NSS Labs lawsuit takes aim at CrowdStrike, Symantec and ESET

NSS Labs announced on Wednesday it had filed an antitrust suit against CrowdStrike, Symantec and ESET over what the testing firm claimed is an extensive, coordinated effort to prevent the company from testing leading antimalware products.

The NSS Labs lawsuit, which also named the Anti-Malware Testing Standards Organization, alleged CrowdStrike, Symantec, ESET and the AMTSO worked in concert to impede NSS Labs' ability to test their products. In a scathing blog post, NSS Labs CEO Vikram Phatak accused the antimalware vendors and the AMTSO of trying to suppress negative product reviews from NSS Labs.

"We filed this suit because some vendors have not been living up to their responsibility to protect consumers and they know it, and they're trying to prevent the public from knowing it too," Phatak wrote in the blog post. "If you are in the cybersecurity industry, it won't surprise you to hear that vendors often know about their products' deficiencies yet don't reveal them to consumers. What should shock you is that they are actively conspiring to prevent independent testing that uncovers those product deficiencies to prevent consumers from finding out about them."

The NSS Labs lawsuit, Phatak wrote, was filed in the hopes of "advancing transparency and accountability" in the antimalware and cybersecurity spaces.

Phatak claimed the vendors "are openly exerting control and collectively boycotting testing organizations that don't comply with their AMTSO standards -- even going so far as to block the independent purchase and testing of their products." He further claimed that the AMTSO standards are not neutral and are instead driven by the antimalware vendors themselves in an apparent effort to produce beneficial results.

The AMTSO is a nonprofit organization founded in 2008 to "improve the business conditions related to the development, use, testing and rating of antimalware products and solutions." The organization has more than 50 member companies, including CrowdStrike, Symantec and ESET.

According to the AMTSO's website, a testing lab that wants comply with the AMTSO standard for a specific antimalware test "must provide AMTSO with formal notification and publish a detailed test plan prior to starting the test. This process is intended to provide vendors an opportunity to review the test plan and provide their input, highlighting any potential issues with the test design."

It's unclear if NSS Labs participated in the AMTSO's process.

In addition to the AMTSO, Phatak's blog post about the NSS Labs lawsuit specifically criticized CrowdStrike as one of many vendors that have implemented clauses in end-user licensing agreements to prevent organizations from testing the products without the vendor's permission. CrowdStrike filed a lawsuit in federal court against NSS Labs in 2017 to prevent NSS Labs from releasing a report on its advanced endpoint protection product tests, in which CrowdStrike was given a "caution" rating; the court denied CrowdStrike's request.

CrowdStrike issued the following statement to SearchSecurity: "CrowdStrike supports independent and ethical testing -- including public testing -- for our products and for the industry. We have undergone independent testing with AV-Comparatives, SE Labs and MITRE and you can find information on that testing here. We applaud AMTSO's efforts to promote clear, consistent, and transparent testing standards. Regarding NSS, CrowdStrike is currently in litigation with them and we cannot comment on ongoing litigation."