                 The ICSA Anti-Virus Certification Scheme
            DOS/Windows/Other Platform Certification Process
   http://www.icsalabs.com/html/communities/antivirus/certification.shtml

--------------------------------------
Properties of Anti-Virus Certification
--------------------------------------
ICSA tests and certifies that anti-virus scanners pass a number of
stringent tests. The testing adheres to the following criteria: 

 - Testing performed by an independent organization Testing performed
   by an unbiased organization 
 - Tests done on the most current version of the products 
 - All major products are tested 
 - All significant platforms are used for testing 
 - Tested on an on-going basis (at least monthly) 
 - Test criteria are objective 
 - Tests are "real-world" oriented 
 - Tests check for viruses "in the wild" 
 - Test criteria are made public 
 - Tests are "peer-reviewed" 
 - Anti-virus product developers are consulted 
 - Independent anti-virus experts are consulted 
 - Large corporate users of AV products are consulted 
 - Large computer security firms are consulted 
 - Test results are made public 
 - And, the certification can be revoked for the failure of a product
   to maintain these standards. 


-----------------------------------------------------------------
The ICSA Certification Scheme for DOS/Windows and Other Platforms
-----------------------------------------------------------------
The old ICSA certification scheme required products to detect 90% of
the ICSA virus library. This was carried out on a release-by-release
basis (ie was version number dependent) and was designed to ensure 
that certified products had 'adequate' virus detection capabilities. 
While this testing methodology gave the user some information about 
the efficiency of the software, it does not fully address the real
threat. It was for this reason that the new scheme was developed. 
Note that the new scheme is still in it's infancy, and that new tests
will be being added month by month. 

When one studies the epidemiology of viruses, one notices that 
although there are 6000+ viruses known for the IBM PC or compatible, 
there are only a couple of hundred 'in the wild' (that is, actively 
spreading on PCs). A list of such viruses is maintained by Joe Wells.
By collating statistics provided by over 30 contributors from many 
different countries, Wells' tracks those viruses which are reported. 
Participants in the list include all the major anti-virus software 
developers, and several independent researchers. The list is broken 
down into two parts: an upper list, for viruses which have been seen 
by two or more participants, and a lower list, which is made up of 
those viruses seen by only one participant. 

The new ICSA certification scheme is designed to focus on the real
threat to corporate PCs: those viruses known to be in the wild. In 
order to be certified, a product must pass the following tests: 

 1. Certified products must detect 100% of all those viruses defined 
    as 'in the wild' according to the upper part of the Wild List. As
    new viruses are discovered all the time, the Wild List used is 
    the one which was current two months prior to the date of the 
    certification test. 
 2. Certified products must still detect a minimum of 90% of the ICSA
    virus 'Zoo', made up of samples of some of the 6000+ other 
    viruses known. 

These tests are carried out with the product running its default mode
of operation, with the exception of using any appropriate logging 
facilities.


-------------------------
Certification Maintenance
-------------------------
Once a product is certified, ICSA will attempt to recertify the
product a minimum of 4 times per year. Each certification attempt 
will be carried out without the prior knowledge of the developer. 
This helps to ensure that every release of the product is capable of 
meeting the certification criteria, not just a special 
'certification' version. 

If a product fails either test I or II, the vendor will be given 7 
days to supply a fix for the problem, and make this fix publicly 
available. If this time limit is not met, the product will be removed
from the certified product list available from this Web site. This 
list will be maintained in such away that a product's certification 
history (passes and failures) will be visible. 

Once a product has been decertified, certification can only be 
regained when the vendor ships through its normal distribution 
channel a version of the product which is certifiable. A special fix
just sent to ICSA for testing is not acceptable.


---------------------
Collection Management
---------------------
One of the most important factors to consider when carrying out a set
of detection tests on anti-virus software is the way in which the 
virus library is managed. It is also vital to know which vendors (if 
any) have access to the actual test samples used, and the way in 
which the library is created.

No sample used in the ICSA 'in the wild' test-set is sent out to any
vendor. However, should a virus be missed during a certification 
attempt, a replicant of that sample (note that this is not a copy of 
the actual sample) will be sent out to the vendor for inclusion in 
the next release of the product. This process ensures that vendors 
have reliable detection algorithms for each virus in the collection.

In the case of a polymorphic virus, multiple copies of each virus is 
used, to ensure that the product tested can detect that virus with 
accuracy. Copies of individual replications of each virus from within
this test-set are not made available to vendors; thus, the test is 
carried out against an 'unseen' collection of files. In order to pass
this test, the product must detect every replication in the test-set.

All viruses in the collection are attached to standard Goat files, 
ensuring that no 'first generation' samples are in the collection. 
Furthermore, should a virus be missed during certification, a check 
is made to make certain that the file is not corrupted and is 
capable of replication.


---------------------------
ICSA Certification Web Page
---------------------------
The ICSA Web page listed below will always contain the latest in
certification information and testing scheme.

http://www.icsalabs.com/html/communities/antivirus/certification.shtml
