Top 5 Best Antivirus Software for 2020
Updated: February 2020
The best antivirus for 2020. Antivirus, firewall, VPN, password manager and webcam protection.
- Protection 100% 100%
- Online Privacy 100% 100%
✓ Trusted by 50 million users around the world
✓ Protects Windows, Mac, Android, and iOS
✓ 60-days money-back guarantee
✓ VPN: Free and unlimited
Read our full Norton Review
Excellent protection at a low price. Antivirus, firewall, VPN, password manager and webcam protection.
- Protection 100% 100%
- Online Privacy 98% 98%
✓ Protects Windows, Mac, Android, and iOS
✓ 30-days money-back guarantee
✓ VPN: Free 200 mb per day
Read our full BitDefender Review
Excellent protection. Antivirus, firewall, VPN and a password manager.
- Protection 98% 98%
- Online Privacy 93% 93%
✓ Protects Windows, Mac, and Android (not iOS)
✓ 30-days money-back guarantee
✓ VPN: Free 150 mb per day
Read our full Panda Review
Very good protection. Antivirus, firewall and an optional VPN.
- Protection 95% 95%
- Online Privacy 83% 83%
✓ Protects Windows, Mac, and Android (not iOS)
✓ 30-days money-back guarantee
✓ VPN: Not included for free
Read our full BullGuard Review
Very good protection. Antivirus, firewall, an optional VPN and a password manager.
- Protection 93% 93%
- Online Privacy 85% 85%
✓ Protects Windows, Mac, Android, and iOS
✓ 30-days money-back guarantee
✓ VPN: Not included for free
Read our full McAfee Review
The Best Antivirus of the Year
Millions of users around the world trust Norton as the industry leader in antivirus technology
Free and Unlimited VPN
How We Test
Below we explain which factors go into the calculation of our editors’ rating, what each of these factors means, and the data sources we use
How We Test
Purchasing the right antivirus software is important.
Therefore we want to be 100% transparent about the data and method we use to select the best antivirus software.
We use 6 factors to select the winning software. All factors matter, but not all are equally important. Therefore, the impact they have on the final score varies. All factors, and the impact they have, can be seen here:
- Protection from Malware 50% 50%
- Impact on Performance and Speed 15% 15%
- Devices & Features 10% 10%
- User Reviews 10% 10%
- Value for Money 10% 10%
- False Positives 5% 5%
Further below, we will explain each of the factors in detail. But first, we would like to highlight where our data comes from:
The data for Protection, Performance, and False Positives, comes from AV-Test and AV-Comparatives. These are the two internationally recognized leaders in antivirus testing.
The data for the User Reviews comes from TrustPilot and the Google Play Store. Trustpilot is the most trustworthy platform in the world when it comes to the collection of objective and verified user reviews.
And the Google Play Store is the app store for Android, the most used operating system for mobile phones. It has one on of the largest database of software reviews globally.
The data for Value for Money comes from the vendor directly. These are the protection features offered and the price requested.
The data for Supported Devices also comes from the vendors directly.
Protection from Malware
Protection from malware makes up 50% of the total score
The most important feature of any cybersecurity product is, of course, the protection from malware.
Malware is a collective term which stands for a large number of cybersecurity threats, including viruses, ransomware, spyware, adware, phishing and more. In order to protect you effectively from such a diverse range of attacks, the most advanced antivirus software use three different protection methods. Below we provide more detail on each method.
All antivirus providers featured in this comparison have been tested in-depth on each of the methods.
Signature File Detection:
Signature file detection is the most classic form of malware detection. Using this method, antivirus software scan files for traces of malicious code, called digital signatures. This scanning behavior is why many people refer to antivirus software as virus scanners.
A digital signature is a unique pattern that allows security tools to recognize malware. Imagine it as the equivalent of a fingerprint a burglar would leave. Only in this case, it is a digital fingerprint left by malware in its attempt to cause damage to you or your devices.
These digital signatures are stored in a database containing hundreds of millions of malware samples. Whenever a new malware threat is uncovered by a cybersecurity company, it is added to the database.
This method of malware detection is reliable, fast, easy to operate, and scalable. However, it is not perfect. As it relies on cybersecurity companies to first recognize new threats and then updating the malware samples in the database, this method is useless against brand new malware. It is always one step behind new attacks.
Therefore, cybersecurity companies have developed a second form of file detection.
Heuristic File Detection:
Heuristic file detection is the evolution of signature-based detection. It allows antivirus tools to identify malware that have not been seen before and have not been added to any database.
