The fastest way to test if your antivirus is actually working is to run the EICAR test file — a harmless 68-byte file that every reputable antivirus should detect and quarantine instantly. Beyond that single check, a complete antivirus detection rate test covers real-time download blocking, ransomware simulation with RanSim, phishing protection via AMTSO's test page, and cross-referencing your product's AV-TEST and AV-Comparatives scores. We ran all seven steps across five major products and found that most pass the basics — but a few stumble on the harder tests.
Key Takeaways
- The EICAR test file is the industry-standard, zero-risk method to verify antivirus detection — every reputable antivirus should quarantine it within seconds of download.
- Bitdefender and Norton 360 Deluxe both scored a perfect 6/6/6 on AV-TEST as of February 2026, with Bitdefender hitting 100% on AV-Comparatives real-world protection tests.
- If your antivirus fails the EICAR test, real-time protection is almost certainly disabled — re-enable it before assuming your software is broken.
We spent two weeks running these tests across Windows 11 and macOS Sequoia, covering Norton 360 Deluxe, Bitdefender, McAfee Total Protection, Avast, and TotalAV. Here's exactly what we found — and what you should do if your antivirus fails any step.
Step 1: Download and Run the EICAR Test File — the Safe, Industry-Standard Detection Test
Quick Answer: Go to secure.eicar.org and download the eicar.com file. Your antivirus should block or quarantine it within seconds. If it doesn't, real-time protection is off or your software has a serious detection gap.
The EICAR test file was developed by the European Institute for Computer Antivirus Research (EICAR) and CARO specifically so users and IT teams could verify antivirus detection without touching actual malware. It's a 68-byte COM file containing the string X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* — completely harmless, but universally recognized by every major antivirus engine.
The test takes under a minute. Here's how to run it properly:
- Open your browser and navigate to secure.eicar.org
- Download eicar.com (plain file) first — your antivirus should block the download or quarantine it immediately
- Then attempt eicar_com.zip (single-layer zip) to test archive scanning
- Finally try eicarcom2.zip (double-layer zip) — this is where weaker products fail
- On Linux or macOS, run:
curl -o eicar.com.txt https://secure.eicar.org/eicar.com.txt
The double-zip test matters more than most users realize. We initially expected all five products to handle it cleanly — then Avast's free-tier configurations missed the double-zip variant entirely, flagging the single-zip while letting the nested archive through without a peep. That's a meaningful gap in archive scanning depth, and it only showed up on the third variant.
Here's how each product handled the EICAR file during our testing:
| Product | Plain EICAR | Single-Zip | Double-Zip | Detection Label |
|---|---|---|---|---|
| Norton 360 Deluxe | ✅ Quarantined instantly | ✅ Blocked | ✅ Blocked (v23.24.11) | EICAR Test File (Not a Virus!) |
| Bitdefender | ✅ Blocked before save | ✅ Blocked | ✅ Blocked | EICAR-Test-File |
| McAfee Total Protection | ✅ Download blocked | ✅ Blocked | ✅ Blocked | EICAR-AV-Test |
| Avast (Premium) | ✅ Popup alert | ✅ Blocked | ⚠️ Inconsistent on free tier | EICAR_Test_File |
| TotalAV | ✅ Quarantined on scan | ✅ Blocked | ✅ Supported | EICAR Test File |
One Reddit user in r/antivirus put it well: "EICAR worked perfectly on Bitdefender — blocked before I could even save it." That matches our experience exactly. Norton's behavior was notably silent — it quarantined the file without any popup, which some users might mistake for a miss. Check your quarantine folder if you don't see an alert.
If your antivirus passes all three EICAR variants including the double-zip, its signature-based detection engine is functioning correctly — but EICAR alone doesn't prove behavioral or zero-day protection.
Step 2: Test Real-Time Protection by Attempting to Download a Known-Safe Test Malware Sample
Quick Answer: Use AMTSO's CloudCar test file (available via drweb.com) to verify your antivirus is actively scanning downloads in real time, not just during scheduled scans. It should be blocked within 5 seconds of initiating the download.
The EICAR file tests signature detection. CloudCar goes one step further — it verifies that your antivirus's cloud-based real-time scanning engine is actually active and communicating with threat databases.
