Various security vendors and software testing organizations met in Seoul last week, forming the Anti-Malware Testing Working Group. The main task of this coalition is to determine the best way to conduct behavioral tests on security software.
Some of the big names were present, such as Panda, F-Secure, and Symantec, as well as testing organizations, such as AV-Test.org and Virus Bulletin.
Behavioral tests are time-consuming but important, since the style of test replicates how PCs encounter malicious software on the Internet, such as through Trojan horse programs in e-mail attachments or through browser exploits, Marx [he works for AV-Test] said.
Those tests are seen as superior to signature-based tests, in which the virus detection engine is run against a batch of thousands of malware samples. But signature tests do not cover other security technologies used to detect a threat, such as those that notice when a new program starts communicating with a remote server over the Internet.
The desire to establish a common standard appears to be genuine, according to Ars Technica. The report from the ground is that the various companies seem sincere about creating an effective standard for measuring the performance of their products and that no pressure was put on product testers to lean in any specific direction in their testing.
If you recall, there was a huge furor some time back over the exact mix of viruses used to test any particular antivirus product (see the blog post “Not all AV tools are created equal: Uproar from AV vendors kicks off round two”). The reason is that results can be adversely affected and manipulated by throwing in an arcane virus that might not even exist anymore, except in labs.
So, having a generally accepted way of testing appears to make sense.
However, the question that I want to pose is whether antivirus software is the right way forward, or whether other techniques such as whitelisting should be favored instead. If you are not sure what whitelisting is, I wrote a piece on it just a couple of weeks back titled “Securing from the inside: Whitelisting.”
What is your opinion on the state of AV software?