It does so by looking for behavioral patterns that are typical of malware, rather than at malware signatures. Once a file is flagged as having suspicious behavior, there are generally two ways the antivirus software would move forward with its analysis:
File Emulation: Also known under the term “sandbox testing”. In this method, the antivirus software will allow the malware to operate in a safe environment called the sandbox. This is often a virtual machine where the malware can cause no harm, and the antivirus can analyze it in more detail.
In the sandbox, the potentially dangerous file is analyzed for common malicious patterns. These include rapid replication attempts, file overwrites, or any attempt to hide certain files. If any of these patterns are detected, the antivirus software takes further action to eliminate the threat.
Genetic Signature Detection: New malware are often a slightly adjusted form of existing malware. This allows the creator to reuse its malware without triggering signature-based detection.
In genetic signature detection, however, antivirus software compare the source code of potentially dangerous files with the source code of known malware. If there is a significant overlap between the two, the antivirus software takes further action to eliminate the threat.
User-Focused Protection Features:
Next to the two methods described above, there is a third way in which antivirus programs protect users from malware. Rather than a specific method, it is a collection of features designed to protect users from downloading malware or visiting dangerous websites.
If you think about it, this is the natural evolution of the cybersecurity industry. As both malware and anti-malware become increasingly sophisticated, cybercriminals look for other weak links in the chain. And often this weak link is us, the users.
The tools to protect users are varied. But some of the most common include:
Web advisors that flag suspicious or dangerous websites before you visit them.
WiFi security advisors that recommend you to avoid specific WiFi networks or use a VPN when connecting to them.
Password managers that help you create and store unique and highly secure passwords.
Hardened browsers that open encrypted web browsers when you attempt to access online banking or payment tools.
Impact on Performance and Speed
Performance impact makes up 15% of the total score
Performance impact stands for the influence of the antivirus on the operating speed of the device. Every antivirus tool requires a certain amount of resources to run, impacting the operating speed in some way. However, some do so in much more dramatic ways than others.
Performance impact can be measured in a variety of ways. The most common are the impact on download times, load speeds and the resources required to run the program in the background.
Devices and Features
Supported devices makes up 10% of the total score
In this factor, we analyze which operating software the antivirus support, and which features they offer per operating software. In many cases, the cybersecurity companies build full security suites for Windows, but offer significantly less for their antivirus for Mac, Android, and iOS.
There are some exceptions to this rule, however. And that is exactly what this factor is about.
A note on iOS:
All of the antivirus programs in this list have dedicated security apps for Windows, Mac, and Android, which is great. Two of them, however, don’t have dedicated apps for iOS.
Although it is true that Apple has designed iOS to be incredibly safe, users still fall into phishing traps, use unsafe passwords, or are tracked by their internet service provider.
Therefore, having a web advisor, password manager or VPN, is just as valuable on iOS as on any other operating software.
User Reviews make up 10% of the total score
User reviews are incredibly important as they reflect not only the product quality, but also the customer service of the companies.
As customer reviews have turned into a powerful marketing tool, it is often difficult to know which reviews to trust.
In order to get access to high quality and verified user reviews, we have consulted the Google Play Store and TrustPilot. These are the largest and most trustworthy user review databases currently available and publicly accessible.
Value For Money
Value for Money makes up 10% of the total score
Considering the amount of harm malware can cause, and how much this can end up costing, the price of an antivirus should not be the most important factor in your consideration. That being said, it definitely does matter. As all antivirus providers in this list offer excellent protection, there is no reason to pay more for an overpriced product. To research this factor, we have analyzed the pricing strategy of the various cybersecurity companies in each market they are available, and compared it to the protection and features offered.
False Positives makes up 5% of the total score
False positives are instances in which antivirus software flags a clean file as malware. All antivirus programs do this to some degree, as they are a common byproduct of heuristic file detection. Some cybersecurity products, however, produce considerably more false positives than others. Although this does not pose a security threat, it can be annoying in day to day usage.
AV-Test is a German based test laboratory that specializes in cybersecurity. It uses state-of-the-art technology and one of the largest malware databases in the world to run its tests. We consult AV-Test’s findings in the calculation of the protection and performance scores.
AV-Comparatives is an Austria based test laboratory that has been running cybersecurity tests since 1999. It is well-known to build real-world test scenario’s in which all three protection layers of the antivirus software are fully utilized. Like AV-Test, we consult AV-Comparatives findings to calculate the scores in the protection and performance categories.
