Is your antivirus software in full working order?

You don't have to start a fire to check whether the smoke detectors in your house are doing their job – you just press the test button for a quick verification. Now you can test your antivirus protection in much the same way, as yesterday, the Anti-Malware Testing Standards Organisation (AMTSO) announced the release of five tools to help users verify that their antivirus protection is indeed working.

Dr Richard Ford, President and CEO of AMTSO, stated: "Whether you are a consumer or business, understanding if your endpoint anti-malware security product is configured correctly, detecting then blocking different types of attacks, is an essential element to giving the user or administrator the knowledge and comfort that their security solution is working on multiple levels to protect their valuable digital assets."

Vendor participation

The way these tests work is really quite simple. Participating antivirus vendors just agree that they will configure their product to detect specific harmless files or web pages the same way they would a malicious file. Fifteen major vendors have signed on so far, though not all of them support all of the feature checks. Tony Anscombe, AMTSO's VP of Marketing, explained that "AMTSO expect more vendors will add detection of these tools to their solutions in the future."

Each test page lists the vendors that definitely support the particular test. If your vendor is listed but your antivirus fails the test, you've got a problem... and a solution. Text on the test pages says: "Click on the name of the vendor for instructions explaining how to enable the feature in your product." At present it looks like these links just go to the vendor's main page, not to specific instructions. I assume this will be corrected before long.

What can you check?

Years ago the European Institute for Computer Antivirus Research (now simply called EICAR) proposed that all antivirus vendors agree to detect a specific, tiny, non-malicious file, thereby making it possible to verify that antivirus protection is working without actually using malware. The vast majority of antivirus products support the EICAR test file, typically detecting it with a name like "EICAR_Test_File_Not_A_Virus."
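A local version of that check, as an added example that is not code from EICAR, AMTSO or any vendor: it writes the standard 68-byte EICAR test string to a temporary folder and reports whether on-access protection blocked, removed or altered the file. The file name, the five-second wait and the exit-code convention are assumptions made for this sketch.

```python
import os
import sys
import tempfile
import time

# The 68-byte EICAR test string, kept in two pieces so that a scanner
# reading this source file does not flag the script itself.
_PARTS = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-",
          "ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_bytes():
    """Return the EICAR test file content as bytes."""
    return "".join(_PARTS).encode("ascii")


def classify(path, expected):
    """Compare what is on disk with what was written."""
    if not os.path.exists(path):
        return "removed"        # deleted or quarantined
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "blocked"        # present, but access is denied
    return "intact" if data == expected else "modified"


def drop_and_check(directory, payload, wait=5.0, poll=0.5):
    """Write payload, then poll until something intervenes or time runs out."""
    path = os.path.join(directory, "feature-check-sample.com")  # assumed name
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
    except OSError:
        return "blocked"        # the write itself was refused
    deadline = time.monotonic() + wait
    while True:
        state = classify(path, payload)
        if state != "intact" or time.monotonic() >= deadline:
            return state
        time.sleep(poll)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        state = drop_and_check(tmp, eicar_bytes())
    print("on-access scan result:", state)
    sys.exit(0 if state != "intact" else 1)  # non-zero: nothing reacted
```

An "intact" result only means nothing reacted within the wait window; a product that scans on execution or on a schedule rather than on write can still detect the file later.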

Two of AMTSO's feature check pages make use of this venerable file. One verifies that your antivirus catches it as a simple download. That's something you could do just by visiting EICAR, of course. However, the other page checks to make sure your antivirus also catches the EICAR file when delivered through a drive-by download.

Some programs that don't do serious harm to your system or your privacy can still cause trouble by, for example, plastering unwanted ads on your screen. Most antivirus programs include the option to detect these "Potentially Unwanted Programs," though this feature isn't always turned on by default. You can use AMTSO's feature check page to verify whether your antivirus supports this type of detection, and to make sure it's properly configured to do so.

Many antivirus products include phishing detection, but often this isn't very effective. A phishing web page looks exactly like the login page for a secure site, such as your bank's. If you enter your username and password, you've just handed your bank account to a hacker. In my own tests, I'm frequently unsure whether the feature is working at all. AMTSO's phishing test page will be a huge help in those situations.

Cloud-based malware detection has many benefits, among them the fact that malware signatures exist on the server, not on every client, and any updates take place immediately. AMTSO's new CloudCar file works just like the EICAR file, except that participating vendors configure their products so only cloud-based analysis detects it. This is a particularly tough feature to check without some kind of help, since many products don't distinguish between local and cloud-based detection.

The new active AMTSO

The AMTSO was formed in 2008, and its members spent a number of years codifying best practices for testing anti-malware products. Holding several yearly meetings under the leadership of a Board of Directors served the group well during this phase.

Last year, the group restructured its leadership, adding a full set of executive officers. The set of antivirus feature check pages is the first visible success from the new leadership, and it's most impressive. Look for more to come from AMTSO in the future – and right now, you can go to the AMTSO website and make sure your antivirus is working!