The true power of CIS is in the fact that with default deny and the sandbox it is very hard to get infected. And that is without antivirus.
That's why I am not worried whether the AV gets certified or not. An AV is a nice addition but nothing more than that.
Unfortunately, for many, testing is still seen as the final word on the efficacy of a security product, therefore vendors need to "play the game" to a degree.
For me a lot of the tests are of limited use when determining how good a product is. Most just put out a flat percentage of "detection", which can be misleading.
For example, Product A scores 95%, Product B 90%... A must be better, right? Not necessarily.
If the 5% missed by "A" are the most prevalent and/or the most damaging malware, whereas "B" misses relatively uncommon/less damaging threats, then in the real world Product B actually offers better protection.
This is before we even take into account how each product deals with the stuff it doesn't detect, in terms of mitigation such as sandboxing, etc.