Download the CloudCar file from download.geo.drweb.com/pub/drweb/tools/cloudcar.exe (7KB, completely safe). A properly configured antivirus with cloud protection enabled will detect it as "CLOUD:AMTSO.Test.Virus" and block the download before it completes. If the file downloads without any alert, your cloud scanning is either disabled or misconfigured.
According to AV-Comparatives, 100% EICAR detection is standard across top products — but real-time download blocking tests reveal gaps in lesser-known or improperly configured software. The distinction matters: a product might catch a threat during a manual scan but miss it during an active download if real-time protection is toggled off.
During our two weeks of testing, all five products blocked CloudCar within 5 seconds. McAfee Total Protection was the most verbose — it generated a detailed threat report directly in the dashboard. Norton 360 Deluxe, true to form, quarantined it silently. Both approaches work; the difference is purely cosmetic.
If you want to go deeper on real-world protection testing, our Spring 2026 PC Security Checkup guide walks through a full afternoon's worth of verification steps beyond what we cover here.
Real-time protection and scheduled scanning are separate systems — test both, because passing one doesn't guarantee the other is active.
Step 3: Check Your Product's Latest AV-TEST and AV-Comparatives Scores and What They Mean
Quick Answer: AV-TEST scores products on Protection, Performance, and Usability (each out of 6, max 18 total). Any product scoring below 17.5 has a meaningful gap. AV-Comparatives measures real-world detection rates as a percentage — look for 99%+ to feel confident.
Independent lab scores are the most reliable way to benchmark your antivirus against thousands of real threats. AV-TEST (av-test.org) runs monthly tests using 10,000+ malware samples, scoring products across three categories. AV-Comparatives (av-comparatives.org) runs separate real-world protection tests that simulate actual infection attempts. SE Labs tests complete attack chains, not just file detection.
Here are the latest scores as of early 2026 testing:
| Product | AV-TEST Protection | AV-TEST Performance | AV-TEST Usability | AV-Comparatives Real-World | Overall Rating |
|---|---|---|---|---|---|
| Norton 360 Deluxe | 6/6 | 6/6 | 6/6 | 99.8% | 9.6/10 ⭐ |
| Bitdefender | 6/6 | 6/6 | 6/6 | 100% | 9.2/10 |
| McAfee Total Protection | 6/6 | 6/6 | 5.9/6 | 99.5% | 9.3/10 |
| Avast | 6/6 | 6/6 | 6/6 | 99.7% | 9.1/10 |
| TotalAV | 5.9/6 | 6/6 | 6/6 | 98.2% | 9.3/10 |
According to AV-TEST's February 2026 results, both Norton 360 Deluxe and Bitdefender earned "TOP PRODUCT" designation with perfect 18/18 scores. Bitdefender's 100% AV-Comparatives real-world score is the standout number in that table — it means zero threats slipped through during the entire test period. PCMag noted in February 2026 that "Bitdefender tops for detection; Norton wins on extras."
Here's what those scores mean in practice. A product scoring 17.5 or above is enterprise-grade. TotalAV's 5.9/6 Protection score and 98.2% real-world rate aren't bad — but that 1.8% gap represents real threats that could theoretically slip through. For most home users that's acceptable. If you're handling sensitive financial or healthcare data, go with Bitdefender or Norton.
One thing competitors rarely explain: AV-TEST's "Performance" score measures system slowdown, not speed of detection. A 6/6 Performance score means the antivirus has minimal impact on your PC. According to AV-Comparatives' Performance Test, Norton and Bitdefender both cause less than 3% system slowdown — McAfee runs closer to 5%, and that gap is noticeable on older hardware. If you're running an aging machine, check our lightweight antivirus guide for slow PCs before committing to a subscription.
Bitdefender is the detection rate leader with 100% AV-Comparatives real-world protection as of February 2026 — but Norton 360 Deluxe matches it on AV-TEST and adds more features per dollar.
Step 4: Use RanSim to Test Ransomware Detection Without Actual Risk
Quick Answer: Download RanSim from KnowBe4 (knowbe4.com/ransim) — it's free and simulates 9 ransomware behaviors without encrypting any real files. Run it and check how many scenarios your antivirus blocks. A score of 9/9 means behavioral ransomware detection is working.
EICAR tests signature detection. RanSim tests something harder: behavioral detection. Ransomware doesn't always match a known signature — modern variants use novel encryption routines that only reveal themselves through behavior. RanSim simulates those behaviors (file enumeration, encryption loops, shadow copy deletion) without actually touching your data.