TrustPilot is one of the largest and most trustworthy user review platforms in the world. Its mission is to bring businesses and people together and allow them to engage in meaningful ways. Over 200.000 businesses have been reviewed in Trustpilot by more than 45 million reviews.
The Google Play Store is the app store for Android, the most used mobile operating system in the world. The Google Play Store has one of the largest software review databases in the world.
Tech enthusiast and founder of SoftwareLab. He has degrees in Engineering and Business, and has been active in the analysis of software, electronics and digital services since 2013.
Frequently Asked Questions
Below we have summed up the most commonly asked questions surrounding the topic of cybersecurity and the best antivirus software.
What Is Adware?
Adware is a universal name for computer programs that have been designed to display various advertisements on a person’s computer. Adware programs can redirect search requests, display unwanted ads in your browser, and even collect data like the kind used in marketing campaigns.
There can be both malicious and non-malicious adware programs. Malicious adware programs are those that collect marketing data without the user’s consent and that can’t be located on the computer. Such “invisible” pieces of software that operate behind the scenes can often get into a user’s computer through freeware programs, infected websites and emails, or remote installations through a backdoor.
What Is Antivirus?
An antivirus is a type of software, initially designed to aid in the removal of computer viruses. Over the years, this type of software has evolved to the point where it can also prevent various cyber threats from getting into one’s computer.
Antivirus programs are essentially suites of tools known to protect computers against malware, viruses, hijackers, keyloggers, worms, adware, spyware, spam, phishing, rootkits, and so on. These programs use the so-called “definitions” which need to be updated regularly to ensure protection against all the latest threats. They can also use sandbox detection (behavioral-based detection), data mining, or even machine learning algorithms to detect, quarantine, and ultimately remove threats.
What Is a Botnet?
Botnets, also known as zombie armies, are used by black hat hackers or crackers for a wide range of applications. In essence, a botnet is a series of linked devices (computers, smartphones, etc.), each one operating its own bot unknowingly. This kind of network can be created without the device’s owner’s consent and operated remotely by one or more individuals.
The most common use for a botnet is launching powerful DDoS attacks, stealing personal information, and sending spam, amongst other things. The combined computational power of multiple devices, hijacked and connected via bots is what makes botnets so dangerous and hard to safeguard against. Botnets can also be rented to individuals or groups that need the computing power for attacks.
What Is a Computer Exploit?
The name computer exploit can refer to software, data, command sequences, or lines of code that can take advantage of a certain software or hardware vulnerability. Using an exploit, one can either gain remote access to someone else’s device or cause significant damage to their software or hardware components. This happens as a result of unintended behavior triggered by the attacker.
Computer exploits can come in various types and are typically categorized depending on the type of vulnerability they exploit. There are also both local and remote exploits. These classifications refer to the level of access one needs to use the exploit against a computer or network of devices. Zero-day exploits are the most dangerous as there’s no protection against them.
What Is a Computer Virus?
A computer virus is one of the most common types of malware, affecting millions of operating systems every day. It’s essentially malware with the potential to replicate itself through the corruption of other programs, much like how the flu virus works. It inserts its own code into other programs thus infecting them and causing them to behave poorly or in a very specific way.
Not only is it one of the most damaging types of malware but it can also be costly due to how it can waste resources, corrupt important data, and even cause system failures. That’s not to mention its potential for use in identity theft, DDoS attacks, spreading political propaganda, terrorist propaganda, and so much more. Computer viruses don’t attack until the file or program they’re attached to is opened. As such, many can be removed before doing any harm.
What Is a Computer Worm?
A computer worm is a self-replicating malicious program that usually spreads through entire networks, causing significant traffic disruption. While not typically created to deliver any kind of payload, as most computer viruses do, a computer worm will often be used to set up a botnet.
Worms can install backdoors on user computers. This, in turn, allows someone else to control those devices, install bots, and create a zombie network that can be used for more powerful attacks or rented to others with nefarious plans and in need of high computing power. Worms can also cause traffic disruption or make systems unreliable or unavailable due to eating up a chunk of the infected device’s computing power.
What Is Computer Hacking?
Computer hacking can be used to describe two types of activities. It is sometimes used with a negative connotation when it refers to activities practiced by those with malicious intent. These individuals or groups use various computer exploits and malware programs to take control over foreign computer systems in order to either cause disruption or gain a financial advantage.
It is also a term used in association with activities practiced by coders that work against malware programs, those that create antivirus programs, firewalls, and patch various system vulnerabilities. As such, hacker is usually used to describe a security hacker while cracker is the term associated with individuals with malicious intent.
