large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Understanding antivirus test results

Our reviews of the best free antivirus and best paid-for antivirus software use publicly available data from three anti-malware testing labs: AV-TEST, AV-Comparatives and SE Labs. Here’s how to access and read that test data for yourself.

By way of full disclosure, I worked with the SE Labs team during its earlier incarnation as Dennis Technology Labs. All three testing houses provide a range of services and test results for antivirus makers, enterprise and consumers for a range of platform. Here, I’ll focus on consumer AV testing for Windows.

See the FAQ below for more detail, but ‘real-world’ malware testing involves pointing a browser or email client at a live malware source, while a static ‘reference set’ exposure usually has the anti-malware suite scan a set of known recent malware samples.

Kaspersky Anti-Virus – Now 50% off

Kaspersky Anti-Virus – Now 50% off

Essential Virus Protection

Our 5-star rated anti-virus blocks malware and viruses in real time and stops hackers, now 50% off at just £12.49 per year

  • 50% off
  • Was £24.99
  • £12.49 per year
Buy now

AV-Comparatives

AV-Comparatives anti-malware test report

Based in Austria and founded in 1999, AV-Comparatives carries out tests of consumer and enterprise anti-malware solutions for Windows, macOS and Android. AV-Comparatives typically publishes its results in comparative reports with interactive graphs and tables showing the protection and false positive performance of each antivirus suite in the group test. I focus on its real-world (live exposure) tests for the results we use in Trusted’s antivirus reviews.

Key figures to look for in the firm’s real-world tests are Blocked, which shows how many malicious programs were blocked outright, Compromised, which shows how much malware took hold on the system, and User dependent, which shows how often the antivirus tool asks the user to decided about a potential threat. These results are make up the at-a-glance Protection Rate percentage.

AV-TEST

AT-TEST anti-malware test spreadsheet

Founded in 2004, Germany’s AV-TEST carries out a wide range of enterprise and consumer anti-malware testing for Android, macOS and Windows, as well testing the security and performance of other software and devices.

AV-TEST provides at-a-glance results for each anti-malware suite it tests, using scores out of six for protection, performance, and usability. However, to see how that maps to actual performance, you’ll want the summary test results spreadseets published in the company’s publicly-accessible Press Area.

For Windows home anti-malware, these show the percentage of blocked real-world and reference set malware exposures, false positive detections of benign software, and the impact on system performance in a range of categories.

Kaspersky Anti-Virus – Now 50% off

Kaspersky Anti-Virus – Now 50% off

Essential Virus Protection

Our 5-star rated anti-virus blocks malware and viruses in real time and stops hackers, now 50% off at just £12.49 per year

  • 50% off
  • Was £24.99
  • £12.49 per year
Buy now

SE Labs

SE-Labs anti-malware test report

UK-based SE Labs, founded in 2015, tests security software for the consumer, small business and large enterprise. Reports are available as downloadable PDFs and include information on the threat landscape, a summary test methodology and a breakdown of the performance of each anti-malware suite.

Protection accuracy ratings are weighted to differentiate between blocked malware, which never gets a hold on the system, and neutralised malware, which gets onto the system but is then successfully removed by the antivirus tool – a Protection Score hashes these together, while detailed charts and graphs show the number of threats detected, blocked, neutralised or compromised. False positive detection of legitimate software is also tested, and weighted based on what kind of interaction is required from the user.

FAQ

FAQs

What is static malware testing?

Also known as reference set tests, static malware testing generally involves an on-demand scan of a range of malware, typically introduced to a test system via an external storage medium. This is useful in that it can replicate the kind of infection you might see via a USB drive or even a local network share, but it doesn’t accurately reflect everything going on.

The fact that the malware threat samples have to be collected in advantage also means that static tests tend to assess how up-to-date malware detection engines’ signature libraries are, rather than the accuracy of their behavioural or heuristic detection.

What is ‘real-world’ malware testing?

‘Real-world’ testing, also known as dynamic testing or live threat exposure is the most realistic kind of malware test. The most simple example would be pointing test systems for each antivirus suite at a website known to attempt a drive-by download or opening an email with an infected attachment and seeing how each antivirus suite responds.

In practice, testing houses often use more reproduceable systems, for example by recording and using replays of attacks using an HTTP/S traffic capture tool such as Fiddler2.

The accurate collection of logs and recording of results, and the use of a transparent methodology, is critical to the reliability and trustworthiness of such tests, leading to the formation of bodies such as AMTSO.

What is AMTSO certification?

The Anti-Malware Testing Standards Organisation publishes a protocol standard for the testing of anti-malware solutions, with a particular focus on fairness and transparency of the testing process. While it’s not in any way a guarantee of strict accuracy, AMTSO compliant tests provide enough data and information on the testing process to make their results clear and easy to follow.

What is an EICAR test file?

The EICAR antivirus Test File is a rudimentary “is this thing on?” test for malware detection engines, developed and distributed by the European Institute for Computer antivirus Research. Every antivirus program in the world is configured to detect it as a demonstration of what the detection of a real malicious file would look like.

An Eicar test file detected using Clam-TK for Linux

It’s safe for everyday users to use, and can thus be used to ensure that your antivirus suite is actually working. It does not test the real malware detection capabilities of your AV in any way whatsoever.

If a review of antivirus software relies exclusively or largely on an antivirus suite’s ability to detect EICAR files for its conclusions on the malware detection engine’s effectiveness, you should go and read a different review.

What is a false positive?

A false positive occurs when antivirus software incorrectly flags up a benign program as a potential threat. The most often occurs with unknown software.

Kaspersky Anti-Virus – Now 50% off

Kaspersky Anti-Virus – Now 50% off

Essential Virus Protection

Our 5-star rated anti-virus blocks malware and viruses in real time and stops hackers, now 50% off at just £12.49 per year

  • 50% off
  • Was £24.99
  • £12.49 per year
Buy now

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.