How we test antivirus and security software

Antivirus software is essential in providing you with robust security from malware and other online threats. However, to cut through the noise in the multitude of antiviruses on the market, it’s important to know how effective the antiviruses are in fighting malware and other modern threats and how they affect your device’s performance. For this, we run multiple in-house tests using various tools to help you make an informed decision.
The testing process isn’t identical for every antivirus because products differ from one another and each has its own feature package. Therefore, the reviews may vary in content. However, all antiviruses are tested for malware detection.
When reviewing antivirus software, we look through the eyes of consumers and consider the following main factors:
- In-house testing results
- Independent lab results
- Advanced detection techniques
- Additional features and protection
- Ease of use and user interface
- Pricing
Below, you’ll find detailed explanations of our methodologies, how we gather data, and how we check and test each area.
Why trust Cybernews?
With many comparison and review sites online, finding a trusted source of the most recent information can be challenging. Our researchers maintain transparency, clearly outlining the criteria, methodology, and sources used. All affiliations are disclosed upfront to uphold transparency and accountability. The Cybernews team comprises seasoned professionals with vast experience in cybersecurity, software testing, and information technology.
We conduct reviews independently, and evaluations are based on objective criteria and empirical evidence rather than subjective opinions or personal preferences.
We follow strict testing protocols covering performance, security, usability, and value for money. Our methodologies are designed to provide a comprehensive assessment of each product’s capabilities.
Our evaluations delve deep into each aspect of the software tested, leaving no stone unturned, including features, performance, security measures, and usability.
We maintain consistency in our review process, applying the same standards and criteria to all products tested. Users can rely on our reviews to provide consistent and reliable information, enabling them to make decisions confidently over time.
Testing antivirus software with real-world malware
The Cybernews in-house research team gathers real-world malware samples to reflect rising cybersecurity trends and threats. We stay in line with the latest developments in the cybersecurity landscape, ensuring our reviews reflect the most current advancements in security software.
Antivirus testing involves collecting and analyzing the latest real-world malware samples from reputable sources. We gather all of our malware samples from bazaar.abuse.ch – a reputable malware sample exchange platform used by the infosec community and antivirus vendors. Samples in their database are verified as malicious before being made available. The testers gather diverse malicious software, including keyloggers, ransomware, miners, spyware, and others, to ensure the testing process is as versatile as possible.
By testing antivirus software against various malware, we monitor whether it can instantly block or quarantine any detected threats. With each antivirus software, the testers then use 100-150 different real-life malware samples to test real-time protection and virus scan feature capabilities.
How we test against real phishing websites
We test how well antivirus software detects and blocks phishing websites – fraudulent pages designed to steal credentials and personal information. We collect phishing URLs from phishtank.org, a widely used phishing intelligence database maintained by the cybersecurity community. We use up to 30 active phishing links per test batch.
We conduct these tests on Chrome and Firefox browsers with their built-in security protections disabled. Modern browsers normally block many phishing sites through services such as Google Safe Browsing or similar protection systems. We disable these protections to evaluate the antivirus product’s own web protection capabilities.
Testing malware protection at the web layer
We also test how effectively antivirus software blocks access to known malware-distribution URLs. These URLs are sourced from urlhaus.abuse.ch, a threat intelligence project that tracks active malware hosting and delivery infrastructure.
As with phishing tests, we disable browser security features during testing. This allows us to measure whether the antivirus product itself can block malicious websites if browser-level protections fail or are bypassed.
How we test parental control features in antivirus software
Since many antivirus suites include parental controls, we briefly test these built‑in tools as part of our overall evaluation.
We set up a “parent” device with access to the antivirus dashboard and a “child” device with parental controls enabled. Then we check whether the suite can:
- Filter inappropriate content (e.g., adult, gambling, drug-related, unsafe chat sites)
- Monitor browsing and app activity
- Enforce screen time limits or block internet access
- Track device location, if the feature is offered
We also try common bypass methods a child might use, such as uninstalling or disabling the app, using a VPN, switching browsers, changing DNS settings, or restarting the device. This helps us see whether the parental controls are not only functional but also reasonably hard to circumvent.
Our findings on parental control are factored into the antivirus product’s overall rating, rather than scored as a separate standalone category.
Our in-house testing and methodology
Our Cybernews research team conducts real-life testing and analysis to evaluate how well the antivirus software performs. The testing covers multiple areas, including real-time protection, scanning options, usage of system resources, web protection, ransomware detection and removal effectiveness, phishing protection, firewalls, and additional features.
Testing environment
We test the software on different devices based on the product and its compatibility. Here’s what we use:
- Windows – we test on a VirtualBox VM with Windows 11 (10 GB RAM, 120 GB dynamic HDD, and 2 CPU cores) installed on a Lenovo ThinkPad T14s Gen2 device (AMD Ryzen 5 PRO 5650U processor, 16 GB RAM, 256 GB SSD, Windows 11 Pro OS), or on a VirtualBox VM with Windows 11 (20 GB RAM and 4 CPU cores) on a Lenovo ThinkStation (AMD Ryzen Threadripper PRO 3945WX 12-core processor, 3.99 GHz, 64 GB RAM, 3 TB SSD, Windows 11).
- macOS – we test on MacBook Pro M2 (16GB RAM, 500GB storage, macOS Tahoe 26.2) running a virtual machine with 4GB allocated RAM and 64GB storage.
- Android – we test on Google Pixel 9 (128GB storage, 12GB RAM, Google Tensor G4 chip) running on Android 16.
Real-time protection
The samples prepared in advance are downloaded by our research team from online malware libraries onto a virtual machine and set up in a controlled environment imitating the World Wide Web. For this, we use the XAMPP tool to run a localhost web server (configured as a virtual host), which imitates a malware download from the web.
The live (in the wild) samples come from malicious URLs: opening the link triggers the malware download.
It’s important to mention that before we run our tests, we turn off all local malware-catching tools like Windows Security. If the antivirus software has a feature that is supposed to block malicious websites, it’s also turned off.
The process is simple – we download the malicious files (usually 100-150) and take notice of how many of these samples the antivirus in question can detect and remove.
If the antivirus has different levels of real-time protection (in our case, only the NordVPN Threat Protection does – basic and cloud-based options), we investigate, compare, and evaluate those separately.
The score of these tests is the percentage of the malware that the antivirus detected and prevented from entering the system (device). For example, if 120 out of 150 malicious files have been caught, the malware detection rate is 80%. It's worth mentioning that a perfect antivirus does not exist, and a score of 100% is pretty rare.
If the software detects no less than 80% of threats, we classify this antivirus as good and efficient at catching malware.
It’s worth mentioning that we do not execute any of the malicious files (we don’t click on them) the way a user encountering them normally might, and all testing takes place in a safe virtual machine environment.
Scanning options
Another important feature of any AV is on-demand system scanners. The Cybernews research team investigates and evaluates all available scan options with the particular antivirus software – quick/smart, full, custom, etc.
Before testing, real-time protection is turned off on both the antivirus and the local system. Then, malware samples are put in a testing folder on the system, and separate antivirus scans are run.
We then evaluate each scanning option on:
- How long the scan took
- How many files in total have been scanned
- How many malicious samples have been detected
- How the antivirus scan impacted the device’s performance and CPU usage
We repeat quick scans more than once, as these are designed to scan only the system directories that have the highest probability of being infected. So, the malicious files are planted accordingly (for example, on the desktop or in the downloads folder).
For full system scans, the samples are usually placed deeper in the system (for example, somewhere on a Local Disk C:). We also consider whether the antivirus instantly removes or quarantines the detected malware from the system or leaves this choice to the user. The problem with the latter option is that it gives extra time for the malware to act and potentially cause more damage to the system.
The score is measured in the same way as with real-time protection – the percentage of detected malicious samples.
Web protection
Most antiviruses contain web protection features or additional browser extensions that protect from accessing dangerous or potentially malicious websites.
For the analysis of web protection features, we again use the previously mentioned malicious URLs. However, in this case, we investigate two types of links – URLs containing domain names and IPv4-based URLs. We click on these links to see how effectively the antivirus software responds.
We then evaluate how many of these websites have been detected and blocked by the antivirus. And, as with the other tests, the score is computed as percentages.
Ransomware protection
Ransomware protection is a crucial part of a strong antivirus solution. To test its effectiveness, we perform a malware detection test. We download ransomware files and then run an antivirus scan on the system to see how well the AV has performed.
The antivirus performance is evaluated based on the percentage of ransomware files detected and removed, as well as overall ransomware protection-related features included in the antivirus software package. For example, Bitdefender has a Ransomware Remediation function, which backs up users’ files and reverses any damage done by ransomware by restoring the encrypted files.
Phishing protection
Phishing is another type of online threat you need strong protection from. Our in-house research team evaluates phishing protection by testing the anti-phishing features available within the antivirus suite. We test the antivirus’ capability to protect you from dubious phishing websites.
For example, Bitdefender offers a phishing protection feature, which checks web pages for phishing behavior – whether the page tries to obtain sensitive user data, like login credentials or credit card details.
Another feature we test is email or spam filters to see how successful they are in removing threats sent via email. For example, ESET has an Antispam protection feature that detects and removes spam and potential phishing emails.
Firewall
To test the antivirus firewall we evaluate how customizable it is, how it monitors network traffic to prevent unwanted access from the outside, and if there is an option to also safeguard the outgoing traffic. A good example is Norton’s smart firewall feature.
We test the monitoring of local applications to see whether network resources aren’t misused and whether the firewall can prevent port scanning (a common technique used by cybercriminals to look for potential weak points in the network).
Independent lab tests
In addition to our in-house tests, we analyze results from independent labs that regularly test different antivirus software on various platforms.
The three trusted independent labs we use for assessing antivirus products are:
- AV-TEST – independent organization testing and evaluating security software for Microsoft Windows, macOS, and Android OS
- AV-Comparatives – an independent Austria-based company assessing antivirus software and regularly providing reports freely available to the public
- SE Labs – a private and independently run testing company evaluating security services and products
Each of these labs uses its own scoring system and does not always test the exact same collection of antivirus programs. Because of this, we normalize and average their results before combining them with our own scores. From independent lab reports, we focus on key categories such as real-world protection, malware protection, performance, usability, and home endpoint security.
We then aggregate all of this data into a single, easy-to-understand rating. To determine the final score, we combine the three normalized lab results with our in-house test score, add these four values together, and divide by four. This way, our antivirus ratings reflect both independent, industry-standard benchmarks and our hands-on testing experience, giving readers a balanced and reliable view of overall protection quality. We also get a complete overview of how secure the antivirus software is and how much impact it has on your device.
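The scoring described under "Real-time protection", "Scanning options", and in the paragraph above can be expressed as a small tally script. This is an added example, not Cybernews tooling. The hash manifest, the linear normalization of lab scores, the function names, and all sample values are assumptions constructed for illustration, and the "samples" are harmless text files.

```python
import hashlib
import tempfile
from pathlib import Path

GOOD_THRESHOLD = 80.0  # the page's bar: no less than 80% of threats detected

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def detection_rate(manifest: set[str], folder: Path) -> float:
    """Percent of planted samples whose content is gone after the scan.

    Matching by hash means a file that was only renamed still counts
    as missed, and files the scanner creates do not skew the result.
    """
    if not manifest:
        raise ValueError("empty manifest: nothing was planted")
    remaining = {sha256_of(p) for p in folder.rglob("*") if p.is_file()}
    return 100.0 * len(manifest - remaining) / len(manifest)

def normalize(value: float, scale_max: float) -> float:
    """Map a lab score onto 0-100 (assumed linear normalization)."""
    if scale_max <= 0 or not 0 <= value <= scale_max:
        raise ValueError(f"score {value} outside 0..{scale_max}")
    return 100.0 * value / scale_max

def final_score(labs: list[tuple[float, float]], in_house: float) -> float:
    """Three normalized lab results plus the in-house score, divided by four."""
    if len(labs) != 3:
        raise ValueError("the formula uses exactly three lab results")
    return (sum(normalize(v, m) for v, m in labs) + in_house) / 4

def run_demo() -> tuple[float, bool, float]:
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        manifest = set()
        for i in range(150):  # constructed stand-ins for planted samples
            f = folder / f"sample_{i:03d}.bin"
            f.write_bytes(f"constructed sample {i}".encode())
            manifest.add(sha256_of(f))
        for i in range(120):  # simulate the scan removing 120 of 150
            (folder / f"sample_{i:03d}.bin").unlink()
        # One missed sample gets renamed; it must still count as missed.
        (folder / "sample_149.bin").rename(folder / "renamed.tmp")
        (folder / "scan_report.txt").write_text("constructed log")
        rate = detection_rate(manifest, folder)
    labs = [(5.5, 6.0), (99.0, 100.0), (95.0, 100.0)]  # constructed (value, max)
    return rate, rate >= GOOD_THRESHOLD, final_score(labs, rate)

if __name__ == "__main__":
    print(run_demo())
```

Recording hashes before the scan keeps the count independent of file names, which matters when a product renames files or moves them into a quarantine directory inside the scanned tree.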
Advanced detection techniques
We evaluate antivirus solutions that employ advanced detection techniques, such as signature-based scanning, heuristic analysis, and behavior monitoring. Signature-based scanning involves comparing files to a database of known malware signatures for detection. Heuristic analysis proactively identifies suspicious behaviors in files, such as code patterns or actions, even if they don’t match known signatures. Behavior monitoring observes real-time activities on the system to detect unusual behavior indicative of malware, such as unauthorized file modifications or network connections.
These methods complement each other to provide comprehensive protection against both known and emerging threats in antivirus software. Therefore, we check whether the antivirus program implements all of these methods or just some.
Evaluation of other features
Many antivirus services provide additional useful features on which we also perform tests. For example, some have system optimization features, like Bitdefender’s OneClick optimizer.
We evaluated it on how effectively it detected and removed redundant files from the device to improve its performance, how long it took, and how much space it freed up on the system. This is just one example of how we test additional antivirus features.
Another good example is McAfee and its Secure Apps feature, designed to find and install updates for Windows and local applications. We evaluate its performance by checking if the applications that require an update are detected and updated.
We also check and evaluate other extra antivirus features, like VPNs, password managers, or ad blockers. All of them are tested the same as if these services were standalone. We test VPNs for their encryption, unblocking capabilities, server count, and many other features. Password managers are evaluated based on their encryption levels, multi-factor authentication options, logging policies, etc. Ad blockers are tested on their effectiveness in blocking ads and trackers on different platforms, like games, social media sites, or streaming services.
Testing user experience
When testing security products, we always consider the overall user experience and decide if the tool in question is, for example, convenient for beginners or non-technical users.
We evaluate the arrangement and accessibility of tools and features on the interface. For example, we check whether all the features can be found on the same application or whether you must go to the provider’s website for some of them. We check if there are any descriptions or tutorials provided on how to use the features and how complicated the settings are to configure.
We analyze the applications to see whether the interface is clear and not too crowded or complicated. And vice versa – if the service is aimed at more tech-savvy users, we look for more extensive configuration options and setups.
Pricing
Here at Cybernews, we believe it’s important to know the pricing structure and transparency of ToS. After testing the feature and overall service effectiveness, we evaluate whether the antivirus service provider offers a good quality-to-price ratio based on its features, performance, and level of protection.
We also check whether the subscription options are flexible, have annual plans, how many multi-device connections are offered, etc. We check if the service provides a discount and if the price increase after the deal ends is clearly indicated before subscribing.
We always investigate if the security software provides a free trial or a money-back guarantee, as consumers often look for ways to test the service before committing long-term. What’s more, we check how clearly the provider explains how to stop the free trial before being charged and how easy it is to claim a refund.
Based on all of the above evaluations regarding pricing and subscription plans, we then rank the antivirus services. For example, if the service performs poorly but is fairly expensive, it will get a lower rating. And vice versa, if the service is cheap and also offers excellent protection rates, it will be one of the top providers on our list.
Our researchers
At Cybernews, our in-house research team of information security experts and tech enthusiasts conducts antivirus software tests. The team uses proprietary tools and industry-standard methods to evaluate various antivirus software and their effectiveness. During testing, they also gain valuable insight into the user experience that will be extremely valuable to our readers.
The research team and writers work closely together to ensure our articles are accurate, up-to-date, and understandable to a broad audience. If you notice something missing, let us know.