Emsisoft Achieves 100% Detection in January 2026 AVLab Advanced In-The-Wild Malware Test

Emsisoft Remains Perfect in AVLab's January 2026 Test Amid Methodological Upgrades

AVLab Cybersecurity Foundation’s January 2026 Advanced In-The-Wild Malware Test introduced meaningful changes to its evaluation framework. The certification threshold increased from 99% to 99.6%, sample pre-selection grew more stringent, and browser automation improved.

Against 395 unique malware samples under this revised methodology, Emsisoft Enterprise Security + EDR delivered a 100% detection rate with an average remediation time of 1.418 seconds. The results continue Emsisoft’s streak of perfect detection in AVLab evaluations while demonstrating the product’s adaptability to evolving test standards.

Methodological changes in the January 2026 edition

AVLab implemented several substantive updates beginning in January 2026. The certification threshold increase from 99% to 99.6% reflects market expectations for endpoint protection efficacy. Products must now block all but approximately two samples per thousand to earn ‘EXCELLENT’ certification.

The pre-selection stage received enhancements to more effectively identify and eliminate Potentially Unwanted Applications (PUA/PUP) from the test set. This ensures only true malware samples remain, preventing dilution of results with borderline cases that many vendors treat differently. The mechanism for automatically downloading malware via the Opera browser was also improved, leveraging hypervisor API integration to reduce sample preparation time and increase test consistency.

AVLab notes that beginning in March 2026, the test will expand to verify privilege requirements for each sample, enabling deeper analysis of permission escalation during attack progression. These methodological refinements reflect the lab’s commitment to maintaining test relevance as attacker techniques evolve.

Threat landscape and sample composition

The January 2026 test comprised 395 malware samples, with 367 delivered over HTTP and 28 over HTTPS. The continued presence of HTTPS-delivered malware underscores a persistent reality: SSL certificates and browser padlocks indicate encryption, not safety. Attackers increasingly host malicious payloads on compromised legitimate infrastructure, with hijacked servers located primarily in Germany (91), China (71), and the United States (44) during this test cycle.

Living off the Land Binaries (LOLBins) remain central to modern attack chains. The January test recorded invocations of svchost.exe (5,855), certutil.exe (4,038), and explorer.exe (2,467) among the most frequently abused tools. These statistics reflect the complexity of runtime detection: malware often executes using trusted system processes, requiring behavioral analysis rather than simple file blocking.

Emsisoft’s performance: Precision and balance

Emsisoft Enterprise Security + EDR blocked all 395 samples, achieving 100% detection and the ‘EXCELLENT’ certification under the new 99.6% threshold. The defense distribution shows a balanced architectural approach: 88.86% of threats were neutralized at the web layer before execution, while 11.14% were caught during runtime by behavioral analysis.

The average remediation time of 1.418 seconds significantly undercuts the 2.21-second industry average. Remediation time measures complete threat neutralization and system restoration. Faster remediation reduces the window for data exfiltration, lateral movement, or payload deployment.

Consistency under evolving standards

The January 2026 test marked the first evaluation under AVLab’s raised 99.6% certification threshold. Emsisoft’s perfect detection demonstrates that the product’s capabilities exceed even this more demanding standard.

Methodological rigor will continue to increase. The March 2026 expansion adding permission verification will provide deeper insight into privilege escalation and attack progression. Emsisoft’s layered approach positions it to maintain performance as testing evolves alongside the threat landscape.

Zach Simas

Zach is a multifaceted writer, specializing in finance, tech, and now broadening his expertise into the cybersecurity domain. When he’s not writing, Zach expresses his creativity through music as a singer, bassist, and producer.
