PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

How We Test Malware Blocking

Neil J. Rubenking
 & Neil J. Rubenking Principal Writer, Security

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

Every antivirus product and security suite should prevent attack by viruses and other malware. I challenge such products by deliberately trying to infect a protected test system using known malware samples. I then calculate a malware blocking score based on how successfully the product detected and prevented these attacks. I also check the antivirus's ability to prevent infection by blocking malware-hosting URLs.

Blocking Malicious URLs
Almost all modern malware reaches your system from the Internet. Many antivirus products head off infection by blocking all access to malware-hosting URLs. Others check files during or immediately after download. Last year I introduced a test specifically aimed at measuring how well a product handles blocking malicious URLs.

I start with a feed of extremely new malicious URLs supplied by MRG-Effitas. They process many thousands of URLs every day; typically the ones I use are no more than four hours old. I filter the list to specifically capture URLs pointing to an executable file.

The testing process is quite simple. One after another, I launch the URLs in Internet Explorer, using a simple utility I coded myself. For each URL, there are three possible outcomes. The security software may block all access to the URL, it may wipe out the file during or right after download, or it may do nothing. I report the overall percentage blocked, whether at the URL level or during download.

I've ben running this test since November 2013; I don't have data for products reviewed before that date.

Deliberate Malware Attack
My malware samples change over time, but the collection will typically  include adware, spyware, viruses, worms, scareware (rogue security software), rootkits, and Trojans.

I install the product on a clean test system and manually run an update, to make sure it has the very latest virus definitions. Then I simply open a folder containing the collection of samples and note how the product reacts. In many cases, the minimal access that occurs when Windows Explorer displays the filename is sufficient to trigger real-time protection. I also single-click on each file, since real-time protection in some products doesn't kick in until a click.

Scoring
Naturally the product scores a full ten points for each threat it eliminates on sight. Continuing the test, I launch any samples that survived the initial culling and note how the product reacts. Typically I'll launch three or four of them and then run my proprietary analysis tools to determine whether the threats managed to place any files on the test system.

If the threat didn't plant any executable files and installed from zero to 20 percent of its non-executable file and Registry junk I award ten points, the same as if the antivirus wiped it out on sight. An antivirus that allowed the threat to put 20 to 80 percent of its junk on the test system still gets nine points. That sinks to eight points if 80 percent or more of the junk landed on the test system.

Once the antivirus has detected a threat attempting installation it really should prevent placement of any executable files. If an executable file gets through I offer five points, or half-credit. If, despite the antivirus's best efforts, a malware component manages to run, that goes down to three points. Naturally a total failure to detect the threat earns zero points. The overall blocking score is simply the average of all the individual scores. I also break out separate scores for blocking rootkits and scareware.

The product's final rating doesn't have a one-to-one correlation with the malware blocking and removal scores. Other factors can come into play, including the results of independent lab tests, but scoring well on my malware blocking and malicious URL blocking tests certainly helps get a good rating.

About Our Expert

Neil J. Rubenking

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio