What does the name of the "Advanced In-The-Wild Malware Test" mean?
The name describes the nature of the tests: the samples used in the study come from real attacks on honeypots, i.e. decoy systems or services that pretend to be real targets and capture the malware used against them.
How to join your tests?
If you are a manufacturer, distributor or developer and would like to join our tests, simply contact us. In response, we will ask you for guidance on the proper operation of your product, and we will agree on the other details needed to set up the automated malware detection procedure for it.
How to get a certificate?
Only the best workstation protection solutions receive the BEST+++ certificate, which confirms very high effectiveness. Details are available at checklab.pl/en/how-to-get-certificate
Is it possible to join the tests informally?
Yes. If you think your solution is not yet fully developed, or you are worried about receiving a low score, you can join the test for a trial period. The protection results will not be made public. In addition, we will provide you with the details needed to improve the protection effectiveness of your product.
Are the tests free?
Charging for the preparation and publication of tests is not the same as manipulating results: an organization caught manipulating results would never rebuild its position and credibility. The very small fee is treated by both parties as remuneration for the work and for improved user safety. Without it, maintaining the infrastructure and continually improving the procedures and tools needed to conduct the tests would not be possible. In return, each vendor gets access to the detailed results and to the samples used in the test. The “Advanced In-The-Wild Malware Test” studies are conducted under the AVLab brand, which has been known on the market for 6 years; the marketing benefits are the added value.
Is all information available publicly?
Not all. Manufacturers have insight into more detailed data. The information needed to visualise the results remains available to every reader.
Do you carry out other tests?
Yes, but we do not have a fixed schedule for them. In large comparative tests we focus on checking protection against sophisticated cyberattacks. Preparing such a study, cooperating with manufacturers to improve security and producing the final report takes far more time than the automatic verification of protection against malware samples.
Do you perform tests and prepare reviews at the request of the manufacturer or distributor?
Of course. We can prepare detailed reviews for publication on AVLab and CheckLab. Interested manufacturers of software and hardware are encouraged to contact us.
What is your source for obtaining malware samples?
The only source of malware samples is honeypots located on every continent. Among other platforms, we collect malicious software for Windows. Before the samples are tested, they are checked against more than 100 rules that determine whether a sample is a real threat to the Windows 10 operating system. Malware that for various reasons is not suitable for testing is set aside. Only the malicious files that show suspicious indicators are added to the test database on the following day. In other words, malware that, for example, modifies system parameters, encrypts files, manipulates registry keys and values, runs malicious scripts or loads malicious DLLs into processes is considered useful.
Do you share samples of malware?
Yes. If you want access to the malware database, please contact us. This is a paid service. The reliability of our tests always comes first, so the samples in the database you receive will already have been checked against antivirus software.
In what environment do you carry out tests?
The tests are performed in virtual machines; virtualisation is increasingly common in real work environments, such as VDI (Virtual Desktop Infrastructure). We use scripts that further "harden" the system, which makes it more difficult for malware to detect that it is running under virtualisation. We are aware that some malware detects when it is launched in a virtual machine, so we only use samples that have been thoroughly verified beforehand, and we do not include malware that is able to detect even well-hidden virtualisation. This is not an ideal solution, but we do everything we can to keep the tests professional while reconciling these aspects.
Can you describe your tests in a nutshell?

The “Advanced In-The-Wild Malware Tests” are performed automatically. Before samples are run on machines with security products installed, they are thoroughly analysed, so that only malicious samples are admitted to the tests.

Each sample is run in Windows 10 for 15 minutes. Because there is no human in the loop, we cannot tell during the analysis whether the malware has finished its activity after, say, 60 seconds, so we have to set a time threshold after which log collection stops. We do not rule out that malware may wait several hours before activating, or wait for a specific trigger such as the start of a particular application. For this reason we must be sure that the analysed sample is 100% malicious. We have made every effort to ensure that the sample collection is thoroughly checked beforehand and that the tests are as close as possible to real use of Windows 10.

Once we are sure that the entire collection has been checked, each sample is sent in turn to all the test machines. There the threat analysis procedure is carried out, and its result is sent to the PERUN system, which searches the logs for potentially dangerous indicators. When the analysis is complete, the next sample is tested.

All information from the automated analysis is published on CheckLab and AVLab in a format that is friendly to both users and manufacturers. More details are provided in the methodology and the other documents describing the entire test procedure.

How do you make sure that a virus sample is really malicious?
On the basis of detailed logs. We have developed over 100 indicators that point to malicious changes made to the system. The more of these indicators appear in the logs, the greater the chance that a particular sample is malicious. For more details on acquiring and analysing malware, see the other documents.
Based on what data do you decide whether the product has blocked the threat?
The activity of each sample is recorded in the system event log, which lets us export the necessary information to CSV files. Based on the collected data, the algorithms we have developed determine whether a particular sample is undoubtedly malicious and whether it was stopped by the installed security product; we can then determine with certainty whether the product stopped the malware with its signature-based or its proactive protection components. Analysing logs by hand is very time consuming, which is why we developed algorithms that automate this process. We also cooperate with manufacturers: if they draw our attention to an issue, we look into the problem and take the necessary steps to address it. We are open to any form of cooperation that benefits Internet users and lets us keep building our competence in what we do.
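The decision procedure described in the two answers above (indicator counting, and deciding from the log whether the product stopped the sample and with which component), as an added illustration that is not CheckLab's PERUN code or its rule set: a small Python script scores an exported event log against behaviour indicators, treats a product's block event as effective only if no indicator fires after it, and otherwise reports the sample as malicious and not blocked, or as inconclusive when too few indicators fired. The CSV schema, the Sysmon-style messages, the five indicator rules (the real rule set has over 100), the "SecurityProduct" source and the messages the product is assumed to write when it blocks are all assumptions, and the log lines are constructed.

```python
"""Added example (not CheckLab's PERUN code): score one sample's exported
event log against behaviour indicators and decide whether the installed
security product stopped it, and with which component.

Assumptions for illustration: the CSV schema, the Sysmon-style messages,
the five indicator rules and the block messages under BLOCK_RULES."""
import csv
import io
import re
from dataclasses import dataclass


@dataclass
class Event:
    time: int        # seconds after the sample was launched
    source: str
    event_id: int
    message: str


# Hypothetical behaviour indicators, one regex per rule.
INDICATOR_RULES = {
    "persistence_run_key": re.compile(r"Registry value set: .*\\CurrentVersion\\Run\\", re.I),
    "encoded_powershell": re.compile(r"Process Create: .*powershell(\.exe)?\s.*-enc\b", re.I),
    "dll_loaded_from_temp": re.compile(r"Image loaded: .*\\Temp\\.*\.dll into ", re.I),
    "file_renamed_to_locked": re.compile(r"File created: .*\.(locked|encrypted)$", re.I),
    "defender_disabled": re.compile(r"Registry value set: .*\\Windows Defender\\DisableAntiSpyware", re.I),
}

# Hypothetical messages the security product writes when it stops a sample.
BLOCK_RULES = {
    "signature": re.compile(r"Threat detected by signature", re.I),
    "proactive": re.compile(r"Blocked by behavio(u)?r monitor", re.I),
}

MIN_INDICATORS = 2  # below this the log does not prove the sample malicious


def parse_log(text: str) -> list[Event]:
    """Parse the CSV export (columns: time,source,event_id,message)."""
    rows = csv.DictReader(io.StringIO(text))
    return [Event(int(r["time"]), r["source"], int(r["event_id"]), r["message"]) for r in rows]


def find_indicators(events: list[Event]) -> list[tuple[int, str]]:
    """Return (time, rule_name) for every indicator rule that fires on an event."""
    return [(ev.time, name) for ev in events
            for name, rx in INDICATOR_RULES.items() if rx.search(ev.message)]


def find_block(events: list[Event]):
    """Return (time, component) of the first block event logged by the product, or None."""
    for ev in events:
        if ev.source != "SecurityProduct":
            continue
        for component, rx in BLOCK_RULES.items():
            if rx.search(ev.message):
                return ev.time, component
    return None


def verdict(log_text: str) -> dict:
    events = parse_log(log_text)
    hits = find_indicators(events)
    names = [name for _, name in hits]
    block = find_block(events)
    # A block only counts if no indicator fired after it: the product must
    # actually have stopped the sample, not merely logged a detection.
    if block is not None and not any(t > block[0] for t, _ in hits):
        return {"result": "blocked", "component": block[1], "indicators": names}
    if len(hits) >= MIN_INDICATORS:
        return {"result": "malicious_not_blocked", "component": None, "indicators": names}
    # Too few indicators: the sample may be dormant, waiting for a trigger,
    # or VM-aware; such a run says nothing about the product.
    return {"result": "inconclusive", "component": None, "indicators": names}


# Constructed event logs (not real test data).
_HEADER = "time,source,event_id,message"
_LAUNCH = r"1,Sysmon,1,Process Create: C:\Users\lab\Downloads\invoice.exe"
_RUNKEY = r"2,Sysmon,13,Registry value set: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"
_ENCPS = r"3,Sysmon,1,Process Create: powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"
_BLOCK_SIG = "1,SecurityProduct,5000,Threat detected by signature: Trojan.Generic (quarantined)"

NOT_BLOCKED_LOG = "\n".join([
    _HEADER, _LAUNCH, _RUNKEY, _ENCPS,
    r"4,Sysmon,7,Image loaded: C:\Users\lab\AppData\Local\Temp\x.dll into explorer.exe",
    r"5,Sysmon,11,File created: C:\Users\lab\Documents\report.docx.locked",
])
BLOCKED_BY_SIGNATURE_LOG = "\n".join([_HEADER, _BLOCK_SIG])
BLOCKED_BY_BEHAVIOUR_LOG = "\n".join([
    _HEADER, _LAUNCH, _RUNKEY,
    "3,SecurityProduct,5001,Blocked by behaviour monitor: process terminated",
])
DETECTION_TOO_LATE_LOG = "\n".join([_HEADER, _LAUNCH, _BLOCK_SIG, _RUNKEY, _ENCPS])
DORMANT_LOG = "\n".join([_HEADER, _LAUNCH])

if __name__ == "__main__":
    for label, log in [("not blocked", NOT_BLOCKED_LOG), ("signature", BLOCKED_BY_SIGNATURE_LOG),
                       ("behaviour", BLOCKED_BY_BEHAVIOUR_LOG), ("too late", DETECTION_TOO_LATE_LOG),
                       ("dormant", DORMANT_LOG)]:
        print(f"{label:>11}: {verdict(log)}")
```

Running the script prints one verdict per constructed log. Two outcomes are the ones a practitioner should watch for: a detection event followed by further indicators is scored as a miss rather than a block, because the product logged the threat but did not stop it; and a run with too few indicators is scored as inconclusive rather than as a success for the product, since a sample that stayed dormant within the 15-minute window proves nothing either way.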
Why are result tables so complex?
Our motto is transparency. We want to show the reader as much information as possible, so we decided to present the results more precisely than other professional testing organizations do. This means that in the “Advanced In-The-Wild Malware Test” performed by CheckLab the reader will find, for each sample, detailed information on its detection broken down by the protective technologies that contributed to it.
How often do you publish test results?
The results are published once a month. We cannot publish every day, because manufacturers need time to respond to the results.
What are your plans for the future?
We want to provide users with an online platform for sharing information about threats. Systematic improvement of the tools and methodology we have already developed is a natural part of the process.
CheckLab, who are you?
CheckLab is part of the well-known AVLab.pl portal, which deals with security and with testing products for monitoring, managing and protecting workstations. We have been active on the market since 2012. AVLab tests are discussed on international portals and are recognised and appreciated by manufacturers. Our recommendations speak for themselves. For more information, see the “About Us” section.
Can I use the tests published on CheckLab and AVLab?
Of course. Please acknowledge our work on improving security by citing the test source.