Ethics and Virus Testing
Modernizing Authentication — What It Takes to Transform Secure Access
CR went out and did what many of us have considered in the past, but not actually done: With the help of consultants at ISE (Independent Security Evaluators), they created a test bed of 5,500 new viruses in order to test the products.
There's an old joke about Consumer Reports, that nobody respects their work for their own field, just for others. So a carpenter will scoff at their review of circular saws, but trust them for gas grills and washing machines. I've heard a lot of this in the discussions about virus testing.
Many in the anti-malware community are adamant that creating viruses is always a bad thing, and never necessary in order to test anti-virus software. In fact, they argue that it's not as good a methodology as the alternatives. You can find some good links to opinion on the matter in this blog entry by Sunbelt Software's Alex Eckelberry.
I've been involved in many tests of anti-virus products, and it's always tough. There are many ways you can go about the testing and they all have their strengths and weaknesses. The biggest problem is testing of heuristic protection, or protection against unknown viruses.
I have no specific opinion on the work by Consumer Reports; not being a subscriber I haven't read the actual test results, just the methodology linked to above. But it seems to me that the abhorrence of virus creation that many are expressing is an overreaction.
Let's take what seem to me to be the two main arguments against it: 1) If you create malware, there's a chance it could escape and cause damage to innocent third parties, and 2) it's not a good way to test AV.