What Is Cybercrime?
Cybercrime, originally named computer-oriented crime, is any crime that involves either a computer or a network of computers. If computers, networks, or other mobile devices are used either as tools to commit the crime or the intended targets, the crime is classified as cybercrime.
Also covered under cybercrime are crimes that involve the use of telecommunication networks or services (chat rooms, emails, etc.). Cybercrimes have multiple classifications depending on the actions or tools used. As such, there are financial fraud crimes that fit under cybercrime, as well as cyberterrorism, online harassment, drug trafficking, human trafficking, and others.
What Is a DDoS Attack?
DDoS stands for distributed denial-of-service. This type of attack is often used to disrupt traffic on networks or individual servers. It works by flooding its targets with large amounts of internet traffic, thus slowing down their performance. A DDoS attack can be initiated against a target or a target’s infrastructure.
It is also important to know that most DDoS attacks are launched using what’s called a zombie network or a botnet. Because they can make use of multiple corrupted or compromised devices, these attacks can have devastating effects and disrupt the regular flow of data and information.
What Is Identity Theft?
Identity theft is a crime in which someone deliberately uses another person’s identity as a means to gain financial advantages or other benefits, while also leaving the victim to suffer consequences for the perpetrator’s actions.
When classified as a cybercrime, it means that the identity theft happened as a result of various computer exploits, hacks, use of malicious programs or suites to gather the personal identifying information necessary to gain said advantages. Identity theft can also be used to describe actions in which a person’s personal information is used by a cybercriminal to steal money from their banking account or to open new accounts and run up massive bills.
What Is a Keylogger?
A keylogger can be a hardware component or software program used to monitor and record keystrokes on a keyboard. A keylogger is usually designed to work in the background and be completely invisible to the user. Keyloggers can also be part of malicious software suites known as rootkits and set the stage for a more powerful attack.
Not all keyloggers are used with malicious intent. Some are used by companies to monitor employee activity, some by parents to monitor their kids’ online activity, while others are used in the field of cognitive writing research. However, keyloggers can also be used to steal passwords and other sensitive personal information.
What Is Malware?
Malware, or malicious software, is the term used to describe any type of software designed to grant unauthorized access to devices or networks of devices. Malware can also be used to steal, corrupt, or collect data and hamper the target computer’s or network’s processing power. Some common examples of malware include adware, spyware, keyloggers, etc.
Depending on what type of malware is affecting a system, specific actions are required to contain the situation and repair the damage. This is why the best protection against most types of malware is usually a strong antivirus suite that has adware and spyware detection functionality, a comprehensive and regularly updated virus directory, and a firewall.
What Is Phishing?
Phishing is one of the most popular techniques used in social engineering. It denotes any malicious attempt to illegally obtain confidential or personal information while posing as a trustworthy entity. Phishing is often done via email spoofing.
While most phishing attacks involve the use of fake websites and redirects to said websites via links or corrupted attachments, some phishing attacks are carried out the old-fashioned way. For example, voice phishing usually uses fake caller IDs and VOIP services to gain the target’s trust and extract confidential information.
Catphishing is a popular type of phishing in which the perpetrator attempts to lure the target into developing an emotional investment for the purpose of eventually sending money. Law enforcement may also use catphishing techniques to catch criminals.
What Is Ransomware?
Ransomware is malicious software most often used to hold various important files, programs, or entire networks hostage until a ransom is paid. It is also used to blackmail targets under the threat of releasing sensitive information publicly unless the perpetrator’s demands are met.
These types of attacks are generally launched with a Trojan virus, most likely mirroring a legitimate file that the user would download and access. What makes ransomware so dangerous is not just the difficulty of cracking decryption keys but also the difficulty in tracing back the attack to the perpetrators. That’s because most ransoms are paid in cryptocurrencies which are virtually untraceable.
What Is a Rootkit?
A rootkit is usually a collection or suite of software tools designed to grant remote access and eventually control over foreign computer systems or networks. It is often used with malicious intent such as establishing a backdoor into a system. This backdoor can then be used to install other malware.
When not used with malicious intent, a rootkit program could be used to provide end-user support for various programs and applications. Because a rootkit is not classified as a computer virus or worm, it can’t spread by itself, meaning that it has to be installed directly. As such, malware rootkit suite is often either masked as a legitimate program or hidden inside one.
What Is a Scam?
