Previous versions of the Standard are available for reference on our Documents page.
The AMTSO Testing Protocol Standard was approved and adopted by the AMTSO membership in May 2018. The AMTSO Standard is subject to an ongoing review process and is updated regularly to reflect changing requirements and testing techniques. The latest version was approved by AMTSO membership in November 2019.
If you have any suggestions or recommendations for the team maintaining the Standard, please use our Standards Change Request Form – we welcome input on the Standard project from anyone interested in security testing, both within and outside the AMTSO membership.
All test labs that are aiming to comply with the AMTSO Standard for a particular anti-malware test must provide AMTSO with formal notification and publish a detailed test plan prior to starting the test. This process is intended to provide vendors and other interested parties an opportunity to review the test plan and provide their input, highlighting any potential issues with the test design.
Test notifications can be issued directly by the test lab, or the test lab can use the AMTSO Contact List system to reach the right people within each targeted vendor’s organization.
Each test going through the process of complying with the AMTSO Standard is tracked against a number of metrics. You can find complete information on all tests following the Standard, including details of notifications, vendor feedback, and compliance status, via our test tracking system.
AMTSO Testing Protocol Standard compliance process
- A test lab decides to run a test under the AMTSO Standard, and creates a detailed Test Plan defining how the test will be run, including a schedule of important dates.
- The test lab issues a formal notification of the test to all vendors whose products they plan to test. Notifications can be issued directly by the test lab, or can be sent via AMTSO using the AMTSO Contact List system to reach the right people within each vendor’s organization.
- AMTSO posts the notification details publicly, and in most cases also the Test Plan. You can find all of them in our test tracking system.
- Vendors have an opportunity to review the Test Plan and provide their input, highlighting any potential issues with the test design. In return, they provide assurances that they will cooperate with the tester and refrain from interfering with the running of the test.
- The test is run and data is gathered for a final review or report.
- At the end of the test, vendors have another opportunity to comment on how the test was executed.
- AMTSO reviews all test data, including feedback from participating vendors, and confirms whether the requirements of the Standard were met.
- All information on the test, including feedback from vendors and compliance status, are posted to the AMTSO test tracking system.
As part of the Standards project, AMTSO maintains a comprehensive Contact List system, enabling testers and vendors to open lines of communication on testing matters.
One of the main aims of the Contact List is to ensure that all vendors potentially included in tests are given notification of upcoming tests, along with the proposed methodology in the form of an official AMTSO test plan. Vendors are then able to comment on any potential issues with the test plan prior to a test commencing, and can also register their interest in taking in active role in the running of the test.