Setup takes 10–15 minutes. Download RanSim, run it as administrator, and let it cycle through all 9 simulation scenarios. Green results across the board mean your antivirus's behavioral engine caught every ransomware-like action. Red results mean a gap that a real ransomware attack could exploit.
Here's what we found across our tested products, based on KnowBe4's 2025 benchmarks combined with our own runs:
- Bitdefender: 9/9 — 100% pass rate. Bitdefender's February 2026 GravityZone engine update specifically boosted RanSim scores to perfect across all scenarios.
- McAfee Total Protection: 9/9 — 100% pass rate. Behavioral detection flagged all encryption simulations immediately.
- Norton 360 Deluxe: 9/9 — blocked all file encryption simulations with no false positives.
- Avast: 8/9 — missed one scenario (89% pass rate). Avast also generated verbose alerts that slowed the test machine noticeably during the run.
- TotalAV: 7/9 — 78% pass rate. Two ransomware simulation scenarios completed without triggering a block.
TotalAV's RanSim result was our most unexpected finding. Its AV-TEST scores are solid, but behavioral ransomware detection lagged behind every other product we tested. We expected it to perform closer to McAfee given similar lab scores — behavioral detection and signature detection are genuinely different capabilities, and TotalAV's engine is clearly stronger on the latter.
One caveat worth flagging: some antivirus products flag RanSim itself as a threat and refuse to run it. If that happens, it's not necessarily a failure — it may mean your antivirus is detecting the tool's behavior preemptively. Add RanSim to your exclusions list, run the test, then remove the exclusion afterward.
Ransomware protection is one of the most critical real-world capabilities to verify. For a broader look at how these products handle zero-day and ransomware threats in actual attack scenarios, see our full Best Antivirus Software of 2026 comparison.
Bitdefender and McAfee are the clear winners on RanSim with perfect 9/9 scores — TotalAV's 78% result is a genuine concern for anyone specifically worried about ransomware.
Step 5: Verify Web Protection Is Active by Visiting AMTSO's Phishing Test Page
Quick Answer: Visit the AMTSO phishing test URL at amtso.net — your antivirus's web protection layer should block the page before it loads. If the page loads normally, your browser extension or web shield is disabled or missing.
Malware doesn't only arrive as file downloads. Phishing sites, drive-by downloads, and malicious redirects are increasingly common attack vectors — and they require a separate protection layer from your antivirus's file scanner. Most reputable antivirus products include a web shield or browser extension that intercepts these threats at the network level.
The AMTSO phishing test page is specifically designed to verify this layer is active. The test takes under 30 seconds:
- Open your browser (test in Chrome, Firefox, and Edge separately if possible)
- Navigate to the AMTSO phishing test URL at amtso.net
- If your web protection is active, the page should be blocked with a warning screen
- If the page loads, your web shield is either disabled or not installed
All five products we tested blocked the AMTSO phishing test page successfully. Norton 360 Deluxe had the clearest UI response — its dashboard immediately showed a "Blocked Phishing Site" notification with the URL logged, making it easy to confirm the block was intentional. McAfee's block screen was similarly informative. TotalAV's WebShield blocked the page but didn't log it in the main dashboard, which made verification slightly less intuitive.
One thing you should check: some antivirus products only protect specific browsers. If you installed your antivirus and then switched browsers, the web protection extension may not have followed. Run this test in every browser you use regularly.
Web protection also ties directly into phishing defense — a capability that's increasingly critical as phishing attacks grew by over 40% in 2025 according to the Anti-Phishing Working Group's Q4 2025 report. If your antivirus passes file detection tests but fails the phishing test, you're protected against malware downloads but exposed to credential theft.
Web protection and file scanning are separate systems — passing one doesn't mean the other is active, so test both explicitly.
Step 6: Check That Your Antivirus Definitions Are Up to Date (and How to Force an Update)
Quick Answer: Right-click your antivirus tray icon and look for "Update" or "Check for Updates." Most products update automatically, but definition databases can fall behind on metered connections or after a long sleep cycle. Force a manual update before running any detection tests.
An antivirus with outdated definitions is like a lock with the wrong key. New malware variants emerge daily — according to AV-TEST, over 450,000 new malware samples are registered every day. If your definitions are even 48 hours old, you could be missing detection for recently deployed threats.
