The Best after the Crash: 16 Security Suites and Tools in the Recovery Test for 12 Months
A user surfs the web, downloads files, opens a data packet, reads an e-mail, clicks on a link, and all of a sudden, something about the PC is different than usual. Suddenly, commands are no longer executed, web pages will no longer launch – the PC takes on a life of its own. That is roughly what happens when malware penetrates a user's computer and seizes control. Is there anything that can be done at this point to save the day?
The chances after an attack
The laboratory at AV-TEST has now answered this question: throughout a 12-month period, the experts examined 9 security suites and 7 special tools in terms of their performance after malware attacks. To do so, the programs were required to detect and liquidate malware samples, and to repair and clean up the Windows system. While it sounds easy, the test demonstrates that for some suites and tools, this is not always a manageable task. Despite the enhanced level of difficulty, 6 suites and 4 tools proved their high degree of reliability.
The latest test took place from January to December 2017. All products were required to complete 4 test rounds, which at the end were consolidated into one result. As the tests involve individual evaluations with a vast number of manual tasks, the test cases were limited. Each security suite was required to repair 76 attacks in the entire test period. Each special tool was confronted with 38 attacks. In total, the lab performed 950 individual evaluations!
The 16 test candidates
In the test, 9 security suites were examined. 7 packages out of the total can be obtained for a paid license, and 2 can be used for free. The lab always used the latest version in the tests.
9 Security Suites
- Avast! Free Antivirus
- Avira Antivirus Pro
- Bitdefender Internet Security
- Enigma Software Spyhunter
- G Data Internet Security
- Kaspersky Internet Security
- Malwarebytes Premium
- Microsoft Security Essentials
- Symantec Norton Security
7 special tools (freely available on the Internet)
- Avast Rescue Disk
- Bitdefender Rescue Disk
- G Data BootMedium
- Heise Disinfect
- Kaspersky Virus Removal Tool
- Microsoft Safety Scanner
- Microsoft Windows Defender Offline
The test routine is somewhat different for the suites and the tools. This is because the tools were always evaluated using a system already infected. The security suites, on the other hand, had to manage two test scenarios.
Test routine for the security suites
1. The security suites were installed on an already infected system.
2. In the second scenario, the antivirus protection was switched off briefly for infection, then reactivated. This simulated the case in which the security suite initially does not recognize the attacker, which is able to penetrate the system, and the solution only receives the detection information after the fact.
Here is how the special tools were tested
All the special tools were used on already infected systems, reflecting a typical everyday scenario.
Here is how the results are presented in the test table
1. Was the malware detected?
2. Were the active malware components completely removed?
3. Did any harmless file remnants remain, and were all the changes to the system reversed?
4. How often did the security package or special tool completely remove and restore everything?
A vast selection of good helpers
Absolute perfection in a test is naturally the scenario in which the test system looks exactly the way it did prior to the attack. Thus, it ought to remove the detected malware with all components, reverse additional changes and remove all other harmless file remnants. While this top performance was not achieved, a few of the suites and some of the tools did come very close.
Here is how the security suites performed
The two best security packages come from Bitdefender and Kaspersky with 72 out of 76 completely repaired and cleaned-up systems each. In each of the 4 cases, the tools left behind harmless file remnants.
The following suppliers of security suites performed very well, also overlooking only harmless file remnants: G Data, Avast, Symantec and Avira (in order of results). The results showed between 68 and 61 completely repaired Windows systems. Thus, 8 to 15 times, only harmless file fragments remained.
In 3 cases, the tested suite from Malwarebytes did not remove active malware components from the system. The Microsoft Security Essentials did not remove active components 4 times and even failed to detect 2 malware samples at all. The Enigma Spyhunter package had the greatest problems: a total of 6 attackers were not detected.
Here is how the special tools ranked
The special tools are led by the freeware helpers from Kaspersky and Bitdefender. They provided virtually perfect assistance in all 38 test cases. The Kaspersky Removal Tool overlooked harmless file remnants 3 times, the Bitdefender Rescue Disk 5 times.
The Heise Disinfect and the G Data BootMedium special tools also rendered the attackers harmless in 38 test cases. However, they only managed to clean up all harmless file remnants in 2 and 4 cases respectively.
While Microsoft Windows Defender Offline and the Avast Rescue Disk did detect all malware samples, in 2 and 3 cases respectively, they did not remove the active elements of the malware. The Microsoft Safety Scanner did have the same problem with only one malware sample, but it failed to detect the 2 attackers at all in 2 test cases.
Reliable helpers, they do exist
In the past, the only tip after a malware infection was: format and re-install the system. The test clearly shows that this advice is totally over-the-top today. Anyone already using a good security suite has only a small risk of being caught off guard by malware. In case a suite did not know the malware at the time of the attack, good suites can come to the rescue retroactively.
Malware in the area of ransomware, e.g. Cryptolocker, is an exception, however, as the attack is immediately followed by encryption of data. While it is true to that security software would be capable of deleting the attacker after the fact, it cannot decrypt the data. Users are urged to create backups only on external drives that are not constantly connected to the PC.
The best partners in an emergency among the 9 suites tested are the products from Bitdefender and Kaspersky. They are neck-and-neck with 98.2 percent cleaned-up and repaired systems. But other security packages also removed the malware samples and additional malicious elements from the systems as well. In only 8 to 15 cases, they left behind harmless data remnants: G Data, Avast, Symantec and Avira. The suite from Avast can even be used free of charge. The suites from Malwarebytes, Microsoft and Enigma do not work reliably enough.
Among the special tools, the situation at the top is similar. The Removal Tool from Kaspersky had the best result, edging out Rescue Disk from Bitdefender.
But the first responders from Heise und G Data are reliable in an emergency, although they are hardly capable of managing the clean-up of data garbage. By contrast, the two Microsoft tools and Avast Rescue Disk are not among the best choices.
A high amount of time and effort for better results
Currently no other laboratory puts more time and effort into its recovery test than AV-TEST. The large amount of manual labor pays off, because only just so many substantive test cases can be organized.
As is often the case, it is the manual touch that puts the finishing touches on a special work. In the recovery test, this is exactly the scenario involved. In each test case, a clean Windows system must be infected with an individual malware sample, only to be detected, cleaned up and restored by the protection software. The outcome is then precisely examined. To do so, the test team compares the rescued system with a Windows reference system down to the bit level. This enables even the smallest file remnant to be ferreted out. The findings are re-analyzed and categorized. Is it a harmless file fragment or has a malicious element of the attacker been left behind?
For the test with the security suites, the laboratory team divides the test into two parts. On the one hand, a security solution is installed on an already-infected system, as often occurs in an emergency. In the second test segment, the attack of zero-day malware is simulated by briefly deactivating the security suite. Then the malware is copied onto the system and launched. It is a way of simulating that the security software did not yet know the malware at the time of the attack. Afterwards, the protection is reactivated and the testers check to see whether the infection is detected, repaired and cleaned up.