The NCSA Anti-Virus Certification Scheme DOS/Windows/Other Platform Certification Process http://www.ncsa.com/avpdcert.html -------------------------------------- Properties of Anti-Virus Certification -------------------------------------- NCSA tests and certifies that anti-virus scanners pass a number of stringent tests. The testing adheres to the following criteria: - Testing performed by an independent organization Testing performed by an unbiased organization - Tests done on the most current version of the products - All major products are tested - All significant platforms are used for testing - Tested on an on-going basis (at least monthly) - Test criteria are objective - Tests are "real-world" oriented - Tests check for viruses "in the wild" - Test criteria are made public - Tests are "peer-reviewed" - Anti-virus product developers are consulted - Independent anti-virus experts are consulted - Large corporate users of AV products are consulted - Large computer security firms are consulted - Test results are made public - And, the certification can be revoked for the failure of a product to maintain these standards. ----------------------------------------------------------------- The NCSA Certification Scheme for DOS/Windows and Other Platforms ----------------------------------------------------------------- The old NCSA certification scheme required products to detect 90% of the NCSA virus library. This was carried out on a release-by-release basis (ie was version number dependent) and was designed to ensure that certified products had 'adequate' virus detection capabilities. While this testing methodology gave the user some information about the efficiency of the software, it does not fully address the real threat. It was for this reason that the new scheme was developed. Note that the new scheme is still in it's infancy, and that new tests will be being added month by month. When one studies the epidemiology of viruses, one notices that although there are 6000+ viruses known for the IBM PC or compatible, there are only a couple of hundred 'in the wild' (that is, actively spreading on PCs). A list of such viruses is maintained by Joe Wells. By collating statistics provided by over 30 contributors from many different countries, Wells' tracks those viruses which are reported. Participants in the list include all the major anti-virus software developers, and several independent researchers. The list is broken down into two parts: an upper list, for viruses which have been seen by two or more participants, and a lower list, which is made up of those viruses seen by only one participant. The new NCSA certification scheme is designed to focus on the real threat to corporate PCs: those viruses known to be in the wild. In order to be certified, a product must pass the following tests: 1. Certified products must detect 100% of all those viruses defined as 'in the wild' according to the upper part of the Wild List. As new viruses are discovered all the time, the Wild List used is the one which was current two months prior to the date of the certification test. 2. Certified products must still detect a minimum of 90% of the NCSA virus 'Zoo', made up of samples of some of the 6000+ other viruses known. These tests are carried out with the product running its default mode of operation, with the exception of using any appropriate logging facilities. ------------------------- Certification Maintenance ------------------------- Once a product is certified, NCSA will attempt to recertify the product a minimum of 4 times per year. Each certification attempt will be carried out without the prior knowledge of the developer. This helps to ensure that every release of the product is capable of meeting the certification criteria, not just a special 'certification' version. If a product fails either test I or II, the vendor will be given 7 days to supply a fix for the problem, and make this fix publicly available. If this time limit is not met, the product will be removed from the certified product list available from this Web site. This list will be maintained in such away that a product's certification history (passes and failures) will be visible. Once a product has been decertified, certification can only be regained when the vendor ships through its normal distribution channel a version of the product which is certifiable. A special fix just sent to NCSA for testing is not acceptable. --------------------- Collection Management --------------------- One of the most important factors to consider when carrying out a set of detection tests on anti-virus software is the way in which the virus library is managed. It is also vital to know which vendors (if any) have access to the actual test samples used, and the way in which the library is created. No sample used in the NCSA 'in the wild' test-set is sent out to any vendor. However, should a virus be missed during a certification attempt, a replicant of that sample (note that this is not a copy of the actual sample) will be sent out to the vendor for inclusion in the next release of the product. This process ensures that vendors have reliable detection algorithms for each virus in the collection. In the case of a polymorphic virus, multiple copies of each virus is used, to ensure that the product tested can detect that virus with accuracy. Copies of individual replications of each virus from within this test-set are not made available to vendors; thus, the test is carried out against an 'unseen' collection of files. In order to pass this test, the product must detect every replication in the test-set. All viruses in the collection are attached to standard Goat files, ensuring that no 'first generation' samples are in the collection. Furthermore, should a virus be missed during certification, a check is made to make certain that the file is not corrupted and is capable of replication. This page updated September, 1996 by jsalzman@ncsa.com. © Copyright, 1996, NCSA ®. --------------------------- NCSA Certification Web Page --------------------------- The NCSA Web page listed below will always contain the latest in certification information and testing scheme. http://www.ncsa.com/avpdcert.html ===================================================================== ===================================================================== National Computer Security Association 10 S. Courthouse Avenue Carlisle, PA 17013 USA http://www.ncsa.com (717) 258-1816