The ICSA Anti-Virus Certification Scheme DOS/Windows/Other Platform Certification Process http://www.icsalabs.com/html/communities/antivirus/certification.

shtml -------------------------------------Properties of Anti-Virus Certification -------------------------------------ICSA tests and certifies that anti-virus scanners pass a number of stringent tests. The testing adheres to the following criteria: - Testing performed by an independent organization Testing performed by an unbiased organization - Tests done on the most current version of the products - All major products are tested - All significant platforms are used for testing - Tested on an on-going basis (at least monthly) - Test criteria are objective - Tests are "real-world" oriented - Tests chec for viruses "in the wild" - Test criteria are made public - Tests are "peer-reviewed" - Anti-virus product developers are consulted - Independent anti-virus experts are consulted - Large corporate users of AV products are consulted - Large computer security firms are consulted - Test results are made public - And, the certification can be revo ed for the failure of a product to maintain these standards. ----------------------------------------------------------------The ICSA Certification Scheme for DOS/Windows and Other Platforms ----------------------------------------------------------------The old ICSA certification scheme required products to detect 90% of the ICSA virus library. This was carried out on a release-by-release basis (ie was version number dependent) and was designed to ensure that certified products had 'adequate' virus detection capabilities. While this testing methodology gave the user some information about the efficiency of the software, it does not fully address the real threat. It was for this reason that the new scheme was developed. Note that the new scheme is still in it's infancy, and that new tests will be being added month by month. When one studies the epidemiology of viruses, one notices that although there are 6000+ viruses nown for the IBM PC or compatible, there are only a couple of hundred 'in the wild' (that is, actively spreading on PCs). A list of such viruses is maintained by Joe Wells. By collating statistics provided by over 30 contributors from many different countries, Wells' trac s those viruses which are reported. Participants in the list include all the major anti-virus software developers, and several independent researchers. The list is bro en down into two parts: an upper list, for viruses which have been seen by two or more participants, and a lower list, which is made up of those viruses seen by only one participant. The new ICSA certification scheme is designed to focus on the real threat to corporate PCs: those viruses nown to be in the wild. In order to be certified, a product must pass the following tests: 1. Certified products must detect 100% of all those viruses defined

as 'in the wild' according to the upper part of the Wild List. As new viruses are discovered all the time, the Wild List used is the one which was current two months prior to the date of the certification test. 2. Certified products must still detect a minimum of 90% of the ICSA virus 'Zoo', made up of samples of some of the 6000+ other viruses nown. These tests are carried out with the product running its default mode of operation, with the exception of using any appropriate logging facilities. ------------------------Certification Maintenance ------------------------Once a product is certified, ICSA will attempt to recertify the product a minimum of 4 times per year. Each certification attempt will be carried out without the prior nowledge of the developer. This helps to ensure that every release of the product is capable of meeting the certification criteria, not just a special 'certification' version. If a product fails either test I or II, the vendor will be given 7 days to supply a fix for the problem, and ma e this fix publicly available. If this time limit is not met, the product will be removed from the certified product list available from this Web site. This list will be maintained in such away that a product's certification history (passes and failures) will be visible. Once a product has been decertified, certification can only be regained when the vendor ships through its normal distribution channel a version of the product which is certifiable. A special fix just sent to ICSA for testing is not acceptable. --------------------Collection Management --------------------One of the most important factors to consider when carrying out a set of detection tests on anti-virus software is the way in which the virus library is managed. It is also vital to now which vendors (if any) have access to the actual test samples used, and the way in which the library is created. No sample used in the ICSA 'in the wild' test-set is sent out to any vendor. However, should a virus be missed during a certification attempt, a replicant of that sample (note that this is not a copy of the actual sample) will be sent out to the vendor for inclusion in the next release of the product. This process ensures that vendors have reliable detection algorithms for each virus in the collection. In the case of a polymorphic virus, multiple copies of each virus is used, to ensure that the product tested can detect that virus with accuracy. Copies of individual replications of each virus from within this test-set are not made available to vendors; thus, the test is carried out against an 'unseen' collection of files. In order to pass this test, the product must detect every replication in the test-set. All viruses in the collection are attached to standard Goat files,

--------------------------ICSA Certification Web Page --------------------------The ICSA Web page listed below will always contain the latest in certification information and testing scheme. http://www.icsalabs.com/html/communities/antivirus/certification.shtml

ensuring that no 'first generation' samples are in the collection. Furthermore, should a virus be missed during certification, a chec is made to ma e certain that the file is not corrupted and is capable of replication.