Antivirus Vendors Measured Performance(12/19/2019 11:25pm to 12/26/2019 11:25pm UTC)

How to interpret these numbers

This page shows the relative performance of the Antivirus solutions hosted by VirusTotal. We rank antivirus performance in 2 dimensions: The severity of the kind of Malware they are able to detect, and how well they are able to detect any Malware.

  • The severity is our estimate of what class of malware was detected. If it is spyware or an undesirable application, its severity is low. If it is a Bot designed to hijack your computer, ransomware or any type of malware which will compromise your data, it is ranked 100.
  • The detection rate is calculated over all malware reported in this period. This measures of how effective each vendor is with respect to the others.

Bubbles toward the top right represent the best performers

How we get these numbers

MetaFlows' network antivirus extracts files in real time from the traffic being transmitted across our customers' networks. We send the hash of dangerous file types to VirusTotal. 55+ antivirus at once will tell us if they have seen malware in that particular file. If the file is unknown (VirusTotal has not seen it before), we send the file to the MetaFlows Sandbox where it is detonated in a controlled environment to find zero-day exploits.

We also show the MetaFlows Sandbox numbers to implicitly also compare antivirus performance with zero-day threat detection. The sandbox, will always have severity of 100 but may detect a variable number of zero-day threats depending on the week. The sandbox detection rate can be interpreted as the relative incidence of zero-day threats vs. known threats.

Antivirus Vendor Avg Priority (avgp) Total Priority (totp) Relative Detection Rate (tpr = tph / gh) Severity (avgp * tpr) Prevalence (totp * tpr)

The table below the bubble graph shows the sortable raw data. The first column is the invariant extracted from the events. If you have an account with MetaFlows, you can click on certain invariants to see if your sensors have detected it. The other columns should be self-explanatory. Hovering over a bubble or set of overlapping bubbles shows the raw data represented by the bubble(s) selected. This selection is sticky so that you can go to the table and inspect the data or click on the links within the table. To see all rows in the table, click outside any bubble.