
AVG AntiVirus Free (2017)

Everybody needs antivirus protection. Everybody! And I don't mean the antivirus built into Windows—it just doesn't measure up. Fortunately, you can get that protection without spending a penny. AVG AntiVirus Free (2017) looks a bit different from its previous edition, and it includes some new technologies. In our own tests and tests by the independent labs, it earned very good scores.

Last year, Avast acquired AVG, but fans of either company needn't worry, as both product lines continue their separate existence. Why would a company want to acquire such a similar competitor? Both AVG and Avast have huge followings, but globally each is strong in different areas. The combined company has a worldwide reach.

Of course, AVG only makes money if somebody purchases the for-pay security suite. There's a certain amount of upsell when you go to install the free antivirus, but it's much more laid back than, for example, Comodo. You can choose the free antivirus or start a 30-day free trial of the suite. You don't have to enter a credit card, and if you do nothing, at the end of the trial it reverts to the free antivirus. It does offer to install a plug-in for all of your browsers, and replace your home page, new tab page, and default search. However, as I'll explain below, installing AVG in the browser gets you a ton of useful security features.

Management by Zen

Like all AVG products, the antivirus includes AVG Zen, a management and launching utility that offers an overview of AVG security on all of your devices. It's similar in many ways to the component that helps you manage McAfee AntiVirus Plus and other McAfee products.

Four panels dominate Zen's main window, devoted to antivirus, PC tuneup, VPN, and Web Tuneup. Each panel contains a circle that can be fully or partially colored, depending on whether or not you've installed all possible protection in that area. If all is well, the circle glows green; if your attention is needed, it changes color.

When you install the free antivirus, you see a three-quarter circle in the antivirus panel. That becomes a full circle only if you upgrade to the paid edition. If you followed the installer's instructions regarding Web Tuneup, that panel displays a full circle. As for the VPN panel, that one remains empty unless you separately install the Hide My Ass VPN.

Likewise, you won't see anything in the PC Tuneup panel unless you install AVG PC TuneUp. You do get a one-day trial of the tuneup product along with the free antivirus; I'll discuss that below.

New User Interface

Last year's edition of the antivirus looked extremely similar to AVG Zen, with the same color scheme and the same circle-based status indicators. This year, the color scheme hasn't changed, but almost everything else has.

The main window has two main panes. The Basic protection pane includes icons for computer protection and for Web and email protection, both enabled. The Full protection pane's icons represent protection for private data, protection during online payments, and protection against hack attacks, all three disabled. To enable those, you must upgrade to AVG's non-free security suite.

In the middle, below the two panes, is a big button labeled Scan Computer. Clicking it launches a full scan, which does more than just scan for malware. It also scans for junk files, revealing browser traces, system logs, and Registry problems—but if you want to fix those you must start your short-term trial of AVG PC TuneUp.

In testing, the full scan finished in just six minutes, which led me to peruse all the scan options. I found another option called Deep Virus Scan. This scan took over an hour, quite a bit longer than last year's edition of AVG. However, because the scan flags safe files that don't need to be looked at again, a second scan goes much faster. I found that a repeat scan finished in just a few seconds.

Lab Scores High and Plentiful

It may seem counterintuitive, but in most cases antivirus makers pay for the privilege of having their products included in testing by the independent labs. They do get something for the money: a high score gives the company bragging rights, and if the score is poor, the lab tells it what went wrong. When the antivirus doesn't bring in any income, a company might be tempted to avoid the expense of testing. Not AVG. I follow five independent testing labs that regularly release reports on their results; all five of them include AVG.

Testers at AV-Comparatives run a wide variety of tests on antivirus and other security products; I follow five of those tests closely. As long as a product meets the minimum for certification, it receives a standard rating. Those that go beyond the minimum can receive an Advanced rating, or even Advanced+. AVG participates in four of the five, and received two Advanced and two Advanced+ ratings. Note, though, that Kaspersky and Bitdefender Antivirus Free Edition both rated Advanced+ in all five tests.

AV-Test Institute reports on antivirus capabilities in three areas: protection, performance, and usability. With six points possible in each category, the maximum score is 18 points. AVG took six points for usability, meaning it didn't screw up by flagging valid programs or websites as malicious. It came close in the other two categories, with 5.5 apiece.

A total of 17 points isn't enough for AV-Test to designate AVG a Top Product; that requires 17.5 or better. Bitdefender, Quick Heal, and Trend Micro earned the necessary 17.5 points, while Kaspersky and Avira Antivirus managed a perfect 18.

AVG scored 81.05 percent in Virus Bulletin's RAP (Reactive And Proactive) test, just a hair below the current average. SE Labs tests products using real-world drive-by downloads and other Web-based attacks, assigning certification at five levels: AAA, AA, A, B, and C.

While most of the labs report a range of scores, tests by MRG-Effitas are more like pass/fail. Half of the products tested failed at least one test; 30 percent, including AVG, failed both. Since not-quite-perfect and epic failure get the same rating in this test, I give it less weight when coming up with an aggregate score.

Avast Free Antivirus, AVG, ESET, and Kaspersky are the only products in my collection that currently have results from all five labs. AVG's aggregate score is 8.7 of 10 possible points, better than many commercial products. At the top is Kaspersky, with 9.8 points, followed by Avira and Norton with 9.7.

Very Good Malware Blocking

Malicious software from the Internet must get past numerous defenses before it can infect your PC. AVG could block all access to the malware-hosting URL, or wipe out the malware payload before the download finishes—I'll discuss those layers shortly. If a file is already present on your computer, AVG assumes it must have gotten past the earlier protection layers. Even so, it checks one more time before allowing such a file to execute.

To test AVG's malware-blocking chops, I opened a folder containing my current collection of malware samples and tried to execute each one. AVG blocked almost all of them immediately, wiping them out so fast it left Windows displaying an error message that the file could not be found. It wiped out most of those that managed to launch before they could fully install.

Initially I determined that AVG detected 94 percent of the samples and scored 9.0 of 10 possible points. However, upon checking with my company contact, I learned that for full protection I should enable detection of potentially unwanted applications, sometimes called PUAs or PUPs. With that setting enabled, AVG's scores rose to 97 percent detection and 9.5 points, better than many commercial programs. I wish, however, that AVG either enabled detection of PUAs by default or, like ESET NOD32 Antivirus 10, made the user actively choose to enable or disable this protection.

Webroot and Comodo Antivirus 10 scored a perfect 10 in this test. However, when I checked Comodo against hand-modified versions of my samples, it missed quite a few.

When AVG detects a file that's completely new to the system, never before seen, it prevents that file from launching and sends it to AVG headquarters for analysis. I managed to invoke this feature using one of those hand-modified samples. AVG killed the process, triggering a Windows error message. To show it wasn't really an error, AVG attached a CyberCapture tab to the error message.

A few other files merited special scrutiny. AVG displayed a message stating, "Hang on, this file may contain something bad," and promising an evaluation within 15 seconds. All of my hand-coded testing utilities triggered this warning; all three got a clean bill of health.

Detecting my months-old samples is one thing; protecting against the very latest threats is quite another. My malicious URL test uses a feed of URLs detected within the last day or two by MRG-Effitas. An antivirus product gets equal credit if it prevents all access to the malware-hosting URL or if it eliminates the downloaded malware immediately.

I test URL after URL until I've recorded data for 100 verified malware-hosting URLs, then tally the results. AVG blocked access to more than half of the URLs and eliminated almost another quarter at the download stage, for a total of 73 percent protection. That's quite a bit better than Comodo, which lacks URL-based blocking and scores just 37 percent. However, others have done quite a bit better than AVG. Symantec Norton AntiVirus Basic holds the lead, with 98 percent protection; Avira managed 95 percent.

Antiphishing Disappointment

Trojans and other malicious programs must successfully infiltrate your computer in order to steal data. Phishing websites, by contrast, only have to trick you, the user. If you log in to a fraudulent site that's pretending to be your bank, or your email provider, you've handed over your account to a crook. Such sites get discovered and blacklisted quickly, but the crooks simply set up new ones.

The most dangerous phishing sites are those that haven't been analyzed yet, so I scour the Web for sites that have been reported as fraudulent but not yet verified. I discard any that don't pretend to be some other site, and any that don't include fields for username and password. I launch each URL in a browser protected by the program under test, and in another protected by long-time phish-killer Norton. I also launch the URL in Chrome, Firefox, and Internet Explorer, relying on the browser's built-in protection. If the URL returns an error message in any of the five browsers (and they often do), I discard it.

Because the URLs themselves are different every time, I report each product's results as the difference between its detection rate and that of the others. In last year's test, AVG lagged Norton's detection rate by 28 percentage points, which is still actually better than the majority of competing products. This time around, it lagged Norton by 70 percentage points, putting it near the bottom. My contact at the company checked with the developers and confirmed that they know about the problem and are working on speedier updates.

Even though Norton is my touchstone for this test, it doesn't beat every single competitor. Check Point ZoneAlarm Free Antivirus+ 2017 tied with Norton in its most recent test. Bitdefender, Kaspersky, and Webroot actually beat Norton by a few points.

Bonus Features

The AVG Web TuneUp plug-in installs in all your browsers and offers several useful and important security benefits. First off, the Site Safety component warns when you visit a website that's risky or actively dangerous. You can click for more details, and click again for a full website report online. However, the full report isn't as detailed as what you get from Norton and a few others. And where Norton marks search results with red, yellow, and green icons, AVG only offers a rating once you try to visit a site.

Advertisers love to track your Web surfing, so they can show you ads they think you'll like, and avoid showing the same ad too often. But tracking by advertisers and others is a bit creepy, enough so that a proposed HTTP header, Do Not Track, was designed specifically to tell websites you don't want to be tracked. Alas, the header has no teeth. Your browser can send a Do Not Track header, but sites and advertisers can ignore it, and many do.

AVG's Web TuneUp includes an active Do Not Track component, one that checks each page you visit for trackers and optionally cuts off their tracking. It's disabled by default; I suggest you turn it on. A similar feature in Abine Blur uses its toolbar button to display the number of trackers on the current page and let you fine-tune its tracker blocking. AVG just blocks all trackers when this feature is turned on.
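The difference between the passive header and an active tracker blocker is easiest to see in code. The following is an added example, not AVG's or Abine's code: the tracker blocklist and the sample page are constructed for the demo (a real product ships a curated list), and the registrable-domain guess is a deliberately naive assumption that ignores multi-part suffixes such as co.uk.

```python
"""Passive Do Not Track header versus active tracker blocking (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist of tracker domains (hypothetical names for this demo).
TRACKER_DOMAINS = {"tracker.example", "ads.example"}


def dnt_request_headers():
    """The passive approach: a request header that asks politely.
    Nothing forces the site or its advertisers to honour it."""
    return {"DNT": "1"}


class _ResourceCollector(HTMLParser):
    """Collect URLs of sub-resources the page would load (scripts, images, frames)."""
    _ATTR = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self._ATTR.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def _site(host):
    """Naive registrable-domain guess: the last two labels.
    Assumption: ignores multi-part public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def classify_resources(html, page_url, tracker_domains=TRACKER_DOMAINS):
    """The active approach: inspect each sub-resource before it loads and cut
    off those served from a known tracker domain. Returns (blocked, allowed)."""
    collector = _ResourceCollector()
    collector.feed(html)
    first_party = _site(urlparse(page_url).hostname)
    blocked, allowed = [], []
    for url in collector.urls:
        host = urlparse(url).hostname
        if host is None:            # relative URL: served by the page's own host
            allowed.append(url)
            continue
        if _site(host) != first_party and _site(host) in tracker_domains:
            blocked.append(url)
        else:
            allowed.append(url)
    return blocked, allowed


# Constructed sample page: a first-party script, a third-party CDN script,
# a 1x1 tracking pixel and a tracking frame.
SAMPLE_PAGE = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<img src="https://pixel.tracker.example/t.gif?id=123" width="1" height="1">
<iframe src="https://ads.example/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print("passive:", dnt_request_headers())
    blocked, allowed = classify_resources(SAMPLE_PAGE, "https://news.example/story")
    print("blocked:", blocked)
    print("allowed:", allowed)
```

The blocker decides per resource, which is why a product can report how many trackers a page carries; the header approach has no such feedback, since nothing tells the browser whether the request was honoured.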

The last tune-up feature, Browser Cleaner, doesn't add a lot to your security. It finds things like browsing history, saved Web form data, and cookies, and lets you click to delete them. But in Chrome, Firefox, and Internet Explorer, you can simply press Ctrl+Shift+Del to do the same, with finer control over what gets deleted.

As noted, you can at any time install a one-day free trial of AVG PC TuneUp. Don't do this until you have a little free time, so you can make full use of your short-term trial.

The final bonus feature is a little hard to spot. Buried in the right-click menu for files and folders, you should find a new item titled Shred using AVG. If you choose this item, AVG overwrites the file's data before deleting it, thereby foiling any attempt to recover the deleted file's data.

An Excellent Choice

With the Avast acquisition, both the outward appearance and the technology inside are changing for AVG AntiVirus Free, and that's not a bad thing. The antivirus gets very good marks from all of the independent labs that I follow, and also did quite well in my malware-blocking test. It wasn't quite as good at blocking malicious downloads, but still beat many competitors. Yes, its antiphishing performance wasn't great, but phishing protection isn't a central antivirus component. Overall, it's an excellent choice.

But don't just take my word for it. Go ahead and give the program a try; it's free, after all. While you're at it, have a look at Avast Free Antivirus and Panda Free Antivirus, our other Editors' Choice products in the free antivirus realm.


PCMag may earn affiliate commissions from the shopping links included on this page. These commissions do not affect how we test, rate or review products. To find out more, read our complete terms of use.

Comodo Antivirus 10

Some antivirus vendors release a new version every year, with or without the coming year as part of the product name. Others, like Comodo, follow a simple version-number scheme, releasing a new version when it's ready. With Comodo Antivirus 10 the com...

TrustPort Antivirus Sphere (2017)

These days, you can find almost anything bundled into one antivirus or another—firewalls, spam filters, even password managers.

At the other end of the spectrum are lean, mean antivirus tools that just focus on the task at hand.

TrustPort Antivirus Sphere belongs to the latter group.
It does boast several bonus features, but they're all aimed at that core task.

Alas, it didn't fare well in my hands-on testing, and the independent labs mostly ignore it.

At $22.95 per year for one license or $29.95 for three, TrustPort is easier on the wallet than most of the non-free competition.

Bitdefender, Kaspersky, Norton, Webroot SecureAnywhere AntiVirus, and more than a dozen others charge $39.95 for a single license. However, after working with the product I'm not sure it's a bargain, even at that price.

With the 2017 product line, TrustPort has added "Sphere" to each product name, and changed the user interface considerably.

The small main window boasts a horizontal row of five large, square buttons against a dark gray background.

A green button toggles the on-access scanner, and another configures the anti-exploit component.

There are blue buttons to check for updates, display quarantined malware, and access bonus features.

What you won't see is anything like the big scan button that dominates Trend Micro Antivirus+ Security, Quick Heal, and a few others.

The documentation points out that the on-access scanner should take care of any problems, but that there are several ways to launch a scan. You can scan any drive or folder by choosing from the right-click menu, or select from numerous scan possibilities by right-clicking the TrustPort icon in the notification area.

A full scan of my standard clean test system took 63 minutes.

That's longer than the current average of 47 minutes, but again, TrustPort encourages users to skip the on-demand scan and rely on the real-time scanner.

Labs Mostly Mum

Independent antivirus testing labs around the world put multiple products through grueling tests, all designed to identify those that are the most effective.
I follow five labs that regularly report on their findings.
In most cases, vendors must pay to have a product tested (and reap the reward of learning what areas need work). When a product appears in reports from multiple labs, it means the vendor considered the expense worthwhile, and the labs considered the product significant enough to merit one of their testing slots.

Top antivirus utilities like Kaspersky Anti-Virus and Bitdefender get the highest marks from many labs.
If my simple hands-on tests don't seem to align with the lab results, I give the labs more weight.

Alas, there are very few lab results available for TrustPort.
It doesn't show up in reports from AV-Test Institute, AV-Comparatives, or SELabs.

These three offer the most information about a product's antivirus capabilities.

That leaves Virus Bulletin, with its VB100 and RAP (Reactive and Proactive) tests.
I stopped tracking VB100 a while ago, because a single false positive translates into failure.

The RAP test skews the other direction detail-wise, offering scores measured in hundredths of a percent.

TrustPort's latest RAP score of 85.34 percent is better than average, but that's all the information I have.
I can't build an aggregate lab score from one small data point.

Sharp-eyed users may notice that TrustPort uses two antivirus engines, code-named Argon and Xenon.

These are licensed from AVG and Bitdefender, respectively. However, the labs state very clearly that their results apply only to the actual product tested, not to any licensee.
So only tests of an actual TrustPort product are relevant.

So-So Malware Removal

I installed TrustPort on a virtual machine and waited for the necessary initial update.

Then I initiated my malware-blocking test by opening a folder full of malware samples.

TrustPort immediately started checking them, and quarantining any it found to be malicious. However, the process proved so CPU-intensive that the system was unusable for several minutes.

Admittedly, the average user doesn't just open a folder full of malware and shove the antivirus's face in it.

With G Data Antivirus 2017 and some other competitors, you must respond to a popup notification for each detection.

TrustPort conveniently stacks up multiple detections in a single popup.

The on-access scan eliminated 84 percent of the samples at this point.

I launched each of the remaining samples, taking note of how effectively the antivirus blocked its installation.

TrustPort missed a few, but managed to pull its overall detection rate up to 87 percent.
Its malware-blocking score was 8.5 of 10 possible points, which isn't great, especially with no stellar lab results to offset it. Webroot, G Data, F-Secure Anti-Virus, and a couple others managed 100 percent detection. Webroot earned a perfect 10 points; G Data and F-Secure came close, with 9.8 points.

My malicious URL blocking test starts with a feed of the latest malware-hosting URLs graciously supplied by MRG-Effitas.

These URLs are typically no more than a day or two old.

The malware samples aren't zero-day threats by any means, but they're definitely in the wild.
I launch each URL and note whether the antivirus kept the browser from reaching the URL, eliminated the malicious download, or did nothing at all. When I've got data for 100 valid malware-hosting URLs, I tally the results.

TrustPort's antivirus is at something of a disadvantage here, as the company reserves Web-based protection against malicious or fraudulent URLs for the security suite products. However, it proved quite vigilant at blocking malicious downloads.
In many cases, it identified and blocked the download before I could even hit Save.

That vigilance wasn't sufficient to yield a good score, however.

At 70 percent protection, TrustPort is in the lower half of recently tested products. Norton is at the top, with 98 percent protection.

Avira Antivirus Pro came quite close, blocking 95 percent of the malware downloads.

For most products, I would proceed to test antiphishing capabilities, comparing the product's detection rate with that of Symantec Norton AntiVirus Basic and of the built-in protection in Chrome, Firefox, and Internet Explorer. However, as noted, detection of undesirable websites isn't included in TrustPort's antivirus.

Exploit Protection

TrustPort devotes one of its five main buttons to the anti-exploit component.

By default, this component runs in Silent mode, and the average user will assume that means it's offering exploit protection silently. Unfortunately, it isn't so.

The default action in Silent mode is to allow all activity, meaning the anti-exploit component doesn't do anything.
If you take it out of Silent mode, it pops up a notification when it detects chicanery, giving you the option to block or allow a specific action, or mark the program involved as trusted.

To evaluate this component, I turned off Silent mode and attacked the test system with about 30 exploits generated by the CORE Impact penetration tool. Not one of them triggered a notification by the anti-exploit component, though the on-access scanner tagged a dangerous payload for 20 percent of them.

It turns out I just didn't understand the meaning of exploit in this context.

TrustPort doesn't watch for attempts to exploit specific vulnerabilities in the operating system or popular programs. Rather, it looks for programs attempting to manipulate other programs.

For example, it found my hand-written programs that launch Internet Explorer and direct it to malicious or phishing URLs to be highly suspicious.

For a further test, I attempted to install 20 old utilities, programs that work by hooking deeply into the operating system.

TrustPort flagged eight of them, giving me the option to allow or deny the suspicious action.
Strangely, the checkbox to remember my choice wasn't functional, so the popups just kept coming, in every case.
I could end the torture by choosing to trust the program, but I found no other way.

The same menu lets you switch to the application inspector component, disabling anti-exploit.

This component aims to foil zero-day and polymorphic malware by preventing malicious behaviors.
It prevents modification of sensitive file system and Registry areas, active processes, Windows services, and more. When it detects suspicious activity, it asks you, the user, to decide a course of action. You can allow the program, in which case it becomes trusted, with no limits. You can run it with sandbox-like restrictions. Or you can block it, in which case TrustPort kills the process.

I switched TrustPort to use the application inspector and repeated the test with old utilities.

The application inspector flagged six of them for various crimes, among them modifying a protected Registry location, using harmful access privileges, and more.

Two other utilities failed to function properly, with no notice from TrustPort. While both anti-exploit and application inspector flagged eight programs, only two programs got zinged by both.

It's possible to dig deep into settings and fine-tune the way these features work, but few users will go beyond the three basic settings.

The default silent anti-exploit mode does nothing.

The interactive anti-exploit mode blocks activity by some valid programs, and I couldn't end its popup cycle except by trusting the program.

And the application inspector also blocks valid programs, but in a different way.

After experiencing all three, I'm warming to the do-nothing option.

Extra Applications

The Extra Applications button on the main window looks tempting. What could these goodies be? Alas, the average user won't be able to make use of them. Who understands what it means to Prepare BartPE Plugin or to Prepare Windows PE CD?

In fact, both options aim to let you wipe out the most persistent malware by booting into an environment where the malware has no power.
If you dare to choose the BartPE option, TrustPort prompts you to select a folder and then announces that it successfully created the plugin. You're left to research BartPE on your own, and create a BartPE bootable disk including the plugin files.

If you choose instead to prepare a Windows PE CD, you'll find that you can't. Not without first downloading and installing Microsoft's Windows Automated Installation kit.

This just isn't something the average user will do.

Bitdefender Antivirus Plus 2017 handles this same problem so much better. You don't have to fiddle with creating a rescue disk at all. Just choose Rescue Mode and the system reboots into a non-Windows environment where Bitdefender is king. Kaspersky automates the process of creating a rescue disk, and Avira at least lets you download its rescue disk as an ISO file.

TrustPort needs to move away from the über-geeky BartPE and Windows PE solutions.

Not a Winner

With its new name and user interface, TrustPort Antivirus Sphere makes a good first impression. However, most of the antivirus testing labs ignore it, and it earned mediocre scores in our testing.

The anti-exploit component takes no action by default.
If you take it out of silent mode, it pops up warnings about both good and bad programs. Yes, it costs less than most competing products, but the best of those are worth paying more for.

From the many dozens of antivirus products available, we've identified five as our Editors' Choice products.

They are: Bitdefender Antivirus Plus, Kaspersky Anti-Virus, McAfee AntiVirus Plus, Symantec Norton AntiVirus Basic, and Webroot SecureAnywhere Antivirus.

Each has its own virtues.


Steganos Privacy Suite 18

If a website's massive data breach compromises your privacy, there's not much you can do. It's out of your hands. But that doesn't mean you're completely helpless. There's plenty you can do to protect your own privacy, things like encrypting your files, and protecting your passwords. Steganos Privacy Suite 18 brings together a variety of useful privacy-related tools. However, the quality of the tools varies, and the suite lacks some useful features found in competing products.

With most antivirus tools, security suites, and password managers, you pay a yearly subscription fee. That's not the case with Steganos. For $59.95 you can install it on up to five PCs and use it for as long as you like. The only thing you don't get is a free update to the next version.

Earlier editions of this product included VPN protection, but the current product lineup makes Steganos Online Shield VPN a separate product. As I write this, Steganos is running a promotion that gives you the VPN for free when you purchase the suite. Note, though, that PCMag's Max Eddy gave this VPN service just two out of five stars.

Getting Started with Steganos

After the quick, simple installation, Steganos displays its main window. At the left is a three-by-three matrix of icons representing the suite's features: Safe, Portable Safe, Crypt & Hide, Password Manager, Private Favorites, E-Mail Encryption, Shredder, Trace Destructor, and Privacy. The suite is effectively a launch pad for these utilities.

The right-hand portion of the main window is a kind of security progress report. Just by installing the suite, you start with a 20 percent security level. Creating an encrypted safe for storing sensitive files gets you another 20 percent, and setting up the password manager raises it by another 20. Using the password manager's bonus ability to store private favorites adds 20 percent more. Configuring the Privacy components takes you to 100 percent. I like the way this simple report encourages full use of the product's features.

Standalone Products

Several components of the Steganos Privacy Suite are available as standalone products. I'll summarize my findings regarding those products. To get full details, please click the links to read my reviews.

Steganos Safe 18 lets you create any number of safes, which are encrypted storage containers for your sensitive files. You can create safes on your PC, on portable devices, or in your cloud storage accounts. When a safe is open, you use it exactly like any disk drive. When it's shut, its contents are completely inaccessible.

Steganos Safe is extremely easy to use, more so than most container-based encryption products. In addition, it offers some seriously sneaky techniques for hiding the very existence of your safes from prying eyes. For example, you can hide a fairly small safe inside an audio, video, or executable file. And the Safe in a Safe feature lets you dedicate a percentage of a visible safe for use as a discreet, invisible storage location, with its own separate password.

Along with the encryption tool, you also get Steganos Shredder, a secure deletion shredder utility. You can securely delete any file or folder by selecting Destroy from the right-click menu. With this tool you can also shred all of the free space on disk, effectively applying secure deletion to already-deleted files. It can also wipe any disk drive (except the active Windows drive) so thoroughly that a format is required when it's done.
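Both the Shred using AVG menu item described earlier and Steganos Shredder rely on the same idea: overwrite a file's bytes on disk before unlinking it, so ordinary undelete tools recover only garbage. Here is that technique as an added example; it is not either vendor's code, and the pass count, the random-then-zeros pattern and the temporary random file name are my own choices. One caveat a practitioner should keep in mind: on SSDs (wear levelling), copy-on-write filesystems such as btrfs, ZFS and APFS, and volumes with snapshots, an in-place overwrite may never touch the physical blocks that held the old data, so full-disk encryption plus key destruction is the reliable answer there.

```python
"""Overwrite-then-delete secure file erasure (added example, not vendor code).

Caveat: only meaningful on media where an in-place write really replaces the
old blocks (classic magnetic disks, non-CoW filesystems, no snapshots).
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def overwrite_file(path, passes=3):
    """Overwrite the file's contents in place: `passes` passes of random bytes,
    then a final pass of zeros. Returns the file size in bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for final in [False] * passes + [True]:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n if final else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push the pass to the device, not just the page cache
    return size


def shred_file(path, passes=3):
    """Overwrite the data, then hide the original name and length before unlinking.
    Returns True when the original path is gone."""
    overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)        # original name no longer appears in the directory
    with open(anonymous, "r+b") as f:
        f.truncate(0)                  # original length no longer recorded either
    os.remove(anonymous)
    return not os.path.exists(path)


def demo():
    """Run the shredder on a constructed secret file in a temporary directory.
    Returns (size, bytes_after_overwrite, shredded, leftover_directory_entries)."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "MyWorldTakeover.txt")
    with open(secret, "wb") as f:
        f.write(b"MyWorldTakeover plans")
    size = overwrite_file(secret, passes=1)
    with open(secret, "rb") as f:
        after = f.read()               # zeros: the plaintext is gone from the file body
    shredded = shred_file(secret)
    leftover = os.listdir(workdir)
    os.rmdir(workdir)
    return size, after, shredded, leftover


if __name__ == "__main__":
    print(demo())
```

Renaming before unlinking matters because a directory entry can survive in filesystem metadata after the data blocks are gone; a recovered entry called MyWorldTakeover.txt is itself a leak, which is exactly the trace problem the review comes back to under TraceDestructor.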

Steganos Password Manager 18 handles the basic tasks of password capture and replay, and includes a password generator. Unlike most competing products, it doesn't directly handle syncing your passwords between devices; if you want syncing, you must connect to your existing cloud storage. You also get a limited ability to fill Web forms with personal data.

In testing, I couldn't get the password manager's Firefox extension to load. Also, some features worked in Chrome but not in Internet Explorer. If you get this password manager as part of the Steganos suite, you might as well use it. But if you're shopping for a standalone password manager, there are much better choices.

The two standalone Steganos products I've reviewed account for five of the suite's nine component icons. Password Manager and Private Favorites both correspond to Steganos Password Manager. Safe and Portable Safe are parts of Steganos Safe, as is Shredder. For the remainder of this review I'll focus on the rest of the privacy components.

Encrypt and Hide

The name Steganos comes from the term steganography, which is not the same as encryption. The aim of encryption is to ensure that others can't decipher your secrets. The aim of steganography is to conceal the fact that you have secrets. When you process a file through the suite's Crypt & Hide component and then shred the original, a hacker or snoop won't find any evidence that the sensitive data exists.

I don't know precisely how this tool processes files—it's not in the company's interest to reveal such information. But here's a simple example of how steganography could work to hide a file inside an image. First, picture that the image file contains a list of numbers representing the exact color of each pixel. Now round all those numbers so they're even. That tiny change doesn't make a visible difference in the image. Convert your secret file into a stream of bits, and step through the list of the image's pixels, leaving the color number unchanged for zero bits and making it odd for one bits. You've hidden the file in a way that's completely recoverable, but the image doesn't look appreciably different.

Steganos can use BMP, WAV, or JPG files as carriers for encrypted data. The help system advises using a carrier file at least 20 times the size of the encrypted data. You can also use it to create encrypted archives without hiding them, much as you'd do with a ZIP archive utility. Note, though, that the archives created by Steganos use the proprietary EDF format, not the standard ZIP format.

To create a simple encrypted archive, drag files and folders onto the Crypt & Hide dialog, or browse to locate the desired items. You can also enter a text description of the contents. Clicking Save lets you define the name and location for the resulting EDF file. The password entry dialog is the same as that used by Steganos Safe and Steganos Password Manager. It rates password strength as you type, with the option to use a virtual keyboard, or to define the password by clicking a sequence of pictures.

To create an encrypted file and also hide it, follow precisely the same procedure, but click the Hide button instead of the Save button, and choose a BMP, WAV, or JPG file as carrier. That's it. Your secret files are hidden within the chosen carrier. Don't believe it? Launch Crypt & Hide again, choose Open, and select your carrier. Once you enter the password, your files are back. Of course you must use the shredder to destroy the originals.

TraceDestructor

As you use your computer and browse the Web, you leave behind traces of what you've been doing. Sure, you hid your secret plans using Crypt & Hide, but if MyWorldTakeover still shows up in the list of recent documents, you're busted. In a similar way, your browsing history may reveal way too much about what you've been researching. That's where TraceDestructor comes in.

TraceDestructor clears various types of browsing traces from Chrome, Firefox, Internet Explorer, and Microsoft Edge. For Edge, it just clears cookies and cached files. For the others, it can also wipe out such things as history, autocomplete data, and passwords. It can also empty the Recycle Bin and eliminate Windows temporary files, recently used file lists, and other traces.

Cleaning up traces doesn't take long. When the process has finished, Steganos advises you to log off and on again, for full cleanup. Simple!

Privacy Settings

Clicking the Privacy icon brings up a simple settings dialog with four on/off switches, all off by default. I couldn't test Webcam protection, because my virtual machine test systems simply don't have webcams. In addition, every time I opened Privacy Settings I got a notification from Windows that the webcam privacy component crashed.

Webcam protection does nothing but deactivate your webcam, so you must turn that protection off if you want to use the cam for videoconferencing. A similar feature in ESET Internet Security 10 lets you disable the webcam in general but enable specific programs. That would prevent webcam spying while still letting you Skype, for example.

Kaspersky Total Security also offers webcam blocking for all but permitted programs. It extends similar protection to the microphone, to head off the possibility of a snoop listening in on your activities.

Internet advertisers work hard to profile your personal surfing habits, so they can target ads based on your interests. If you've ever bought (or looked at) a product on one site and then seen an ad for that product on a different site, you've seen this process in action. You can set your browser to send a Do Not Track header with each request, but sites aren't compelled to obey this header. The Prevent tracking option in Steganos filters out tracking activity before it reaches the browser.

Some trackers skip the usual techniques for tying together all data about your online activity, instead trying to create a fingerprint of your devices and activity, including precise data about the browsers you use. Steganos lets you replace your actual browser details with a generic fake set, to anonymize your browser type. Finally, you can choose to block advertisements altogether. The Block ads, Prevent tracking, and Anonymize browse type settings are simple on/off switches.

In testing, these three privacy elements initially didn't work. I confirmed this using various online tests. I reinstalled the product, to no avail. I installed it on a physical system, thinking that it might be incompatible with running in a virtual machine. Here, too, the privacy elements just didn't work. Tech support determined this was due to the absence of a proxy process that provides all three types of filtering.

Going back and forth with tech support, I determined that the installer failed to create a necessary configuration file. Even after I manually copied the config file that tech support supplied, it did not launch the proxy process. After more back and forth, I got the proxy running on both systems. It seemed to be running smoothly on the physical system, but its output on the virtual system contained many error messages. That being the case, I focused on the physical system.

There's no way to tell if the Prevent tracking feature is working, but Anonymize browser type should change the user agent string that your browser sends to every website. It did not do so. And although the filter's output log contained tons of ad blocking reports, the ads visibly weren't blocked.

The worst thing about this component is that even when its proxy failed to load, it didn't display any kind of error message. The privacy features work silently, so you'd have no idea that they weren't functioning, unless you noticed its failure to block ads.

There is one icon I haven't covered, E-Mail Encryption. I've skipped this one for several reasons. First, it is not a Steganos product; it's from another company, MyNigma. Second, on a PC it only functions as an Outlook plug-in, and my test systems don't have Outlook. Third, it only works to encrypt email between other users of MyNigma, so it's not useful for general-purpose encrypted communication.

Another Take on Privacy

Abine Blur is another suite of tools aimed at protecting your privacy. Its active Do Not Track component goes way beyond just sending the DNT header, which websites can ignore. Furthermore, unlike Steganos, it makes its activity visible. It includes a simple password manager, but goes beyond Steganos by offering a safety report that flags weak and duplicate passwords.

Blur protects your privacy by masking email accounts, credit cards, and (on a smartphone) phone numbers. Suppose you make a purchase from a merchant using a masked email account, and a masked credit card. Mail from the merchant reaches your inbox, but you can delete the masked account if it starts getting spam. And a merchant who doesn't have your real credit card number can't sell the card data or overcharge you. Read my review for a full explanation.

Blur doesn't block ads, and it doesn't include file encryption, but all of its components are directly aimed at protecting your privacy. Even if you do install the Steganos suite, consider trying Blur's free edition for additional protection. Note that if you do opt for a $39-per-year premium subscription, you can use Blur on all your devices.

Do You Already Have It?

You may also find that you've already got significant privacy protection courtesy of your security suite. For example, Kaspersky and AVG Internet Security include an active Do Not Track system, like what Blur offers, and Kaspersky can block banner ads. Webcam protection in Kaspersky and ESET goes farther than what you get with Steganos.

As for encrypted storage, the core of Steganos Privacy Suite, you can find a similar feature in many suites, among them McAfee LiveSafe, Bitdefender, Kaspersky, and Trend Micro. Admittedly, none of the suites build out this feature into the comprehensive encryption system that is Steganos Safe.

As for password management, it's becoming a common bonus feature in larger suites. Webroot includes a version based on award-winning LastPass, and McAfee comes with all the multi-factor authentication glory of True Key. Symantec Norton Security Premium, Trend Micro, ESET, Kaspersky, and Bitdefender are among the other suites with a password manager built right in.

Before you purchase a set of privacy tools, check to see what you already have right in your existing security suite.

A Mixed Bag

Steganos Safe is easier to use than other container-based encryption programs, and has some nifty features to both encrypt and hide your files. However, Steganos Password Manager lacks advanced features, and some of its features didn't work in testing. The Crypt & Hide component is a kick, as it truly hides your secrets, leaving no trace. But the browser-related privacy filters just didn't work in testing. Steganos Privacy Suite is a mixed bag, for sure.

There aren't many utilities specifically devoted to privacy. Abine Blur Premium remains our Editors' Choice in this interesting field. I look forward to seeing more competition in the specific area of privacy protection.


PCMag may earn affiliate commissions from the shopping links included on this page. These commissions do not affect how we test, rate or review products. To find out more, read our complete terms of use.

Bitdefender Antivirus Free Edition (2017)

Microsoft includes free antivirus protection with recent versions of Windows, and it does work—to a point. But for full protection against malware, you need a third-party antivirus, and you don't necessarily have to pay for it. Bitdefender Antivirus Free Edition (2017) includes all the core malware-fighting components of Bitdefender's paid edition, but without the vast collection of additional security features. This product has gone several years without an update; the latest edition is now compatible with Windows 10.

Installing Bitdefender Free is quick and easy. During the process, it downloads the latest version and scans for active malware. You need to sign up for a Bitdefender account to activate it (or sign in if you already have one). The premium edition's main window isn't especially busy, but the free edition is simplicity itself. There's a button to run the full system scan, a drag/drop spot to scan specific files or folders, and a timeline of recent activity. That's it. There isn't even a separate scan window. When you launch a scan, the scan's progress appears in the events timeline.

Excellent Lab Results

While Bitdefender Free doesn't include every feature of the commercial edition, its core antivirus engine is exactly the same as what the independent labs test. And indeed, all the labs that I follow include Bitdefender in their testing. It scored 84.36 percent in Virus Bulletin's RAP (Reactive And Proactive) test, very close to the current average. PC Pitstop PC Matic blew away the competition in the most recent RAP test, with a score of 99.87 percent.

In the three-part test regularly reported by AV-Test Institute, Bitdefender earned 6 of 6 possible points each for protection and usability, and 5.5 out of 6 for performance. Its total score of 17.5 points makes it a top product. Avira and Kaspersky edged out that score, each taking a perfect 18 points.

The researchers at AV-Comparatives perform a wide variety of tests; I follow five of them. Products that pass a test earn Standard certification, while those that do significantly better receive Advanced or even Advanced+ certification. Bitdefender took Advanced+ in all five tests; only Kaspersky Anti-Virus has matched that feat recently.

Simon Edwards Labs attempts to simulate the real world of malware as closely as possible for testing purposes, using a capture/replay system to present each product with a real-world Web-based attack. Certification from this lab comes at five levels, AAA, AA, A, B, and C. Bitdefender and Avast got AA certification, beaten only by the AAA certification received by ESET, Kaspersky, and Norton.

The tests performed by MRG-Effitas are a bit different from the rest. To pass this lab's banking Trojans test, a product needs a perfect score; anything less is failure. Another test using a wide variety of malware offers two passing levels. If a product absolutely blocks every installation attempt, it passes at Level 1. If some malware gets through, but is eliminated within 24 hours, that earns Level 2. Anything else is a fail. Like two-thirds of all products tested, Bitdefender failed the banking Trojans test. Along with Avast Free Antivirus 2016, Avira, and a few others, Bitdefender passed the broad-spectrum test at Level 2.

Only Avast, AVG AntiVirus Free, Bitdefender, and ESET show up in the test results of all five of the labs that I follow. Bitdefender's excellent performance yields an aggregate lab score of 9.3 points. Avira Antivirus and Norton scored a bit better, and Kaspersky is at the top, with a perfect 10 points, but all the other products I track trail Bitdefender in aggregate lab score.

Very Good Malware Blocking

I always run my own hands-on testing, just to get a feel for the way a product handles malware. If I don't get enough data from the labs, my hands-on test is the only way I can rate antivirus accuracy. In this case, the labs have already made it very clear that Bitdefender is a winner.

Naturally the results of my hands-on malware blocking test were basically the same as what I got when testing Bitdefender Antivirus Plus 2017 a few months ago. In a few cases the cleanup was more thorough, but not enough to change the score. A detection rate of 90 percent isn't tip-top, nor is an overall score of 8.8 points. Tested with this same collection of samples, Webroot managed 100 percent detection and a perfect 10 points. Avast detected 100 percent of my previous collection and earned 9.7 points. But when my results don't jibe with the findings of the labs, I yield to the labs.

Bitdefender's premium antivirus, along with the suite products, runs by default in AutoPilot mode, meaning that as much as possible it takes care of security without bothering the user. You can turn off AutoPilot in the premium products, but not in the free edition. I observed that in several cases, it silently killed off a malware process and cleaned up its traces, occasionally triggering an error message from Windows about its inability to access the file.

My malicious URL blocking test takes an hour or more to run. In this test, I challenge the antivirus's Web-based protection to keep the browser safe from 100 very fresh malware-hosting URLs. I also give credit if the real-time antivirus eliminates the malicious payload during the download process. I didn't rerun the entire test, since the underlying engine is the same, but I ran a stripped-down version just to verify that the free edition handles malicious URLs. A 90 percent protection rate is quite good, better than all but a few competing products. However, with 98 percent protection, Norton has the top score.

Tops at Antiphishing

The most accurate malware-detection system in the world can't help you if you fall for a scam and give away your precious passwords. Phishing websites masquerade as banks, online merchants, even gaming websites, and do their best to steal your login credentials. They get caught and blacklisted quickly enough, but the fraudsters just grab their winnings and move on.

To test a product's ability to keep users safe from this kind of fraud, I scrape phishing URLs from a variety of reporting sites. I try to get URLs so new that they haven't been analyzed and verified. I run the test simultaneously on the product under testing and on Symantec Norton AntiVirus Basic, a consistent antiphishing winner. I also check the protection built into Chrome, Firefox, and Internet Explorer.

Hardly any products come even close to Norton's detection rate. Avast and Qihoo 360 Total Security 8.6 did well, coming in just 1 percentage point behind Norton. Webroot beat Norton by 1 percentage point, and Kaspersky beat it by 2 points. But Bitdefender owns this test, coming in 5 percentage points better than Norton.

Note that Bitdefender also aims to detect frauds and scams other than straight phishing websites. The full antivirus product uses specialized icons for such things as escrow scams, online dating scams, and piracy sites. With the free edition, you just get a report that it blocked a phishing attempt or a fraud attempt.

What's Not Here

I've described the entirety of what Bitdefender Free does. The feature list of the full, premium Bitdefender Antivirus goes way, way beyond this. Please read my review (linked above) for full details on what you get by paying for the full edition. I'll list the bonus features here.

The Bitdefender Wallet component is a complete, if basic, password manager. It captures and replays passwords, imports passwords from your browsers, generates strong passwords, and fills Web forms. It doesn't try for advanced features like two-factor authentication or automatic password update.

Bitdefender SafePay is a hardened separate desktop designed to keep your sensitive online transactions safe. Processes running under SafePay are isolated from processes on the regular desktop. The Wi-Fi Advisor both checks your home network's security and warns when you connect to an insecure network. If the antivirus can't eliminate a particularly nasty malware specimen, you can reboot in Rescue Mode to handle the threat outside of Windows.

Using the File Shredder you can delete sensitive files permanently, beyond the possibility of forensic recovery. A Search Advisor add-in marks up dangerous websites in search results. And the Vulnerability Scan checks for missing security updates and for weak Windows passwords. A new ransomware-specific protection layer aims to protect your important files. And none of these jolly bonus features are present in the free edition.

Basic Protection

As you can see, Bitdefender Antivirus Free Edition doesn't have the wealth of features that makes its for-pay sibling such a powerhouse. But it totally does contain the same basic protection against malware, malicious websites, and fraudulent sites. If that's exactly what you want, then you needn't spend a penny to get your system protected by Bitdefender.

The feature set of AVG AntiVirus Free includes website rating, file shredding, active blocking of trackers, and a simple browser privacy cleaner. Avast Free Antivirus 2016 offers password management, vulnerability scanning, system cleanup, and an unusual scan for network and router vulnerabilities. Panda Free Antivirus helps clear out unwanted toolbars from your browsers, scans every USB drive you mount, and vaccinates USB drives against malware infestation. These three are our Editors' Choice free antivirus utilities. Of course, since they're all free, you can give each of them (and Bitdefender, too) a try before settling on your favorite free protection.



Malicious Ads Are Embedding Stegano Exploit Kit On Popular Sites

Millions of readers who visited popular news websites have been targeted by a series of malicious ads redirecting to an exploit kit exploiting several Flash vulnerabilities.
Since at least the beginning of October, users might have encountered ads promoting applications calling themselves “Browser Defence” and “Broxu”. These advertisement banners were stored on a remote domain with the URL hxxps://browser-defence.com and hxxps://broxu.com. Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server.

Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin. The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel.
Since the modification is minor, the final picture’s color tone is only slightly different to that of the clean version.

Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine. If the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit’s landing page, via the TinyURL service.

The landing page loads a Flash file that is able to exploit three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the version of Flash found on the victim’s system. Upon successful exploitation, the executed shell code collects information on installed security products and performs – as paranoid as the cybercriminals behind this attack – yet another check to verify that it is not being monitored.
If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image. The payload is then decrypted and launched via regsvr32.exe or rundll32.exe. Payloads detected so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders. An earlier variant of this stealthy exploit pack has been hiding in plain sight since at least late 2014, when we spotted it targeting Dutch customers.
In spring 2015 the attackers focused on the Czech Republic and now they have shifted their focus onto Canada, Britain, Australia, Spain and Italy. In the earlier campaigns, in an effort to masquerade as an advertisement, the exploit kit was using domain names starting with “ads*.” and URI names containing watch.flv, media.flv, delivery.flv, player.flv, or mediaplayer.flv. In the current campaign, they have improved their tactics significantly.
It appears that the exploit pack’s targeting of specific countries is a result of the advertising networks the attackers were able to abuse. We can say that even some of the other major exploit kits, like Angler and Neutrino, are outclassed by the Stegano kit in terms of referrals, that is, the websites onto which they managed to get the malicious banners installed. We have observed major domains, including news websites visited by millions of people every day, acting as “referrers” hosting these advertisements. Upon hitting the advertising slot, the browser will display an ordinary-looking banner to the observer.

There is, however, a lot more to it than advertising.

The steganography advertisement

In the vast majority of the cases, the advertisement was promoting a product called “Browser Defence”, and it has been only recently that we started to detect banners promoting the software “Broxu”. However, for the sake of simplicity, and since the campaigns are practically identical (apart from the banner and its hosting domain, of course), only the “Browser Defence” campaign is analyzed below. The advertisement was located at the browser-defence.com domain with a URI structure similar to the following (note the https):

hxxps://browser-defence.com/ads/s/index.html?w=160&h=600

The index.html loads countly.min.js and feeds the initial parameters to the script.

This countly, however, is not the stock library of the open source mobile & web analytics platform you would download from GitHub. It is a heavily modified and obfuscated version, with some parts deleted and interlaced with custom code.

This custom code is responsible for an initial environment check. Information about the environment is reported back to the server as XOR-encrypted parameters of a request for a 1x1 GIF file. The following information about the environment is sent:

systemLocale^screenResolution^GMT offset^Date^userAgent^pixelRatio

After that, the script will request the advertising banner.

The server will reply with either a clean or a malicious version, most likely also depending on the previous environment check. The script will then attempt to load the banner and read the RGBA structure. If a malicious version of the image was received, it will decode some JavaScript and variables from the alpha channel.

The steganography is implemented in the following way: two consecutive alpha values represent the tens and ones of a character code, encoded as a difference from 255 (the full alpha). Moreover, in order to make the change more difficult to spot by the naked eye, the difference is minimized using an offset of 32. For instance, if the first few alpha bytes contained the values 239, 253, 237, 243, 239, 237, 241, 239, 237, 245, 239, 247, 239, 235, 239 and 237, they would decode to the word “function”. In this example, the first two alpha values, 239 and 253, would give us an ‘f’.

A closer look at one of the clean banners and one with the Stegano code shows only a subtle difference.

Figure: clean picture; picture with malicious content; malicious version enhanced for illustrative purposes.

The alpha channel of the unused pixels is filled with some pseudorandom values, in order to make the “alpha noise” evenly distributed and thus more difficult to spot. After successful extraction, the JS code integrity is checked against a hash encoded at the end of the picture, then executed.

Next, the new script attempts to check the browser and computer environment further using a known Internet Explorer vulnerability, CVE-2016-0162. In particular, it is focused on checking for the presence of packet capture, sandboxing, and virtualization software, as well as various security products.
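A decoder for the alpha-channel encoding just described, written as an added analyst's example; it is not code from the ESET report or from the exploit kit. The report gives the rule (two alpha values per character, tens and ones digits as differences from 255, offset 32) and sixteen sample bytes. The exact scaling used below, each difference being 2 × (digit + 1), is my own inference from those sample values: it reproduces “function” from all sixteen bytes, including the repeated ‘n’ from the repeated pair (239, 237). The RGBA buffer is constructed for the demonstration.

```python
"""Decoder for the alpha-channel character encoding ESET describes in the Stegano kit.

Added example; not code from the ESET report nor from the exploit kit. The
scaling (difference = 2 * (digit + 1)) is inferred from the sample values the
report quotes and is an assumption, not a statement from the report.
"""
from typing import List, Optional

FULL_ALPHA = 255
CHAR_OFFSET = 32               # printable ASCII starts at the space character
DIGIT_DIFFS = range(2, 21, 2)  # digit d stored as difference 2 * (d + 1): 2, 4, ..., 20


def alpha_pair_to_char(hi: int, lo: int) -> Optional[str]:
    """Map one alpha pair (tens, ones) to a character, or None if either is not a digit.

    The None path is what makes this usable on a real banner: the report says
    the unused pixels carry pseudorandom alpha 'noise', so arbitrary pairs must
    be rejected rather than turned into garbage characters.
    """
    digits = []
    for value in (hi, lo):
        diff = FULL_ALPHA - value
        if diff not in DIGIT_DIFFS:   # rejects odd differences and anything above 20
            return None
        digits.append(diff // 2 - 1)
    return chr(CHAR_OFFSET + 10 * digits[0] + digits[1])


def alpha_channel(rgba: bytes) -> List[int]:
    """Pull the alpha byte out of tightly packed RGBA pixel data (4 bytes per pixel)."""
    return list(rgba[3::4])


def decode_alpha(alpha: List[int]) -> str:
    """Decode consecutive pairs, stopping at the first pair that is not a digit pair."""
    out = []
    for i in range(0, len(alpha) - 1, 2):
        ch = alpha_pair_to_char(alpha[i], alpha[i + 1])
        if ch is None:
            break
        out.append(ch)
    return "".join(out)


# The sixteen alpha values quoted in the ESET report; they decode to "function".
SAMPLE_ALPHA = [239, 253, 237, 243, 239, 237, 241, 239,
                237, 245, 239, 247, 239, 235, 239, 237]

# Constructed RGBA buffer: opaque white pixels whose alpha bytes carry SAMPLE_ALPHA,
# followed by two pixels of "noise" alpha (17 and 254) that must not decode.
SAMPLE_RGBA = b"".join(bytes([255, 255, 255, a]) for a in SAMPLE_ALPHA + [17, 254])

if __name__ == "__main__":
    print(decode_alpha(SAMPLE_ALPHA))                  # function
    print(decode_alpha(alpha_channel(SAMPLE_RGBA)))    # function
```

For triage, the useful property is the one the decoder enforces: a clean banner's alpha values are rarely all even and all within 20 of full opacity across a long run of pixels, so a run of valid digit pairs that decodes to readable script text is a strong indicator worth alerting on, while the pseudorandom filler the report mentions will fail the digit check almost immediately.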

Also, it checks for various graphics and security drivers to verify whether it is running on a real machine. More details can be found in Appendix 1. If no indication of monitoring is detected, it creates an iframe (just one pixel in size) at coordinates off the screen, sets its window.name property (this name will be used later) and redirects to TinyURL via https.

TinyURL then redirects to an exploit landing page via http.

The referrer to the original site is lost during this process.

The exploit

After successful redirection, the landing page checks the userAgent looking for Internet Explorer, loads a Flash file, and sets the FlashVars parameters via an encrypted JSON file.

The landing page also serves as a middleman for the Flash and the server via ExternalInterface and provides basic encryption and decryption functions. The Flash file has another Flash file embedded inside and, similarly to the Neutrino exploit kit, it comes with three different exploits based on the Flash version. The second stage Flash file decrypts the FlashVars. It contains a JSON file with a URI for error reporting, JS function names for ExternalInterface, the callback function name and some unused data:

{"a":"\/e.gif?ts=1743526585&r=10&data=","b":"dUt","c":"hML","d":true,"x":"\/x.gif?ts=1743526585&r=70&data="}

Subsequently, it invokes a JS via ExternalInterface.call() that checks for the Flash version and communicates this to the server via the landing page.

This is done through an encrypted URI parameter of a request for a GIF file.

The encryption’s algorithm is simple, and uses the window.name from the advertisement. The response is a GIF image of which the first bytes are discarded and the rest is decrypted using the same algorithm and then passed back to Flash. The response is a JSON containing a letter denoting which exploit to use (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117), a password for the corresponding exploit and a shell code ready with the URI for the payload.

The shell code

The shell code is decrypted into its final stage during the exploitation phase. It will attempt to download an encrypted payload, again disguised as a GIF image.

First, however, it performs yet another check for signs that could suggest it is being analyzed. It is particularly interested in the presence of software containing the following strings in their filenames:

vmtoolsd.exe
VBoxService.exe
prl_tools_service.exe
VBoxHook.dll
SBIEDLL.DLL
fiddler.exe
charles.exe
wireshark.exe
proxifier.exe
procexp.exe
ollydbg.exe
windbg.exe

eset*, kasper*, avast*, alwil*, panda*, nano a*, bitdef*, bullgu*, arcabi*, f-secu*, g data*, escan*, trustp*, avg*, sophos*, trend m*, mcafee*, lavaso*, immune*, clamav*, emsiso*, superanti*, avira*, vba32*, sunbel*, gfi so*, vipre*, microsoft sec*, microsoft ant*, norman*, ikarus*, fortin*, filsec*, k7 com*, ahnlab*, malwareby*, comodo*, symant*, norton*, agnitu*, drweb*, 360*, quick h

If it detects anything suspicious, it will not attempt to download the payload.

The payload

If the payload is received, the first 42 bytes of the GIF are discarded; the rest is decrypted and saved to a file using one of the following methods:

CreateFile, WriteFile
CreateUrlCacheEntryA(*" http://google.com/",,,,), CreateFileA, CreateFileMappingA, MapViewOfFile, {loop of moving bytes}, FlushViewOfFile, UnmapViewOfFile

The payload is then launched via regsvr32.exe or rundll32.exe. During our research, we have seen the following payloads being downloaded by the Stegano exploit kit:

Win32/TrojanDownloader.Agent.CFH
Win32/TrojanDownloader.Dagozill.B
Win32/GenKryptik.KUM
Win32/Kryptik.DLIF

After a detailed analysis of the Downloaders and Kryptiks (the latter are ESET’s detections of extensively obfuscated variants), we found out that they either contained or were downloading Ursnif and Ramnit malware. Ursnif has a multitude of modules for stealing email credentials, has a backdoor, keylogger, screenshot maker, and video maker, injects into IE/FF/Chrome and modifies HTTP traffic, and can steal any file from the victim computer.

According to the configuration files found in the analyzed samples, they seem to be targeting the corporate sector, focusing on payment services and institutions. Ramnit is a file infector that has been targeting the banking sector as well, utilizing its many capabilities, such as information exfiltration, screenshot capture, file execution, etc.

Conclusion

The Stegano exploit kit has been trying to fly under the radar since at least 2014. Its authors have put quite some effort into implementing several techniques to achieve self-concealment. In one of the most recent campaigns we detected, which we traced back at least to the beginning of October 2016, they had been distributing the kit through advertisement banners using steganography and performing several checks to confirm that they were not being monitored. In the event of successful exploitation, the vulnerable victims’ systems had been left exposed to further compromise by various malicious payloads including backdoors, spyware and banking Trojans. Exploitation by the Stegano kit, or any other known exploit kit for that matter, can often be avoided by running fully patched software and by using a reliable, updated internet security solution.

Appendix 1 – Strings scanned for by Stegano exploit kit

Security products

C:\Windows\System32\drivers\vmci.sys
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe
C:\Windows\System32\drivers\vboxdrv.sys
C:\Windows\System32\vboxservice.exe
C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxTray.exe
C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxTray.exe
C:\Windows\System32\drivers\prl_fs.sys
C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
C:\Program Files (x86)\Parallels\Parallels Tools\prl_cc.exe
C:\Windows\System32\VMUSrvc.exe
C:\Windows\System32\VMSrvc.exe
C:\Program Files\Fiddler\Fiddler.exe
C:\Program Files (x86)\Fiddler\Fiddler.exe
C:\Program Files\Fiddler2\Fiddler.exe
C:\Program Files (x86)\Fiddler2\Fiddler.exe
C:\Program Files\Fiddler4\Fiddler.exe
C:\Program Files (x86)\Fiddler4\Fiddler.exe
C:\Program Files\FiddlerCoreAPI\FiddlerCore.dll
C:\Program Files (x86)\FiddlerCoreAPI\FiddlerCore.dll
C:\Program Files\Charles\Charles.exe
C:\Program Files (x86)\Charles\Charles.exe
C:\Program Files\Wireshark\wireshark.exe
C:\Program Files (x86)\Wireshark\wireshark.exe
C:\Program Files\Sandboxie\SbieDll.dll
C:\Program Files (x86)\Sandboxie\SbieDll.dll
SbieDll.dll
C:\Program Files\Invincea\Enterprise\InvProtect.exe
C:\Program Files (x86)\Invincea\Enterprise\InvProtect.exe
C:\Program Files\Invincea\Browser Protection\InvBrowser.exe
C:\Program Files (x86)\Invincea\Browser Protection\InvBrowser.exe
C:\Program Files\Invincea\threat analyzer\fips\nss\lib\ssl3.dll
C:\Program Files (x86)\Invincea\threat analyzer\fips\nss\lib\ssl3.dll
InvGuestIE.dll
InvGuestIE.dll/icon.png
sboxdll.dll
InvRedirHostIE.dll
C:\Windows\System32\PrxerDrv.dll
PrxerDrv.dll
C:\Program Files\Proxifier\Proxifier.exe
C:\Program Files (x86)\Proxifier\Proxifier.exe
C:\Windows\System32\pcapwsp.dll
pcapwsp.dll
C:\Program Files\Proxy Labs\ProxyCap\pcapui.exe
C:\Program Files (x86)\Proxy Labs\ProxyCap\pcapui.exe
C:\Windows\System32\socketspy.dll
socketspy.dll
C:\Program Files\Ufasoft\SocksChain\sockschain.exe
C:\Program Files (x86)\Ufasoft\SocksChain\sockschain.exe
C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe
C:\Program Files (x86)\Debugging Tools for Windows (x86)\windbg.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
mbae.dll
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\System32\drivers\hmpalert.sys
C:\Program Files\EMET 4.0\EMET_GUI.exe
C:\Program Files (x86)\EMET 4.0\EMET_GUI.exe
C:\Program Files\EMET 4.1\EMET_GUI.exe
C:\Program Files (x86)\EMET 4.1\EMET_GUI.exe
C:\Program Files\EMET 5.0\EMET_GUI.exe
C:\Program Files (x86)\EMET 5.0\EMET_GUI.exe
C:\Program Files\EMET 5.1\EMET_GUI.exe
C:\Program Files (x86)\EMET 5.1\EMET_GUI.exe
C:\Program Files\EMET 5.2\EMET_GUI.exe
C:\Program Files (x86)\EMET 5.2\EMET_GUI.exe
C:\Program Files\EMET 5.5\EMET_GUI.exe
C:\Program Files (x86)\EMET 5.5\EMET_GUI.exe
C:\Python27\python.exe
C:\Python34\python.exe
C:\Python35\python.exe
C:\Program Files\GeoEdge\GeoProxy\GeoProxy.exe
C:\Program Files (x86)\GeoEdge\GeoProxy\GeoProxy.exe
C:\Program Files\geoedge\geovpn\bin\geovpn.exe
C:\Program Files (x86)\geoedge\geovpn\bin\geovpn.exe
C:\Program Files\GeoSurf by BIscience Toolbar\tbhelper.dll
C:\Program Files (x86)\GeoSurf by BIscience Toolbar\tbhelper.dll
C:\Program Files\AdClarity Toolbar\tbhelper.dll
C:\Program Files (x86)\AdClarity Toolbar\tbhelper.dll
XProxyPlugin.dll
C:\Program Files\EffeTech HTTP Sniffer\EHSniffer.exe
C:\Program Files (x86)\EffeTech HTTP Sniffer\EHSniffer.exe
C:\Program Files\HttpWatch\httpwatch.dll
C:\Program Files (x86)\HttpWatch\httpwatch.dll
httpwatch.dll
C:\Program Files\IEInspector\HTTPAnalyzerFullV7\HookWinSockV7.dll
C:\Program Files (x86)\IEInspector\HTTPAnalyzerFullV7\HookWinSockV7.dll
C:\Program Files\IEInspector\HTTPAnalyzerFullV6\HookWinSockV6.dll
C:\Program Files (x86)\IEInspector\HTTPAnalyzerFullV6\HookWinSockV6.dll
C:\Program Files\IEInspector\IEWebDeveloperV2\IEWebDeveloperV2.dll
C:\Program Files (x86)\IEInspector\IEWebDeveloperV2\IEWebDeveloperV2.dll
HookWinSockV6.dll/#10/PACKAGEINFO
HookWinSockV7.dll/#10/PACKAGEINFO
C:\Program Files\NirSoft\SmartSniff\smsniff.exe
C:\Program Files (x86)\NirSoft\SmartSniff\smsniff.exe
C:\Program Files\SoftPerfect Network Protocol Analyzer\snpa.exe
C:\Program Files (x86)\SoftPerfect Network Protocol Analyzer\snpa.exe
C:\Program Files\York\York.exe
C:\Program Files (x86)\York\York.exe
C:\Windows\System32\drivers\pssdklbf.sys
C:\Program Files\Andiparos\Andiparos.exe
C:\Program Files (x86)\Andiparos\Andiparos.exe
C:\Program Files\IEInspector\HTTPAnalyzerStdV7\HTTPAnalyzerStdV7.exe
C:\Program Files (x86)\IEInspector\HTTPAnalyzerStdV7\HTTPAnalyzerStdV7.exe
C:\Program Files\IEInspector\HTTPAnalyzerFullV7\HttpAnalyzerStdV7.exe
C:\Program Files (x86)\IEInspector\HTTPAnalyzerFullV7\HttpAnalyzerStdV7.exe
C:\Program Files\HTTPDebuggerPro\HTTPDebuggerUI.exe
C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
C:\Program Files\OWASP\ed Attack Proxy\AP.exe
C:\Program Files (x86)\OWASP\ed Attack Proxy\AP.exe
C:\Program Files\Iarsn\AbpMon 9.x\AbpMon.exe
C:\Program Files (x86)\Iarsn\AbpMon 9.x\AbpMon.exe
C:\Program Files\AnVir Task
ManagerAnVir.exe C:\Program Files (x86)\AnVir Task ManagerAnVir.exe C:\Program Files\rohitab.com\API Monitor\apimonitor-x64.exe C:\Program Files (x86)\rohitab.com\API Monitor\apimonitor-x64.exe C:\Program Files\Chameleon Task Manager\manager_task.exe C:\Program Files (x86)\Chameleon Task Manager\manager_task.exe C:\Program Files\Free Extended Task Manager\Extensions\ExtensionsTaskManager.exe C:\Program Files (x86)\Free Extended Task Manager\Extensions\ExtensionsTaskManager.exe C:\Program Files\Kozmos\Kiwi Application Monitor\Kiwi Application Monitor.exe C:\Program Files (x86)\Kozmos\Kiwi Application Monitor\Kiwi Application Monitor.exe C:\Program Files\PerfMon4x\PerfMon.exe C:\Program Files (x86)\PerfMon4x\PerfMon.exe C:\Program Files\Process Lasso\ProcessLasso.exe C:\Program Files (x86)\Process Lasso\ProcessLasso.exe C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe C:\Program Files (x86)\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe C:\Program Files\Psymon\Psymon.exe C:\Program Files (x86)\Psymon\Psymon.exe C:\Program Files\LizardSystems\Remote Process Explorer\rpexplorer.exe C:\Program Files (x86)\LizardSystems\Remote Process Explorer\rpexplorer.exe C:\Program Files\Security Process Explorer\procmgr.exe C:\Program Files (x86)\Security Process Explorer\procmgr.exe C:\Program Files\System Explorer\SystemExplorer.exe C:\Program Files (x86)\System Explorer\SystemExplorer.exe C:\Program Files\Iarsn\TaskInfo 10.x\TaskInfo.exe C:\Program Files (x86)\Iarsn\TaskInfo 10.x\TaskInfo.exe C:\Program Files\What’s my computer doing\WhatsMyComputerDoing.exe C:\Program Files (x86)\What’s my computer doing\WhatsMyComputerDoing.exe C:\Program Files\VMware\VMware Workstation\vmware.exe C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe C:\Program Files\Oracle\VirtualBox\VirtualBox.exe C:\Program Files (x86)\Oracle\VirtualBox\VirtualBox.exe C:\Windows\System32\VBoxControl.exe C:\Windows\System32\VBoxTray.exe C:\Windows\System32\vmms.exe C:\Program 
Files\HitmanPro.Alert\hmpalert.exe C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe   Drivers and libraries (needs to find at least one) C:\Windows\System32\drivers\igdkmd64.sys C:\Windows\System32\drivers\atikmdag.sys C:\Windows\System32\drivers\nvlddmkm.sys C:\Windows\System32\drivers\igdkmd32.sys C:\Windows\System32\drivers\nvhda64v.sys C:\Windows\System32\drivers\atihdmi.sys C:\Windows\System32\drivers\nvhda32v.sys C:\Windows\System32\drivers\igdpmd64.sys C:\Windows\System32\drivers\ATI2MTAG.SYS C:\Windows\System32\drivers\igdpmd32.sys C:\Windows\System32\OpenCL.dll C:\Windows\System32\igdumd32.dll C:\Windows\System32\igd10umd32.dll C:\Windows\System32\igdumd64.dll C:\Windows\System32\igd10umd64.dll C:\Windows\System32\igdusc64.dll C:\Windows\System32\igdumdim64.dll C:\Windows\System32\igdusc32.dll C:\Windows\System32\igdumdim32.dll C:\Windows\System32\atibtmon.exe C:\Windows\System32\aticfx32.dll C:\Windows\System32\nvcpl.dll C:\Windows\System32\nvcuda.dll C:\Windows\System32\aticfx64.dll C:\Windows\System32\nvd3dumx.dll C:\Windows\System32\nvwgf2umx.dll C:\Windows\System32\igdumdx32.dll C:\Windows\System32\nvcuvenc.dll C:\Windows\System32\amdocl64.dll C:\Windows\System32\amdocl.dll C:\Windows\System32\nvopencl.dll C:\Windows\System32\ATI2CQAG.DLL C:\Windows\System32\ati3duag.dll C:\Windows\System32\ATI2DVAG.DLL C:\Windows\System32\ativvaxx.dll C:\Windows\System32\ATIKVMAG.DLL C:\Windows\System32\OEMinfo.ini C:\Windows\System32\OEMlogo.bmp C:\Windows\System32\nvsvc32.exe C:\Windows\System32\nvvsvc.exe C:\Windows\System32\nvsvc.dll C:\Windows\System32\nview.dll (must not find any of these) C:\Windows\System32\drivers\ehdrv.sys C:\Windows\System32\drivers\eamon.sys C:\Windows\System32\drivers\eamonm.sys C:\Windows\System32\drivers\klif.sys C:\Windows\System32\drivers\klflt.sys C:\Windows\System32\drivers\kneps.sys ie_plugin.dll ToolbarIE.dll C:\Windows\System32\drivers\tmtdi.sys C:\Windows\System32\drivers\tmactmon.sys C:\Windows\System32\drivers\tmcomm.sys 
C:\Windows\System32\drivers\tmevtmgr.sys tmopieplg.dll Unreferenced strings mhtml:file:///Program Files\asus/ mhtml:file:///Program Files\acer/ mhtml:file:///Program Files\apple/ mhtml:file:///Program Files\dell/ mhtml:file:///Program Files\fujitsu/ mhtml:file:///Program Files\hp/ mhtml:file:///Program Files\lenovo/ mhtml:file:///Program Files\ibm/ mhtml:file:///Program Files\sumsung/ mhtml:file:///Program Files\sony/ mhtml:file:///Program Files\toshiba/ mhtml:file:///Program Files\nero/ mhtml:file:///Program Files\abbyy/ mhtml:file:///Program Files\bonjour/ mhtml:file:///Program Files\divx/ mhtml:file:///Program Files\k-lite codec pack/ mhtml:file:///Program Files\quicktime/ mhtml:file:///Program Files\utorrent/ mhtml:file:///Program Files\yahoo!/ mhtml:file:///Program Files\ask.com/ mhtml:file:///Program Files\the bat!/ mhtml:file:///Program Files\atheros/ mhtml:file:///Program Files\realtek/ mhtml:file:///Program Files\synaptics/ mhtml:file:///Program Files\creative/ mhtml:file:///Program Files\broadcom/ mhtml:file:///Program Files\intel/ mhtml:file:///Program Files\amd/ mhtml:file:///Program Files\msi/ mhtml:file:///Program Files\nvidia corporation/ mhtml:file:///Program Files\ati technologies/ Appendix 2 – Hashes (sha1) countly.min.js 24FA6490D207E06F22A67BC261C68F61B082ACF8 Code from banner A57971193B2FFFF1137E083BFACFD694905F1A94 banner.png with stegano 
55309EAE2B826A1409357306125631FDF2513AC567799F80CEF4A82A07EFB3698627D7AE7E6101AB09425B3B8BF71BA12B1B740A001240CD43378A6C4528736618BBB44A42388522481C1820D8494E37FE841DF1ACD15E32B4FFC046205CAAFD21ED2AB27BE0A9387F8528EC185ACC6B9573233D167DF71BA5BC07E8E223A0DF3E7B45EEFD69040486E47F27EC326BA5CD406F656C3B26D4A5319DAA26D4D5FE3F1A5F624E0E974CAA4F290116CE7908D360E98133F921C61D02E0758DCB0019C5F37A4D047C9EC72FF89048D39BE75F327031F6D308CE1B5A512F739A0D9EBC236DF87788E4A3E16400EB8513743233F36C283B89C9F1B21A4AD3E384F54B0C8E7D417A17787879D550F11580C74DA1EA36561A270E16F79090DB6731A8D49E8B2506087A261D857946A0EB45B3EE46ADA9C842E65DCF235111AB81EF733F34F56A878CA094D461BDF0E5E0CECED5B9903DB6E06C74A357B932CF27D5634FD88AA593AEF3A776720C3C22B8AA461C7DE4D68567EEA4AE3CD8E4D8455A5A015C378159E6DC3D7978DAD8D04711D997F8B2473B3658C13831C62A85D1634B035BC7EBD5159638E1897B748D120149B94D596CEC6A5D5470670195C8C7B687DD4CBF2578AD3CB13CD2807F25CBFEC222095ABD62FC7635E2C7FA226903C849C25C0FCB2B3ED16672A94CD003B4B53181B568E3591203483E4039839F0807D7BEC08090179E62DBCC60 Stegano exploit kit landing page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lash files  BADAE04BFF7AFD890C3275E0434F174C6706C2C66EF95ACB8AA14D3BA8F1B3C147B7FB0A9DA579A210840AEB8342A26DFC68E0E706B36AC2B5A0D5B2093B25B04FE21185BFEEAFD48F712942D3A3F0C6C680734AF8670895F961C951A3629B5BC64EFE8EEEDBBB65A441979974592343C6CA71C90CC2550FDE288CADE8EE3F13D44719796A5896D88D379A1E9488CDBB242BE50DF3D20B12F589AF2E39080882B664365FC8C0B93F6A992C44D11F44DD091426DD7557B5D987F0236FF838CD3AF05663EFA98EBC5624B7933A8A8F6ED50FBAF2A5021EF47CE614A46F11BA8B354001900ED79C43EA858F1BC732961097 Appendix 3 – URL samples TinyURL.com  /jf67ejb/jqp7efh/j56ks2b/gplnhvm/gwwltaf/hgnsysa/hvfnohs Stegano exploit kit landing pages  
hxxp://conce.republicoftaste.com/urq5kb7mnimqz/3dyv72cqtwjbgf5e89hyqryq5zu60_os24kfs1j3u_ihxxp://compe.quincephotographyvideo.com/kil5mrm1z0t-ytwgvx/g7fjx4_caz9hxxp://ntion.atheist-tees.com/v2mit3j_fz0cx172oab_eys6940_rgloynan40mfqju6183a9a4kn/fhxxp://entat.usedmachinetools.co/6yg1vl0q15zr6hn780pu43fwm5297itxgd19rh54-3juc2xz1t-oes5bhhxxp://connt.modusinrebus.net/34v-87d0u3hxxp://ainab.photographyquincemiami.com/w2juxekry8h9votrvb3-k72wiogn2yq2f3it5d17/j9rhxxp://rated.republicoftaste.com/6t8os/lv-pne1_dshrmqgx-8zl8wd2v5h5m26m_w_zqwzqhxxp://rence.backstageteeshirts.com/qen5sy/6hjyrw79zr2zokq1t4dpl276ta8h8-/3sf9jlfcu0v7daixie_do6zb843/z7 Author ESET Research, ESET
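Read together, the three lists in Appendix 1 amount to a decision procedure: the kit only goes ahead when none of the listed analysis or security tools is present, at least one of the listed graphics drivers or libraries is, and none of the listed antivirus drivers is. The Python below is an added illustration of that procedure, not code from ESET or from the kit; it uses a handful of representative paths from each list, does not reproduce the kit's actual probing mechanism, and the case-insensitive matching and the sample hosts are assumptions of the example.

```python
"""Model of the Stegano kit's environment checks, reconstructed from the
string lists in Appendix 1.  Added example: not ESET's code, not the kit's.
Only the decision is modelled; how the kit probes for the files is not."""
import os
from dataclasses import dataclass

# Representative subsets of the three Appendix 1 lists (full lists above).
ANALYSIS_TOOLS = {  # "Security products": any hit means the host is monitored
    r"C:\Windows\System32\drivers\vmci.sys",
    r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
    r"C:\Windows\System32\drivers\vboxdrv.sys",
    r"C:\Program Files\Fiddler2\Fiddler.exe",
    r"C:\Program Files\Wireshark\wireshark.exe",
    r"C:\Program Files\Sandboxie\SbieDll.dll",
    r"C:\Program Files\EMET 5.5\EMET_GUI.exe",
    r"C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe",
    r"C:\Python27\python.exe",
    r"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe",
}
GPU_FILES = {  # "needs to find at least one": real hardware carries a GPU driver
    r"C:\Windows\System32\drivers\igdkmd64.sys",
    r"C:\Windows\System32\drivers\atikmdag.sys",
    r"C:\Windows\System32\drivers\nvlddmkm.sys",
    r"C:\Windows\System32\OpenCL.dll",
    r"C:\Windows\System32\nvcpl.dll",
}
AV_DRIVERS = {  # "must not find any of these": ESET, Kaspersky, Trend Micro drivers
    r"C:\Windows\System32\drivers\ehdrv.sys",
    r"C:\Windows\System32\drivers\eamonm.sys",
    r"C:\Windows\System32\drivers\klif.sys",
    r"C:\Windows\System32\drivers\tmcomm.sys",
}


@dataclass
class Verdict:
    proceed: bool   # True: the kit would deliver the exploit
    reason: str


def decide(present: set) -> Verdict:
    """Apply the three rules to the set of probed paths that exist on a host.
    Case-insensitive comparison is an assumption (NTFS paths are case-insensitive)."""
    norm = {p.lower() for p in present}
    hits = sorted(p for p in ANALYSIS_TOOLS if p.lower() in norm)
    if hits:
        return Verdict(False, f"analysis tool present: {hits[0]}")
    if not any(p.lower() in norm for p in GPU_FILES):
        return Verdict(False, "no GPU driver or library found (likely VM or sandbox)")
    av = sorted(p for p in AV_DRIVERS if p.lower() in norm)
    if av:
        return Verdict(False, f"AV driver present: {av[0]}")
    return Verdict(True, "bare-metal host without listed defences: exploit delivered")


def probe_live_host() -> Verdict:
    """Run the same rules against the machine this script runs on.
    Pure existence checks, which is all the appendix's string list implies."""
    probes = ANALYSIS_TOOLS | GPU_FILES | AV_DRIVERS
    return decide({p for p in probes if os.path.exists(p)})


# Constructed hosts for illustration (not real systems).
SANDBOX = {r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"}
VICTIM = {r"C:\Windows\System32\drivers\nvlddmkm.sys", r"C:\Windows\System32\nvcpl.dll"}
PROTECTED = VICTIM | {r"C:\Windows\System32\drivers\klif.sys"}
NO_GPU = set()
DECOY = VICTIM | {r"C:\Program Files\Wireshark\wireshark.exe"}  # e.g. an empty decoy file

if __name__ == "__main__":
    for name, host in [("sandbox", SANDBOX), ("victim", VICTIM),
                       ("protected", PROTECTED), ("no_gpu", NO_GPU), ("decoy", DECOY)]:
        v = decide(host)
        print(f"{name:10s} proceed={v.proceed!s:5s} {v.reason}")
    print("this host:", probe_live_host())
```

Two things fall out of the model. A sandbox that exposes no graphics driver fails rule two even when it hides every VM artefact, and because the checks are existence tests, an empty decoy file at one of the Security products paths is enough to make the kit stand down, which is a cheap way to make an analysis box look like an analyst's workstation.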

Save 30 Percent on AVG Internet Security

While this service retails for $69.99 per year, you'll instantly save 21 bucks when you take advantage of today's sale. Looking for an affordable way to protect your PCs and mobile devices? Today, AVG is offering its Internet Security package for unl...

Avira Antivirus (2017)

Is it just me, or do too many antivirus product names start with the letters A and V? If any company can stake a claim to those two letters, it's Avira, founded way back in 1986. With hundreds of millions of users worldwide, the free Avira Antivirus is immensely popular.
It gets excellent lab scores, and it brings along a team of related Avira products.

Given that it's free, I can overlook the fact that both its on-demand scan and real-time protection proved sluggish in testing. The app's main window is largely white, with a white-on-slate menu at left and a couple of panels that offer status information and access to features.

From PC Protection, you can launch a scan or an update, toggle real-time protection, or drill down for detailed configuration settings. The Internet Protection panel is a bit weak, by comparison. Web Protection, Mail Protection, and Game Mode are grayed out and disabled, because they're not available in the free edition.

And the firewall item just helps you configure Windows firewall.

An Antivirus With a Posse

Many security products flip through a series of informational slides during installation, extolling the virtues of the product itself or advertising companion products.

Avira takes the concept a step further.

Each of its informational images both describes a companion product and offers to install that product.
I'll report on the posse of companion products after covering the core antivirus features.

Many Scan Choices

Clicking the Scan System button in the PC Protection panel launches a full system scan.

The scan window itself retains the oddball window caption "Luke Filewalker" that I remarked on in previous editions.
I guess George Lucas doesn't mind. A full scan of my standard clean test system took two and a quarter hours, the longest time for any current product, about three times the current average scan time.

That's slow.
Some products speed subsequent scans by skipping files that have already been validated.

For example, a repeat scan with AVG AntiVirus Free finished in just one minute. Not Avira; a second scan took just as long.

Don't be fooled by the progress bar, as it runs to 100 percent multiple times during a scan. Most antivirus products offer a full system scan and a quick scan that focuses on active malware and commonly infected locations. Many add a custom scan that lets you choose where and how the scanner should operate.

Clicking System Scanner in Avira's left-hand menu brings up a dizzying array of scanning choices. Quick scan and full scan are present in the list, naturally. Other choices include scanning all local drives, examining just local hard disks, checking for active malware, and scanning the Documents folder.

Clearly these are meant for the unusually tech-savvy consumer. Most folks will do fine with the basic quick or full scan.

Very Good Lab Results

In most cases, antivirus companies must pay to be included in testing by the independent labs.

A few of the labs actively help them achieve certification—if the product fails, the vendor gets a punch list of things that need fixing.
ICSA Labs and West Coast Labs offer this type of certification, but Avira doesn't participate with either. More interesting to me are the tests that put a group of products through the exact same evaluation and report how well they did. With those labs, Avira did quite well.
Its score of 85.07 percent in Virus Bulletin's RAP (Reactive and Proactive) test is about halfway between the current average and the current maximum. When the experts at AV-Comparatives determine that a product does everything it should, they certify it at the Standard level.

A product that goes beyond the minimum can earn Advanced certification, or even Advanced+.

Avira participates in four of the five tests that I follow from this lab, and it took Advanced+ in all four.

By contrast, Quick Heal AntiVirus Pro 17 took two Advanced+ certifications and one Advanced and one Standard in those same four tests. To cover all facets of antivirus functionality, AV-Test Institute rates products on how well they protect against malware, how little they interfere with performance, and how carefully they avoid flagging valid programs or websites as malware, with 6 possible points in each area.

Avira got 5.5 points in the first two categories and 6 points in the third, for a total of 17 points. Note, though, that Bitdefender Antivirus Plus 2017, Kaspersky Anti-Virus, and Trend Micro Antivirus+ Security all earned a perfect 18 points in the same test. Earlier this year I added a pair of tests from London-based MRG-Effitas to the mix. One focuses on financial malware, while the other attempts to cover the whole range of malware types.

Avira failed the financial test, but then, 70 percent of the products tested failed that one. Nearly as many failed the whole-range test, but Avira managed to pass at Level 2, like Avast, Norton, and Trend Micro. Only Kaspersky Anti-Virus earned Level 1 certification.

Given that there's no reported difference between an epic fail and missed-it-by-that-much, I give less weight to this test in calculating my aggregate score. Avira's aggregate score, 9.3 of 10 points, puts it in a tie with Bitdefender. Only Norton (9.7 points) and Kaspersky (10 points) have done better.

All five of the labs I follow include Avast Free Antivirus 2016 and AVG in their testing, but their aggregate scores aren't as good as Avira's.

AVG came in with 8.7 points and Avast with 8.3.

Improved Malware Blocking

Analyzing a new set of samples for my hands-on malware blocking test is a grueling ordeal that takes me several weeks.

That being the case, I refresh the sample set just once a year, in late winter when there typically aren't many new antivirus releases.

That works fine when product releases come roughly a year apart. However, Avira's previous edition was the very first product tested using my current set of samples. Naturally the current version, which I tested in the middle of the cycle, did a little better. When I opened the folder containing my malware samples, Avira started picking them off, but slowly.

Every so often it popped up a notification saying that it quarantined six files, or eight, or one.
It also popped up several small floating windows captioned Luke Filewalker, with nothing in them except a progress bar, followed by a similar window with the caption "System is being scanned." Overall, it seemed like a lot of fuss, considering these samples were just static files, never launched. When all the progress bars reached 100 percent and the floating windows vanished, more than 10 minutes had passed, and 68 percent of the samples were gone.

At that point, Avira wanted to reboot the system and run a full scan. However, the point of this test is malware blocking, not scanning. Most antivirus programs I've tested wipe out the samples they recognize in less than a minute, and they certainly don't require a reboot. Next I started launching those samples that survived.

Avira detected almost all of them at this point.

For each detection, it launched one of those miniature Luke Filewalker windows, with the apparent aim of eliminating malware traces related to what it discovered.

At one point during this test I found the system to be extremely sluggish.

Checking with Task Manager, I discovered that the avscan.exe process was using 99 percent of CPU resources. In a few cases, the antivirus popped up a window informing me that for full remediation I should run a scan using the Avira Rescue Disk.
I dutifully downloaded the ISO file and booted the system from it, thereby launching Avira's Ubuntu-based scanner.

But wow! A full scan with the Rescue Disk took more than 90 minutes! To check how successfully the antivirus blocked malware installation, I run a tool that checks for the file and Registry traces associated with each sample, as well as for active malware processes.

Each time the app asked for a Rescue Disk scan, I checked for traces both before and after the scan, but found next to no difference.

Avira failed to prevent installation of one or more executable files for most of the samples that it detected after launch. Like Norton, Trend Micro, Emsisoft Anti-Malware 11.0, and K7 Antivirus Plus 15, Avira detected 97 percent of the samples, either on sight or after launch. Norton and Trend Micro completely blocked every detected sample, earning 9.7 of 10 possible points overall.

Avira could have had 9.7 points too, but its incomplete malware blocking dragged its score down to 8.9 points.

Avast detected 100 percent of my previous malware set and earned 9.3 points. I also test each app with a sampling of the latest malware.

For this test, I use a feed of the very latest malware-hosting URLs supplied by MRG-Effitas.

The purpose-built program I use for this test normally launches the URLs in Internet Explorer, but I had to modify it for Avira, as the Browser Safety feature in this program still only supports Chrome and Firefox.

For each valid URL, I record whether the antivirus kept the browser from connecting, wiped out the payload during or just after download, or just heedlessly allowed the download. The exact URLs differ every time, naturally, but I keep going until I have a decent sample of at least 100 data points. Last time I tested Avira, it blocked 99 percent of the samples, all of them by preventing all access by the browser.

This time around, it blocked a total of 95 percent, 93 percent at the browser level and 2 percent by killing off the download.

That's still an extremely good protection rate, but Norton's 98 percent protection is now the top score among current products.

Improved Phishing Detection, But…

That same Browser Safety extension that fends off malicious URLs also serves to keep users from being fooled by phishing sites, fraud sites that try to steal login credentials by posing as, say, PayPal, or a bank website.

These URLs don't last long, because they quickly get blacklisted.

As soon as the fraudsters have conned a few saps, they close up shop and re-open with a different URL. For testing purposes, I scrape phish-watching sites to get URLs that have been reported as fraudulent but haven't been around long enough to get blacklisted.
I launch each simultaneously in five browsers, one protected by the product under test, one by Symantec Norton AntiVirus Basic (a long-time antiphishing winner) and one apiece by the protection built into Chrome, Firefox, and Internet Explorer.

Because the URLs themselves are different every time, I report the results as the difference in detection rate between the product and the other four. Last time I tested Avira's antiphishing ability it lagged 50 percentage points behind Norton's, which is bad.

This time it was only 28 points behind, which is better, but still not great.
In addition, its detection rate edged out both Chrome and Internet Explorer, and totally slammed Firefox.

Even so, I wouldn't advise turning off your browser's built-in protection. Very few products outscore Norton in this test, and no free products do. However, Avast came in just one percentage point behind Norton. Qihoo 360 Total Security 8.6 and Sophos Home also came close. Avira Antivirus Pro technically should do better than the free edition, because in addition to the Browser Safety plugin, it has a Web Protection component. Just to see the difference, I tested the Pro edition using the same sample set as with the free edition.

The result? Web Protection caught exactly one fraud that Browser Safety didn't.

The most important thing about Web Protection is that it works in all browsers, not just Chrome and Firefox.

The Rest of the Gang

As I mentioned, when you install Avira Antivirus you can choose to also install a large collection of ancillary tools.
I'd strongly suggest installing all those that are truly free, starting with Avira Connect.
It manages all your other Avira products and serves as a launch pad to start any of them. Avira Connect also lets you review all the devices that you've associated with your Avira account online.

Clicking the Manage Device button opens the Avira dashboard online. Here you can see each device, with icons showing all the installed Avira tools. You can also dig in to view system details, or details for each installed product.

And you can even trigger an email with instructions on how to install missing products. Phantom VPN is a full-featured virtual private network with servers in 20 countries around the world.

The list of countries is seriously weighted toward North America and Europe, though it does include China and Singapore. Using it is a snap; just select the country you want and click the big green Secure my connection button.

This is a free installation of Phantom VPN, which means you can use it on just one device, with a data limit of 1GB per month. Upgrading to Pro gives you unlimited devices and unlimited bandwidth, and enables a feature that automatically activates the VPN any time you're connected to an unsecured wireless network. Avira Scout is a Chrome-based secure browser with some interesting additions. Privacy Badger blocks advertisers from tracking your Web surfing, and HTTPS Everywhere ensures the browser uses a secure HTTPS connection whenever possible—these two are projects of the Electronic Frontier Foundation.

Avira's own Browser Safety is installed, naturally, and it also aims to block trackers.
If you go shopping online, Avira can look for better deals on whatever item you've selected.

That's a feature I haven't seen in other security products. Note that Browser Safety adds some of these features to Chrome and Firefox (but not Internet Explorer).
It includes Avira Price Comparison, it automatically sends the Do Not Track header, and it actively blocks trackers.

A tiny tab at the top of the page pulls down to show the current site's rating and the number of trackers; you can click to see a full list of trackers. You can also enable Avira SafeSearch Plus, which becomes the default new tab page in the two supported browsers. Exploit attacks take advantage of unpatched security vulnerabilities.

Avira Software Updater scans your system and lists any software with missing security patches.

Clicking Download All gets all the updates; you can also download updates one by one, or remove products from being monitored. On my test system, the only thing it found was an update for Firefox.
I did notice that it downloaded a full installer for the latest version, which took a good bit longer than just updating within Firefox itself.

At present this tool doesn't do a lot. On my test system, it reported Java and Firefox as monitored, but Chrome and a ton of other apps were listed as unmonitored. All the items I've mentioned so far are free, though the free Phantom VPN is limited.

They can be downloaded for use independent of Avira Antivirus.

Avira System Speedup is a bit different. You get a free trial that's good for exactly one use.
Its basic scan seeks junk files, Registry problems, and system traces of your private activity.

Additional features include boot time optimization, power management, file encryption, secure deletion, backup, and more.

After your one-time optimization, you can explore these features and even use some of them, but Avira hopes you'll shell out $31.99 for a full license.

Accurate but Sluggish

Avira Antivirus gets better ratings from the independent labs than most free products.
It also did well in my hands-on malware blocking and malicious URL blocking tests, though both the on-demand scan and real-time protection proved sluggish.

The fact that its Browser Safety component works only in Chrome and Firefox is no problem if one of those is your default browser.

The fact that it can keep you safe, for free, means it's worth a try.

But also take a look at our Editors' Choice products in the free antivirus realm, Avast Free Antivirus, AVG AntiVirus Free, and Panda Free Antivirus.

The Best Free Antivirus Protection of 2016

Early adopters, daredevils, and purchasers of new computers are all running Windows 10 by now.

Those who prefer caution, or whose IT department requires them to, are still running Windows 8. Whether you run Windows 8 or Windows 10, your computer is theoretically under the protection of the built-in Microsoft Windows Defender. However, our hands-on tests and independent lab tests show that you're better off with a third-party solution.

Fortunately, you've got plenty of free choices, and the best of them are better than many competing commercial products. Which one is best for you? We've rounded them up to help you choose. Quite a few of these products are free only for noncommercial use; if you want to protect your business, you have to pony up for the paid edition.

At that point, you should probably consider upgrading to a full security suite.

After all, it's your business's security on the line.

And if you've grown beyond SMB status, investing in a SaaS endpoint protection system will let you monitor and manage security across your entire organization.

Your antivirus should definitely have the ability to root out existing malware, but its ongoing task is to prevent ransomware, botnets, Trojans, and other types of nasty programs from getting a foothold.

All of the antivirus programs in this collection offer real-time protection against malware attack.
Some take the fight upstream, working hard to ensure you never even browse to a malware-hosting site, or get fooled into turning over your credentials to a phishing site.

Independent Antivirus Lab Test Results

Around the world, researchers at independent antivirus testing labs spend their days putting antivirus tools to the test.
Some of these labs regularly release public reports on their findings.
I follow five such labs closely: AV-Comparatives, AV-Test Institute, Simon Edwards Labs (the successor to Dennis Technology Labs), Virus Bulletin, and MRG-Effitas.
I also take note of whether vendors have contracted for certification by ICSA Labs and West Coast Labs. Security companies typically pay for the privilege of being included in testing.
In return, the labs supply them with detailed reports that can help improve their products.

The number of labs that include a particular vendor serves as a measure of significance.
In each case, the lab considered the product important enough to test, and the vendor felt the price was worthwhile.

The labs don't necessarily test a vendor's free product, but most vendors pack full protection into the free product, enhancing premium versions with additional features.

PCMag Antivirus Test Results

In addition to carefully perusing results from the independent labs, I also run my own hands-on malware blocking test.
I expose each antivirus to a collection of malware samples, including a variety of different malware types, and note its reaction.

Typically the antivirus will wipe out most of the samples on sight, and detect some of the remaining ones when I try to launch them.
I derive a malware blocking score from 0 to 10 points based on how thoroughly the antivirus protects the test system from these samples. Since I use the same samples month after month, the malware-blocking test definitely doesn't measure a product's ability to detect brand-new threats.
In a separate test, I attempt to download malware from 100 very new malicious URLs supplied by MRG-Effitas, typically less than a day old.
I note whether the antivirus blocked all access to the URL, wiped out the malicious payload during download, or did nothing.

Avira Free Antivirus holds the current top score in this test, followed by McAfee and Symantec, both paid products. If you're interested in learning more about my testing techniques, you're welcome to read more about how we test security software.

Useful Features

Just about every antivirus product scans files on access to make sure malware can't launch, and also scans the entire system on demand, or on a schedule you set. Once that cleaning and scheduling is done, blocking all access to malware-hosting URLs is another good way to avoid trouble. Many products extend that protection to also steer users away from fraudulent websites, phishing sites that try to steal login credentials for financial sites and other sensitive sites.

A few rate links in search results, flagging any dangerous or iffy ones. Behavior-based detection, a feature of some antivirus products, is a two-edged sword. On the one hand, it can detect malware that's never been seen before. On the other hand, if it's not done right, it can baffle the user with messages about perfectly legitimate programs. One easy way to keep your PC protected is to install all security updates, both for Windows and for browsers and other popular applications. Windows 10 makes it easier than ever to stay up to date, but there are plenty of security holes in older Windows versions, in popular apps, and in add-ons.
Scanning for vulnerabilities in the form of missing updates is a feature most often found in commercial antivirus products, but it does turn up in some free ones.
In the chart above you can see which products include these useful features.

What's Not Here

This article reports only on free antivirus products that received at least a good rating in our reviews—three stars or better.

Among those that didn't make the cut is Microsoft Windows Defender, with 2.5 stars.

All of the independent labs I follow do include Microsoft in testing, but most use it as a baseline.
If a product can't do better than the baseline, it's got real problems. FortiClient fans may notice that this product doesn't appear in the chart.
It did get three stars, but it's quite different from the rest.

FortiClient is actually designed to work as a client for Fortinet's network security appliance, but is incidentally available as a free standalone.

Furthermore, I'm aware that my review of Bitdefender's Free Antivirus is getting long in the tooth, but the company simply doesn't update its free utilities as often as its premium ones. Rest assured, I'm in close contact with Bitdefender and I'll review its new offering when it becomes available. Now that the commercial Bitdefender 2017 line is out, perhaps the developers will have more time to work on the free edition.

There are also numerous free antivirus utilities that work solely to clean up existing malware infestations. You bring out these cleanup-only tools when you have a nasty malware infestation. When the problem's gone, they have no further use, since they offer no ongoing protection. Our Editors' Choice in this category is Malwarebytes Anti-Malware 2.0, and it's definitely one you should try if you've got a malware problem.

But since they're free, you can keep trying others if the first one doesn't do the job. When the scare is over, you'll need a full-blown antivirus for ongoing protection.

What's Best

Our current Editors' Choice products for free antivirus utilities are Avast Free Antivirus, AVG AntiVirus Free, and Panda Free Antivirus.

All three get very good scores from the independent labs, and in our own tests as well.

All three include some useful bonus features.

Avast in particular packs a password manager and a network security scanner in its toolkit.
If you do have a little cash in your budget for security, the best paid antivirus products do tend to offer more and better protection.
If not, try a few of these free tools and see which one you like best.

CryPy: ransomware behind Israeli lines

A Tweet posted recently by AVG researcher Jakub Kroustek suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend of Pysomwares such as the latest HolyCrypt, Fs0ciety Locker and others. This Python executable comprises two main files: one is called boot_common.py and the other encryptor.py.

The first is responsible for error-logging on Windows platforms, while the second, the encryptor, is the actual locker. Within the encryptor are a number of functions including two calls to the C&C server.

The C&C is hidden behind a compromised web server located in Israel.

The Israeli server was compromised using a known vulnerability in a content management system called Magento, which allowed the threat actors to upload a PHP shell script as well as additional files that assist them in streaming data from the ransomware to the C&C and back. A notable point to mention is that the server was also used for phishing attacks, and contained PayPal phishing pages.

There are strong indications that a Hebrew-speaking threat actor was behind these phishing attacks.

The stolen PayPal credentials were forwarded to another remote server located in Mexico, which uses the same arbitrary file upload technique, only with a different content management system. It is a known practice for attackers to look for low-hanging fruit into which they can inject their code in order to hide their C&C server. One such example was the CTB-Locker for web servers reported last March.

Sample details:
SHA1: ad046bfa111a493619ca404909ef82cb0107f012
MD5: 8bd7cd1eee4594ad4886ac3f1a05273b
Size: 5.22 MB
Type: exe

To reverse the executable one should first conduct a number of checks using a convenient debugger.

The universal steps for unpacking an unknown packer start with trying to set a memory breakpoint on popular functions that packers use, such as VirtualAlloc. If the breakpoint hits, the next step involves switching to user mode and setting a hardware breakpoint (on access).

That will assist in inspecting where exactly the program initializes the memory block.
In most cases, an executable magic header (MZ) should appear in the memory block. However, in this case the following screenshot shows the readable data that was allocated to that memory block:

After the data was allocated to the memory block, it appeared to be using VM code (Python VM) to execute the code.

For those who are not familiar with the term, VM code is the process of creating new instruction sets based on the author’s request.

The CPU uses those instruction sets to understand the instructions. py2exe simply converts the code to x86 assembly, the architecture used on the CPU for communication, and, by loading the Python DLLs, loads all the modules into memory. We found that the executable file was generated using py2exe.

The first indicator was a stack PUSH instruction to add the string PY2EXE_VERBOSE; py2exe is a module that compiles Python scripts to Microsoft Windows executables.

[Figure: PY2EXE module string disclosure]

A module that reverses the py2exe operation, called unpy2exe, can be found on GitHub.

This module reverts the executable back to its original compiled Python code (i.e. a .pyc file).

From that format, another step is required to fully revert to the original code. We randomly chose to use EasyPythonDecompiler.

[Figure: fully decompiled Python scripts]

In its current state, the executable fails to encrypt the file system, simply because the threat actors must have migrated from the current server to another.

By doing so, they deleted the remaining traces of the PHP files they used for data collection from a victim’s machine.

The following is the log file that is generated upon an exception:

[Figure: error log file being generated by boot_common.py]

The Python scripts use two files:

Name: boot_common.py
MD5: dfd6237e26babdbc2b32fa0d625c2d16
SHA1: 38fe7b64113e467375202e2708199b45a22b25a6
Size: 3 KB
This file throws an "error" to show that the program failed to execute if there is a problem.

Name: encryptor.py
MD5: 1ed3f127a0e94394ef049965bbc952ef
SHA1: 73122712b4563fadcc9871eb3fe0efdcf70bb608
Size: 9 KB
This script encrypts the victim's files.

The ransomware disables the following features on the compromised machine by overwriting the registry policies: Registry Tools, Task Manager, CMD and Run.

[Figure: list of registry manipulations]

It then continues by changing bcdedit settings to disable recovery and ignore the boot status policy. The ransomware encrypts files with the following extensions:

*.mid, *.wma, *.flv, *.mkv, *.mov, *.avi, *.asf, *.mpeg, *.vob, *.mpg, *.wmv, *.fla, *.swf, *.wav, *.qcow2, *.vdi, *.vmdk, *.vmx, *.gpg, *.aes, *.ARC, *.PAQ, *.tar.bz2, *.tbk, *.bak, *.tar, *.tgz, *.rar, *.zip, *.djv, *.djvu, *.svg, *.bmp, *.png, *.gif, *.raw, *.cgm, *.jpeg, *.jpg, *.tif, *.tiff, *.NEF, *.psd, *.cmd, *.class, *.jar, *.java, *.asp, *.brd, *.sch, *.dch, *.dip, *.vbs, *.asm, *.pas, *.cpp, *.php, *.ldf, *.mdf, *.ibd, *.MYI, *.MYD, *.frm, *.odb, *.dbf, *.mdb, *.sql, *.SQLITEDB, *.SQLITE3, *.asc, *.lay6, *.lay, *.ms11 (Security copy), *.sldm, *.sldx, *.ppsm, *.ppsx, *.ppam, *.docb, *.mml, *.sxm, *.otg, *.odg, *.uop, *.potx, *.potm, *.pptx, *.pptm, *.std, *.sxd, *.pot, *.pps, *.sti, *.sxi, *.otp, *.odp, *.wks, *.xltx, *.xltm, *.xlsx, *.xlsm, *.xlsb, *.slk, *.xlw, *.xlt, *.xlm, *.xlc, *.dif, *.stc, *.sxc, *.ots, *.ods, *.hwp, *.dotm, *.dotx, *.docm, *.docx, *.DOT, *.max, *.xml, *.txt, *.CSV, *.uot, *.RTF, *.pdf, *.XLS, *.PPT, *.stw, *.sxw, *.ott, *.odt, *.DOC, *.pem, *.csr, *.crt, *.key, and wallet.dat, to encrypt cryptocurrency wallets.

The files are encrypted using AES in CBC mode for the following paths:

D:\
E:\
[userhome]\contacts
[userhome]\Documents\
[userhome]\Downloads\
[userhome]\Favorites\
[userhome]\Links\
[userhome]\My Documents\
[userhome]\My Music\
[userhome]\My Pictures\
[userhome]\My Videos\
F:\ through Z:\

[userhome] is the current user's home directory. When the encryption step is done, the ransomware will remove the restore points, write the README_FOR_DECRYPT.txt file and execute it.

The following screenshot is the ransom note:

[Figure: CryPy ransomware note embedded in the Python code]

The threat actor behind the attack asks the victim to make contact via email, sending a request to the following two email addresses to receive the decryption program:
(1) m4n14k@sigaint[.]org
(2) blackone@sigaint[.]org

Note that the ransom note contains mistakes, implying that it was written by a non-English speaker.

First, the headline is missing a ‘T’ in “IMPORTAN INFORMATION”.
Second, the sentence "Decrypting of your files…" is syntactically wrong. Native speakers will be able to find additional mistakes. The threat actor claims that files will be deleted every 6 hours, which reflects the approach of more advanced ransomware. However, it forgets to mention proof of decryption or a channel that can be used in cases where the payment process is not responsive.

This points to the executable being at an early stage of development. The ransomware survives a reboot by adding the following values to the registry under the key Software\Microsoft\Windows\CurrentVersion\Run:

subkey Adobe_ReaderX, data %TEMP%\mw.exe
subkey explore_, data [userhome]\Appdata\local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe

The code for adding the values to the registry is located in the functions autorun() and autorun2(). Right before launching the ransom note, the script calls a delete_shadow() function that takes no arguments and simply executes the following command line to remove all shadow copies and prevent recovery from backup:

os.system("vssadmin Delete shadows /all /Quiet")

Lastly, the file calls the autorun2() function, which copies the ransomware from its current location to [userhome]\AppData\Local with the hardcoded name DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe. The ransomware hides behind an Israeli web server which was compromised using an arbitrary upload of a shell script written in PHP.

The compromise and upload were possible because the server carried a vulnerable Magento CMS. The executable transfers data over an unencrypted HTTP channel in clear-text.

This allows for easy traffic inspection using a network listener.

The following screenshot is the traffic being sent to the server:

Inspecting the Magento exploit and the compromised server, we found that the origin of the upload carries the title Pak Haxor – Auto Xploiter and the email ardiansyah09996@gmail[.]com, and that the file was uploaded in August 2016, which aligns with the case in question.

The following screenshot reveals how attackers are using mass exploiters that scan for vulnerable web servers and exploit the vulnerability, later visiting the servers to expand their control over them:

Part of such an exploitation technique is dropping additional PHP scripts to refine a more sophisticated attack, such as the CryPy ransomware. A call to one of those scripts can be found hard-coded in the CryPy Python code, in the form of a GET request.

The request is sent with two parameters to a script that was uploaded using the Auto Xploiter and carries the name victim.php.

By reviewing the Python code it is easier to understand the type of data being sent in Base64 encoding. As seen in the screenshot above, the configurl parameter accepts a URL querystring in which the victim_info input value of the info parameter is derived from the platform module: uname() returns a tuple of system, node, release, version, machine and processor values.

These are encoded with Base64. The next parameter is ip, which contains the result of socket.gethostname(), which basically collects an IP address. The querystring is then sent to urllib.urlopen(), which sends a GET request to the selected server and reads the response content into glob_config. The response contains a JSON payload which is checked for the following keys:

x_ID – the victim's unique ID, used to request their decryption keys after payment.
x_UDP – Not used; perhaps saved for future use.
x_PDP – Not used; perhaps saved for future use.

The second call is implemented in a function called generate_file(), which is responsible for fetching a unique key for each file before encryption. We have seen in recent lockers that, in order to demonstrate trust and integrity, the victim is able to decrypt one or two files before processing the payment.

This proves decryptor validity.
In order to randomly choose a file, the attacker must first generate a unique token for each one.

The second PHP script found in the code is savekey.php which is described in the following screenshot and is suspected to have the C2 IP in it.
It was however deleted long before we were able to reach it. Like the first call, the second sends two parameters.

The first is the file’s name and the other is the victim ID.
In return, the server responds with two keys:

X – Unique key after encryption, which will be appended to the file's header.
Y – New filename, which will be stored instead of the previous one.

These parameters are then sent to an encryption routine, along with the file's original name.

REG Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\explore_
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adobe_ReaderX

Domains:
hxxp://www.baraherbs[.]co.il/js/owebia/victim.php
hxxp://www.baraherbs[.]co.il/js/owebia/savekey.php

Hashes:
8bd7cd1eee4594ad4886ac3f1a05273b crypy.exe
1ed3f127a0e94394ef049965bbc952ef encryptor.py

Emails:
m4n14k@sigaint[.]com
blackone@sigaint[.]com
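The behaviours catalogued above (shadow-copy deletion, bcdedit tampering, the Run-key and policy registry writes, and the Base64 victim.php beacon) translate directly into host and network detection logic. The following Python triage script is an added example and is not code from the original analysis or from AVG; the event field names, the c2.example.invalid host and the sample records are constructed assumptions modelled on a simplified Sysmon-style export.

```python
"""Triage helpers for the CryPy host and network behaviours described above.

Added example, not code from the original analysis or from AVG. Events are
constructed sample records (dicts); the field names (type, image, cmdline,
target, data) are assumptions modelled on a simplified Sysmon export.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Registry locations named in the write-up (hive stripped, lower-case).
RUN_VALUES = {
    "software\\microsoft\\windows\\currentversion\\run\\explore_",
    "software\\microsoft\\windows\\currentversion\\run\\adobe_readerx",
}
POLICY_KEYS = (
    "software\\microsoft\\windows\\currentversion\\policies\\system\\",
    "software\\microsoft\\windows\\currentversion\\policies\\explorer\\",
)
# Hard-coded copy name the ransomware uses for persistence (from the write-up).
DROPPED_NAME = "DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe"

SHADOW_DELETE = re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I)
BCDEDIT_TAMPER = re.compile(
    r"\bbcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)


def _strip_hive(target):
    """'HKCU\\Software\\...' -> 'software\\...' for hive-agnostic comparison."""
    lowered = target.lower()
    for hive in ("hkcu\\", "hklm\\", "hkey_current_user\\", "hkey_local_machine\\"):
        if lowered.startswith(hive):
            return lowered[len(hive):]
    return lowered


def classify_event(event):
    """Return the indicator names one event matches (empty list if none)."""
    hits = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
        if BCDEDIT_TAMPER.search(cmd):
            hits.append("boot_recovery_disabled")
        if DROPPED_NAME.lower() in event.get("image", "").lower():
            hits.append("crypy_dropped_binary")
    elif event.get("type") == "registry_set":
        target = _strip_hive(event.get("target", ""))
        if target in RUN_VALUES or DROPPED_NAME.lower() in event.get("data", "").lower():
            hits.append("run_key_persistence")
        # Coarse heuristic: any value written under the two policy keys the
        # ransomware overwrites (Registry Tools, Task Manager, CMD, Run lockout).
        if target.startswith(POLICY_KEYS):
            hits.append("policy_lockout")
    return hits


def triage(events):
    """Summarise a batch of events: per-indicator counts plus a verdict.
    Two or more distinct behaviours are treated as a likely CryPy infection."""
    counts = {}
    for ev in events:
        for hit in classify_event(ev):
            counts[hit] = counts.get(hit, 0) + 1
    return {"indicators": counts, "likely_crypy": len(counts) >= 2}


def decode_beacon(url):
    """Decode the victim.php GET request described above: 'info' carries the
    Base64 of platform.uname() and 'ip' carries socket.gethostname().
    Returns None for URLs that are not the victim.php beacon."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("victim.php"):
        return None
    qs = parse_qs(parts.query)
    try:
        raw = base64.b64decode(qs.get("info", [""])[0], validate=True)
        platform = raw.decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        platform = None  # malformed Base64: keep the record, leave the field empty
    return {"host": qs.get("ip", [None])[0], "platform": platform}


# --- constructed sample data (not from a real incident) ---------------------
SAMPLE_UNAME = str(("Windows", "DESKTOP-TEST", "7", "6.1.7601", "AMD64", "x86 Family 6"))
SAMPLE_BEACON = ("http://c2.example.invalid/js/owebia/victim.php?info="
                 + quote(base64.b64encode(SAMPLE_UNAME.encode()).decode(), safe="")
                 + "&ip=DESKTOP-TEST")
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin Delete shadows /all /Quiet"},
    {"type": "process", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "registry_set",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\explore_",
     "data": "C:\\Users\\alice\\AppData\\Local\\" + DROPPED_NAME},
    {"type": "registry_set",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
     "data": "1"},
    {"type": "process", "image": "C:\\Windows\\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(decode_beacon(SAMPLE_BEACON))
```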

Bitdefender Antivirus Plus 2017

All an antivirus product really has to do is wipe out any malicious software that's present on your computer and prevent future infestation by viruses, Trojans, ransomware, and other types of malware.

Bitdefender Antivirus Plus 2017 goes way beyond these basic functions.

Among its many features are a simple password manager, a secure browser for financial transactions, a secure file shredder, and new active ransomware protection.
It's almost a suite, and it performs its core antivirus tasks very well. A one-year subscription to Bitdefender costs $39.99, which is a very popular price point.

Bitdefender, Kaspersky, and F-Secure, among others, cost almost exactly the same.

For $59.99, you can install Bitdefender on three devices, which is a good deal. Of course, that same price gets you unlimited installations of McAfee AntiVirus Plus.

Installation and Appearance

Like Trend Micro and Check Point ZoneAlarm PRO Antivirus + Firewall 2017, Bitdefender's installer downloads the very latest program and virus definition files.

The installer scans for active malware that could derail the installation. You can either activate your installation with a license key or select a fully functional 30-day free trial.

And you must create or log in to your account at Bitdefender Central online, to connect this installation to the account. Note that you can only associate one level of Bitdefender protection with a single account.
If you want to have the straight antivirus on some systems and the security suite on others, you must create two accounts. Over the last several years, each new Bitdefender version changed its appearance a little bit. With the 2017 edition, the main window went through some more radical changes.
It does still use a background in shades of gray, but they're substantially darker.

And it does break down the window into rectangular panels that offer access to security stats and features.

A circled green checkmark still represents safety, though the circles now animate when you open the window. The big change is a new left-rail icon menu with eight selections: Protection, Privacy, Upgrade, Activity, Notifications, Account, Settings, and Help. Protection includes antivirus, Web protection, and vulnerability scan. On the Privacy tab, you manage the Safepay secure browser, the file shredder, and the password manager.

Each of these offers a Modules view that gives you finer control.
I like the changes.
It's easier to find any given feature now. As always, Bitdefender comes preconfigured to use Autopilot mode.
In this mode, it takes care of business without hassling you.

Are you being targeted by a malware attack? Bitdefender handles it silently.

This is great for most users, but for testing purposes I frequently had to turn it off.
If you reach into the settings and start making changes, perhaps turning on Paranoid Mode, you'll get a notification that you've turned Autopilot off. Bitdefender has the option, turned off by default, to automatically change its configuration depending on what you're doing. You can also manually select any of the five configuration profiles: Work, Movie, Game, Public Wi-Fi, and Battery Mode. My stripped-down test systems aren't really conducive to testing the automatic mode selection, but I like the idea.

Lovely Lab Results

Bitdefender doesn't pay for certification by ICSA Labs or West Coast Labs, but four of the five testing labs I follow include it in their testing.
In Virus Bulletin's RAP (Reactive and Proactive) test, it scored 81.08 percent, a bit of a drop from last year's score of 93.64 percent.

This current score is a hair below the average score for products I follow, 81.76 percent.

TrustPort Antivirus holds the best score at present, with 88.43 percent. The researchers at AV-Comparatives perform a broad array of tests on antivirus utilities and other security products.
I follow five of these closely.

A product that passes one of these tests earns Standard certification.

Those that do more than the minimum, or much more, earn Advanced or Advanced+ certification.

Bitdefender took Advanced+ in all five of these tests, as did Kaspersky. AV-Test Institute reports on three aspects of antivirus utilities: protection against malware, low performance impact, and low false positives.

A product can earn six points in each aspect, for a maximum of 18 points.

Bitdefender lost a half-point in protection and another half-point for false positives.
Its total score of 17 points is impressive, but Kaspersky managed a perfect 18.

AVG, Norton, and Trend Micro came close, with 17.5 points. This year I added a pair of tests by MRG-Effitas to my collection. One focuses specifically on financial malware, while the other attempts to cover the whole range.

A product can earn full or partial credit in the financial test; few receive full credit.

The full-range test offers level 1 certification for products that completely prevent infection by every sample, and level 2 certification for those that initially let some samples past but remediate the damage before the next reboot.
It's all or nothing, and most products fail. My contacts at several vendors, Trend Micro in particular, urged me to treat this pass-fail test differently.
Starting with this review, I've done so, giving the MRG test significantly less weight. With the new calculation, Trend Micro's aggregate score rose to 8.5, which I'm sure they'll like.

The same calculation gives 9.2 points to Bitdefender. Kaspersky, previously burdened by one second-rate score from this lab, now has a perfect 10 points for its aggregate score.

Very Good Malware Blocking

A full scan of my standard clean test system took 58 minutes, a good bit longer than the average time for recent products, which is 44 minutes.

A second scan completed in half the time, which is good. However, a number of other products avoid rescanning unchanged files, making a repeat scan ridiculously fast.

F-Secure Anti-Virus 2016 took two minutes for a repeat scan, and AVG did it in under a minute. Of course, once you've performed that initial scan, most of your antivirus tool's job involves preventing infestation, not removing it. Bitdefender's score in my own hands-on malware blocking test was good, but not on par with the scores it earned from the labs. When there's a discrepancy, I give significantly more weight to the lab results. My hands-on test still gives me needed experience with the product. This test starts when I open the folder containing my samples.
In most cases, the minuscule access that occurs when Windows Explorer reads the file's name, size, and so on is enough to trigger an on-access scan.

At first, I thought Bitdefender must be one of those that waits for a more significant access, like trying to launch the file.
I didn't see any notification that it caught malware.

But then I realized—it's on Autopilot! Looking closely, I saw that it wiped out just over 60 percent of the samples immediately. Before continuing to the next phase, launching the surviving samples, I turned off Autopilot so I'd get notification of the antivirus's activities.

Bitdefender caught most of the survivors at launch, or shortly after launch.
Its detection rate of 90 percent and overall score of 8.7 are both good, but others have done better. Norton and Trend Micro both earned 9.7 points, and Webroot SecureAnywhere AntiVirus managed a perfect 10 of 10. It takes ages for me to collect and analyze a new set of malware samples, so I use the same set for a whole season. My malicious URL blocking test, by contrast, uses URLs discovered by MRG-Effitas no more than one day earlier.
I launch each URL and record whether the antivirus blocked the browser's access to the dangerous URL, wiped out the malicious executable during download, or sat around like a lump doing nothing. Bitdefender passed this test with flying colors, blocking 90 percent of the samples, almost all of them at the URL level.

Few products have done better, though Avira Antivirus Pro 2016 displayed a 99 percent protection rate and Norton managed 98 percent.

Antiphishing Excellence

Phishing websites don't need fancy scripts or drive-by downloads.

They simply imitate PayPal, Facebook, Yahoo mail, your bank…just about any kind of secure site.
If you take the bait and enter your password, you're totally hosed.

The fraudsters have full access to your account. My antiphishing test uses freshly reported frauds, URLs too new to have been analyzed and put on the blacklist.

That's important, because phishing websites are ephemeral, lasting only a few days, or even a few hours.

By the time they get blacklisted, the fraudsters have pulled out and set up a new site. I launch each URL in five browsers.

Three of them just use the protection built into Chrome, Firefox, and Internet Explorer. One relies on Symantec Norton AntiVirus Basic, which for years has displayed excellent protection against phishing.

And of course one uses the product currently under test. Because the samples are different every time, I report the difference in protection rate between the product and the other four browsers rather than the raw score.
Very few antiphishing tools outscore Norton. More than half of recent products couldn't even beat two or more of the browser built-ins. As for Bitdefender, it has scored close to or better than Norton for a number of tests in a row.

This time it zoomed to the top, beating Norton's detection rate by a full five percentage points, and thoroughly trouncing all three browsers.

That puts it ahead of Kaspersky Anti-Virus and Webroot, the only other recent products to catch more phish than Norton, and of ZoneAlarm, which tied Norton.

Fraud Detection

Bitdefender's protection against fraudulent websites doesn't stop with antiphishing. Like Norton, Trend Micro, and many others, it marks up links in popular search and social media sites.

But where this feature typically just identifies sites as safe, iffy, or dangerous, Bitdefender goes into great detail. Most links will get the green all-clear icon, but there are more than a dozen other icons detailing very specific dangers.
It very specifically calls out such things as escrow scams, online dating scams, pay-per-click websites, and piracy sites, along with malware-hosting sites and phishing sites.

Don't worry; you don't have to memorize all of the icons. Just click the icon for a popup explanation, and click the popup for a page explaining all of the icons.

Vulnerability Scan

You read about security breaches at major companies every week, and quite often these breaches take place because somebody, somewhere failed to install a security patch. We recommend setting Windows Update to always install critical updates, but you also need to keep your browsers and other sensitive applications up to date. Bitdefender's vulnerability scan looks for missing Windows updates and for outdated browsers and other tools such as Java.
It also flags weak Windows account passwords and, if the system supports Wi-Fi, insecure Wi-Fi networks. On my test system, it found updates for Firefox and Java, and suggested I change all of the Windows account passwords.

Ransomware Protection

Like Panda Internet Security 2016's Data Shield component, Ransomware protection in Bitdefender lets you define one or more folders whose contents should be protected against unauthorized modification.
It's preconfigured to protect the Documents and Pictures folders for each user account, and you can add more folders for protection.

Trend Micro Antivirus+ Security has a similar feature, but it protects just one folder (and its subfolders). With Trend Micro, turning off the real-time antivirus also turns off ransomware protection, so I couldn't test with real ransomware.

Bitdefender's configuration is more flexible, allowing me to turn antivirus off while leaving ransomware protection running.

That permitted me to launch a ransomware sample and observe the protection.

The first thing my ransomware sample does is copy an executable file to the Documents folder, launch that new file, and delete itself.

Bitdefender cut off that behavior, and thereby prevented the entire ransomware attack. I also tried editing a file in the Documents folder using an unknown text editor, one that I wrote myself.

As with Trend Micro, the ransomware protection blocked my attempt to save the edited file until I clicked the button to allow access. Panda's Data Shield goes even further, optionally blocking unauthorized programs from even reading files in your protected folders.

But Panda Antivirus Pro 2016 doesn't have this feature, just the security suite.

What's in Your Wallet

Over the years, Bitdefender's Wallet feature has evolved into a complete, if basic, password manager.
Its feature set is on par with Trend Micro Password Manager 3.7, but it's not available as a separate purchase. Wallet exists as an extension in Chrome, Internet Explorer, and Firefox. You can create multiple wallets, perhaps for different users of the family PC. When you create a wallet, you must give it a strong master password, something you can remember, but that nobody else would guess. You can choose whether or not to sync this wallet across multiple Bitdefender installations. At creation time, a new wallet can siphon off passwords stored insecurely in your browsers. However, it doesn't remove them from the browsers or disable future password capture, the way Trend Micro does.

There's no option to import passwords from other competing programs. When you log in to a secure site, Bitdefender captures your credentials and pops up a transient notification that it did so.

Clicking the notification lets you edit the just-saved site, but you can't give it a friendly display name or assign it to a folder or category. When you return to a site, Bitdefender fills in your credentials.

Even easier, you can select the site from the browser extension's menu to both navigate there and log in. Like Trend Micro, Bitdefender doesn't handle non-standard login pages. You can manually add website login details, if you wish. You can also add application passwords, though the password manager won't fill them in for you. When you're signing up for a new account or replacing a bad password on an old one, use the password generator to create something random. You don't have to remember it, after all.

The password generator defaults to a respectable 15 characters, but only uses letters and digits by default. Please check the box to enable use of special characters, as it will improve your password security. You can create one or more identity profiles for use in filling Web forms.

Each profile includes personal, address, email, and telephone data, with just one instance of each field.

There's also a separate option to create credit card and bank account profiles, but for security these are not synced across multiple devices. When you reach a page that's asking for that personal data, just click the Wallet button and choose the profile you want to use.
If appropriate, choose the credit card separately. In testing, I found that Bitdefender did fill Web form data on most sites, including a few that stymied Trend Micro.
It did miss filling quite a few fields, but every field that it handles is one you don't have to type.

And hey, in last year's test it put the wrong data in many fields.

This is an improvement. Wallet has a few more features. You can use it to store geeky email details, like the server address and port.
If for some reason your laptop doesn't remember for itself, you can record Wi-Fi network details like password and type of encryption. Wallet handles all the basics of password management, and it may well be enough for you. However, if you want advanced features like two-factor authentication, secure credential sharing, and automated password update, you should look at our roundup of the best password managers and choose one of those.

Bitdefender SafePay

If you're just surfing the web for videos of kittens and fainting goats, any old browser will do.

But if your aim is to log in and make money transfers from your bank, that's a different story. When Bitdefender detects that you're heading for a financial site, it offers to open it in SafePay, a separate, secure desktop with a full-featured, hardened browser that supports multiple tabs and bookmarks. Naturally Wallet is compatible with the SafePay browser.
It allows installation of Flash, but no other extensions are permitted. Processes running in the SafePay desktop are isolated from those on the regular desktop. You can switch back and forth at will.

For protection against even a hardware keylogger, SafePay includes a virtual keyboard. And it prevents applications from capturing the screen. I couldn't get a screenshot using Alt+PrtSc; I had to use the virtual machine's internal screen capture feature. I strongly advise using SafePay for any sensitive online activity.

Wi-Fi Advisor

I couldn't actively test the Wi-Fi Security Advisor feature, because the virtual machines I use for testing don't have Wi-Fi.

This tool works one way for public networks, another way for your home network. When you connect to a public network, the advisor checks its security level. If the network fails the sniff test, the advisor suggests you do all your browsing through the secure SafePay browser. For the network that you designate as home, the advisor checks security and makes recommendations. For example, if you're using weak encryption, or no encryption, it advises that you use at least WPA2 encryption, and choose a strong password.

File Shredder

If you just delete a file, it goes to the Recycle Bin, which is handy for those times you deleted the wrong file. You can also bypass the Recycle Bin for sensitive files, but even if you do, it's often possible to recover the deleted file's data.

For true, unrecoverable deletion, you need a secure deletion utility like Bitdefender's File Shredder component. Some secure deletion utilities, especially those found in encryption tools, let you choose from many different shredding algorithms. But in truth, overwriting data just once before deletion is enough to foil all but the highest-end forensic recovery tools. Bitdefender overwrites the data three times, which is plenty. You can open the File Shredder and browse to add files and folders for deletion, or right click a file or folder and choose File Shredder from the Bitdefender submenu.
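To make concrete what "overwrite before delete" means, here is a small three-pass shredder in Python, added as an illustration and not Bitdefender's own code; the file name and sample data are constructed, and the comments note the case where an overwrite is not enough.

```python
import os
import secrets
import tempfile
from pathlib import Path

PASSES = 3          # Bitdefender's shredder overwrites three times (one pass already defeats most tools)
CHUNK = 64 * 1024   # write random data in 64 KiB chunks to bound memory use

def overwrite_in_place(path: Path, passes: int = PASSES) -> int:
    """Overwrite every byte with random data `passes` times, fsync'ing each pass.
    Caveat: on SSDs with wear levelling, and on copy-on-write file systems or
    snapshots, the new data may land on other physical blocks, so the old copy can survive."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left > 0:
                n = min(left, CHUNK)
                f.write(secrets.token_bytes(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())   # push the pass to the device, not just the page cache
    return size

def shred(path: Path, passes: int = PASSES) -> None:
    """Overwrite, rename to a random name (hides the original filename in the
    directory entry), then unlink."""
    overwrite_in_place(path, passes)
    anon = path.with_name(secrets.token_hex(8))
    path.rename(anon)
    anon.unlink()

def demo() -> dict:
    """Constructed scenario: a file with card details, checked before and after."""
    secret = b"card 4111 1111 1111 1111 exp 12/29\n" * 100   # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "statement.txt"
        path.write_bytes(secret)
        found_before = secret in path.read_bytes()
        overwrite_in_place(path)
        after = path.read_bytes()                      # what a raw-disk recovery tool would now see
        found_after = b"4111 1111 1111 1111" in after  # any trace of the original left?
        shred(path)
        return {"found_before": found_before, "found_after": found_after,
                "size_kept": len(after) == len(secret), "file_gone": not path.exists()}

if __name__ == "__main__":
    print(demo())
```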

This tool proved easy to use, though I would have preferred the option to drag files and folders onto it rather than browsing for them.

Practically a Suite

This is a long review, because this is a feature-packed product.

The labs love it, and it did especially well in my own antiphishing and malicious URL blocking tests.

Among its vast array of bonus features are a basic password manager, a secure browser to protect your financial transactions, and a permissions-control monitor to keep ransomware from modifying your important files. Bitdefender shares the Editors' Choice honor with several other commercial antivirus products.

The labs love Kaspersky Anti-Virus even more than they do Bitdefender. McAfee AntiVirus Plus protects all of your devices, on multiple platforms.
Symantec Norton AntiVirus Basic includes advanced intrusion detection and other significant bonus features.

And the journal-and-rollback technique that Webroot SecureAnywhere Antivirus applies to unknown programs should let it prevent damage by even a zero-day Trojan.
