In-depth tests on 17 antivirus and recovery tools reveal which are the best at cleaning infected systems.
Security software is most often judged on how effective it is at keeping malware out. But what about situations where it is asked to deal with existing infections?
Perhaps someone misguidedly disabled their security software, or maybe forgot to renew the subscription and so the stream of updates ceased flowing. Whatever the train of events, the result was that a Windows system has become infected. What do they do next?
Security suites typically include features to clean up existing infections, and there are also recovery tools designed specifically for this task.
Germany-based testing organisation AV-Test.org compared a total of 17 products to find out which could scrub away the unwanted files and restore normal operation.
About the tests
The security suites were tested in two ways: firstly by installing them on an already infected system, and secondly by installing them on a clean system and temporarily switching off the antivirus protection to allow infection. The latter was intended to simulate the situation where the suite does not immediately recognise the malware, for example because the update that would have provided protection wasn't installed until after the infection had occurred.
The clean-up tools were used on already infected systems.
In each case, the quality of the repairs was determined by a bit-by-bit comparison of the cleaned system with a reference system.
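The reference-system comparison described above, as an added example (not AV-Test's own tooling): it snapshots two directory trees, classifies files the clean-up left behind, deleted or altered, and reports a verdict in the terms the test used. The file paths and the leftover `dropper.log` are constructed sample data; whether a remnant is active or harmless remains an analyst judgement the script does not make.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root (relative POSIX path) to the SHA-256 of its contents."""
    # Equal digests stand in for a bit-by-bit identical file.
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare(reference, cleaned):
    """Classify every difference between a reference snapshot and a cleaned-system snapshot."""
    ref, cln = set(reference), set(cleaned)
    return {
        "remnants": sorted(cln - ref),                    # left behind by the clean-up
        "missing": sorted(ref - cln),                     # legitimate files the clean-up deleted
        "modified": sorted(p for p in ref & cln if reference[p] != cleaned[p]),
    }

def verdict(diff):
    """Summarise a diff; remnants are counted, not judged active or harmless (assumption)."""
    if not any(diff.values()):
        return "all traces removed"
    if diff["missing"] or diff["modified"]:
        return "system not fully repaired"
    return f"{len(diff['remnants'])} file remnant(s) left"

def write_tree(root, files):
    """Create a constructed directory tree from {relative path: bytes}."""
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo():
    """Constructed sample: a reference tree and a 'cleaned' tree with one leftover file."""
    reference = {"Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
                 "Users/alice/Documents/report.docx": b"PK\x03\x04clean"}
    cleaned = dict(reference)
    cleaned["ProgramData/tmp/dropper.log"] = b"harmless leftover log"  # constructed remnant
    with tempfile.TemporaryDirectory() as ref_dir, tempfile.TemporaryDirectory() as cln_dir:
        write_tree(ref_dir, reference)
        write_tree(cln_dir, cleaned)
        diff = compare(snapshot(ref_dir), snapshot(cln_dir))
    return diff, verdict(diff)
```

Calling `demo()` returns the classified diff for the constructed trees together with its verdict.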
AV-Test noted that these programs can't simply be left to clean up infections on their own: many questions must be answered during the process, "but the time and effort always paid off", the testers said.
The security packages tested were:
- Avast! Free Antivirus 17.5 (free)
- Avira Antivirus Pro 15.0 ($46.95)
- Bitdefender Internet Security 21.0 ($69.99)
- Enigma Software SpyHunter 4 ($49.99)
- G Data Internet Security 25.3 ($US39.95)
- Kaspersky Internet Security 17.0 ($41.95)
- Malwarebytes Premium 3.1 ($59.99)
- Microsoft Security Essentials 4.10 (free)
- Symantec Norton Security 22.9 ($84.99)
The recovery tools tested were:
- Avast Rescue Disk
- Bitdefender Rescue Disk 2.1
- DE Cleaner Antibot 3.7
- G Data BootMedium
- Heise Disinfect 2016/17
- Kaspersky Virus Removal Tool 15.0
- Microsoft Safety Scanner 1.0
- Microsoft Windows Defender Offline
The best and worst performers
One brand stood out in both categories: Kaspersky Internet Security and Kaspersky Virus Removal Tool both completely removed all traces of the 19 infections used as the test set.
They were followed by Bitdefender Internet Security, Avast Free Antivirus, G Data Internet Security, Avira Antivirus Pro and Symantec's Norton Security, which repaired the system and removed the malware, leaving between four and nine harmless file remnants.
Among the free tools, Bitdefender Rescue Disk, Heise Disinfect and G Data BootMedium detected all 19 threats and deleted the dangerous components, leaving some harmless file remnants.
Microsoft Windows Defender Offline and Avast Rescue Disk detected all of the malware, but each was unable to remove the active components of two of the examples.
Microsoft Safety Scanner did not detect two of the 19 pieces of malware in the test set. And it failed to remove the active components of one that it did spot.
AV-Test was particularly concerned about the performance of DE Cleaner Antibot. It failed to detect five of the 19 infections, making it the worst of the 17 products, even though it is backed by several German ISPs and the German Federal Ministry of the Interior and, perhaps as a consequence, is widely distributed in Europe.
While it is impressive that Kaspersky's products managed such thorough clean-ups, failing to remove every last trace isn't really a shortcoming as long as the active components are deleted. So users have a choice of software that will get them out of a hole when malware strikes.
But we would add one caution: you can't expect these products to recover a system that has fallen foul of ransomware. While there have been a small number of examples where researchers have been able to determine the required decryption keys, the only real fallback is a thorough backup strategy.