Modern protection without signatures – comparison test on real threats

28 February 2022

We started the year 2022 with protection test of modern antivirus solutions on so-called samples in the wild that can be found in various areas of the Internet, also captured by our honeypots. This test is completely automated, so it can run continuously 24 hours a day. We used more than 1800 samples of malware for the test. We verify all viruses before they are added to our test base.

In January 2022, we checked the following applications to protect desktops:

  • Avast Free Antivirus
  • Avira Antivirus Pro
  • Comodo Advanced Endpoint Protection
  • Comodo Internet Security
  • Emsisoft Business Security
  • F-Secure Total
  • Malwarebytes Premium
  • Microsoft Defender
  • SecureAPlus Pro
  • Webroot Antivirus

Unlike other testing laboratories, our tests are fully transparent, so we provide a complete list of virus samples. Key information and test results are available at


Summary of January edition of the test

Notice the Level 3 of analysis because it shows real protection against 0-day samples. But beware! Certain antiviruses of the next generation intentionally do not have protection in a browser (Level 1). Sometimes they do not have traditional protection based on signatures (Level 1 and Level 2), so without proper interpretation, such tests could favor other protection solutions. Not ours!

In our tests, we do not award negative or positive points for early blocking of threats. Simply put, security products must stop a threat in any way – designed by a developer. The final result is whether or not this has been achieved

The so-called Level 1 shows early blocking of threats in a browser or on a hard drive.

If this fails, the next is Level 2: a virus is scanned by the antivirus based on signatures when moving from X to Y folder. Obviously, only if such protection exists. In this test, there are many test cases when samples have not been tested by developers yet, so the next level of analysis is crucial.

Level 3 represents modern protection without any signatures. In such cases, a virus is run in the operating system. It is the most dangerous situation but needed because it shows true effectiveness of protection against and 0-day files – a threat unknown to a developer of protection software.