Recommendations when including detection technologies in multi-scanner services
San Francisco, 16 August 2016
In the below statement the following terms are used:
1) Multi-scanner service: a public- or private-facing file classification service that includes multiple anti-malware detection technologies in its scan pipeline. The service may also offer APIs and other feeds to improve detection efficacy.
2) Vendor: an organization that sells or plans to sell anti-malware products and solutions.
If any multi-scanner service is considering including a vendor’s detection technology, AMTSO recommends having the detection technology or a product containing it certified by an AMTSO-member tester. If the multi-scanner service is considering including the detection technology in their pipeline, AMTSO recommends that they consider the following:
1) No free ride: The certification should include an attestation by the tester that the certification test was not based on that service's available samples.
2) Efficacy: Vendors cannot use the results of the multi-scanner service to market or highlight detection efficacy or deficiencies.
In addition, if a Vendor wants access to a multi-scanner service’s API and feeds to improve detection efficacy, AMTSO recommends that the service consider the following:
3) Vendor gives as well as they get: Vendor participates in balanced two-way sample sharing with others in the industry, preferably with an industry-accessible repository.
4) Vendor supports, is participating in, and is playing fair in tests: Vendor commits to following AMTSO’s fundamental principles of testing. Vendor has submitted either the detection technology, or a product with the detection technology, to a public comparative test following AMTSO’s new test certification standards, which are under development, and are based on the current framework.
- Open Issue: an open issue is whether we should qualify “public comparative test” as a “whole product test”, set forth in Item 4, above. We intend to resolve this issue in Malaga. By reference, please see AMTSO’s Guidelines on Whole Product Testing.
Finally, for both the pipeline and API/feeds, AMTSO recommends:
5) Applies equally to all: That the multi-scanner service applies its policies consistently across both new entrants and the existing detection technologies already in its pipeline.
6) The multi-scanner service makes the call: This is AMTSO's recommendation; the service should continue to apply its existing criteria as well, review the scores from existing public comparative tests run by AMTSO members, and draw its own conclusions.