This page is designed to give you insight into how the VB100 certification programme is set up and runs, and how your product can be enrolled to the test bench.
The VB100 certification programme is for vendors of Windows endpoint security products who seek to distinguish their product by subjecting it to independent testing.
Programme participation is available on an annual basis, with quarterly scheduled tests. To earn and retain the VB100 certified status, your product must demonstrate that it is consistently capable of detecting common malware statically, without an excessive number of false positives.
The current criteria require detecting at least 75% of malicious test cases, along with a false positive rate of at most 0.05% on clean test cases.
Products that meet the criteria receive VB100 Certified status and are featured on our website. The certified status is retained for the duration of the participation, as long as the scheduled tests are successful and the criteria are met (failing one test and recovering in the subsequent one is allowed).
VB100 covers static detection of common Windows PE-type malware.
For a comprehensive guide on how we test, please consult the VB100 test methodology.
Private tests are typically one-off arrangements that are conducted in the same manner as the public VB100 tests; however, the results are shared privately with you. This makes them a great, low-commitment opportunity for a number of cases, such as:
Private tests also receive priority treatment and results can often be delivered in as little as 1-2 weeks, depending on internal schedules.
Should you only need a single, public report of your product's performance as per the VB100 framework, this can also be arranged. Such single tests, however, do not attract a VB100 certified status since the product is not subjected to periodic testing. Rather, a single test report is released for such a test.
Custom tests based on an altered methodology – or even a completely custom one – are also a possibility. Please get in touch with us at [email protected] to discuss your projects.
Pricing and certification
A few highlights:
These are the major steps you can expect:
Subject to internal schedules, as little as 1-2 weeks. Please enquire about the current schedules at [email protected].
VB100 covers static detection of common Windows PE-type malware that changes from test to test.
Our own collection of legitimate Windows program installers and the files dropped by those installers, including PE and non-PE files.
During your review of the test results, you will receive any false negatives and false positives by SHA256 and MD5 hash. Specific samples are available upon request (subject to quantity limits).
When the actual testing / data collection phase is completed, you will receive preliminary test data for your review, including:
That feedback marks the beginning of the 'dispute period', during which you can review and, if you deem it necessary, contest the test results.
As part of the boarding process we will do a preliminary 'smoke test' with a limited number of test cases. This is to verify the product's compatibility with the testbed. If any compatibility issues are identified, the test can be postponed or even called off.
Sorry, neither of these is possible. One of the fundamental rules of fair testing is that any test starting out as a private test cannot be made public, nor can a public test be made private. This is to prevent 'cherry picking' the favourable results.
Yes, if we suspect that a technical issue is affecting the results. For instance, if we encounter an excessive number of false negatives / false positives, or if the results do not appear to make sense, or if the product crashes, etc. Generally, we can spot issues like these quite well, but should something avoid detection, the review ('disputes') phase, during which you get to verify your results, serves as a final checkpoint.
Generally speaking, yes we can, subject to certain limitations. For instance, if the configuration would be severely detrimental to the relevance of the report for the average use case, we may not be able to accommodate your request. Any significant deviations from default will be documented in the test report, along with the justification for those changes.
Yes, we can. We regularly test pre-release products like that, often as part of the Microsoft MVI registration process. Regarding this latter scenario, please consider that Microsoft accepts third-party tests for such purposes at their discretion, so be sure to verify their latest requirements with them.
Both annual VB100 plans and private tests are available in a highly competitive and adaptive pricing model that follows the value generated for your business, so whether you are a startup or an established player in the field we have a plan to suit you. To find out more please get in touch at [email protected].
As soon as your product passes its first public test, your product receives certified status. This can take as little as 1-2 weeks (most commonly 4 weeks), depending on internal schedules.
Provided your product keeps meeting the certification criteria consistently, you keep your certified status up to 60 days after your test contract expires. We will invite you to renew your testing arrangements towards the end of your contract for onward participation and certification.
The certification is issued for a specific product edition and it does not cover any derivative products (other product editions, OEM-licensed engines, etc.). This has to do with the framework of fair testing: fundamentally, a test lab may only make statements about its observations, and thus extending the coverage to product editions the lab did not test would be a speculative matter.
The AMTSO certification ensures that you receive a testing service that is within the established parameters of what the industry considers to be fair testing. This benefits you directly as a vendor, and indirectly through the increased credibility of the reports issued by VB.
Ultimately, these are described by the Standard and we recommend that you familiarize yourself with it. In practical terms, you only need to register on AMTSO’s contact list and complete a form before and after the test is concluded, to provide your feedback on how the testing was done.
AMTSO audits and certifies our tests periodically. Collecting vendor feedback after the test is part of that process, so your test can only become certified after the test report has been released by VB. Reports for tests that seek AMTSO compliance contain a link to a page detailing the test on the AMTSO website; it is this page that AMTSO updates upon completing its audit.
Ready to get the conversation started? Please email us at [email protected].