Real-World Test of Selected Products

What are we testing?


Webroot - heavily reliant on cloud and behavioural analysis, the software uses hash-based protection and pre-execution heuristics (dynamic analysis). It also makes use of behavioural monitoring, journalling and rollback. The Webroot extension provides real time Phishing protection by inspecting page linguistics and overall structure for signs of phishing.


ZoneAlarm - product makes use of dynamic emulation, inspecting files with 60+ AI engines in real time. It offers standard antivirus, reputation-based antivirus, CDR and real-time  phishing protection.


Eset - a well known package. Offers standard antivirus, behavioural monitoring, HIPS and anti-phishing protection. The most premium version includes cloud emulation.


Trend Micro - the software is heavily based on signatures and machine learning that's being ran only on files with low prevalence.

4 Products

Various threats

Tolerance: 1 fraudulent site

Section 1: known & unknown phishing links.

These links will test products abilities to block already known and pre-analysed phishing. In some cases, they may rely on real-time analysis. For example, ZoneAlarm and Webroot both use real-time inspection. Evidence suggests that Eset creates definitions/heuristics as part of the AV scanner, that can potentially detect unknown phishing pages.

Section 2: known & unknown malware links.

These links will test products abilities to detect malware in a realistic scenario. A lot of products control false positives by using more aggressive screening on downloads, but more moderate scanning of local files. By downloading files from the web, product's full potential is realised.

Malware Name Type Link Behaviour Any.run Report
Vidar/StealC Infostealer http://147.45.44.104/yuop/66bb989993888_crypted.exe#1 Injects in RegAsm.exe https://app.any.run/tasks/3dfbb89f-8768-44a6-bcba-2567d2f8b870
Phorpiex Infostealer http://185.215.113.66/newtpp.exe Abuses svchost and rundll https://app.any.run/tasks/731c7e4c-8ed6-42b9-b9cc-4c9791b1c92d
Lumma Infostealer http://147.45.44.131/files/L.exe Injects in RegAsm and svchost.exe https://app.any.run/tasks/87fd6b77-f487-45d2-befa-cc555e80023e/
Discord grabber Infostealer https://1drv.ms/u/c/32a149dac3ce5a59/EY65PdQ4DAhFlCYqOiZFXVYBlSO_218ksBLhazsWpoqIqg?e=xUbNlp Reads credentials; saves them in C:\Users\admin\AppData\Local\Temp\Discord\DiscordFiles.zip https://app.any.run/tasks/d2d4e52b-0c81-431b-af21-9658f3e9bf70/
Ryuk Ransomware https://1drv.ms/u/c/32a149dac3ce5a59/EWiPuWR7ihpOi0N7Nd6t3fUBjfRJ02oNa4KVLhvrhGOjNQ?e=mm97Ib Typical https://app.any.run/tasks/3fe7dabf-f049-418e-9156-2249b671c4f2
Ransomware https://1drv.ms/u/c/32a149dac3ce5a59/ET8L3fc3Ec9Kio9B3LOPWJ8Bc3RBPFxAF32l6ol3hCpUwQ?e=SSVgdi Typical https://app.any.run/tasks/8976b977-f230-4943-a965-5130fd975013/#
Stop/DJVu Ransomware https://1drv.ms/u/c/32a149dac3ce5a59/AT8L3fc3Ec9Kio9B3LOPWJ8?e=tW26F6 Typical https://app.any.run/tasks/a55506ae-3832-4b8e-b26f-331cc55685a3/#
Netwalker Ransomware https://1drv.ms/u/c/32a149dac3ce5a59/AUWehrKzj_NLhSoBtwzo0SM?e=cE084z Typical https://app.any.run/tasks/e1119668-302b-4f89-a72e-5d33787def97
Remcos RAT https://1drv.ms/u/c/32a149dac3ce5a59/EenNkMdyyyhCtJeApUrBbs8B9bvNcDaT55a_pIzu1BmPIQ?e=CrNAmW Allows Remote Access; attacker must be actively looking at the machines to log-in https://www.joesandbox.com/analysis/1491471/0/html