Hi exile360,

For the infected system rescue test the infections were live. The test is in two sections. There is the On Demand Scan test AND Infected System Rescue test. The methodology for each is displayed at the start of each section (possibly a bit confusing as both tests are in the same post).

For reference, I have pasted the methodology used below:

1. Windows XP Professional Service Pack 3 is installed and updated with all important updates. An image of the Operating System is created with internet access.
2. A clone of the Imaged system is made for each program to be used in the test.
3. An individual program is installed with default settings on each of the Cloned systems.
4. A Snapshot is taken of each cloned system.
5. Any real time protection is disabled.
6. On each Cloned system the folder containing the fifteen samples of malware is placed.
7. All the programs are fully updated.
8. Each malware sample is executed individually, with the system being rebooted after each execution, until all fifteen samples have been executed.
9. A second snapshot of the cloned system is taken, allowing us to know all changes / infections.
10. All differences between the first and second snapshots are noted.
11. Real Time protection and other default methods of detection/prevention used by the applications are turned on.
12. The test is conducted by performing a full system scan and allowing the application to perform its detection and removal activities.
13. Once the application finds no malware / reports a clean system, the cloned system is compared to the first snapshot so an assessment of cleanup effectiveness can be made.

Best regards,
Chris
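Added example, not part of Chris's post and not the tool used in the test: one way to turn the snapshot comparisons in steps 10 and 13 into a cleanup score. It assumes each snapshot has been exported as a mapping from file path or registry key to a content hash; the function names, paths and hash strings are hypothetical.

```python
# Added example. A snapshot is modelled as {file path or registry key: content hash}.
# Every path and hash below is constructed sample data, not taken from the test.

def diff(before, after):
    """Changes between two snapshots as {item: (old, new)}; None means absent."""
    keys = before.keys() | after.keys()
    return {k: (before.get(k), after.get(k)) for k in keys
            if before.get(k) != after.get(k)}

def assess_cleanup(baseline, infected, cleaned):
    """Score a cleanup run against the infection delta (steps 10 and 13)."""
    infection = diff(baseline, infected)   # step 10: what the samples changed
    remaining = diff(baseline, cleaned)    # step 13: what still differs after the scan
    # Residual: a change made by the samples that is still exactly as they left it.
    residual = sorted(k for k in infection if cleaned.get(k) == infected.get(k))
    # Partial: touched by the scanner but not returned to its baseline state,
    # e.g. a patched system file deleted instead of repaired.
    partial = sorted(k for k in infection if k in remaining and k not in residual)
    # Unrelated: differs from baseline but was never in the infection delta
    # (scanner logs, quarantine store), so it is reported separately.
    unrelated = sorted(k for k in remaining if k not in infection)
    restored = len(infection) - len(residual) - len(partial)
    return {
        "infection_changes": len(infection),
        "restored": restored,
        "residual": residual,
        "partial": partial,
        "unrelated": unrelated,
        "cleanup_ratio": restored / len(infection) if infection else 1.0,
    }

USERINIT = r"C:\WINDOWS\system32\userinit.exe"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"
DROPPED_DLL = r"C:\WINDOWS\system32\sample01.dll"
DROPPED_EXE = r"C:\WINDOWS\Temp\sample02.exe"
SCAN_LOG = r"C:\Program Files\ExampleScanner\scan.log"

BASELINE = {USERINIT: "userinit-clean", RUN_KEY: "run-clean", HOSTS: "hosts-clean"}
INFECTED = {USERINIT: "userinit-patched", RUN_KEY: "run-with-sample",
            HOSTS: "hosts-clean", DROPPED_DLL: "dll-1", DROPPED_EXE: "exe-2"}
# After the scan: Run key repaired, sample02.exe removed, sample01.dll missed,
# userinit.exe deleted rather than repaired, scanner wrote its own log.
CLEANED = {RUN_KEY: "run-clean", HOSTS: "hosts-clean",
           DROPPED_DLL: "dll-1", SCAN_LOG: "log-1"}

if __name__ == "__main__":
    for name, value in assess_cleanup(BASELINE, INFECTED, CLEANED).items():
        print(f"{name}: {value}")
```

Separating the "partial" bucket from "residual" matters for a rescue test: a scanner that deletes a patched system file has removed the infection but has not returned the machine to its first snapshot.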