How do you know whether your anti-virus software is protecting your staff properly? And can you be sure that it isn’t doing anything else that it shouldn’t be? The European Institute for Computer Antivirus Research (EICAR) is working with anti-virus vendors and labs on a voluntary quality certification standard to ensure that this software is up to par. It is also hoping to expand the standard to include other security product categories later in the year.
EICAR has already completed the standard for certifying anti-virus products, and is now working on a standard testing procedure, along with a standard for certifying testing labs. That won’t be completed until at least the end of this year.
Test labs can apply for certification, and EICAR will charge a licence fee. It will work with AV Test Labs and the University of Mannheim for technical support, the University of Leuven in Belgium for cryptographic issues, and the University of Hannover for legal issues, said Rainer Fahs, chair of the board at EICAR.
“The standard is developed to enhance trust in IT security products and in a first step, anti-malware products,” said Fahs. He added that it would give both consumer and enterprise users more confidence that products do only what they are designed for with no hidden functionality, that they comply with data privacy regulations, and that they don’t include any ‘third party access’ scheme. But what kind of schemes and subterfuge is he talking about?
There have been a few instances of anti-virus programs secretly doing things with user data behind the scenes, including AVG’s Windows Phone software back in 2011, and, allegedly, Chinese firm Qihoo 360 Technology’s software in 2013. But Fahs didn’t highlight any major problems with legitimate anti-virus vendors defrauding users of their data.
Instead, this venture may be at least partly a reaction to recent news that the NSA was infiltrating anti-virus software and gleaning information from it about user activities. Kaspersky was a target here, and the firm has lent its support to the EICAR initiative.
“Recently we have seen public discussion questioning the impartiality of vendors. It seems to become more and more difficult for users to understand if their software really only does what it should and if their data is secured as it should be,” said a spokesperson for Kaspersky Lab.
“Although we and other vendors have been explaining that we have no ties to any governments and have demonstrated full transparency, these discussions are still going on,” continued the spokesperson, adding that anti-virus vendors willfully violating privacy wasn’t the main concern, because the legitimate ones are respectful of user data.
“Trust and transparency are vital for consumers and for the fight against cybercrime. Without this fundamental, consumers will not trust the industry to protect them and their information and ultimately cybercrime will flourish,” he concluded, adding that an independent quality seal could help with that.
This might explain one key part of EICAR’s commitment when announcing the standard. It will demand that compliant anti-virus software vendors provide assurance that they have not been manipulated. But how can they ensure that?
“In the worst case by source code evaluation,” said Fahs. “However, we are only at the first step and for the beginning we trust the vendors ensuring us that their products are not – at least not by the vendors – manipulated.”
That does seem to leave a window for interference by nation-state actors, who seem to be rather good at reverse-engineering software tools and then taking advantage of any weaknesses that they find. But it’s a start, and might be a useful benchmark for CIOs and their staff when evaluating suitable software to protect them against viruses.
Over time, EICAR hopes to expand this standard into other types of security product. It is working with the University of Mannheim on that, and has routers and firewalls in its sights.