which took place from January to December 2016, the laboratory resolved three important questions:

- Is there protection software that can truly help after an attack?

- In case a brand-new attacker falls through the cracks, is there anything that security software can do after the fact?

- Are special clean-up or repair tools of help after a malware attack?

For some victims, the result after a 12-month endurance test must seem like a light at the end of the tunnel: The best protection software capable of helping 100% of the time in all 78 live test cases, even when installed after the fact, is Avira Antivirus Pro. The best special tool after a malware infection, tested in 39 live tests, is the Kaspersky Virus Removal Tool. For this performance, both products were recognized with the AV-TEST BEST REPAIR 2016 AWARD.

These products and tools were tested

The following security packages and rescue tools were included in the endurance test:

The 8 security suites
- Avast! Free Antivirus 2016
- Avira Antivirus Pro
- Bitdefender Internet Security 2016
- G Data Internet Security
- Kaspersky Internet Security 2016
- Malwarebytes Anti-Malware
- Microsoft Security Essentials
- Symantec Norton Security

The 7 special tools and boot CDs are freely available on the Internet
- Avira PC Cleaner
- Bitdefender Rescue CD
- Antibot CD
- Heise Desinfec't 2016
- HitmanPro
- Kaspersky Virus Removal Tool
- Microsoft Windows Malicious Software Removal Tool

This is how "live" testing was conducted 897 times

For many test scenarios, the testing procedures can be automated in the laboratory. That won't work in the repair test. Because the systems not only have to be infected in a targeted manner. All the clean-up steps after each attack in each software package have to be performed individually, and thus manually. This endurance test involves the work of 897 individual tests and countless mouse clicks!

In the lab, the 8 security packages were tested in two scenarios:
1. They were installed on an already infected system.
2. They were already installed, switched off briefly in order to infect the system, then reactivated. This simulated the case in which the security software initially does not recognize the attacker and only receives detection information after the fact. For the seven clean-up and rescue tools, only already infected systems were used.

The clean-up was tested in stages, logged and is listed in the tables:

1. Did the malware sample prevent clean-up?
2. Were the active malware components completely removed?
3. Did any harmless file remnants remain, and were all the changes to the system reversed?
4. Did the security and clean-up software perfectly remove and repair everything?

The individual results of the endurance test

After so many individual tests, you can quickly see which product or tool performed flawlessly throughout the entire year.

4 out of 8 security packages can be recommended

Avira Antivirus Pro, Kaspersky Internet Security 2016/2017, Malwarebytes Anti-Malware and Avast! Free Antivirus 2016 were not thwarted by malware samples in any of the tests. The packages were always capable of removing the dangerous active components. That is strong performance, indeed. Avira Antivirus Pro crowned the result by also completely removing all innocuous file remnants or registry entries. Thus, it is the package with the best overall performance in the endurance test.

Symantec Norton Security, G Data Internet Security and Bitdefender Internet Security 2016/2017 had to concede defeat in one or two cases. Eight times, Microsoft Security Essentials proved either totally or partially ineffective against the malware.

1 out of 7 special tools can be recommended

The result among the special tools is very clear: the Kaspersky Virus Removal Tool was able to detect all the malware, remove the dangerous core and even clean up all the innocuous file remnants. Perfect.

For all other tools, there was at least one malware sample that they either failed to detect or for which they were not capable of removing the active component. The Microsoft Windows Malicious Software Removal Tool, with 27 undetected malware threats in 42 tests cases, was completely off the charts.

Conclusion: the performance is getting better and better

Based on the tables, one can clearly see how well the suites and tools can help after a successful attack. If we compare the results from the year 2015 for the security suites and tools, we see a clear boost in performance. Especially in advanced functions, in which innocuous file remnants and entries are removed, the performance is much more perfect.

Among the security packages, the paid product, Avira Antivirus Pro, demonstrated the best performance. But Kaspersky Internet Security 2016/2017, Malwarebytes Anti-Malware and Avast! Free Antivirus 2016 are also very highly recommended. What's more, the Avast software is available for free.

Among the tools, the Kaspersky Virus Removal Tool is the clear frontrunner. It also cleans up and repairs from a boot stick or a CD.

The lab from AV-TEST is continuing to stay on the ball and constantly testing the performance of security software and tools in 2017 as well. You will simply have to be patient for further results.

Special case of ransomware

Director Testing Labs:
Erik Heyland

Many of the security packages and clean-up tools against malware also provide good help even after an attack. But not in case of ransomware or blackmail Trojans – it has to do with the nature of the problem.

In a traditional virus or Trojan attack, the malware modifies files and seizes control of the operating system or parts thereof. The file structure remains readable for anyone, however – also for antivirus software or special clean-up tools. Not so in the case of ransomware – also referred to as crypolockers. As a first step, the system is penetrated as with a Trojan, but immediately thereafter, files, folders or entire volumes are encrypted. While it is true to that antivirus software would be capable of deleting the attacker after the fact, it cannot decrypt the data.

That is why it is always recommended that users create backups only on external drives that are not constantly connected to the PC. Because during such an attack, all connected drives are often encrypted. This includes external drives, network storage devices or cloud storage integrated as a folder, such as Dropbox.

Help on the Internet

For victims of ransomware attacks, there are a few help websites that provide decryption algorithms found by manufacturers and authorities (ID-Ransomware).

Additional help is offered by the initiative No More Ransom. On this site, there are tips and help for victims of ransomware. There you can upload an encrypted file, for example, and identify the ransomware in this way. Moreover, there is a very large collection of tools by many different security software manufacturers for decrypting data.

The initiative was launched by the Dutch police, Europol's European Cybercrime Centre and manufacturers such as Kaspersky Lab and Intel Security. In the meantime, additional partners have joined the initiative, such as Bitdefender, Trend Micro, G Data and ESET.

Share news: