How to Safely Test Any Windows Antivirus Against Real Malware

Test Antivirus Malware Featured

Ever wondered whether your antivirus really works at blocking real viruses, or which options can actually protect you against ransomware? If you want to determine whether an antivirus is any good, it’s best if you actually test each one against real Windows malware. Find out how to do that in a safe way in this guide.

Precautions

When choosing a computer to use for these tests, we recommend opting for an old computer that you don’t care about much or a cheap, new computer that does not have any of your personal files on it yet.

Warning: this guide involves downloading real malware – programs that are designed to cause real damage to your computer and data. If you take enough precautions, you should be safe. But be prepared for anything.

Install a Windows Virtual Machine

Since we are running a Windows virtual machine (VM), try to start with a computer that uses something other than the Windows operating system, such as macOS or Linux. By having the host run a different operating system than the VM, there is less chance that a virus infecting your VM can break through to infect your actual host system.

We are using Parallels Desktop for Mac on macOS to run a Windows VM in this guide. Install Parallels with Windows 11; it’s very easy and takes just a few clicks to get set up.

Other Virtualization Options

If you have a different host OS or prefer to use another provider, you can choose another virtualization software instead of Parallels. There are many options, depending on your host operating system. A few good options follow:

Protect and Harden Windows

You can limit the possibility that malware will spread by preparing various programs and settings before downloading and testing the malware.

Install, Update, and Configure an Antivirus

At this point, you want to install the antivirus program of your choice on your VM. In this guide, we are using the default Windows Defender.

  1. Open the Settings app and click “Privacy & security -> Windows Security.”
Test Antivirus Malware Settings Windows Security View
  1. Click “Virus & threat protection.”
Test Antivirus Malware Settings Windows Security Options
  1. Scroll down a bit and click “Manage settings.”
Test Antivirus Malware Windows Security Virus And Threat
  1. On the next screen, ensure all of the security options are toggled on, especially the “Real-time protection” option.
Test Antivirus Malware Windows Security Virus And Threat Protection All Checked
  1. Click the back button in the top-left corner, then scroll down to click “Protection updates.”
Test Antivirus Malware Windows Security Virus And Threat Updates
  1. Click “Check for updates” to ensure Windows Defender can identify the latest threats.
Test Antivirus Malware Windows Security Virus Check For Updates

Tip: Did you know that you can switch between Windows 10 and Windows 11 using a virtual machine?

Create a Non-Administrator User Account

The default account on a Windows VM is usually an administrator account. It is riskier to run malware with an admin account, as it can make changes to the operating system without requiring a password.

  1. Open “Settings -> Accounts.”
Test Antivirus Malware Settings Accounts
  1. Click “Other users.”
Test Antivirus Malware Settings Accounts Other Users
  1. Click “Add account.”
Test Antivirus Malware Settings Accounts Other Users Add Account
  1. Click “I don’t have this person’s sign-in information.”
Test Antivirus Malware Add Account Microsoft
  1. Click “Add a user without a Microsoft account.”
Test Antivirus Malware Add User
  1. Type in a name and password for the user.
Test Antivirus Malware Log In
  1. Scroll down to fill out all the security questions, then click “Next.”
Test Antivirus Malware Security Questions
  1. The new account will be created as a “Standard User,” not an “Administrator.” Click the Windows Start button, then your current user name, and select the new username.
Test Antivirus Malware Switch Account To Test Malware
  1. Log in with the password you chose and you’re good to go.

Prepare to Run the Malware

To prepare your VM to run the malware and test it, you’ll need the follow few items:

Install Python

You’ll have to install Python 2.7, a safe program, to run the malware repository that will be downloaded later.

  1. Open the Settings app and search for “App execution aliases” in the search bar.
Secret Messages 3 Settings App Execution Search
  1. Scroll down to find any items named “python3.exe” or “python.exe” and toggle them all off.
Test Antivirus Malware Settings App Execution Aliases Python
  1. Download Python 2.7 from its official website. You most likely want the “Windows x86-64 MSI installer” file.
Secret Messages 3 Python Download Windows
  1. Go through with installing. In the customize steps, make sure you have “Add python.exe to Path” enabled.
Secret Messages 3 Python Install Add To Path
  1. Download and install the Microsoft Visual C++ Compiler for Python 2.7.

Download and Install theZoo

  1. View theZoo on GitHub. theZoo is a popular open-source program that will safely browse a collection or a “zoo” of known malware. Click “Code -> Download ZIP.” Rest assured, nothing bad will happen to your computer from just downloading this .ZIP file. All of the malware remains encrypted and locked until you complete the final step below.
Test Antivirus Malware Thezoo Github Code Download Zip
  1. Extract the downloaded .ZIP and enter the folder. You should see various .PY files and a “malware” folder.
Test Antivirus Malware The Zoo Master Extract
  1. Right-click an empty space in the file explorer and click “Open in Terminal.”
Test Antivirus Malware Open In Terminal
  1. Install and update additional Python modules that theZoo needs to operate. Type the command pip install --user --upgrade "pip==20.3.4" and hit Enter.
Test Antivirus Malware The Zoo Master Terminal Install Pip 20 3 4
  1. Input the following pip install pyreadline command.
Test Antivirus Malware The Zoo Master Terminal Install Pyreadline
  1. Enter pip install --user -r requirements.txt.
Test Antivirus Malware The Zoo Master Terminal Pip Install Requirements
  1. You should see the message “Successfully installed pyminizip-0.2.6.” Don’t worry about the warning messages.
Test Antivirus Malware The Zoo Master Terminal After Pip Install Requirements

