PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Fewer False Positives Mean Better Antivirus Scores

Neil J. Rubenking
 & Neil J. Rubenking Principal Writer, Security

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

How do you test an antivirus utility to make sure it works? Well, one simple method is to present it with thousands of malware samples and see which ones its scan detects. Yes, this kind of static detection is just one layer of antivirus protection, but it can be the first line of defense.

Of course, you also need to make sure the antivirus doesn't erroneously declare valid programs to be malware. Otherwise an antivirus utility that marked every single program as malicious could earn an unwarranted perfect score. The file detection test performed by researchers at AV-Comparatives takes into account both detection accuracy and avoidance of false positives. A dearth of false positives this time around raised scores for quite a few vendors.

The researchers presented each of 21 antivirus products with over 160,000 malware samples, and credited detection either by on-access scan or on-demand scan. AV-Comparatives doesn't disclose the precise number of files used in the false positives test, "because some people tend to calculate a percentage out of it, which is nonsense and misleading." However, in past instances of this test the number of false positives for some products has come close to 100, so the total number of valid files must be quite a bit more than that.

Much Improvement
AV-Comparatives assigns a rating of Standard to any product that passes the test; those that don't pass are rated as just Tested. The very best products can earn an Advanced rating, or even Advanced+. However, a product that exhibits many false positives can drop by one, two, or even three ratings. A product that hits the "crazy many" level (more than 100 false positives) can't pass the test, no matter how good its virus detection.

In the previous round of testing, five products showed enough antivirus accuracy to rate Advanced+, but dropped down to Advanced due to false positives. They are: Avira, BullGuard, Emsisoft Anti-Malware£31.16 at Emsisoft UK, eScan, and Ad-Aware Free. All five managed to hang on to that Advanced+ rating this time around; good going!

Bitdefender Antivirus Plus 2016£19.99 at Bitdefender UK and Kaspersky Anti-Virus (2016)£19.99 at Kaspersky UK routinely achieve top scores with all the labs. Neither had any trouble reaching Advanced+ in this test or the previous one.

Success wasn't universal, though. Poor Baidu Antivirus did well enough in the detection portion of the test to merit an Advanced+ rating. However, "crazy many" false positives knocked it out of the running, down to a failure rating of Tested.

McAfee AntiVirus£34.99 at McAfee UK didn't get into false positive trouble in either test. It was a drop in antivirus detection accuracy that brought it down from Advanced+ to Advanced.

One of Many Tests
In the real world, your antivirus gets numerous opportunities to detect and balk a malware attack. It might block the browser from even connecting to a malware-hosting URLs. It could eliminate the file before it's even downloaded. Or it might identify malware after launch, based on its nasty behavior.

AV-Comparatives runs many different tests, taking into account these different opportunities. There's a real-world dynamic test that does its best to let every protection layer have a chance at success. The retrospective detection test freezes each product's malware signatures and tests them against brand new samples that didn't exist before the freeze. There's even a test that starts with samples that all of the tested products are known to detect, and then measures how well they clean up an infected system.

Different products may succeed at different tests. Webroot£22.49 at Webroot UK, for example, doesn't use static detection, so it's not appropriate for a static detection test. Norton's£198.7 at Amazon UK developers reject the very concept of a static test. Even so, I have to admire products like Bitdefender and Kaspersky that manage to earn top marks from all the labs.

Image courtesy of Flickr User Yuri Samoilov.

About Our Expert

Neil J. Rubenking

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio