Is Antivirus Software Actually Getting Better?

These days, new and modified malware strains are emerging in massive numbers almost every day, and attack techniques are becoming increasingly sophisticated. That naturally leads to a bigger question: are antivirus solutions really keeping up? More specifically, are their detection capabilities improving as dramatically as vendors often claim in their marketing materials?

To explore this question, our research team chose not to rely on a one-off test. Instead, we conducted long-term evaluations on a quarterly basis under the same conditions. In this article, we bring together and analyze the results of our PC antivirus detection performance tests carried out from the third quarter of 2024 through the fourth quarter of 2025.

Malware Samples and Evaluation Scenarios for Antivirus Performance Testing

For this test, we used malware samples that were randomly selected from threats collected over a three-month period each quarter, both through our own collection efforts and from malware database sites. The collected samples were then categorized into executable malware, document-based malware, and ransomware, and performance testing was carried out for each category separately.

Figure 1. PC Antivirus Performance Test 

Antivirus Products Under Test and the Evaluation Testbed

The PC antivirus products used in this evaluation were selected from consumer-grade offerings. We focused on products with strong market presence in both domestic and international markets that could be installed on the Windows operating system. From a pool of 20 candidates, 9 products were randomly chosen for testing. In this blog, the products are anonymized and referred to simply as A through I.

The testbed consisted of nine PCs inside the firewall, each with a different antivirus product installed, along with one additional PC used for test control and log collection. To minimize human intervention, each of the nine antivirus-equipped PCs was installed with an in-house developed agent program that automatically downloaded and executed malware samples. The separate log storage PC was equipped with a controller that delivered commands and malware samples to the agents running on the nine test systems, allowing the entire evaluation to be carried out in a controlled and automated manner.

Analysis of Download Detection Performance

Looking at quarterly download detection rates across all antivirus products, the overall trend shows clear improvement over time. Compared with 2024, the average detection rate in 2025 increased noticeably. While detection rates hovered around 50% in 2024, they rose to over 70% on average in 2025.

In particular, ransomware and executable files showed especially strong results, with detection rates reaching around 90%. Document-based malware, however, remains a weaker area. Its download detection rate still stays at roughly 50%, suggesting that this type of threat continues to require extra caution from users.

Looking at detection rates by product, C, D, E, F, and I stand out as the most consistently strong performers. From late 2024 onward, these products generally maintained detection rates in the 70-80% range or higher, and by Q4 2025, several of them were recording rates above 90%. Based on these results, it is reasonable to infer that these products likely incorporate technologies capable of blocking malicious downloads before execution, such as signature-based detection and cloud reputation analysis.

A and B, on the other hand, started out with relatively low detection rates but showed steady improvement over time, eventually reaching over 80% in recent tests. G and H showed much greater quarter-to-quarter fluctuation. In particular, although H has improved in more recent evaluations, its overall detection rate has remained comparatively low, which may cautiously suggest the presence of some structural limitations. That said, as the data moves into the second half of 2025, the performance gap between products begins to narrow, pointing to an overall improvement across the board.

One note regarding Product H: it was excluded from the Q3 2024 download test results. This was due to an issue in the test process itself: we did not initially realize that the product would fail to detect downloads unless the file was placed in the Downloads folder through File Explorer. Because of that oversight, the Q3 2024 result for H was excluded, and only the performance results from subsequent quarters were included in the analysis.

Analysis of Real-Time (Execution) Detection Performance

Real-time, or execution-based, detection performance remains significantly weaker than download detection performance, with detection rates coming in at less than half the level overall. The results also show greater quarter-to-quarter fluctuation and a lack of consistency, and in some categories the detection rate even appears to decline over time rather than improve.

Document-based malware stands out in particular as a persistent weak point. Its low detection rate strongly suggests that defenses against macro- and script-based attacks are still falling short. Executable file detection, on the other hand, showed a brief dip at one stage, but the overall trend points to gradual improvement over time.

Looking at real-time detection performance by product, C and D delivered relatively strong results compared with the rest. By contrast, A, B, G, and H showed periods where detection rates fell into the 10% range, highlighting just how weak their real-time protection can be in certain cases. One possible explanation is that behavior-based detection engines may not be operating aggressively enough in real-world conditions. Factors such as limited analysis time and the need to avoid false positives may be causing some products to take a more conservative approach, which in turn reduces their ability to block malicious behavior at the moment of execution.
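The following is an added example, not the research team's own tooling: one way to tally per-product and quarterly-average detection rates for each stage from controller logs, keeping an invalidated run (such as Product H's Q3 2024 download test) out of both numerator and denominator. The record format, the sample rows, and the choice of an unweighted mean across products are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed records in a hypothetical controller log format (not real results):
# (quarter, product, category, stage, detected)
RECORDS = [
    ("2024Q3", "C", "executable", "download", True),
    ("2024Q3", "C", "document", "download", False),
    ("2024Q3", "C", "ransomware", "download", True),
    ("2024Q3", "C", "document", "execution", False),
    ("2024Q3", "H", "executable", "download", False),  # invalid run, see EXCLUDED
    ("2024Q3", "H", "document", "download", False),    # invalid run, see EXCLUDED
    ("2024Q3", "H", "executable", "execution", True),
    ("2024Q3", "H", "document", "execution", False),
]

# (quarter, product, stage) runs invalidated by a test-process issue.
EXCLUDED = frozenset({("2024Q3", "H", "download")})


def product_rates(records, stage, category=None, excluded=EXCLUDED):
    """Percent detected per (quarter, product) for one stage, optionally one category."""
    hits, total = defaultdict(int), defaultdict(int)
    for quarter, product, cat, st, detected in records:
        if st != stage or (category is not None and cat != category):
            continue
        if (quarter, product, st) in excluded:
            continue  # an excluded run must not count as a miss
        total[(quarter, product)] += 1
        hits[(quarter, product)] += bool(detected)
    return {key: 100.0 * hits[key] / total[key] for key in total}


def quarterly_average(records, quarter, stage, category=None, excluded=EXCLUDED):
    """Unweighted mean over products with valid runs; None when there are none."""
    rates = [rate
             for (q, _product), rate in product_rates(records, stage, category, excluded).items()
             if q == quarter]
    return mean(rates) if rates else None


if __name__ == "__main__":
    for stage in ("download", "execution"):
        print(stage, quarterly_average(RECORDS, "2024Q3", stage))
```

With the constructed rows, counting H's invalid download run as misses would halve the Q3 2024 download average, which is why the exclusion has to be applied before the rates are computed rather than after.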

Conclusion

Through the results of this malware performance evaluation, we were able to get at least a clearer answer to the question of whether antivirus software is actually improving over time. Overall, the findings show that antivirus products are making steady progress in download-stage detection, and that the performance gap between products is also beginning to narrow. Protection against ransomware and executable files (.exe) has clearly improved, which is an encouraging sign. At the same time, however, document-based malware still shows relatively low detection rates at the download stage, and that remains one of the more disappointing takeaways from the test results. The data also suggests that antivirus products continue to face clear limitations when it comes to real-time, execution-stage detection. In particular, stronger and more innovative capabilities seem to be needed for threats such as document-based malware, delayed-execution malware, and the early-stage behavioral blocking of ransomware.

Our research team will continue to evaluate antivirus products through quarterly testing under consistent conditions as well as a wider range of test scenarios, and we plan to keep sharing the results going forward. We hope you will continue to follow our work with interest.