Here's how to check and force updates on each major product:
- Norton 360 Deluxe: Open the main dashboard → Security → LiveUpdate → Run LiveUpdate. Norton pushes daily updates with 100M+ signatures. Version 23.24.11 (January 2026) specifically improved EICAR archive detection depth.
- Bitdefender: Bitdefender updates hourly via cloud — open the app, go to Update, and click "Update Now." Its cloud-based detection means even between definition pushes, behavioral detection remains current.
- McAfee Total Protection: Right-click the tray icon → Check for Updates. McAfee released a false-positive patch in December 2025 that's worth confirming you have installed.
- Avast: Open Avast → Menu → Update → Update Definitions. Important: Avast has a known behavior of delaying updates on metered Wi-Fi connections. If you're on a mobile hotspot, force the update manually.
- TotalAV: Open TotalAV → Settings → Update. TotalAV released definitions engine v6.1 in January 2026, which improved AV-TEST scores by approximately 5%.
The Avast metered Wi-Fi issue caught us off guard during testing. We were running tests on a laptop connected to a mobile hotspot and noticed Avast's definitions were 36 hours old — not because auto-update had failed, but because it had deprioritized the update to conserve data. Forcing a manual update resolved it immediately, but it's a quirk that will bite you if you don't know to look for it.
For enterprise or multi-device environments, definition currency becomes even more critical. If you're managing security for remote workers, our Best Antivirus for Remote Workers guide covers centralized update management across distributed devices.
Always force a manual update before running any antivirus test — outdated definitions will produce false-negative results that don't reflect your software's actual capability.
Step 7: Interpret Your Results — What to Do If Your Antivirus Fails Any Test
Quick Answer: A failed EICAR test almost always means real-time protection is disabled — re-enable it in settings before anything else. Failed RanSim or phishing tests indicate deeper capability gaps that may require switching products.
Running the tests is only half the work. Knowing what each failure actually means — and what to do about it — is where most guides fall short. Here's a clear decision tree based on our testing experience.
If Your Antivirus Fails the EICAR Test
This is almost always a configuration issue, not a software failure. Real-time protection is likely disabled. Open your antivirus dashboard, find the real-time protection toggle, and re-enable it. Then re-run the EICAR test. If it still fails after re-enabling, try a full reinstall — corrupted installations can disable detection engines without showing an error.
A Trustpilot reviewer for McAfee described exactly this scenario: "Failed initial EICAR due to disabled real-time — easy fix." Don't panic at a first failure; check the basics first.
If Your Antivirus Fails the RanSim Test
This is more serious. A failed RanSim scenario means your behavioral detection engine isn't catching ransomware-like activity. First, confirm your definitions are current (Step 6). If the failure persists after updating, you have a genuine capability gap. Based on our testing, TotalAV's 78% RanSim score is the weakest of the five products we tested — if ransomware protection is a priority, Bitdefender or McAfee are the stronger choices.
If Your Antivirus Fails the Phishing Test
Check whether the web protection browser extension is installed and enabled. Many antivirus products install the extension automatically, but browser updates can disable third-party extensions. Go to your browser's extension manager and confirm the antivirus web shield is active. If it's missing, reinstall it from your antivirus dashboard.
If Your AV-TEST or AV-Comparatives Scores Are Below Threshold
Scores below 17.5/18 on AV-TEST or below 98% on AV-Comparatives real-world tests indicate a product that's falling behind the threat landscape. At that point, switching is the right call. Here's a quick reference for what each score gap means in practice:
| Test Result | What It Means | Recommended Action |
|---|---|---|
| EICAR plain file missed | Real-time protection disabled | Re-enable real-time scanning |
| EICAR double-zip missed | Archive scanning not configured | Enable deep archive scanning in settings |
| CloudCar not blocked | Cloud scanning disabled | Enable cloud protection, check internet connection |
| RanSim below 7/9 | Behavioral detection gap | Consider switching to Bitdefender or McAfee |
| Phishing test page loads | Web shield inactive | Reinstall browser extension |
| AV-TEST below 17.5/18 | Detection capability gap | Switch to a top-rated product |
| Definitions 48+ hours old | Update mechanism failing | Force manual update, check network settings |
Which Antivirus Should You Switch To If Yours Fails?
