Emsisoft Anti-Malware Review | Daxdi

With most antivirus products, I can easily identify the country of origin.

Bitdefender comes from Romania, for example, and while Kaspersky is a global corporation, it originated in Russia.

Emsisoft is an exception.

The staff that creates and maintains Emsisoft Anti-Malware is distributed all over the world, from the US to New Zealand and beyond.

Regardless of its homeland, Emsisoft earned good scores in our malware protection and ransomware protection tests, and a much-improved score in our antiphishing test.

The new Cloud Console offers comprehensive remote management, if you have the technical skills to get it configured.

It's a good choice for the right customer, though not up to the standards of our Editors' Choice antivirus products.

Just under $40 is the most common price for standalone antivirus.

Nearly a third of the products I follow hit that price.

Emsisoft cost the same years ago, but more recently it's just $29.99 (which had previously been the semi-permanent sale price).

You can get three Emsisoft licenses for $49.99 per year, or five for $69.99.

At $59.99 per year, Symantec Norton AntiVirus Plus costs a bit more, though it does include spam filtering, password management, online backup, and more.

McAfee looks expensive, with a $59.99 per year subscription, but that lets you install it on every Windows, macOS, Android, and iOS device in your household.

As with many modern security products, you begin your Emsisoft adventure by creating an online profile.

From the profile you can start a 30-day free trial or enter your license code.

When you launch the Emsisoft installer, it downloads and installs the latest code.

Once the main window comes up, you'll notice that the Protection panel displays a No Protection warning and offers a Fix Now link.

Just give it a few minutes to finish installing, updating, and configuring its components.

You don't even need to click Fix Now.

Four big panels dominate the main window's light-colored background: Protection, Scan & Clean, Logs, and Settings.

A left-rail menu effectively duplicates the effect of clicking the panels; the icon you use most is the one that brings you back to the main screen.

Emsisoft's combination of greens, blues, and whites gives it a pleasant appearance, quite different from the tough-looking slate-gray tones found in some competitors.

Scan Choices

Right in the Scan & Clean panel, you can click links to run a quick scan, a malware scan, or a custom scan.

Clicking the panel itself brings up a page with clear descriptions of each scan.

The quick scan scans only active programs, looking for traces of malware.

The malware scan looks in "all places that malware typically infects."

What about the familiar full scan of your entire computer, seen in most other antivirus utilities? To get that, you choose custom scan.

By default, it scans the entire C: drive, which is probably what you want.

The custom scan page includes several settings to configure just how the scan proceeds, but they come preconfigured for the best protection.

Don't change them unless you know what you're doing.

A full custom scan of a standard clean test system took one hour and 45 minutes, a bit more than the current average of one hour and 12 minutes.

A second full scan ran in close to the average time.

On the other hand, the malware scan ran in five and a half minutes, and a quick scan in 30 seconds.

I recommend a full scan after installation, to root out any existing problems.

After that, real-time protection should take care of any new problems.

If you skip that initial custom full scan, you'll get it anyway, eventually, because Emsisoft schedules such a scan for once per week.

You can edit that scan, or add other scans on a monthly, weekly, or daily schedule.

Note that, by default, Emsisoft won't launch a scheduled scan when in Silent Mode.

Silent Mode kicks in when it detects that your system is busy with a resource-intensive game or application.

There's one more scan you should consider.

Clicking Emergency Kit Maker on the scan page gets you the option to create your own self-contained Emsisoft Emergency Kit.

This is a standalone executable that you can copy to a removable drive and use to scan other computers, perhaps ones so badly infested by malware that you can't install the full antivirus.

This isn't a bootable rescue system like you get with Kaspersky or Bitdefender Antivirus Plus, but it can be a useful tool.

Little Help From the Labs

Independent antivirus testing labs around the world have as their sole goal evaluating security products and reporting on how well they perform their essential tasks.

I follow four such labs, and I'm impressed by any product that shows up in results from all four.

Among these are F-Secure Anti-Virus, Kaspersky, Norton, and Trend Micro.

Alas, Emsisoft is at the other end of the spectrum.

It does have a toehold in the lab results realm, but barely.

At present, it has only one lab test result.

I closely track four of the many tests regularly performed by the researchers at AV-Comparatives.

These tests include a basic malware protection test, a real-world dynamic protection test, a test specifically focusing on removal of existing infestations, and a performance test.

A product that passes a test receives Standard certification; those that go beyond the minimum requirements can earn Advanced or Advanced+ certification.

Emsisoft earned Advanced in the malware removal test.

This test uses malware samples that all the tested products are known to detect.

It challenges each product to clean up existing malware infestations.

In past years Emsisoft has participated in more tests with this lab, and earned a fair number of Advanced and Advanced+ certifications.

Lab Test Results Chart

I use an algorithm that normalizes lab tests to a 10-point scale and produces an aggregate score.

However, results from one test just aren't enough for an aggregate.

All I can say is, when it did participate in more testing, Emsisoft did well.

Kaspersky Anti-Virus, Avira, and Norton are among the products tested by all four labs.

Kaspersky earned perfect scores in all but one of the latest tests, for an aggregate score of 9.9 points.

Avira and Norton tallied to 9.8 and 9.6, respectively.

Good Malware Protection

When I don't get a lot of help from the labs, my own hands-on malware protection testing becomes more important.

To start the test, I simply open a folder containing a collection of malware that I have curated and analyzed myself.

For many products, the minimal access that occurs when Windows Explorer checks the file's name, size, and creation date for display is enough to trigger an on-access scan.

For others, the trigger involves copying samples to a new location.

Like Cylance, McAfee AntiVirus Plus ($19.99 at McAfee), and a few others, Emsisoft waits until just before a process launches to check it for malware.

That means a bit more work for me, as I must launch every single sample.

Fortunately, Emsisoft caught all but a small number of the samples before they could even launch.

This resulted in a slide-in notification from the antivirus, along with a Windows error message explaining that the file contained a virus.

A couple items managed to launch but got caught later.

Overall, Emsisoft detected 91 percent of the samples, right in the middle for products tested with this sample set.

In a couple cases, Emsisoft requested a restart to fully clean a sample that dropped some files before it was captured.

I observed that on restart, Emsisoft launched a scan before Windows started.

That's a good time to wipe out Windows-dependent malware.

Emsisoft's overall score of 8.9 points is decent, but quite a few others have done better.

Webroot SecureAnywhere AntiVirus ($18.99 for 1-Device on 1-Year Plan at Webroot) detected 100 percent of these samples and scored 9.7 points.

Windows Defender missed a few, with 98 percent detection, but thorough blocking of the ones it detected helped it beat out Webroot and take 9.8 points.

Emsisoft includes a powerful behavior-based detection system that even works against ransomware (more about that later).

For a sanity check, I installed 20 old Daxdi utilities, now uncommon, choosing those that hook into Windows to perform their duties.

Emsisoft correctly left almost all of them alone.

It did quarantine a component of one installer as suspicious, but the utility seemed to install and run correctly.

Malware Protection Results Chart

Because gathering and analyzing a new selection of malware takes a long time, I don't refresh the collection often.

For a look at how each antivirus handles up-to-the-minute malware, I use a feed of recent malware-hosting URLs generously supplied by MRG-Effitas, a London-based security testing firm.

As I go down the list, launching each URL, I find many that are already defunct, even though they're just a day or two old.

For those still viable, I note whether the antivirus blocks access to the URL, eliminates the malware payload, or simply fails to react.

When I have 100 data points, I run the numbers.

The actual analysis happens below the browser level, so it works with any browser.

However, the browser just displays an error message when Emsisoft blocks a page—a slide-in from the antivirus explains what happened.

Trend Micro does something similar when blocking a dangerous or fraudulent URL that's secured using HTTPS.

Emsisoft's blog posts point out that, unlike some competing products, this one never sends the URLs you visit to the cloud for checking.

Rather, it sends a hash of the domain, for comparison with hashes of known dangerous domains.

There's no possibility of Emsisoft or its employees gathering a history of your web browsing.
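
The hashed-domain lookup described above, sketched as an added example that is not Emsisoft's code. SHA-256, the `HashedBlocklist` stand-in for the cloud service, and the `.example` domains are assumptions, since the review does not name the hash or the service interface.

```python
import hashlib
from urllib.parse import urlsplit


def domain_of(url: str) -> str:
    """Return the normalized host of a URL: lowercase, no port, no trailing dot."""
    host = urlsplit(url).hostname  # hostname drops the port and lowercases
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    host = host.rstrip(".")
    # Internationalized names are hashed in their ASCII (punycode) form.
    return host.encode("idna").decode("ascii")


def domain_digest(url: str) -> str:
    """Digest of the domain only; path, query and fragment never enter the hash."""
    # Assumption: SHA-256. The review only says "a hash of the domain".
    return hashlib.sha256(domain_of(url).encode("ascii")).hexdigest()


class HashedBlocklist:
    """Hypothetical stand-in for the remote service: it holds digests of known
    dangerous domains and records exactly what each client query reveals."""

    def __init__(self, bad_domains):
        self._digests = {
            hashlib.sha256(d.lower().encode("ascii")).hexdigest()
            for d in bad_domains
        }
        self.seen = []  # everything the service ever receives from the client

    def lookup(self, digest: str) -> bool:
        self.seen.append(digest)
        return digest in self._digests


def check_url(url: str, service: HashedBlocklist) -> bool:
    """Client side: hash locally, send only the digest, return the verdict."""
    return service.lookup(domain_digest(url))


if __name__ == "__main__":
    # Constructed sample data; the domains use the reserved .example TLD.
    service = HashedBlocklist(["malware-host.example"])
    visits = [
        "https://malware-host.example/payload.exe?id=42",
        "https://Shop.Example:8443/cart?session=abc",
        "http://malware-host.example/other/page",
    ]
    for url in visits:
        verdict = "BLOCK" if check_url(url, service) else "allow"
        print(f"{verdict:5}  {url}")
    # The service-side record contains digests only: no paths, no queries.
    # Both visits to malware-host.example produce the same digest.
    for digest in service.seen:
        print("service saw:", digest)
```
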

Working my way through the URLs, I noticed that I never saw an Emsisoft notification about deleting a dangerous download.

That's because this tool responds to scanning requests by Internet Explorer, Edge, and Chrome, returning its verdict through the browser.

If you see a message like "filename.exe contained a virus and was deleted," that's Emsisoft at work.

In the end, Emsisoft blocked browser access to 33 percent of the malware-hosting URLs and flagged another 60 percent as malware.

Its total score of 93 percent is good, but quite a few current products have done better.

McAfee stands out with 100 percent protection in this test, and Trend Micro Antivirus+ Security is close behind with 99 percent.

Much Improved Phishing Protection

Phishing websites don't rely on malware to steal sensitive login credentials.

Rather, they rely on inattentive users.

They mimic financial sites, shopping sites, and even gaming sites, displaying a convincing login page.

If you enter your username and password, the fraudster owns your account.

These sites get taken down quickly, but the criminals just pop up another one.

To test phishing protection, I start by gathering hundreds of reported fraudulent URLs, with a preference for those too new to have received analysis and blacklisting.

I launch each simultaneously in a browser protected by the antivirus under test, and in instances of Chrome, Firefox, and Microsoft Edge protected only by their built-in antiphishing filters.

Only verified phishing sites that load properly in all four browsers count toward the totals.

New since my last review, the Emsisoft Browser Security extension installs in Chrome, Edge, and Firefox for additional protection against phishing.

The same browser-independent component that blocks malware-hosting URLs also aims to block phishing frauds, but in testing the browser extension did virtually all the heavy lifting.

It was responsible for all but one of the detection events.

Phishing Protection Results Chart

Last time I ran this test on Emsisoft, with no browser extension, it detected just 18 percent of the fraudulent sites.

Only IObit Malware Fighter Pro, Comodo, and Ashampoo have scored lower.

This time Emsisoft managed 85 percent detection, the same as ESET NOD32 Antivirus and adaware.

That's the median for this test, meaning as many products scored higher as scored lower.

It's a big improvement over being in the cellar, but there's still room for improvement.

Kaspersky and McAfee both achieved 100 percent detection, steering the browser away from every single verified fraud.

Bitdefender came in second, with 99 percent detection.

Ransomware Protection With Emsisoft

Malware coders are always working on new attacks, new hiding techniques, and new ways to get past antivirus protection.

If they manage to slip a Trojan or a botnet past your protection, that's not good, but very likely an update will wipe out the problem within a few days.

But if the zero-day attack involves ransomware, you're up the creek.

Your files are already encrypted, and removing the ransomware won't bring them back.

That's why many antivirus tools now include an extra layer of protection against ransomware.

Emsisoft's ransomware protection isn't separate from its general Behavior Blocker.

Fortunately, Emsisoft doesn't couple behavioral protection with the regular real-time protection of the File Guard component the way Trend Micro, Avira Antivirus Pro ($30.99 (30% Off) at Avira), and a few others do.

I had no trouble turning off File Guard while leaving ransomware protection active.

Why do this? The point is to simulate a zero-day attack that gets past ordinary real-time protection.

My Emsisoft contact warned me that this might not get an accurate result, noting that "we do not tune the Behavior Blocker for samples that we know are detected by our heuristics." He need not have worried.

Emsisoft detected and blocked all my file-encrypting ransomware samples, identifying them as suspicious or dangerous.

Well, one of them ran for a half-hour without ever attempting to encrypt files.

With no behavior, the behavior blocker naturally didn't react.

This tool's ransomware protection focuses on the widespread problem of file-encrypting ransomware.

The ransomware style that encrypts your whole disk is much less common.

And indeed, Emsisoft didn't stop my one disk-encrypting ransomware sample from taking over the test system.

Fortunately, it was a virtual machine; reverting to an earlier snapshot eliminated the effects.

As a further test, I configured one of the samples that Emsisoft definitely foiled so it would launch at startup, and rebooted the test system.

Last time around, that was enough to foil the Behavior Blocker; this time, the ransomware bit...
