Who Tests the Testers?

As I am new here I suspect I will be viewed with some suspicion, so I am going to try and explain why I am asking this question.

I wrote in another post that I am doing research to find another anti-virus product after using a company for about 7 years and before that a company for about 2 years, and I don’t really remember too much about before that.

But when I did my research before going to my previous company I didn’t have time for too much research and relied a lot upon the experiences of some fellow staff members on the site I was running at that time. Well, co-running – being one of two user admins.

So this time I have a little more time to be able to sort through all the issues I can think of, and I obviously ran smack into what seems to be a feud between CIS and another testing service. That almost makes me dizzy from trying to figure it all out, and so I am looking through the pages of other testers, and I am getting even dizzier with all the conflicting results and back-and-forth. I just don’t know what to make of all the testing going on and who to trust and all.

Then it hits me – who tests the testers?

I mean, where can we find out what tester to trust?

Seems there is a whole lot of behind-the-scene(s) stuff going on and us normal folk can’t be sure who to trust.

And I am already aware that “non-profit” means diddly when trying to figure out who to trust. People can still get a really good salary when working for a non-profit, so that “non-profit” label doesn’t mean squat to me.

I don’t think governments have any money for testing, so who can we turn to to sort all this testing stuff out?

Or are we just stuck going through tons of text to try and sort it out for ourselves?

Hello! First of all, no suspicion at all, you are with us now :) Second of all, are you talking about so-called ‘independent testing labs’ like AV-Comparatives? If so, you can’t trust them or any other, as there is a lot of evidence that they take money and add the needed results for the AV companies in order to make them look good. Who can you trust? It’s a good Q… Well, I say you can only trust yourself. I never got infected with Comodo yet, but using other security I did. Why? Maybe due to luck? No, it’s due to Default Deny, the only architecture which can protect you. All others use unreliable Default Permit architecture, apart from Comodo. The AV market today is full of brainwashing anyway; it’s all about sales, not protection. So who makes sure that such ‘independent testing labs’ stay in line? Nobody. But I do trust YouTube guys who test such products, but even I hear from some of them that if you criticize the product too much you get ‘hard words’ from the company whose product you are testing. You can argue here as well that some YouTube guys can’t be trusted either. Talking about governments… They are not too far away from the ‘independent testing labs’. Governments always have money, but they just spend it on the wrong things.

Thank you for the response, Seany007.

I must confess, though, that I saw and let pass a thread that may have been a partial answer. I mean I saw that thread a couple of times, at least, while I have been studying this and that, and before I asked my question here in this thread. I guess I was too focused on getting some test results for CIS.

Anyway, the thread that I finally paused long enough to read is here:


That is about ISO certification for that tester you noted in your post, I think. Spelling isn’t quite the same as what I thought it should be, but it is probably the same. Mind you I am not really interested in focusing on only one tester.

Point is, though, I saw that thread a couple of times, but didn’t read it and then a little while ago it hit me that as ISO is a standards board, that thread must be an indication that there is some sort of process/protocol for the ISO folks to check a tester.

Problem is, I just tried to search for information related to ISO and anti-virus anything and came up with blanks.

Does anyone know the web page that can explain the ISO’s role in testing anti-virus products and/or the testers of such products?

I’d appreciate the help.

Oh, you wanted to know this… ISO certification is for AV-Comparatives, not Comodo. AV-Comparatives is just one I talked about, but it includes many others. It’s not like they need to have an ISO, and that’s a problem today.

What is ISO:

The info you look for:


"ISO/IEC 17025:2005 specifies the general requirements for the competence to carry out tests and/or calibrations, including sampling. It covers testing and calibration performed using standard methods, non-standard methods, and laboratory-developed methods.

It is applicable to all organizations performing tests and/or calibrations. These include, for example, first-, second- and third-party laboratories, and laboratories where testing and/or calibration forms part of inspection and product certification.

ISO/IEC 17025:2005 is applicable to all laboratories regardless of the number of personnel or the extent of the scope of testing and/or calibration activities. When a laboratory does not undertake one or more of the activities covered by ISO/IEC 17025:2005, such as sampling and the design/development of new methods, the requirements of those clauses do not apply.

ISO/IEC 17025:2005 is for use by laboratories in developing their management system for quality, administrative and technical operations. Laboratory customers, regulatory authorities and accreditation bodies may also use it in confirming or recognizing the competence of laboratories. ISO/IEC 17025:2005 is not intended to be used as the basis for certification of laboratories.

Compliance with regulatory and safety requirements on the operation of laboratories is not covered by ISO/IEC 17025:2005."

One more thing: if you need more info about it, type in Google:

ISO/IEC 17025:2005


Thank you for your continued assistance, Seany007.

Now I can offer something I have come across as I study this issue:

We have on that page links to documents from the Anti-Malware Testing Standards Organization.

Range is from October 2008 through February 2012.

You are welcome. Looks interesting. But it seems to me that this AMTSO is the same as ISO, only more specific. But once again, it’s not mandatory.

Also it comes with some controversy: “The wider security community and even testers find it hard to trust an organization whose membership includes a preponderance of security vendors.”