The name perfectly captures the nature of the tests: the samples used in the study come from real attacks on honeypots, i.e. traps that pretend to be systems or protocols and intercept malware.
The “Advanced In-The-Wild Malware Tests” are performed automatically. Before viruses are placed in machines with security programs installed, they are thoroughly analysed. We make sure that only malicious samples are admitted to the tests.
Each virus is verified in Windows 10 for 15 minutes. Because the human factor is excluded from the test, we cannot verify during the analysis that the malware has finished its activity, e.g. after 60 seconds. We therefore need to set a time threshold after which log collection is finished. We cannot rule out that malicious software will wait even several hours before it is activated; it can also wait for a specific activity, such as the start of a particular application. For this reason, we must be sure that the analysed virus is 100% malicious. We have made every effort to ensure that the sample collection is thoroughly checked beforehand, and that the tests are as close as possible to the actual use of Windows 10.
Once we are sure that the entire malware collection has been checked, each sample is sent, one at a time, to all machines. There, a threat analysis procedure is carried out, and its result is sent to the PERUN system, which searches the logs for potentially dangerous indicators. When the analysis is completed, the next sample is tested.
All information from the automated analysis is published on CheckLab and AVLab in a user-friendly and manufacturer-friendly format. More details are provided in the methodology and other documents describing the entire test procedure.