August 25, 2025 | Text: Markus Selinger | Antivirus for Windows

Prevention against ransomware and info stealers: 20 security solutions in the ATP test

Take a look at any study on the subject of malware: ransomware and info stealers have consistently been on the front line of cybersecurity threats for years now. Good protection software detects attackers before they wreak devastation. But what happens if the attackers are not readily detected by the software? This question is answered by the Advanced Threat Protection test – ATP test for short. In the process, the experts in the lab examine whether the current 20 protection solutions detect the malware directly or whether further protection mechanisms only protect a system from damage in later stages. The test reveals that even if malware is not detected, the battle is far from over. Many a protection package tussles with an attacker over many rounds, ultimately leading security to victory.

Advanced Threat Protection test under Windows 10 – 20 products for consumer users and corporate users were required to defend against ransomware and info stealers

They are often referred to as the malware "Top Ten" – although a leading position in this list is anything but good news. While the names in the malware charts of security vendors may change, ransomware and data stealers still dominate the list. Security packages not only have the task of detecting malware directly. They must also be capable of stopping it at a later stage of an attack. The Advanced Threat Protection test – ATP test for short – shows, in 10 live scenarios, at which step the evaluated security solutions succeed against an attacker. Often the attacker is taken down quickly upon detection, but sometimes the fight goes down to the last round and individual files are encrypted or stolen. Unfortunately, there are also cases in which the attacker is recognized neither immediately nor later through its actions, so no alarm is triggered. This scenario occurred several times in this test.

20 programs - 200 defensive scenarios

The current ATP test includes 20 software packages for protecting Windows systems. 8 packages cater to the PCs of consumer users – the other 12 solutions are designed for Windows endpoints of corporate users. The products were tested in May and June 2025 under Windows 10 – the operating system still in use on most PCs by companies and consumers. The following vendors of packages for consumer users participated in the current test: Avast, AVG, Bitdefender, ESET, K7 Computing, Kaspersky, McAfee and Norton. And the following solutions were in the line-up of solutions for corporate users: Acronis, Avast, Bitdefender, Check Point, ESET, Huawei, Kaspersky (with 2 versions), Microworld, Qualys, Trellix and WithSecure.

ATP test: 8 Windows security packages for consumer users

The Advanced Threat Protection test under Windows 10 reveals how well security packages can dispatch persistent attackers

ATP test: security solutions for corporate users

Of the 12 endpoint protection solutions examined, 9 showed error-free performance in the ATP test under Windows 10 in all scenarios


Vendors can achieve up to 35 points for their protection score in the respective table. This score is made up of the maximum points for defense against 5 malware samples involving ransomware and info stealers. Since the defensive steps are different for the two malware categories, a product can receive 3 points per ransomware and 4 points per info stealer fended off. If an attack is only partially thwarted in one step, half points are awarded accordingly.

The team of experts documents all defensive steps – whether successful or not – for each product in a matrix in accordance with the MITRE ATT&CK standard. This allows the test process to be precisely tracked.

Every attack carried out in the test starts in the same way: A spear phishing e-mail lands on a Windows system and includes an archive in its payload. In the 10 scenarios, this involves either an executable EXE file or an .LNK link file with hidden malware code. This is usually followed by further steps using PowerShell or other methods. All the steps can be found in the individual scenarios.

The 10 test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database under "Techniques", for example "T1566.001" under "Phishing: Spearphishing Attachment". Each test step is thus clearly defined for experts and can be followed logically. In addition, all attack techniques are explained, along with how successful the malware is.


How well products for consumer users fend off attackers

Almost all of the evaluated 8 packages for consumer users in the May-June test delivered excellent performance. 7 products passed all test scenarios without a single glitch and protected Windows systems from damage: Avast, AVG, Bitdefender, K7 Computing, Kaspersky, McAfee and Norton. For this they all received the maximum 35 points for their protection score.

Only the security package from ESET allowed ransomware to get through: The attacker was not immediately recognized – not even during subsequent actions. The end result was that the system was lost and all data was encrypted. This left ESET with 9 error-free scenarios and 32 out of 35 points on the protection score.

All tested packages were awarded the AV-TEST "Advanced Certified" certificate, as they achieved at least 75 percent of the maximum 35 points (26.5 points) in the test.

How well endpoint solutions fend off attackers

The result in terms of solutions for corporate users looks excellent. Of the 12 products tested, 9 achieved the maximum 35 points for their protection score: Acronis, Avast, Bitdefender, Kaspersky (both versions), Microworld, Qualys, Trellix and WithSecure. Only the 3 products from ESET, Huawei and Check Point experienced a few minor problems.

ESET's product did not detect ransomware in one case and did not stop it in subsequent actions. Thus, the system was encrypted and a full 3 points were lost. The result was 32 out of 35 possible points for the protection score.

Huawei's solution did not recognize a data stealer and allowed it free rein, including theft of data. This meant that 31 out of 35 points were achieved – 4 points fewer than the maximum number.

The product from Check Point suffered the biggest hit: It failed to identify a data stealer in the test and did not initiate any further actions afterwards. This led to 4 points being deducted. In two other cases, Check Point detected the ransomware, but did not block it completely. As a consequence, the encryption software was launched. But the solution continued to put up a fight against the attacker. In the end, it was a draw: the ransomware was stopped, but some data was encrypted. One point was deducted for each case. This left the solution with only 29 out of 35 possible points when it came to the protection score.

All the evaluated endpoint solutions were able to receive "Advanced Approved Endpoint Protection" certification, as they achieved the necessary 75 percent (at least 26.5 points) out of 35 points for the protection score.

Conclusion: stable protection values in the ATP test

The test went very well for most products – for consumer users as well as for corporate users. As a result, 16 of the 20 products examined showed perfect performance, attaining the full 35 points on the protection score.

Of the 8 products for consumer users, only one vendor suffered a miss in one instance of ransomware. All in all, 79 of the 80 scenarios examined were error-free.

The field of the 12 endpoint solutions tested was somewhat more varied. Here as well, 9 of the 12 solutions mastered the 90 scenarios examined error-free. Only 3 products had their difficulties with some malware, yet still provided a very high level of protection.
