Ever wondered whether your antivirus really works at blocking real viruses, or which options can actually protect you against ransomware? If you want to determine whether an antivirus is any good, it’s best if you actually test each one against real Windows malware. Find out how to do that in a safe way in this guide.
When choosing a computer to use for these tests, we recommend opting for an old computer that you don’t care about much or a cheap, new computer that does not have any of your personal files on it yet.
Warning: this guide involves downloading real malware – programs that are designed to cause real damage to your computer and data. If you take enough precautions, you should be safe. But be prepared for anything.
Install a Windows Virtual Machine
Since we are running a Windows virtual machine (VM), try to start with a computer that uses something other than the Windows operating system, such as macOS or Linux. By having the host run a different operating system than the VM, there is less chance that a virus infecting your VM can break through to infect your actual host system.
We are using Parallels Desktop for Mac on macOS to run a Windows VM in this guide. Install Parallels with Windows 11; it’s very easy and takes just a few clicks to get set up.
Other Virtualization Options
If you have a different host OS or prefer to use another provider, you can choose another virtualization software instead of Parallels. There are many options, depending on your host operating system. A few good options follow:
- Installing a legal Windows VM
- Installing a Windows VM on macOS with VMware Fusion
- Installing Windows with VirtualBox on Linux
Protect and Harden Windows
You can limit the possibility that malware will spread by preparing various programs and settings before downloading and testing the malware.
Install, Update, and Configure an Antivirus
At this point, you want to install the antivirus program of your choice on your VM. In this guide, we are using the default Windows Defender.
- Open the Settings app and click “Privacy & security -> Windows Security.”
- Click “Virus & threat protection.”
- Scroll down a bit and click “Manage settings.”
- On the next screen, ensure all of the security options are toggled on, especially the “Real-time protection” option.
- Click the back button in the top-left corner, then scroll down to click “Protection updates.”
- Click “Check for updates” to ensure Windows Defender can identify the latest threats.
Tip: Did you know that you can switch between Windows 10 and Windows 11 using a virtual machine?
Create a Non-Administrator User Account
The default account on a Windows VM is usually an administrator account. It is riskier to run malware with an admin account, as it can make changes to the operating system without requiring a password.
- Open “Settings -> Accounts.”
- Click “Other users.”
- Click “Add account.”
- Click “I don’t have this person’s sign-in information.”
- Click “Add a user without a Microsoft account.”
- Type in a name and password for the user.
- Scroll down to fill out all the security questions, then click “Next.”
- The new account will be created as a “Standard User,” not an “Administrator.” Click the Windows Start button, then your current user name, and select the new username.
- Log in with the password you chose and you’re good to go.
Prepare to Run the Malware
To prepare your VM to run the malware and test it, you’ll need the follow few items:
You’ll have to install Python 2.7, a safe program, to run the malware repository that will be downloaded later.
- Open the Settings app and search for “App execution aliases” in the search bar.
- Scroll down to find any items named “python3.exe” or “python.exe” and toggle them all off.
- Download Python 2.7 from its official website. You most likely want the “Windows x86-64 MSI installer” file.
- Go through with installing. In the customize steps, make sure you have “Add python.exe to Path” enabled.
- Download and install the Microsoft Visual C++ Compiler for Python 2.7.
Download and Install theZoo
- View theZoo on GitHub. theZoo is a popular open-source program that will safely browse a collection or a “zoo” of known malware. Click “Code -> Download ZIP.” Rest assured, nothing bad will happen to your computer from just downloading this .ZIP file. All of the malware remains encrypted and locked until you complete the final step below.
- Extract the downloaded .ZIP and enter the folder. You should see various .PY files and a “malware” folder.
- Right-click an empty space in the file explorer and click “Open in Terminal.”
- Install and update additional Python modules that theZoo needs to operate. Type the command
pip install --user --upgrade "pip==20.3.4"and hit Enter.
- Input the following
pip install pyreadlinecommand.
pip install --user -r requirements.txt.
- You should see the message “Successfully installed pyminizip-0.2.6.” Don’t worry about the warning messages.
Configure Parallels Settings for Maximum Security
- Shut down your Windows VM.
- Press on the gear icon of your Windows VM in the Parallels Control Center.
- Go to “Hardware -> CPU & Memory -> Manual,” then reduce the “Processors” and “Memory” to less than half of your physical system amounts. To be safe, reduce to two processors and 4 GB of memory.
- Click “Shared Printers,” then uncheck “Share Mac printers with Windows 11.”
- Go to “Network -> Source menu” and select “Disconnected.”
- Select “Security” and check the “Isolate Windows from Mac” option.
- Click the power button on your Windows VM in the Parallels Control Center.
- Log back in to the non-administrator user you created earlier.
Even if you aren’t using Parallels, you can apply similar settings to most other virtualization software.
Tip: did you know that you can remove a virus from your PC without an antivirus? Learn how by following our guide.
Run the Malware
- To run the malware, open a Terminal window in theZoo folder as shown previously.
python theZoo.pyand hit Enter.
- Read the End User License Agreement (EULA), then enter “YES.”
- Inside theZoo console, enter the
helpcommand to see various commands. Enter
exitto leave theZoo at any time.
search ransomwareto list all ransomware. You should see a list like the one below.
- Select one of the malware using
<id>with the leftmost number next to the malware listed). For example, enter
use 352to select the Petya ransomware.
getto download the selected malware.
- You should promptly receive a Windows Defender notification indicating that it blocked something.
Success! This means you have good protection. While most good antivirus programs will just silently block any malware from being downloaded, you’ve verified it!
During our testing, we sometimes found the antivirus to be a bit too strong. After running the
get command, we occasionally received the below error message. We didn’t know what the problem was at first but soon realized that our antivirus had preemptively removed the zipped-up malware before we could run any commands. If you see this error message, consider giving your antivirus a passing grade.
If you’re interested in protecting your Windows PC, check out this guide on identifying legitimate Windows processes.
Frequently Asked Questions
What is the best way to protect from computer viruses and malware?
Microsoft has done a superb job beefing up Windows security, so you can consider it unnecessary to install third-party antivirus programs. Keeping Windows Defender up to date and with real-time protection enabled is the best way to protect your Windows PC. In the test we ran, Windows Defender immediately blocked any malware we tried to download.
What is the EICAR test file?
EICAR stands for the European Institute for Computer Antivirus Research. The EICAR test file is a completely harmless computer executable program designed to test whether antivirus programs actually work. When the file is run, all it does is print out the text “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!”
While using the EICAR test file is a safe and easy way to test whether your antivirus works, this approach has a few flaws. For instance, computer security developers have to specifically add the EICAR test file definition into their programs to detect it. Thus, some legitimate antivirus programs don’t bother to block the EICAR test file, as it poses no real threat to users.
It also means that a fake antivirus could block the EICAR file to “pass” the test while offering no protection to your computer at all! Secondly, the test file contains no real malicious code, so you won’t be testing the full capabilities of your antivirus, which usually involves terminating programs with suspicious behaviors or blocking ransomware code from executing.
Is it possible for malware to escape a virtual machine and infect the host system?
While it is rare, it is possible. When testing with theZoo, it’s important to only select existing malware that is known to not have the capability to escape the VM guest system and infect the host system.
Additionally, because malware is designed to target and exploit only a specific operating system like Windows, it is more secure to use different operating systems for the host and guest system.
Image credit: Pexels. All screenshots by Brandon Li
Our latest tutorials delivered straight to your inbox