A scam is any action that involves a fraudulent scheme carried out for the purpose of taking money, goods, or sensitive information from individuals or groups. In this digital age, more and more scams are done via the internet due to the ease of targeting multiple individuals or marks simultaneously.
Some notable examples of scams include auction fraud, phishing, donation scams, the Nigerian prince scam, catphishing, cold calls, chain mail, online surveys, and others. Scams can be targeted cons or simple steps in much larger cons that merely serve as a means to advance a scheme forward.
What Is Social Engineering?
Social engineering refers to any action of psychological manipulation against individuals or groups for the purpose of divulging confidential information or generally performing actions that might be detrimental to them or their organizations.
There are various types of social engineering, depending on how the manipulation is done or what it aims to achieve. Usually, a social engineering tactic is just one step in a larger con, a means to advance a plan to the next step. One of the most common tactics is that of impersonating trustworthy entities through direct contact or by phishing.
What Is Spam?
Spam is the designation used for the action of sending unwanted electronic messages in bulk. While the most popular use involves sending unwanted and unsolicited emails to trick people into giving personal or otherwise sensitive information, spam can also be used in what are known as spam marketing campaigns. Spam campaigns can be initiated via a botnet and are considered very cheap, even though they don’t appear as trustworthy to most people.
Of course, the term is not used just for emails. Spam is in fact the definition of any type of unwanted electronic message sent in bulk. This includes emails, phone messages, search engine messages, blog posts, social media posts, forum posts, classified ads, and so on.
What Is Email, IP, or DNS Spoofing?
Spoofing is the practice of altering any number of forms of communication coming from unknown sources to appear as though they are coming from trustworthy sources.
IP spoofing is used to disguise a computer in order to gain access to an otherwise restricted network or to hide one’s activity online.
Email spoofing often involves the use of fake email accounts that look almost legit, carrying links or attachments that either ask for confidential information or lead to other websites that can spread malware.
DNS spoofing is usually done to divert traffic from trustworthy websites to fake websites that can spread malware programs. Sometimes email spoofing and DNS spoofing go hand-in-hand.
What Is Spyware?
Spyware is any type of malicious software like adware, Trojans, system monitors, or even tracking cookies that can be used to collect and transmit sensitive information from individual computers or computer networks without the user’s consent.
Although spyware is typically used with malicious intent and the programs tend to run covertly without the user’s knowledge, one could also classify keyloggers as spyware. As such, not all spyware is used to steal information. Sometimes it is used to simply monitor someone’s actions to better assess their productivity, interests, or level of loyalty to their employer.
What Is an SQL Injection Attack?
An SQL injection attack is often used to spoof an identity and modify or corrupt existing data. This type of attack vector is quite common and is often used against online vendors, marketplaces, or any other business that uses an SQL database. The main purposes of these attacks include gaining access to hidden data, modifying balances, and destroying data.
The attack is performed by inserting malicious SQL code into a field for execution or database query. Although there are multiple types of SQL injection attacks, they are all considered to be less threatening when compared to other types of malware programs and exploits due to the constant improvements in the field of web security.
What Is a Trojan Horse?
A Trojan horse is the designation for malicious software that doesn’t self-replicate or propagate itself through entire networks and appears benign in nature. There are multiple types of Trojan horse viruses and they are categorized by the type of actions they perform. As such, there are remote access Trojans, backdoor Trojans, and proxy Trojans, among others.
The typical method for propagating Trojan viruses is through social engineering techniques like phishing and spoofing. The victim unknowingly downloads them to their computer, usually attached to a seemingly legitimate file or piece of software.
What Is a Zero-Day Exploit?
A zero-day exploit can be one of the hardest things to safeguard against. The reason behind this is that there is actually no way to protect against a vulnerability that no one knows about. This designation is given to exploits that are not common knowledge, meaning that only the person or persons that are taking advantage of it know about it.
Once a zero-day exploit becomes known or publicized to other coders and security experts, it is no longer called that. The exploit instead becomes known as an N-day exploit, where N stands for the number of days since the discovery of the exploit.
Below you can find all the sources we have used in our analysis
Disclaimer: SoftwareLab.org is not an antivirus, VPN or hosting service provider and does not endorse the use of the products featured on this website for unlawful means. It is the responsibility of the user to adhere to all applicable laws. We have no control over the third-party websites we link to and they are governed by their own terms and conditions. SoftwareLab.org is supported by advertisement in order to be a free-to-use resource. We strive to keep the information accurate and up-to-date, but cannot guarantee that it is always the case.