The best antivirus software? Kaspersky, Bitdefender and Trend Micro lead in latest tests

Ransomware and other threats often get through signature-based antivirus protection, giving it a bad rap. However, Windows antivirus tools still play an important role in the enterprise security strategy.


The AV-TEST Institute recently tested the most popular Windows 10 client antivirus products on three primary criteria: protection, performance, and usability. Only four of the 16 products tested earned a perfect rating of 6 for each of those criteria: Bitdefender Endpoint Security 6.2 and 6.6, Kaspersky Lab Endpoint Security 11, Kaspersky Small Office Security 5 and 6, and Trend Micro Office Scan 12. 

The infographic accompanying this article summarizes the results, along with earlier test data for Windows 7 and Windows 8. You can drill down into the full results at The AV-TEST Institute's website. Here are summaries of the top ten Windows antivirus products.

Infographic: a summary of the AV-TEST Institute's tests of Windows client antivirus software (source: The AV-TEST Institute).

1. Bitdefender Endpoint Security 6.2 and 6.6

One of four products with perfect scores for protection, performance and usability, Bitdefender Endpoint Security stopped all zero-day malware web and email attacks tested, and all malware discovered in the last four weeks. Performance degradation when using applications and websites was minimal to moderate, with the worst being a 26 percent website launch slow-down on a standard PC. For the latest round of tests, the product gave no false positives.

2. Bitdefender Endpoint Security Elite 6.2 and 6.6

The results for Bitdefender Endpoint Security Elite are nearly identical to those of the standard Bitdefender product. The main difference is that it falsely blocked one of 41 actions tested while installing legitimate software, which is why it scored a 5.5 out of 6 on the usability rating.

3. Kaspersky Endpoint Security 11.0

With its perfect scores across the board, Kaspersky Endpoint Security continues its run in the top tier of anti-malware products. It stopped all zero-day and known attacks tested. On the performance side, the product had minimal impact on launching websites and applications and on installing applications.

4. Kaspersky Small Office Security 5 and 6

Kaspersky Small Office Security scored similarly to the company’s endpoint protection product. It had a slightly higher impact on website launches and application installation, but its performance there was still well above industry average.

5. McAfee Endpoint Security 10.5

For protection and usability, McAfee Endpoint Security ranks with the best of its competitors. However, it falls a little short on performance, particularly during launch or installation of software. Launching standard applications with the McAfee product active was 37 percent slower than normal, well above the industry average of 13 percent. It was worse when installing frequently used applications—51 percent slower. The industry average there is 30 percent.

6. Microsoft Windows Defender Antivirus 4.2

With one or two improvements, Microsoft Windows Defender Antivirus 4.2 could join the elite with perfect scores among this group. Its impact on installation times for frequently used applications was significantly higher than industry average—45 percent vs 30 percent for standard PCs and 37 percent versus 27 percent for high-end PCs. It also blocked one action during the use or installation of legitimate software.

7. Sophos Endpoint Security and Control 10.8

You can count on Sophos Endpoint Security and Control to stop attacks as well as any other product in this group. It lags the leaders in only one performance category: slower installation of frequently used applications. The product caused a 43 percent slower installation time on standard PCs, significantly higher than the 30 percent industry average. In all other performance tests, the Sophos product was better than or near the industry average.

8. Symantec Endpoint Protection 14.0

In addition to a perfect protection score, Symantec Endpoint Protection is one of the better-performing anti-malware tools tested. It scored below or near industry average in every category. The only reason it didn’t have perfect ratings across all three main categories is that it blocked two actions while installing and using legitimate software.

9. Symantec Endpoint Protection Cloud 22.14

Symantec Endpoint Protection Cloud scored similarly to its non-cloud counterpart. The main difference was in performance. It caused popular websites to launch more slowly (21 percent), but showed no slowdown of frequently used applications.

10. Trend Micro Office Scan 12.0

One of the few products with a perfect rating across all three main categories, Trend Micro Office Scan was among the best performers of that group. It was below or near the industry average in all performance categories except launching popular websites. There, it caused a 22 percent slowdown on standard PCs and a 16 percent slowdown on high-end PCs, versus industry averages of 17 percent and 13 percent, respectively.

Why the best antivirus software may not be enough

Traditional signature-based antivirus is notoriously bad at stopping newer threats such as zero-day malware and ransomware, but it still has a place in the enterprise, experts say, as part of a multi-layer endpoint security protection strategy. The best antivirus products act as the first layer of defense, stopping the vast majority of malware attacks and leaving the broader endpoint protection software with a smaller load to deal with.

According to a survey of this year's Black Hat attendees, 73 percent think that traditional antivirus is irrelevant or obsolete. "The perception of the blocking or protection capabilities of antivirus has certainly declined," says Mike Spanbauer, vice president of strategy and research at NSS Labs, Inc.

Plenty of recent research supports that point of view. In December 2017, security company WatchGuard Technologies reported the results of a comprehensive test of traditional antivirus. It measured how well a leading traditional antivirus product did at spotting zero-day threats by looking at customers who had both traditional antivirus and a next-generation endpoint protection product installed. Traditional antivirus caught 9,861,318 malware variants, but it missed 3,074,534 others that were caught by the next-generation platform, which used a behavior-based approach. That is a miss rate of about 24 percent of the 12.9 million variants seen.

The traditional antivirus product was from AVG Technologies, a well-reviewed product. In fact, in a report released in late 2017 by AV-Comparatives, AVG caught 99.6 percent of the samples tested, making it one of the top ten products on the market.

Antivirus is particularly bad at catching ransomware, one of the biggest new threats that companies face. In a March 2017 survey of 500 organizations, anti-phishing vendor KnowBe4 found that only 52 percent of companies were able to thwart a simulated ransomware attack. For the rest, the ransomware was able to get past their antivirus defenses.

A newer technique called Process Doppelganging abuses the transactional feature of Windows' NTFS file system (TxF). File operations performed inside a transaction are not visible to security software that scans the file system, and the transaction can be rolled back, so the malicious content never lands on disk in a form a scanner can inspect. "From a technical perspective, [our] research shows that correct file scan engines are hard to get right and specifically, that correct handling of transactions is even harder," says Udi Yavo, a researcher at enSilo, which discovered Process Doppelganging.

"However, I think the main takeaway of this research is that having a single line of defense is not enough, and sometimes even small tricks can lead to bypasses, even in mature products. Enterprises should move to solutions that can block fileless attacks and are effective in both pre- and post-execution scenarios,” says Yavo.

NSS Labs has also been running tests of both traditional and next-generation endpoint protection tools. In its latest rounds of testing the company has focused only on vendors that have advanced detection capabilities. Last year, when testing included signature-only vendors as well, the traditional products did poorly. "A number of products scored in the 90s," says NSS Labs' Spanbauer, "But none of those were sole traditional antivirus."

The problem is compounded if the new threats are designed to spread quickly through a company and do as much damage as fast as possible, and compounded again if enterprises delay rolling out antivirus updates. In addition, the volume of malware is growing exponentially, according to AV-TEST, so even if a particular product has a high detection rate, more and more malware in absolute terms is going to slip through. Finally, if attackers notice that a particular kind of malware is getting through, they can double down on it.

These four factors combined have helped propel the recent WannaCry ransomware to more than 400,000 infected devices and potential total financial impact of as much as $8 billion. That doesn't mean that traditional antivirus is completely obsolete. It still has a place in the enterprise, experts say, because it is very effective at spotting and blocking known threats quickly, efficiently and with minimum human intervention. Plus, traditional antivirus is a compliance or customer requirement in some industries.

The case for traditional antivirus

One company that doesn't have a choice about whether to use traditional antivirus is Emeryville, Calif.-based National Mortgage Insurance Corp. "Our customers are banks, and many require a traditional signature-based antivirus as part of the defense we have in place," says Bob Vail, the company's director of information security.


Sophos, the company's antivirus vendor, has a good detection record and is very lightweight, he says. That makes it a good first round of defense, but Vail says he knows that's not enough. "Antivirus in general is going to be after-the-fact," he says. "Someone has to be infected and a signature developed and hopefully everyone else gets protected before they get attacked."

The company also has a second level of protection in place to guard against the malware that gets through, a behavior-based system from enSilo. The two products work well together, Vail says. "If a known virus comes down, Sophos will quarantine the file before it gets a chance to execute," he says. "But those things that get past it, enSilo will prosecute those, so it's a classic defense in depth."

Traditional antivirus is a good adjunct to newer technologies such as behavior analytics, sandboxing, and machine learning. The more advanced tools can require more processing power, which can slow down computers. If a product runs behavioral or other tests on potential threats before permitting user access (pre-execution), it can hurt productivity. If it allows the code to run and then evaluates it separately (post-execution), the malware has a window of opportunity to reach enterprise systems before a verdict is reached.

Finally, when a new threat is detected, additional work is required to mitigate the threat and generate signatures to protect against the threat in the future. "The first level of defense will always be some kind of signature-based defense," says Raja Patel, VP for corporate product at McAfee LLC. "If you already know something is bad, why do an additional layer of protection against it?"

Without that initial signature-based screening, companies would have to spend a lot more time, effort and money to handle all the threats that come in, he says. "You can imagine how much a security team would have to put up with." If a threat can be caught and stopped right out of the gate, it's the cheapest option. "Signature-based antivirus saves human effort and reduces false positives and time delays," he says. "It's a fantastic first layer, and will be for a long time."
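The layering Vail and Patel describe, a cheap exact-match signature pass in front of a more expensive behavior-based pass, can be sketched in a few dozen lines. The following Python is an added illustration written for this article, not code from Sophos, enSilo, McAfee or any other vendor; the indicator names, weights, threshold and sample bodies are all hypothetical and constructed here. It shows the two properties the quotes are getting at: a known sample is stopped by the signature layer without ever reaching the behavioral engine, while a repacked variant whose hash no longer matches is caught only because the behavioral layer looks at what it does rather than what it is.

```python
"""Two-layer endpoint pipeline: signature check first, behavioral scoring
only for what the signature layer cannot classify. Illustrative code written
for this article; not any vendor's engine."""
import hashlib
from dataclasses import dataclass, field

# Hypothetical behavioral indicators and weights; a real engine uses far
# richer telemetry and tuned models. Zero-weight actions are ordinary for
# legitimate installers and exist to show how benign software scores.
BEHAVIOR_WEIGHTS = {
    "delete_shadow_copies": 5,       # vssadmin-style shadow copy deletion
    "mass_rename": 4,                # many user files renamed to a new extension
    "encrypt_user_docs": 4,
    "disable_av": 3,
    "write_ransom_note": 3,
    "write_program_files": 0,
    "create_start_menu_shortcut": 0,
}
BEHAVIOR_THRESHOLD = 8  # hypothetical cut-off for blocking


@dataclass
class Sample:
    name: str
    body: bytes                      # stand-in for the executable's bytes
    actions: list = field(default_factory=list)  # what it did when run/emulated


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples (placeholder bytes, not real malware).
KNOWN_RANSOMWARE = Sample("known_ransomware.exe", b"RANSOM-v1",
                          ["delete_shadow_copies", "mass_rename", "write_ransom_note"])
# Same behaviour, one byte changed: the file hash no longer matches any signature.
REPACKED_RANSOMWARE = Sample("repacked_ransomware.exe", b"RANSOM-v2",
                             ["delete_shadow_copies", "mass_rename", "write_ransom_note"])
BENIGN_INSTALLER = Sample("setup.exe", b"INSTALLER",
                          ["write_program_files", "create_start_menu_shortcut"])

# Hypothetical signature feed: only the sample that has already been seen and
# had a signature written for it ("after-the-fact", as Vail puts it).
KNOWN_BAD_SHA256 = {sha256(KNOWN_RANSOMWARE.body)}


def signature_layer(sample: Sample) -> bool:
    """Layer 1: exact-match signature. Cheap and precise, but only for known bytes."""
    return sha256(sample.body) in KNOWN_BAD_SHA256


def behavior_score(actions) -> int:
    """Layer 2: sum the weights of observed actions; unknown actions score zero."""
    return sum(BEHAVIOR_WEIGHTS.get(a, 0) for a in actions)


def scan(samples):
    """Return per-sample verdicts and how much work each layer had to do."""
    verdicts = {}
    stats = {"signature_blocked": 0, "behavior_evaluated": 0, "behavior_blocked": 0}
    for s in samples:
        if signature_layer(s):
            verdicts[s.name] = "blocked:signature"
            stats["signature_blocked"] += 1
            continue                     # never pays for the expensive layer
        stats["behavior_evaluated"] += 1
        if behavior_score(s.actions) >= BEHAVIOR_THRESHOLD:
            verdicts[s.name] = "blocked:behavior"
            stats["behavior_blocked"] += 1
        else:
            verdicts[s.name] = "allowed"
    return verdicts, stats


if __name__ == "__main__":
    verdicts, stats = scan([KNOWN_RANSOMWARE, REPACKED_RANSOMWARE, BENIGN_INSTALLER])
    for name, verdict in verdicts.items():
        print(f"{name:26} {verdict}")
    print(stats)
```

The `stats` counter is the load-reduction argument in miniature: every sample the signature layer stops is one the behavioral engine never has to emulate or monitor. The repacked variant is also a reminder of the limit of that first layer, since a single changed byte is enough to defeat an exact-hash signature; whether the behavioral layer acts before or after execution is the pre- versus post-execution trade-off discussed above.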

Traditional, next-gen tools are converging

As the industry matures, enterprises are going to be able to get the full suite of malware protection tools from a single vendor, if they can't already. Traditional antivirus providers are adding next-gen capabilities, while the next-generation vendors are including signature-based protections in their suites.

Endpoint security startup CrowdStrike, for example, launched its all-in-one Falcon platform three years ago, allowing customers such as the Center for Strategic and International Studies, a Washington, DC, think tank, to get everything in one place. "We had CrowdStrike already in place and were relying on it as part of endpoint security," says Ian Gottesman, the organization's CIO. "Extending that solution to include antivirus was advantageous for CSIS. I would recommend any other organizations do the same."

According to a survey released in 2017 by the SANS Institute, about 95 percent of respondents expect to see antivirus protection included in their next-generation endpoint solution. Traditional antivirus vendors aren't sitting on the sidelines, either.
