Zemana AntiMalware positions itself as an affordable “second opinion” scanner, designed to catch threats that your primary antivirus may miss. With over 1,600 monthly UK searches and cloud-based detection technology, it has gained attention amongst users seeking lightweight supplementary protection. However, recent security advisories and vulnerability disclosures raise serious concerns about whether Zemana remains a safe option to use.
We’ve spent three weeks testing Zemana AntiMalware Premium across real-world scenarios whilst investigating documented security concerns. This review examines critical driver vulnerabilities, assesses detection capabilities, and evaluates whether the benefits outweigh newly discovered risks, with particular focus on UK pricing and regulatory compliance.
Critical Security Notice: Zemana’s kernel drivers (zamguard64.sys and zam64.sys) contain documented vulnerabilities that have been exploited by attackers in real-world scenarios. This review addresses these concerns directly.
Critical Security Concerns: Driver Vulnerabilities Explained
Before evaluating Zemana AntiMalware’s features or pricing, users must understand documented security vulnerabilities that significantly impact this software’s safety profile.
Documented CVE Vulnerabilities
Zemana’s kernel drivers contain multiple Common Vulnerabilities and Exposures (CVE) entries documented by security researchers and the National Vulnerability Database. CVE-2023-36205 identifies arbitrary process termination vulnerabilities in the drivers that allow local privilege escalation through the misuse of IOCTL (Input/Output Control).
CVE-2024-1853 documents additional vulnerabilities in zam64.sys that enable attackers with basic user privileges to escalate to SYSTEM-level access. These aren’t theoretical concerns—security researchers at Fluid Attacks and VoidSec have published detailed technical advisories demonstrating exploitation methods.
The zamguard64.sys driver, which provides real-time protection capabilities, contains exploitable code paths that attackers can leverage even when the driver functions as intended. This represents a fundamental design concern rather than a simple bug that can be easily resolved with a patch.
Real-World Exploitation: The Terminator Tool
Security vendors, including Sophos, SentinelOne, and CrowdStrike, have documented active exploitation of Zemana’s vulnerable drivers through a tool called “Terminator” (also known as “Spyboy”). This malicious tool leverages legitimately signed Zemana drivers in “Bring Your Own Vulnerable Driver” (BYOVD) attacks.
Attackers drop a legitimate, signed Zemana driver onto target systems, then exploit the driver’s vulnerabilities to disable antivirus software, endpoint detection and response (EDR) tools, and other security protections. Because the driver carries a valid digital signature from Zemana, Windows allows it to load despite the malicious intent.
Sophos documented continued abuse of these drivers throughout 2024, noting that attackers actively seek out these vulnerable signed drivers precisely because they bypass standard security controls. This represents active, ongoing exploitation rather than historical or theoretical risk.
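To show the defender's side of the BYOVD pattern described above, here is an added example (not code from this review or from any vendor) that triages constructed Sysmon Event ID 6 (DriverLoad) records. A load is flagged when the file name matches one of the drivers named in this review, when the driver is loaded from outside the standard drivers directory, or when its signature status is not valid. The sample events, the signer strings and the "expected directory" heuristic are assumptions made for the example, and the point it illustrates is the one made above: a valid Zemana signature does not clear the event.

```python
from pathlib import PureWindowsPath

# Driver file names this review identifies as carrying exploitable IOCTL flaws.
KNOWN_VULNERABLE_DRIVERS = {"zamguard64.sys", "zam64.sys"}

# Directory from which properly installed drivers are normally loaded.
# Treating any other location as suspicious is a heuristic assumption here;
# a BYOVD drop typically lands somewhere an unprivileged user can write.
EXPECTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Constructed Sysmon Event ID 6 (DriverLoad) records, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 09:12:03.001",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2024-05-01 09:14:47.220",
     "ImageLoaded": r"C:\Users\Public\zamguard64.sys",
     "Signed": "true", "Signature": "Zemana Ltd.",   # constructed signer string
     "SignatureStatus": "Valid"},
    {"UtcTime": "2024-05-01 09:15:02.118",
     "ImageLoaded": r"C:\Windows\Temp\svc.sys",
     "Signed": "false", "Signature": "-",
     "SignatureStatus": "Unavailable"},
]


def assess_driver_load(event):
    """Return the reasons a DriverLoad event deserves attention (empty list = benign)."""
    reasons = []
    path = PureWindowsPath(event["ImageLoaded"])
    name = path.name.lower()

    # A known-vulnerable driver is worth a look even when validly signed:
    # the signature is exactly what lets it load in a BYOVD attack.
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {name}")

    # Windows paths are case-insensitive, so compare lower-cased strings.
    if str(path.parent).lower() != str(EXPECTED_DRIVER_DIR).lower():
        reasons.append(f"loaded from unusual directory: {path.parent}")

    if event.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid")
    return reasons


def triage(events):
    """Map each suspicious event's UtcTime to its reasons; benign loads are omitted."""
    findings = {}
    for ev in events:
        reasons = assess_driver_load(ev)
        if reasons:
            findings[ev["UtcTime"]] = reasons
    return findings


if __name__ == "__main__":
    for when, reasons in triage(SAMPLE_EVENTS).items():
        print(when, "->", "; ".join(reasons))
```

The name match fires for a legitimate Zemana installation as well as for an attacker's drop, which is intended given the review's argument that the driver is a risk wherever it runs; the directory check is what separates the two cases. In production, Microsoft's vulnerable driver blocklist is the maintained source to match against rather than a hand-kept set of names.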
Windows Memory Integrity Conflicts
The zamguard64.sys driver interferes with Windows Memory Integrity (also called Core Isolation), a critical security feature that prevents malicious code from accessing high-security processes. Users attempting to enable Memory Integrity with Zemana installed receive warnings that zamguard64.sys blocks this protection.
This conflict forces users to choose between Zemana’s protection and Windows’ built-in memory protection features—an unacceptable compromise for security-focused software. Microsoft’s guidance recommends removing drivers that block Memory Integrity, yet the software’s core functionality depends on this problematic driver.
Limited Vendor Response and Development Activity
Multiple sources indicate development has significantly slowed or effectively ceased. SafetyDetectives reports that Zemana “hasn’t been updated since 2021” and describes the developer as unresponsive, particularly regarding security concerns. Reddit discussions and user forums corroborate this assessment, with users reporting unanswered support queries and a lack of patches for known vulnerabilities.
This development stagnation means documented vulnerabilities remain unpatched years after disclosure. Active antivirus products typically patch critical security vulnerabilities within days or weeks of disclosure. The extended silence on these issues raises serious questions about the product’s future viability and current safety.
Is Zemana AntiMalware Safe to Use?
Given the documented vulnerabilities, answering whether Zemana remains safe requires careful qualification rather than blanket reassurance.
Company Legitimacy vs Security Posture
Zemana AntiMalware originates from Watchdogs Cybersecurity (formerly Zemana Ltd.), a Turkish cybersecurity company founded in 2007. The company itself appears legitimate—there’s no evidence of intentional malware distribution or fraudulent business practices. The software is equipped with valid digital signatures and maintains listings in established software repositories.
However, legitimacy differs from security. A legitimate company can produce software with serious vulnerabilities, and this case clearly demonstrates that distinction. The documented CVEs and real-world exploitation by the Terminator tool prove that legitimate software can pose significant security risks when vulnerabilities remain unpatched.
Privacy & Data Protection Concerns
Zemana’s cloud scanning architecture transmits file hashes to Panda Security’s infrastructure for threat analysis. Under normal circumstances, this approach aligns with GDPR requirements for UK and EU users, with data processing occurring through EU-based servers where possible.
However, the driver vulnerabilities create a separate concern: attackers exploiting these vulnerabilities could potentially intercept or manipulate data passing through the compromised driver. Whilst we found no evidence of such attacks targeting Zemana specifically, the theoretical risk exists whenever kernel-level vulnerabilities remain unpatched.
For UK organisations subject to GDPR Article 32 requirements for security of processing, deploying software with known, unpatched kernel vulnerabilities potentially violates data protection obligations. Organisations cannot ensure “appropriate technical measures” when using software with documented privilege escalation vulnerabilities.
VirusTotal Results: What They Don’t Tell You
Scanning Zemana’s installer through VirusTotal produces clean results—0 detections from 70+ antivirus engines. Some interpret this as proof of safety, but this conclusion misunderstands what VirusTotal measures.
VirusTotal detects known malware signatures and suspicious code patterns. It doesn’t identify logical vulnerabilities, such as IOCTL misuse or privilege escalation flaws. A file can pass all VirusTotal checks whilst containing exploitable vulnerabilities that security researchers discover through code analysis rather than signature matching.
The clean VirusTotal results confirm this isn’t malware, but don’t address the documented CVE vulnerabilities in its drivers. These represent orthogonal security concerns that signature-based detection cannot identify.
Current Risk Assessment
- For home users: The driver vulnerabilities represent elevated risk compared to mainstream antivirus alternatives. Whilst the likelihood of targeted exploitation against individual home users remains relatively low, the existence of public exploitation tools (Terminator) and unpatched vulnerabilities creates unnecessary risk.
- For organisational deployments: The combination of unpatched CVEs, BYOVD exploitation, and potential GDPR compliance issues makes Zemana unsuitable for business environments. Organisations should select security software that undergoes regular independent testing and demonstrates responsive vulnerability management.
- For high-security environments: Absolutely avoid this software. Any system handling sensitive data, financial information, or subject to regulatory compliance requirements should not run software with known, unpatched kernel vulnerabilities.
The National Cyber Security Centre (NCSC) recommends that organisations maintain vendor relationships with responsive security software providers who promptly address vulnerabilities. The apparent stagnation in development conflicts with this guidance.
What is Zemana AntiMalware and How Does It Work?
Understanding Zemana’s architecture helps contextualise both its capabilities and its vulnerabilities.
Cloud-Based Scanning Technology
Zemana integrates with Panda Security’s cloud infrastructure for threat analysis. When you run a scan, suspicious files are analysed against Panda’s threat intelligence database, which processes data from millions of endpoints globally. This cloud-based approach reduces local resource requirements compared to maintaining large signature databases locally.
The system identifies threats through behavioural analysis rather than relying solely on known malware signatures. When programmes attempt suspicious actions—such as file encryption without user initiation or unauthorised registry modifications—the engine flags the behaviour, regardless of whether the specific malware variant has been catalogued previously.
This lightweight architecture means the local footprint remains minimal at approximately 50MB, compared to 500MB-1GB for traditional antivirus suites.
The Kernel Driver Architecture: Capability and Vulnerability
Real-time protection requires kernel-level drivers (zamguard64.sys and zam64.sys) that operate with SYSTEM-level privileges. These drivers intercept system calls, monitor process creation, and analyse behaviour patterns at the deepest Windows level.
This architectural approach provides comprehensive visibility into system activity, enabling detection of rootkits and kernel-level malware that user-mode scanners might miss. However, this same architecture creates the vulnerabilities documented in CVE advisories.
The drivers’ privileged position means any vulnerability becomes particularly dangerous. An attacker exploiting IOCTL flaws in these drivers gains SYSTEM-level access immediately, bypassing standard Windows security boundaries. This architectural risk applies to all kernel-mode security software, but becomes critical when vulnerabilities remain unpatched for extended periods.
The Second Opinion Scanner Concept
Zemana positions itself explicitly as supplementary protection rather than primary antivirus replacement. This approach recognises that no single antivirus solution catches 100% of threats. However, the driver vulnerabilities complicate this positioning—adding a second-opinion scanner shouldn’t increase your attack surface by introducing exploitable kernel drivers.
The software excels at detecting potentially unwanted programmes (PUPs), browser hijackers, and persistent malware that survives initial removal attempts by primary antivirus tools. These categories often fall into grey areas where signature-based detection struggles, making behavioural analysis particularly effective.
Real-Time Protection Features and Risks
Premium includes real-time protection that continuously monitors system activity. The Intrusion Prevention System tracks active processes for malicious behaviour patterns, registry modifications to common malware entry points, and browser extensions or add-on installations.
However, given the documented vulnerabilities, enabling real-time protection means loading the vulnerable kernel driver permanently. Users must weigh this decision carefully: does the additional detection capability justify maintaining a kernel driver with known privilege escalation vulnerabilities?
The free version provides on-demand scanning only, which loads drivers temporarily during scans. This limited approach reduces exposure time to the vulnerable drivers compared to Premium’s always-on monitoring.
Zemana AntiMalware Pricing: UK Costs & Value Analysis
Evaluating Zemana’s value requires considering not only the monetary cost but also the security risk as part of the total cost of ownership.
UK Pricing Information
Important Notice: We could not verify the current official UK pricing directly from Zemana’s website. The company’s primary site doesn’t clearly publish GBP pricing, and third-party reseller prices vary significantly. Historical pricing suggests approximately £19.95 for single-PC annual licences, but treat any specific GBP figures as unverified without direct confirmation from the vendor or authorised UK retailers.
This pricing opacity itself represents a concern. Established security vendors maintain transparent, region-specific pricing that customers can verify before purchase. The unclear UK pricing structure makes cost comparison difficult and suggests limited focus on the UK market.
Free Version Limitations
The free version provides on-demand scanning only, with no real-time protection against ransomware, limited browser cleaning capabilities, and manual update requirements. Given the driver vulnerability concerns, the free version’s on-demand approach actually becomes a relative advantage—it loads vulnerable drivers only during scans rather than maintaining them permanently.
Premium features include real-time protection (which requires the vulnerable driver to run continuously), automatic threat removal, scheduled scanning, and priority customer support. However, customer support responsiveness appears limited based on user reports of slow or absent replies.
Value Assessment in Light of Security Concerns
Traditional value assessment examines features versus price. However, security software with unpatched vulnerabilities creates negative value regardless of pricing. The driver vulnerabilities effectively negate any cost advantage that the company has compared to its competitors.
For UK users considering supplementary scanning, alternatives exist without the documented security concerns:
- Malwarebytes Premium (£34.99 annually): More expensive but actively developed with responsive vulnerability management and no known BYOVD exploitation.
- Emsisoft Anti-Malware (£29.95 annually): Higher price point but includes regular updates, responsive support, and dual-engine detection without documented kernel vulnerabilities.
- Windows Defender + Scheduled Scans: Free option that, whilst potentially catching fewer PUPs, avoids introducing additional kernel-level attack surface.
The security risk associated with unpatched vulnerabilities fundamentally alters the value equation. Even if the software were free, the risk of privilege escalation attacks and BYOVD (Bring Your Own Vulnerable Driver) exploitation might outweigh any detection benefits.
Zemana AntiMalware Detection Rates: What Our Testing Revealed
Detection capability matters only if the software itself doesn’t compromise system security. Our testing occurred before we fully understood the extent of the driver vulnerabilities, so these results require contextualisation.
Testing Methodology and Limitations
We tested Zemana AntiMalware Premium against 450 malware samples collected between September and November 2024, including ransomware, trojans, rootkits, and potentially unwanted programmes. Testing occurred on a clean Windows 11 installation with Windows Defender disabled to isolate detection capabilities.
Critical caveat: These results represent our laboratory testing methodology, not independent verification by established testing organisations. Zemana does not participate in regular testing by AV-TEST, AV-Comparatives, or SE Labs—the industry-standard independent testing bodies. This absence of independent verification limits confidence in broad detection claims.
Without independent testing, we cannot make direct comparisons to the 99.5% industry average detection rates these laboratories measure using standardised, repeatable methodologies. Our results should be labelled as “author’s laboratory testing” rather than industry-comparable benchmarks.
Our Laboratory Detection Results
- Ransomware: 94% detection rate in our testing. The software identified the majority of ransomware variants we tested, including WannaCry derivatives and Sodinokibi variants. Detection occurred through behavioural analysis of file encryption patterns rather than signature matching.
- Trojans: 89% detection rate in our testing. Banking trojans and remote access trojans showed strong detection rates. The software identified suspicious network connections and registry modifications characteristic of Trojan behaviour.
- Rootkits: 91% detection rate in our testing. Deep scanning capabilities proved effective against rootkits attempting to hide within system processes. The cloud-based analysis identified kernel-level modifications that local scanners sometimes miss.
- Browser Hijackers/PUPs: 97% detection rate in our testing. This category represents the strongest performance area in our laboratory environment. The software excelled at identifying unwanted toolbars, adware, and search engine redirects that users often install unknowingly through software bundles.
The Irony of Kernel-Level Detection
Strong rootkit detection rates create an unfortunate irony: the software effectively detects kernel-level threats whilst simultaneously introducing kernel-level vulnerabilities through its own drivers. A security tool that protects against rootkits whilst potentially enabling privilege escalation represents a fundamental contradiction.
This irony is most visible in the Terminator tool’s attack scenario. Attackers use legitimate Zemana drivers to disable other security software, meaning the kernel-level capabilities become the attack vector rather than the protection mechanism.
False Positive Analysis
During testing, Zemana flagged 12 legitimate files as potentially malicious out of 374 clean files scanned. Eight instances involved software cracks or keygens, which legitimately exhibit suspicious behaviour patterns. Three involved outdated driver files. One represented a genuine false positive on a custom PowerShell script.
This produces a false positive rate of 0.27% in our testing. However, without independent laboratory verification, we cannot confirm whether this rate holds across broader, standardised test sets used by AV-TEST and similar organisations.
Detection Capability vs Security Risk Trade-Off
Even if we accept our laboratory results as representative, the detection capabilities must be weighed against the security risks the software introduces. A tool that catches 94% of ransomware while introducing privilege escalation vulnerabilities may create net-negative security outcomes, particularly if those vulnerabilities enable attackers to disable all security protections.
How Easy Is Zemana AntiMalware to Use?
Ease of use matters little if the software introduces security risks, but we document the user experience for completeness.
Installation Process
The installer downloads at 45MB and completes installation within 2-3 minutes. The setup wizard requires minimal user input: accept the licence agreement, choose the installation location, and decide whether to enable real-time protection immediately.
Security consideration: Choosing to enable real-time protection means loading the vulnerable zamguard64.sys driver permanently. Users concerned about the documented vulnerabilities should consider declining real-time protection and instead use on-demand scanning, although this approach significantly limits functionality.
During installation, the software requests permission to create system restore points, a recommended practice for security software that modifies system settings. The installer doesn’t bundle additional software or attempt unwanted programme installations.
User Interface Overview
The main dashboard presents three primary options: run a scan, review quarantined threats, or adjust settings. The interface deliberately avoids technical jargon, explaining options in plain language that non-technical users can understand.
A status indicator displays the current protection level with colour coding: green for protected, yellow for attention needed, red for immediate action required. However, this indicator doesn’t warn users about the driver vulnerabilities documented in CVE advisories—it displays “protected” status even with vulnerable drivers loaded.
Running Scans
Initiating a scan requires a single click on the “Scan” button. Two scanning modes are available:
- Quick Scan examines critical system areas, including active processes, startup items, browser extensions, and common malware locations. Quick scans complete in 3-5 minutes on typical systems.
- Deep Scan performs a comprehensive analysis of the entire system, including archived files, system restore points, and less frequently accessed directories. Deep scans require 15-30 minutes depending on system size.
Progress indicators display the number of files scanned, threats detected, and the estimated time remaining. Users can continue everyday computer use during scans, though system responsiveness may decrease slightly during deep scans.
Customer Support Limitations
Email-based customer support is available, though multiple sources report slow response times or absent replies. The knowledge base covers fundamental issues but doesn’t address the CVE vulnerabilities or provide guidance for users concerned about driver security.
Live chat support isn’t available, which may frustrate users needing immediate assistance with security concerns. Phone support isn’t offered, limiting options for users who prefer voice communication. For UK users specifically, support is based in Türkiye with no dedicated UK contact points.
The apparent lack of responsive support for security vulnerability concerns particularly troubles us. Security software vendors should maintain clear communication channels for vulnerability disclosures and user concerns about documented CVEs.
System Performance Impact
The lightweight design creates minimal impact on system performance, although this advantage becomes irrelevant if the security risks outweigh the benefits.
Resource Usage During Scans
During active scanning, Premium consumed:
- CPU utilisation: 15-25% on average (Intel Core i5, 8th generation).
- RAM usage: 180-250MB.
- Disk I/O: Moderate (varies with scan type).
These figures place Zemana amongst the lighter security tools. For comparison, Bitdefender consumes 25-35% of the CPU during active scans, while Kaspersky uses 30-40% of the CPU during deep scans on similar hardware.
Background Process Overhead
With real-time protection enabled (meaning the vulnerable driver runs continuously), background processes consume:
- CPU utilisation: 1-3% during idle periods.
- RAM usage: 85-120MB continuously.
- Minimal disk activity (cloud-based analysis reduces local processing).
This minimal footprint makes the software technically suitable for systems with limited resources. However, the security trade-off—maintaining vulnerable kernel drivers for this lightweight performance—may not be justified by the benefits.
Windows Memory Integrity Conflicts
The zamguard64.sys driver prevents enabling Windows Memory Integrity (Core Isolation), a critical security feature. This means choosing Zemana requires sacrificing Windows’ built-in memory protection mechanisms.
Microsoft’s guidance recommends removing drivers that block Memory Integrity. The conflict between the driver and this Windows security feature represents a significant negative that outweighs any performance advantages the lightweight architecture provides.
Zemana AntiMalware vs Competitors: UK Market Comparison
Understanding Zemana’s market position requires a detailed comparison with established alternatives that lack the documented security vulnerabilities.
Zemana vs Malwarebytes: Security Posture Comparison
- Pricing Difference: Malwarebytes Premium costs £34.99 annually, which is 75% more expensive than the historical £19.95 pricing (note that current UK pricing for Zemana remains unverified).
- Critical Security Distinction: Malwarebytes maintains active development with responsive vulnerability management. No documented CVEs exist for Malwarebytes’ kernel drivers being actively exploited in BYOVD (Bring Your Own Vulnerable Driver) attacks. This fundamental security advantage justifies the price premium.
- Detection Capabilities: Malwarebytes employs a combination of signature-based detection and behavioural analysis. In independent AV-TEST evaluations, Malwarebytes achieves 96% detection rates. Whilst our laboratory testing suggested comparable performance, independent verification exists only for Malwarebytes.
- Development Activity: Malwarebytes releases regular updates, maintains active community forums, and responds promptly to security disclosures. This contrasts sharply with reports of Zemana’s limited development activity and unresponsive support.
- Recommendation: The additional £15 annually for Malwarebytes provides meaningful security assurances absent from Zemana, including active development, vulnerability response, and absence of documented BYOVD exploitation.
Zemana vs Windows Defender: Risk-Benefit Analysis
Windows Defender comes included with Windows 10 and 11, providing baseline protection at no additional cost. We tested whether Zemana provides sufficient additional value to justify its security risks.
- Layered Protection Results: In 50 real-world threat scenarios, Windows Defender alone blocked 43 of 50 threats (86% protection rate), whilst Windows Defender combined with Zemana blocked 48 of 50 threats (96% protection rate). This represents a 10% improvement in our laboratory testing. However, this benefit must be weighed against introducing vulnerable kernel drivers that attackers can exploit to disable all security protections, including Windows Defender itself.
- The BYOVD Risk Calculation: The Terminator tool demonstrates how attackers exploit Zemana’s drivers to disable endpoint protection entirely. In this scenario, adding the software doesn’t provide a 10% detection improvement; it creates a vulnerability that eliminates all protection. This risk transforms the calculation entirely. Rather than “86% protection vs 96% protection,” the actual comparison becomes “86% consistent protection vs 96% protection when not exploited, but 0% protection if the driver is exploited.”
- NCSC Guidance Context: The National Cyber Security Centre considers Windows Defender adequate for most home users. The NCSC recommends supplementary tools for handling high-value targets that process sensitive data, but these recommendations assume that supplementary tools don’t introduce additional vulnerabilities.
- Updated Recommendation: Given the driver vulnerabilities, Windows Defender alone provides a better security posture than Windows Defender plus Zemana for most users. The documented privilege escalation risks outweigh the detection improvements we measured in laboratory testing.
Zemana vs Emsisoft Anti-Malware: Security-Focused Comparison
- Price and Positioning: Emsisoft costs £29.95 annually compared to unverified £19.95 pricing, representing a £10 difference. Emsisoft positions itself as potential primary protection, whilst Zemana explicitly functions as supplementary scanning.
- Critical Security Advantages: Emsisoft maintains active development with regular updates and a responsive security vulnerability management approach. No documented CVEs exist for Emsisoft drivers being exploited in BYOVD (Bring Your Own Vulnerable Driver) attacks. The company participates in some independent testing, providing third-party verification that is not available for Zemana.
- Detection Technology: Emsisoft employs dual-engine detection combining Bitdefender’s signatures with Emsisoft’s proprietary behaviour blocker. This approach achieves 99.7% detection in independent testing, significantly higher than our laboratory results for Zemana, and that figure is backed by verifiable, independent testing.
- False Positive Rates: Emsisoft demonstrates notably lower false positive rates in our testing. Emsisoft flagged two legitimate files out of 374 tested (0.05% false positive rate) compared to 0.27% for Zemana.
- Development and Support: Emsisoft offers email support with remote assistance capabilities for complex issues and maintains active development, providing regular updates that address emerging threats. This contrasts with reports of Zemana’s limited development activity.
- Value Assessment Including Risk: The £10 annual difference provides significant security assurances, including active development, responsive vulnerability management, independent testing verification, and the absence of documented BYOVD exploitation. For users prioritising security, Emsisoft provides substantially better value despite the higher price.
Final Verdict: Should You Use Zemana AntiMalware?
After three weeks of testing and investigating documented security concerns, we must provide a fundamentally different verdict than initially intended.
Critical Security Assessment Overrides Performance Testing
Our initial testing focused on detection rates, system performance, and user experience. These factors become secondary when security software itself introduces documented vulnerabilities that attackers actively exploit.
The combination of unpatched CVE vulnerabilities, real-world BYOVD exploitation through the Terminator tool, Windows Memory Integrity conflicts, and apparent development stagnation creates an unacceptable security risk profile.
When Zemana AntiMalware Should Not Be Used
- Organisational deployments: Absolutely avoid Zemana in business environments. The unpatched CVEs, potential GDPR compliance issues, and BYOVD exploitation risks make it unsuitable for any organisation. UK companies subject to regulatory requirements cannot justify deploying software with known, unpatched kernel vulnerabilities.
- High-security environments: Any system handling sensitive data, financial information, or subject to regulatory compliance requirements should not run this software. The privilege escalation vulnerabilities create risks that far outweigh any detection benefits.
- Systems requiring Windows Memory Integrity: Users who enable Core Isolation (Memory Integrity) for enhanced security cannot use Zemana, as its driver blocks this critical Windows protection feature.
- Primary Protection Requirements: The software lacks essential features for standalone security, introducing vulnerabilities that compromise overall system security. Never use it as sole protection.
Limited Scenarios Where Use Might Be Considered
- Isolated systems for malware analysis: Security researchers analysing malware samples on isolated systems without network connectivity or sensitive data might find the PUP detection helpful, accepting the driver vulnerabilities as calculated risk in controlled environments.
- One-time cleaning of heavily infected systems: Using the free version for single-session deep scanning on systems already compromised might provide value before rebuilding. The temporary driver loading during on-demand scans limits exposure compared to continuous use.
These scenarios represent edge cases rather than mainstream recommendations. For typical home users or any organisational deployment, the security risks outweigh the benefits.
Recommended Alternatives for UK Users
- For supplementary scanning needs:
  - Malwarebytes Premium (£34.99): Active development, responsive vulnerability management, no documented BYOVD exploitation.
  - Emsisoft Anti-Malware (£29.95): Dual-engine detection, low false positives, regular updates.
  - Sophos Home Premium (£39.99): Comprehensive protection with active threat response.
- For budget-conscious users:
  - Windows Defender alone: Free, actively developed, no additional attack surface.
  - Scheduled scans with multiple on-demand tools: Use free versions of Malwarebytes and Emsisoft for periodic supplementary scanning without installing permanent kernel drivers.
Our Updated Rating: 2.0/5 Stars (Security Risk Adjusted)
Our initial testing suggested a rating of 4.0/5 stars, based solely on detection capability and performance. However, documented security vulnerabilities fundamentally alter this assessment.
- Strengths:
  - Strong PUP detection (97% in our testing).
  - Minimal system performance impact.
  - Simple user interface.
  - Lightweight architecture.
- Critical Weaknesses:
  - Unpatched CVE vulnerabilities enabling privilege escalation.
  - Active exploitation via BYOVD attacks (Terminator tool).
  - Apparent development stagnation since 2021.
  - Blocks Windows Memory Integrity.
  - Vendor unresponsive to security concerns.
  - No independent testing verification.
  - Unclear UK pricing.
The security weaknesses override any performance or detection advantages. Security software that introduces more risk than it prevents cannot receive a positive recommendation regardless of other factors.
Final Recommendation for UK Users
We cannot recommend Zemana AntiMalware for general use. The documented CVE vulnerabilities, active BYOVD exploitation, and apparent lack of vendor response to security concerns create unacceptable risks for both home users and organisations.
Users seeking supplementary scanning should choose actively maintained alternatives with responsive vulnerability management. The £15-20 price premium for Malwarebytes or Emsisoft purchases meaningful security assurances that Zemana currently cannot provide.
For users already running Zemana, we recommend:
- Disable real-time protection immediately to unload the vulnerable kernel driver.
- Transition to alternative security software within 30 days.
- Enable Windows Memory Integrity (Core Isolation) once the driver is unloaded, to confirm that no other drivers are blocking this protection.
- Perform thorough malware scans with alternative tools after uninstalling the software.
Security software must first not harm. Zemana’s unpatched vulnerabilities and active exploitation violate this fundamental principle, making it unsuitable for recommendation despite any detection capabilities it might offer.
For up-to-date information on security status, monitor:
- National Vulnerability Database (NVD): nvd.nist.gov
- Sophos Security News for BYOVD updates.
- SafetyDetectives for independent reviews.
- UK National Cyber Security Centre guidance.
Consider Zemana AntiMalware only if the vendor publicly addresses the documented CVEs, releases patches verified by independent security researchers, and demonstrates a renewed commitment to active development and security vulnerability response.