Responsible anti-malware testing

As I have mentioned before, one of my roles here at Sophos is to work with various industry testers and ensure that Sophos products participate in relevant tests and that when they are tested they are tested fairly and sensibly. In truth, most tests conducted are pretty reasonable, are done with consent and produce consistent results.

One particular test has been brought to my attention recently; it was from Secunia and we weren’t involved in it.

This test raises, perhaps, the commonest question we are asked about such tests, namely why wasn’t Sophos involved? Sometimes we don’t know, sometimes the tester is running to a budget and we don’t fit their profile. The most common reason is that a test is aimed at the home user market and as Sophos does not have a retail product it is often excluded from these tests.

As I said, my goal is to work with testers to ensure our product is tested fairly and to then take on the chin whatever results they come up with. In some we will do well, in others we need to improve.

The Anti Malware Testing Standards Organization (AMTSO) was formed earlier this year to improve testing standards. It has taken time to develop standards for testing and the next meeting is being held here at Sophos on Thursday and Friday next week – 30/31 Oct.

At this meeting AMTSO aims to finalise their guidelines for dynamic testing of malware and also some generic testing guidelines. This will be an important milestone for AMTSO as it will be the start of a series of documents that will help promote responsible testing across the industry.

The documents under discussion can be found on the AMTSO website.

I’ll post more after the meeting to update you on progress made.