
[Other] AV-C Testing Methodology and FAQ

trafly
Posted on 2011-8-19 02:51:43
This post was last edited by 圆谷光彦 on 2011-10-18 16:11

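First, a quick introduction: this series of posts is a translation of the AV-C Testing Methodology and FAQ. Because of time constraints, I will try to post one section per day. The full PDF is 26 pages in total. oh my smurf! I just don't know whether this fits the rules, *sweat*!

Adding the original text: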
Testing Methodology

1. The operating system is installed on a PC and updated to the latest available service pack, including important updates.
2. An image and a snapshot utility will be installed. Some other utilities may be installed, based on what kind of test is going to be performed and which tools are needed (for example, tools to track changes made to the system, etc.).
3. An image of the operating system is created and cloned to other (identically specified) PC’s.
4. The operating system is configured and the anti-virus product installed on the PC using default product settings.
5. An image for each PC is created and saved to an external hard disk.
6. When the test starts, all (anti-virus) products are updated at the same time, and images are actualized too. After that, PC’s are disconnected from the internet and isolated. (Depending on the test method and product, an active connection or a simulated internet may be made available).
7. The set of samples (clean set, malicious samples test-set, etc.) needed for the actual test is introduced.
8. The products are tested according to the test scope (for example, first with default settings, and then with the most paranoid settings).
9. Missed samples and any faults discovered are sent to the anti-virus vendors (in accordance with the test conditions). This applies to the published main tests.
10. Vendors get some weeks to peer-review the results and – if needed – we correct the results before we publish them.

The images of the anti-virus products of the February and August tests will also be used for the retrospective test. The images are also needed in order to be able to check at any time the same scenarios as were used during the test-phase.

When the PC’s are not used for testing, they are also used for sandboxing / sample analysis.


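AV-C Testing Methodology and FAQ [This translation is full of the translator's own asides, SORRY. If you don't like them, please skip the square brackets.]
Note: this document is currently being updated

Latest version: April 2009

www.av-comparatives.org

Section 1: Testing Methodology

  • The test PC has the operating system installed along with the latest service pack [WINDOWS XP SP3, WINDOWS 7 SP1], including important updates
  • A system image backup-and-restore tool is installed. Depending on the type of test, some other software and tools may also be installed (for example, tools that track changes to the system)
  • A system image is created and cloned to other PCs of identical specification [does everyone miss Symantec's Ghost?]
  • The operating system and the installed anti-virus product both use their default settings [maybe I should stop rendering Anti-Virus as 反病毒 after all]
  • An image is created for each PC and backed up to an external portable hard disk
  • When the test starts, all anti-virus products begin updating at the same time, and at the same time the images start running. After that, each computer is disconnected from the internet and isolated (depending on the product and method being tested, the computer's internet connection sometimes has to be kept)
  • The sample sets are prepared according to the actual needs of the test (whitelist set "clean set", virus sample set "malicious sample test-set", etc.) [I did not translate the virus sample set as "blacklist set" or "harmful sample set", and I have regrets about that]
  • Product testing always proceeds from the test scope (for example, first with default settings, then with paranoid settings) [paranoid settings, 囧, a funny adjective; perhaps changing it to "stricter settings" here would be easier to understand and more accurate, but I have been deeply infected by paranoid: Only paranoid alive. Such paranoid settings are presumably not crazy enough to make pure cloud-scanning software do offline local scanning, haha]
  • Missed samples and any faults discovered are submitted to the anti-virus vendors (together with the test environment). This item applies to the published main tests. [A new problem: for "in accordance with the test conditions" I have two translations, one as in the parentheses, the other "(while the test environment is running)". 囧, I lean towards the first]
  • Before the test results are published, vendors have a few weeks for a peer review of the test results, and if necessary we make the corresponding corrections before publication [peer review; well, peer, the peer in p2p, haha, so everyone reviews the competitors' data in the test results, haha. Another word came to mind, counterpart, very 囧. Also, one dictionary marks peer review as an auditing term, rendered with exactly the four characters 同业互查]


The images of the anti-virus products from February and August will also be used for the retrospective test. The images will also be used when something from the test process needs to be reproduced.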


trafly
Original poster | Posted on 2011-8-20 16:18:46

AV-C Testing Methodology and FAQ, Section 2: Sample Sorting

This post was last edited by trafly on 2011-8-20 16:20

AV-C original text

Sorting procedure
  • Samples from all sources are copied to the incoming server.
  • Encrypted and archived samples/collections are decrypted and extracted from archives.
  • Duplicate samples are weeded out.
  • File names are renamed to make sorting and maintenance more effective.
  • File extensions are renamed by a tool created in-house to its correct executable extension.
  • Unrecognized file formats are given the extension “.VIR” and are moved to a separate location (for further inspection).
  • Samples are analyzed, using various tools (commercial tools, for example, but also tools used and maintained by the anti-virus community) in order to recognize known garbage or non-working samples. We also use several other static analyzers, PE parser, and so on, including our own in-house tools.
  • Most known adware, hacker and virus tools, components, hoaxes, jokes, virus simulators, commercial software, constructors, keygens (key generators), cracks, key loggers, engines, sniffers, unviable (bad, corrupted, inactive, damaged or intended) samples, virus source code, various garbage and disputed files, and so on. Basically, files and gray-area samples that should not be included in the main test-sets – are sorted out. Working adware, spyware, etc. is maintained separately for future tests based on such types of threat.
  • All PE malware is analyzed by a sandbox developed by people working at AV-Comparatives, and also by various commercial sandboxes, in order to exclude non-working samples and other garbage. Non-PE malware is also checked by some automated tools, but usually they need to be checked manually, as are some PE files that our sandbox was not able to categorize reliably.
  • Viruses are verified by replication, but we do not always use the replicated samples for the tests – we use some of them to check whether viruses were added by the vendors with reliable accuracy, or whether some vendor only added some checksums in order to detect replicating viruses. The latter case may be considered as unacceptable by us and can lead to exclusion of the product concerned. If a file doesn’t seem viral or malicious we don’t include it. Instead, we move it to the “unwanted” database. (We also do this even if, for example, all anti-virus programs report the file as being infected – this means we don’t rely on anti-virus programs to select which samples to include in the test-set, and we advise any other testers not to do that either). Our test-sets do not contain samples that do not work under Microsoft Windows NT/2000/2003/XP/Vista. Old macro samples (prior to Microsoft Office 97) are not included either. In addition, we no longer include compromised HTML files.
  • Verified samples are sorted into the various categories we use; as this task is often tricky, we also use (for example) VGrep to see how anti-virus vendors would classify a sample (e.g. as a backdoor or worm). Sorting is based on the majority verdict. For example, if most products classify a malicious program as a backdoor and one product classifies it as a worm, we classify it as a backdoor too. There are only a few exceptional cases where we do not agree with the way the majority of products classify some malware and in that case our own classification will be applied. In case of replicating or polymorphic malware, we take care not to include a disproportionate amount of the very same variant, in order to avoid flawed results. This is also a reason why our test-sets often are “smaller” than others.
  • All samples are at some point validated. As automated systems (not to mention humans, especially students…) are not fool-proof, it can nevertheless happen that grey-area or totally inappropriate files also slip in (but they do get removed later from the sets).
  • We freeze the February and August test-sets, usually a few days before the test starts, which means that many files which have not been fully analyzed by automated tools or by humans are also included in the test-set. While the tests are already running we continue to check the recently added samples too, and remove any bad samples from the test-set afterwards. As the vendors will also receive all samples they missed in the meantime, they may also get some bad samples, but they will be removed before the end of the test and not counted as misses in the published report (and vendors have some weeks to report faults and bad samples).
  • After the tests, we look again to see whether there are any samples that were not detected by any product. Usually we find 2-3 files that are indeed not detected by any product, and on examination those files always turned out to be bad samples. We therefore decided that samples determined to be undetected by all tested products will be removed from the test-set, and will not be counted as misses in the test actually performed (since they are garbage).
  • In the testing month, we focus our analysis on the samples that were missed by the tested products. We start from those samples that were missed by most products, as they have a higher probability of being non-working.
  • Files reported as bad by vendors will be removed, and the results will be corrected before they are published on the website. Due to the (approximately) two weeks (peer-) reviewing procedure, we are also able to include in our sets fresh malware, and to analyze the samples even when the tests are already started. This also gives vendors the opportunity to report back testing faults or inappropriate samples, though they are not obligated to do so. This all helps to ensure that in the end we publish correct results for our readers. Anyway, since we commenced this methodology in research published at the begin of this year, some bad samples may still be in the test-set, but considering the size of the test-set, they should be so few, that they have practically no significant effect on the results and no discernable impact on the rankings or awards given. Should we ever find out in our QA that the error margin was higher than anticipated, or high enough to have an impact on a ranking or award, we will publish that information.

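The translation follows:
AV-C Testing Methodology and FAQ, Section 2
Sample Sorting


  • Samples from all sources are copied to the server
  • All encrypted and compressed samples/sample sets are decrypted and decompressed respectively
  • Duplicate copies of samples are removed
  • All file names are renamed to ensure more effective sorting and maintenance
  • A tool developed in-house is used to correct the virus file extensions to their original extensions
  • Files with unrecognized extensions are given the .VIR extension and moved to a separate location (for further identification)
  • Samples are analyzed with a variety of tools (commercial tools, for example, but also tools used and maintained by the anti-virus groups/community). This makes it possible to identify known garbage samples and non-working samples. We also use several other static analyzers and PE analyzers. Some of these tools were developed by ourselves.
  • Most adware, modifiers and virus tools, components, hoax viruses, virus simulation tools, commercial software, constructors, serial-number generators, crack files, keylogging tools, engines, sniffers and non-working scripts: these files and hard-to-define samples are not included in the main test sample set and are picked out of the sample set. Working adware, spyware and the like are sorted separately so that files of these categories can be tested further in the future
  • All PE malware is analyzed with a sandbox developed by AV-C itself, and is also analyzed with sandbox software from several commercial companies, to make sure that non-working samples and other garbage files are picked out. Non-PE malware is also analyzed with some automated tools, but these programs often need to be checked manually, because our sandbox cannot reliably identify and classify certain programs.
  • Viruses are all checked using the replication method; the replicated samples are only occasionally used in the tests. The purpose is to check whether a vendor understands the virus sufficiently well, or has only extracted MD5 values for the virus in order to detect the replicated viruses. We do not accept the latter approach, and will remove products that use this strategy from the tested products. If a file does not seem to be viral or malicious, we do not include it in the virus samples. Instead, we put it in the "other" database. (Even though all anti-virus programs may report the file as infected, we still use this strategy for sorting. This means that we do not rely on anti-virus programs to select samples for the test-set, and we also advise other testing organizations not to do so.) Our test-set does not contain samples that cannot work properly under Windows NT/2000/2003/XP/Vista. Outdated macro viruses (commonly seen in OFFICE 97) are not included in the test-set either. In addition, we no longer add infected HTML files to the test-set.
  • Accepted virus samples are sorted into different categories. Because this task is "full of challenges", we also use the VGrep tool to analyze how anti-virus vendors classify virus samples (categories such as backdoor, worm, etc.). Sorting follows the majority verdict. For example, if most products identify a harmful program as a backdoor and one product identifies it as a worm, we also put that harmful program in the backdoor category. There are only a few special cases in which we disagree with the classification of the majority of products, and then our own verdict prevails. For replicating or polymorphic harmful programs, we take care not to enter their variants into the virus sample library repeatedly, to avoid interfering with the accuracy of the results. This is also one of the reasons why our test-set is smaller than those of other organizations.
  • All samples are validated to some degree. Because automated programs (and also people, especially students) are not infallible, files that are hard to classify, or even completely inappropriate, are sometimes added to the sample set (after validation these files are deleted from the sample set)
  • We often freeze the February and August test sample sets a few days before the test starts. This also means that many files which have not been fully analyzed by automated tools and humans will be included in the sample set. While the test is running, we continue to check the recently added samples, and delete the invalid samples afterwards. As the vendors also receive the undetected samples in the meantime, they may also receive invalid samples, but these samples are removed before the end of the test and do not affect the accuracy of the finally published report (vendors have a few weeks to report these faults and invalid samples)
  • After the test ends, we check whether there are samples that none of the products detected. We often find two or three files that cannot be detected by any product, and final verification shows that these files are all non-working samples. We therefore decided that samples which none of the products can detect are removed from the test-set and are not counted as a miss (because they are useless garbage)
  • During the testing month, we analyze the samples that the tested products failed to detect, starting with the samples missed by the most products, because these samples have a greater probability of being invalid.
  • Damaged files reported by vendors are deleted, and the test results are corrected before publication. Because there are about two weeks for self-review and peer review, we are able to add the latest malware to the test-set and analyze the samples. This process also gives vendors the chance to report testing faults or inappropriate samples, although they have no such obligation. All of these measures ensure that the results we finally publish to readers are accurate. Because we adopted this methodology for testing at the beginning of this year (April 2009), some invalid samples may still be included in the test-set, but considering the size of the test-set, they will not have a significant effect, nor a decisive effect on product ratings. Should we find errors beyond what was expected, or errors sufficient to affect the ratings, we will publish that information.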

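The sorting steps in the post above (de-duplication, renaming by real file type with a .VIR fallback, majority-verdict classification, and the handling of missed samples), sketched as an added example; it is not AV-Comparatives' tooling and not part of the original post. The magic-byte table, the SHA-256 naming scheme, the tie handling and all function names are assumptions, and the sample bytes are constructed inert strings.

```python
import hashlib
from collections import Counter

# Magic bytes -> extension. Constructed table for illustration only; the
# in-house renaming tool mentioned in the post is not public.
MAGIC = [
    (b"MZ", ".exe"),                                 # DOS/PE header (also DLL, SYS)
    (b"%PDF-", ".pdf"),
    (b"PK\x03\x04", ".zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"),  # OLE2 compound file
]

# Constructed, inert byte strings standing in for files on the incoming server.
SAMPLES = [
    ("invoice.pdf.scr", b"MZ\x90\x00constructed-sample-A"),
    ("copy_of_invoice.bin", b"MZ\x90\x00constructed-sample-A"),  # duplicate of A
    ("report.tmp", b"%PDF-1.4 constructed-sample-B"),
    ("blob.dat", b"\x00\x01constructed-sample-C"),               # unknown format
]

def true_extension(data):
    """Pick the extension from file content, never from the submitted name."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return ".VIR"  # unrecognized format: set aside for further inspection

def triage(incoming):
    """Weed out duplicates by content hash and rename to <sha256><ext>.

    Returns (main, inspect): dicts mapping new name -> original names seen.
    """
    seen = {}
    for name, data in incoming:
        digest = hashlib.sha256(data).hexdigest()
        seen.setdefault(digest, (data, []))[1].append(name)
    main, inspect = {}, {}
    for digest, (data, names) in seen.items():
        ext = true_extension(data)
        (inspect if ext == ".VIR" else main)[digest + ext] = names
    return main, inspect

def majority_category(verdicts, override=None):
    """verdicts: product -> category label, or None when nothing was reported.

    override models the lab's own classification for the exceptional cases.
    A tie returns None (manual review); that rule is an assumption.
    """
    if override is not None:
        return override
    ranked = Counter(v for v in verdicts.values() if v).most_common()
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]

def review_queue(results):
    """results: sample -> {product: detected?}.

    Returns (dropped, queue). dropped: samples no product detected, removed
    from the set and not counted as misses. queue: remaining samples with at
    least one miss, most-missed first, since those are likeliest non-working.
    """
    dropped, missed = [], []
    for sample, by_product in results.items():
        misses = sum(1 for hit in by_product.values() if not hit)
        if misses == len(by_product):
            dropped.append(sample)
        elif misses:
            missed.append((misses, sample))
    missed.sort(key=lambda m: -m[0])
    return dropped, [sample for _, sample in missed]

if __name__ == "__main__":
    main_set, to_inspect = triage(SAMPLES)
    print(len(main_set), "sorted,", len(to_inspect), "set aside as .VIR")
```

Naming by content hash makes the duplicate check and the rename a single step, and it means a misleading submitted name such as `invoice.pdf.scr` never influences how the file is filed.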

trafly
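Original poster | Posted on 2011-8-22 01:47:17

AV-C Testing Methodology and FAQ, Section 3: Test Lab Security

All databases are encrypted with encryption software (PGP), and some of their contents are at least hard-encrypted with RAR3. The only person who can decrypt these files is the AV-C Chairman. An encrypted copy of all the databases is kept in a highly secure building in Munich.

Only fully trusted AV-C employees are authorized to access the virus samples, for the purpose of analyzing them on protected, isolated computers. The room housing the computers that carry unencrypted virus sample sets during the test phase is fully secured, monitored by video with motion detection, and the alarm system is connected directly to the police station and a private security service. In addition, this area is checked several times a day by an external security service to prevent unauthorized access. All storage media containing virus samples carry clear labels.

AV-C hands the undetected virus samples to trusted representatives of vendors that took part in the public tests only after the main tests in February and August have ended. We never hand any virus samples to unknown or untrusted vendors or individuals, whatever they may say. AV-C recognizes the risk of virus samples and takes countermeasures to make sure that no danger is brought to the public (that is, we will not let this material fall into the wrong hands)

People who plan to hand virus collections to AV-C should use the public PGP key to perform the compression.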

Test Lab Security
All the databases are encrypted by PGP and parts of them are at least hard encrypted by RAR3. The only person which can decrypt the files is the Chairman. One encrypted backup of the databases is kept in a highly secured building in Munich.

Only fully-trusted AV-Comparatives staff members get access to the samples for the purpose of analyzing them on protected, isolated systems. The room containing the workstations carrying unencrypted malware sets (as happens during the test period) is fully secured, under video control with motion detection and alarm systems directly connected to the police and a private security service. Additionally, the area is checked several times at day and night by an external security service, in order to avoid unauthorized access. All media containing malicious software are clearly labelled as such.

AV-Comparatives sends (missed) samples only AFTER the main tests in February and August to trusted representatives of vendors whose products were publicly tested. We do not send any samples to unknown/untrusted vendors/individuals, no matter what they say or offer. We at AV-Comparatives consider malware as dangerous and take countermeasures to avoid any endangerment to the public (e.g. by any possibility that it gets into the wrong hands).

People wishing to submit malware collections to AV-Comparatives, should encrypt the archives by using the public PGP key available at http://www.av-comparatives.org/clementi.key


trafly
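Original poster | Posted on 2011-8-25 14:57:16

AVC Testing Methodology and FAQ, Section 4: Sources of Virus Samples and Sources of Clean Files


Sources of virus samples
AV-C has multiple channels for obtaining virus samples. Like anti-virus vendors, we collect virus samples from all over the world by means of traps, and collect virus samples from virus downloaders and infected websites. In addition, we collect samples from our partners (such as computer repair/cleaning service companies). These samples come from the virus-infected computers of the home users and small and medium business users they serve. We can also obtain virus sources from online scanning services, visitors to our website, and various organizations that collect virus samples (closed/public security forums, virus-trap projects, anti-virus initiatives, etc.). To keep the test-set valid, broad and representative, AV-C also accepts virus samples provided by anti-virus vendors. At present, many vendors provide us with virus samples; some of these vendors take part in the tests and some do not.

AV-C encourages any vendor to send us the samples they collect from their customers, but this is not an obligation for vendors. We cannot disclose which vendors submit samples and which do not (partly because of confidentiality clauses). However, we can guarantee that submitting samples does not help a vendor obtain a better result. Because the test-set contains samples collected from many different channels and vendors, the samples submitted by a single vendor merely make the test-set more representative (and do not bias the evaluation). In fact, some vendors have never provided us with any virus samples and still obtained high scores, whereas some other vendors provided large numbers of samples and still scored near the bottom because of low sample detection rates. The reason for this may be that vendors usually share virus samples and most of the samples we collect are already included in other test-sets, so it is hard to judge which single channel provided us with more virus samples.

Another reason we choose not to disclose this information is that some vendors would use this data to mislead the public for PR reasons (there have been such cases in the past, for example when a vendor was dissatisfied with certain test results or wanted to put pressure on the tester). As we have said, we welcome any vendor to submit virus samples of its own accord. Samples submitted in the final stage before the test starts (especially "particular" sample packs) are not accepted; the test samples are frozen 2-3 weeks before the test starts, to avoid possible bias.

AV-C does not create, modify or pack any virus (whether for testing or for any other reason).

Sources of clean files
CDs and DVDs from various magazines in several countries (mainly German, Italian and British magazines), and well-known software (mostly software downloaded from legal download sites) are one source. The main source of the clean file set is the computers of individual users and many small and medium business companies (these computers are all maintained by our partner kompetenzzentrum.IT). We use these files with the permission of all the owners. We also have authorization to use the content of a university's application servers as a whitelist (without personal user information). Redundant copies of identical files are deleted, and all files keep their original file names.

The original text follows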

Sources of samples

AV-Comparatives have various sources from which it obtains samples. Like anti-virus vendors, we also use various traps and honeypots from all over the world, as well as samples downloaded from malware downloaders and infected websites. Furthermore, we get samples from the field which were collected by us or our partner companies (e.g. computer repair/cleaning services) on infected PC’s belonging to home users and/or small/medium business companies. We also get samples from various online scanning services and (single and large) submissions from visitors to our website, as well as various organizations that collect malware (internal and public security forums, honeypot projects, anti-malware initiatives, and so on). In order to have a test-set that is statistically valid and as large and representative as possible, AV-Comparatives also accepts samples from (security) vendors. Currently, samples submissions from about a dozen vendors are included in our tests and nearly dozen more vendors which are not included in our tests also contribute.

Any vendor is encouraged to send us samples they get from their customers, but no vendor is obliged to. While we are not going to disclose the names of the vendors which submit or do not submit their samples (partly because Non-Disclosure Agreements may apply), we can assure you that submitting samples to AV-Comparatives does not help a vendor to get a better score. As the test-set consists of samples from many various sources and vendors, a single vendor’s contributions just make the test set more representative – in fact, there are some vendors who do not submit anything and score very highly, and some other vendors who submit a lot are at the bottom regarding detection rates. The reason for this may be that samples are usually shared between vendors anyway and most of the samples we get are usually already in some other collections, so it is impossible to tell how much is coming from which individual source and so on.

We also prefer not to disclose this information because of the possibility that some vendors may use it to mislead the public for PR reasons (this has happened several times in the past, for example when a vendor was unhappy with some test results or wanted to put pressure on a tester) or focus on specific sources. As we’ve said, any vendor is welcome to submit us their samples if they wish to. Last-minute submissions (especially “extraordinary” collections) from vendors are not accepted; this source of samples is usually frozen 2-3 weeks before the test starts, in order to avoid possible bias.

AV-Comparatives does not create, modify or repack any malware (for testing purposes or for any other purpose).

Sources of clean files:

CD’s and DVD’s from various magazines from various countries (mainly German, Italian and English computer magazines) and well-known software (incl. most downloaded software from some legal download sites). Main source for the clean sets are PC’s owned by individual users and various (mainly European) SMB companies (maintained by our partner kompetenzzentrum.IT) which allowed us to use in our clean sets (without sensitive data). We also have access to the content of the application servers of an university (without personal data). Duplicates are weeded out and files keep their original file names.


trafly
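Original poster | Posted on 2011-8-26 13:56:10

AV-C Testing Methodology and FAQ, Section 5: Conditions for Participation

The board of AV-C decides the list of products to be tested; AV-C only includes anti-virus products with good detection rates in the list of tested vendors. A tested product must use an anti-virus engine that it developed itself or has licensed. A tested product must be able to complete one scan of the full database in its most secure mode, within a suitable time, without crashing or causing major problems. A tested product must be able to scan a subfolder tree (depending on the type of test). The scanning component of a tested product should not move or modify files or the system in any way when running in report mode. A tested product must be widely used worldwide and well known, and must not produce many false positives. The terms of service below are a sample and mainly apply to the main test items carried out every quarter.
----------
The following terms of service must be complied with and confirmed by signature:
Terms of Service for Anti-Virus Software Testing
This document contains the terms of service for AV-C anti-virus software testing (hereinafter "TOS"). This document applies to tests carried out by AV-C and representatives of AV-C (hereinafter "the Tester").
1) Test methods
The test-method document used by the Tester is published on the test website www.av-comparatives.org. The Tester reserves the right to improve/change the test methods when necessary. Notice of such changes will be published on the official website for at least thirty days before they take effect. Subject to the content of clause 2, a vendor's continued participation in the tests means that the vendor accepts the content of these changes.
2) Participation
All security vendors (hereinafter "the Vendor") have the right to decide whether to take part in the tests carried out by the Tester. If the Vendor decides to take part in the tests, the Vendor is obliged to submit an application for participation to the Tester by email or fax. The application must state that the Vendor agrees to these terms of service and agrees to the test methods published and used by the Tester. In addition, the application must be dated, signed by the Vendor's authorized representative, and stamped with the official seal. Where an official seal is not available, the Vendor's official headed paper should be used. Applications without an authorized signature will not be accepted. After sending the application by email and fax, the Vendor is obliged to mail the original of the application to AV-C by first-class business mail within 14 working days (inclusive). The application remains in effect until the Tester receives the Vendor's written notice of revocation. Whether a product is tested is decided entirely by the Tester.
3) Tested software, licenses
The Vendor is obliged to provide a fully working product version and all necessary licenses (where the Tester requires them). The Vendor is obliged to give the Tester the details of a responsible person so that the test centre can contact them. The Tester must not distribute the product or the licenses used for testing purposes to any third party. After the test is completed, the Tester shall return the software to the Vendor or confirm in writing that all copies of the software have been destroyed. The Tester must not, without written permission, disclose the Vendor's logo, or use the Vendor's name in a way that indicates an association between the two.
4) Participation fees
The Vendor (or a third party) has to pay fees for the various services provided by the Tester (such as use of the Tester's logo in marketing material, and the time/effort the Tester spends on the various tests). The test fees are settled every quarter, after the tests have been completed and published.
5) Sample submission
The Tester accepts the sample collections that the Vendor provides each month. If the Vendor does not agree to the Tester submitting all missed samples to other vendors (the convention is that vendors always receive all missed samples), the Tester will not accept samples provided by the Vendor.
6) Restricted distribution of samples clause
For reasons of trust, the Vendor may ask the Tester to restrict the distribution of samples to specified other vendors. The Vendor is obliged to state clearly which vendors this restriction on sample distribution applies to. The Tester will review these requests individually and, after the review, will inform the Vendor whether the request is granted. The Tester suggests that in this situation the Vendor should not submit further samples during the review period. If the Vendor is not satisfied with the outcome, the Vendor may decide not to submit, or to stop submitting, samples to the Tester. Once a trust issue is raised against a vendor and the Tester's review finds that the issue does exist, the Tester will decide at its own discretion to provide a certain number of missed samples from all tests.
7) Missed samples
The Vendor must have a virus lab in order to receive the missed samples that the Tester submits after the on-demand tests. The Tester provides missed samples on one condition: the Vendor must reach the minimum standard of detection on the Tester's full test-set under the most secure settings.
The Tester provides missed samples to the Vendor so that the Vendor can confirm the validity of the test results. The Tester provides the Vendor with the samples that the Vendor's product missed only if the Vendor agrees to the content of the preceding clause. If the restricted distribution of samples clause applies, the Vendor will receive a certain number of samples selected by the Tester, and will also receive a log containing the CRC32 checksums of the missed samples. Where applicable, the Tester will also tell the Vendor why the restricted distribution clause was invoked, so that the Vendor can receive the other missed samples from other vendors, or search for these samples in the Vendor's own sample library.


The original text follows: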
Conditions for participation
Which products are to be tested is decided by the board of AV-Comparatives e.V. - AV-Comparatives prefers to include in its tests only anti-virus products with good detection rates. The product must use its own or licensed engines. The product must be able to finish a scan of the full database using the most secure possible detection settings within a reasonable time, without crashing or causing major problems. Products must be able to scan a subdirectory tree (depending from the type of test). The scanner should not move or change in any way the files or the system during the scan when running in report-only mode. The product should be a well-known anti-virus product used worldwide and should not produce too many false positives. The below TOS is an example and mainly applies to the main tests which results get published quarterly.

Additionally, the following Terms of Service agreement has to be accepted and signed:
Terms of Service for Anti-Malware Software Testing
This document contains Terms of Service (hereinafter referred to as “TOS”) for Anti-Malware Software Testing by AV-Comparatives which are applied to tests performed by AV-Comparatives e.V. or its representatives (hereinafter referred to as “the Tester”).
1) Test Methods.
The methods used by the Tester are described in a document published on the Test center website www.av-comparatives.org. The Tester reserves the right to improve and/or change the methods as necessary. Notice of such changes will be published on the www.av-comparatives.org website at least 30 (thirty) days before they take effect. Agreement with changes notified is implied by continuing to participate in testing, subject to terms in (2.)

2) Participation.
Any vendor of security software (hereinafter referred to as “the Vendor”) has the right to decide whether to participate in tests performed by the Tester. If the Vendor decides to participate in tests performed by the Tester, the Vendor is obliged to send an application for inclusion in testing to the Tester by email or by fax. The application will contain notice that the Vendor accepts this TOS and the current methods published and used by the Tester. Furthermore the application shall be dated and signed by the authorized representative(s) of the Vendor and stamped by the Vendor’s seal, or provided on official headed notepaper where a seal is not available. Applications will not be accepted without an authorized signature. The Vendor is obliged to deliver the original of the application to the Tester by first class business mail within 14 (fourteen) days after the delivery via email or fax. The Application shall remain in force until revoked by written notice to the Tester. Whether or not to test a product shall remain at the Tester’s sole discretion.

3) Software, License Keys.
The Vendor is obliged to provide a full working product version and all necessary license keys to the Tester upon request. The Vendor is obliged to supply the Tester with the name of a person responsible for contact with the Test centre. The Tester shall not distribute the product or license keys provided for testing purposes to any third party. Upon completion of testing, Tester shall return the software to the Vendor or certify in writing that all copies of the software have been destroyed. The Tester shall neither display the Vendor logos without specific written permission, nor use the Vendor’s name or trademarks in a manner that implies endorsement by the Tester or the av-comparatives.org website.

4) Fees.
The Vendor (or a third party) has to pay a fee for the various services provided (e.g. usage of logo in marketing material and time/work spent in providing the various services, etc.). The fee has to be paid quarterly after the tests are finished and already published.

5) Sample Submission.
The Tester will accept submissions of monthly collections from the Vendor. The Tester will not accept samples from the Vendor if the Vendor does not wish the Tester to send any missed samples to other participating vendors that are already getting all missed samples.

6) Restricted Distribution of Samples.
The Vendor may request that the Tester restricts distribution of samples to certain other vendor(s) where there is an issue of trust. The Vendor is obliged to identify clearly the other vendor(s) to which the Vendor wishes such a restriction to apply. The Tester will review such request individually, and after review by the Tester the Vendor will be informed as to whether the restricted distribution of samples will be applied. The Tester suggests that in such case the Vendor does not submit further samples for the duration of the review period. If the Vendor is not satisfied with the outcome, the Vendor may decide to do not send samples or to discontinue sending samples to the Tester. In cases where an issue of trust arises against the Vendor and a review by the Tester shows the concern to be valid, the Tester will provide a limited number of missed samples from any test, at the sole discretion of the Tester.

7) Missed Samples.
The Vendor must have an established virus lab in order to be entitled to receive missed samples after the on-demand tests. The Tester will provide the missed samples to the Vendor only if the Vendor’s product is successfully able to identify a given minimum of the Tester’s actual full test set during an on-demand scan with the most secure settings.
The Tester will provide missed samples to the Vendor so that the Vendor can verify the validity of the test results. The Tester will send samples missed by the Vendor’s product, unless the Vendor is subject to a restricted distribution of samples as described in the section above (RESTRICTED DISTRIBUTION OF SAMPLES). If a distribution restriction has been applied, the Vendor will receive a limited number of samples selected by the Test center together with a list of missed samples in form of log with CRC32 checksums and - where possible - detailed reasons on why the restriction had to be applied, in order that the remaining missed samples can be requested from other vendors or located among samples in the Vendor’s own lab.

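sunzhe7788
Posted on 2011-8-26 14:12:08
Supporting the original poster, thanks for the hard work

trafly
Original poster | Posted on 2011-8-26 14:17:52
sunzhe7788 posted on 2011-8-26 14:12
Supporting the original poster, thanks for the hard work

Thanks for following!

ycyb01
Posted on 2011-10-19 17:41:55
Learning something new, learning.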