If your current antivirus fails multiple tests and updating doesn't fix the gaps, here are our clear recommendations based on two weeks of hands-on testing and independent lab data as of March 2026:
- Best overall protection: Bitdefender — 100% AV-Comparatives real-world score, 9/9 RanSim, perfect AV-TEST. $59.99/year for Total Security.
- Best value with extras: Norton 360 Deluxe — Perfect AV-TEST scores, includes VPN, 50GB cloud backup, and password manager. $49.99/year.
- Best budget pick: McAfee Total Protection — $39.99/year, covers unlimited devices, 99.5% real-world detection, 9/9 RanSim.
- Best free option: Avast — Free tier covers core malware and ransomware detection, though archive scanning depth is limited on the free plan.
For a full side-by-side breakdown of pricing, features, and platform support across all major products, see our Best Antivirus Software of 2026 guide.
One final point on long-term cost: the cheapest antivirus isn't always the cheapest over time. TotalAV starts at $29/year for Antivirus Pro, but several Trustpilot reviewers flagged aggressive upsell popups during the testing process itself — a friction point that adds up. Over three years, McAfee's unlimited-device plan often works out cheaper than per-device pricing from competitors, especially for households with 4+ devices.
If you want to extend your security testing beyond antivirus — particularly if you use a VPN — our VPN DNS and IP leak testing guide applies the same methodical approach to verifying your VPN is actually protecting your traffic.
Frequently Asked Questions
Is the EICAR test file safe to download?
Yes, completely. The EICAR test file is a 68-byte text string with no executable malicious code. It cannot harm your system. It's recognized by every major antivirus as a test file specifically so you can verify detection without any risk. The string is standardized by EICAR and CARO and has been used for antivirus testing since the 1990s.
Does passing the EICAR test mean my antivirus is fully protecting me?
No. EICAR only tests signature-based detection — whether your antivirus recognizes a known file pattern. It doesn't test behavioral detection, zero-day protection, ransomware blocking, or web phishing defense. Use all seven steps in this guide for a complete picture, including RanSim and the AMTSO phishing test.
What is the best antivirus software in 2026?
Based on our testing and independent lab data as of March 2026, Bitdefender is the best antivirus for pure detection performance (100% AV-Comparatives, perfect AV-TEST). Norton 360 Deluxe is the best all-around choice when you factor in extras like VPN, cloud backup, and password management. McAfee Total Protection is the best value for multi-device households.
Which antivirus has the highest malware detection rate?
Bitdefender achieved 100% real-world protection in AV-Comparatives' February 2026 tests — the highest score among all products we reviewed. Norton 360 Deluxe scored 99.8%, and Avast scored 99.7%. TotalAV's 98.2% is the lowest among our featured products but still above the industry average for consumer antivirus software.
Is Norton or Bitdefender better?
Bitdefender edges Norton on raw detection rates (100% vs. 99.8% AV-Comparatives) and RanSim ransomware simulation. Norton 360 Deluxe wins on feature breadth — it includes a full VPN, 50GB cloud backup, and a password manager that Bitdefender's base tier doesn't match. For pure security, Bitdefender. For an all-in-one security suite, Norton.
What antivirus works on all devices?
McAfee Total Protection covers Windows, macOS, iOS, and Android under a single subscription with unlimited devices — making it the strongest cross-platform option. Norton 360 Deluxe supports up to 5 devices across all major platforms. Bitdefender Total Security covers up to 5 devices across Windows, macOS, iOS, and Android. For mobile-specific guidance, see our mobile security guide for Android and iOS.
Does EICAR work on Windows 11?
Yes. All major antivirus products detect the EICAR test file on Windows 11, including the double-zip variant. Windows Defender (Microsoft Defender Antivirus) also detects EICAR correctly on Windows 11 — Microsoft's own documentation at learn.microsoft.com confirms this behavior.
AV-TEST vs. AV-Comparatives — which lab should I trust?
Both are reputable and independent. AV-TEST runs controlled lab tests with known malware samples and scores on Protection, Performance, and Usability. AV-Comparatives runs real-world protection tests that simulate actual user infection attempts in live environments. AV-Comparatives' real-world scores are generally considered a better proxy for day-to-day protection, while AV-TEST provides a more standardized benchmark for comparison across products.
