Researcher bashes cert programs for giving high marks to flawed AV programs

Prominent security researcher Tavis Ormandy believes the antivirus certification process is systemically flawed.

A new blog post by security researcher Tavis Ormandy chastised security software certification programs, claiming many if not all are “meaningless,” as antivirus products often receive high grades from evaluators despite having multiple low-hanging vulnerabilities.

To substantiate his claims, Ormandy recently evaluated an antivirus program from Comodo Group and found numerous flaws, including weak authentication, incorrect access control lists, “hundreds of critical memory corruption flaws” and “even more serious design flaws and logic errors.”

And yet, Comodo announced on Mar. 1 that ICSA Labs, an independent division of Verizon, awarded the company an “Excellent in Information Security Testing” award following a certification process.

Although the blog post singled out Comodo, Ormandy was clear that the problem broadly affects the entire antivirus industry. “I don't think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced,” Ormandy added.