Configure Parallels Settings for Maximum Security

  1. Shut down your Windows VM.
Test Antivirus Malware Parallels Control Center Power
  1. Press on the gear icon of your Windows VM in the Parallels Control Center.
Test Antivirus Malware Parallels Windows 11 Settings
  1. Go to “Hardware -> CPU & Memory -> Manual,” then reduce the “Processors” and “Memory” to less than half of your physical system amounts. To be safe, reduce to two processors and 4 GB of memory.
Test Antivirus Malware Parallels Hardware Cpu And Memory
  1. Click “Shared Printers,” then uncheck “Share Mac printers with Windows 11.”
Test Antivirus Malware Hardware Shared Printers
  1. Go to “Network -> Source menu” and select “Disconnected.”
Test Antivirus Malware Parallels Windows 11 Settings Network Disabled
  1. Select “Security” and check the “Isolate Windows from Mac” option.
Test Antivirus Malware Parallels Windows 11 Settings Security Isolate From Mac
  1. Click the power button on your Windows VM in the Parallels Control Center.
Test Antivirus Malware Parallels Control Center Power 1
  1. Log back in to the non-administrator user you created earlier.

Even if you aren’t using Parallels, you can apply similar settings to most other virtualization software.

Tip: did you know that you can remove a virus from your PC without an antivirus? Learn how by following our guide.

Run the Malware

  1. To run the malware, open a Terminal window in theZoo folder as shown previously.
  2. Type python theZoo.py and hit Enter.
Test Antivirus Malware The Zoo Master Terminal Python The Zoo
  1. Read the End User License Agreement (EULA), then enter “YES.”
Test Antivirus Malware The Zoo Master Terminal Eula Yes
  1. Inside theZoo console, enter the help command to see various commands. Enter exit to leave theZoo at any time.
Test Antivirus Malware The Zoo Console Help
  1. Enter search ransomware to list all ransomware. You should see a list like the one below.
Test Antivirus Malware The Zoo Console Search Ransomware
  1. Select one of the malware using use <id> (replacing <id> with the leftmost number next to the malware listed). For example, enter use 352 to select the Petya ransomware.
Test Antivirus Malware The Zoo Console Search Ransomware Use 352
  1. Enter get to download the selected malware.
Test Antivirus Malware The Zoo Console Petya Ransomware Get
  1. You should promptly receive a Windows Defender notification indicating that it blocked something.

Success! This means you have good protection. While most good antivirus programs will just silently block any malware from being downloaded, you’ve verified it!

Test Antivirus Malware Windows Defender Found Threats

During our testing, we sometimes found the antivirus to be a bit too strong. After running the get command, we occasionally received the below error message. We didn’t know what the problem was at first but soon realized that our antivirus had preemptively removed the zipped-up malware before we could run any commands. If you see this error message, consider giving your antivirus a passing grade.

Test Antivirus Malware Path Name Does Not Match

If you’re interested in protecting your Windows PC, check out this guide on identifying legitimate Windows processes.

Frequently Asked Questions

What is the best way to protect from computer viruses and malware?

Microsoft has done a superb job beefing up Windows security, so you can consider it unnecessary to install third-party antivirus programs. Keeping Windows Defender up to date and with real-time protection enabled is the best way to protect your Windows PC. In the test we ran, Windows Defender immediately blocked any malware we tried to download.

What is the EICAR test file?

EICAR stands for the European Institute for Computer Antivirus Research. The EICAR test file is a completely harmless computer executable program designed to test whether antivirus programs actually work. When the file is run, all it does is print out the text “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!”

While using the EICAR test file is a safe and easy way to test whether your antivirus works, this approach has a few flaws. For instance, computer security developers have to specifically add the EICAR test file definition into their programs to detect it. Thus, some legitimate antivirus programs don’t bother to block the EICAR test file, as it poses no real threat to users.

It also means that a fake antivirus could block the EICAR file to “pass” the test while offering no protection to your computer at all! Secondly, the test file contains no real malicious code, so you won’t be testing the full capabilities of your antivirus, which usually involves terminating programs with suspicious behaviors or blocking ransomware code from executing.

Is it possible for malware to escape a virtual machine and infect the host system?

While it is rare, it is possible. When testing with theZoo, it’s important to only select existing malware that is known to not have the capability to escape the VM guest system and infect the host system.

Additionally, because malware is designed to target and exploit only a specific operating system like Windows, it is more secure to use different operating systems for the host and guest system.

Image credit: Pexels. All screenshots by Brandon Li

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Brandon Li

Brandon Li is a technology enthusiast with experience in the software development industry. As a result, he has a lot of knowledge about computers and is passionate about sharing that knowledge with other people. While he has mainly used Windows since early childhood, he also has years of experience working with other major operating systems.