steven36 Posted May 9, 2016

'Cause the takers gonna take, take, take

Security firms that use the Google-owned VirusTotal malware database but don't contribute to the silo are going to find themselves out on a limb.

For the past 12 years, researchers have been feeding samples of software nasties into VirusTotal, allowing antivirus engines to check they can detect malicious code. But the site has seen an increasing number of security startups using the VirusTotal data without giving back.

Now Google, and other contributors, have had enough and have changed the terms and conditions of the website. Put simply, if you don't share samples, you can find your own malware elsewhere.

"All scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services," the site's administrators explained in a blog post. "Additionally, new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO)."

The admins also took the opportunity to remind people that VirusTotal isn't supposed to be used as a primary antivirus engine, merely as a backup checker. It seems some outfits have been using the database as a way of providing security scanning on the cheap – by throwing users' files at the database to identify potential infections.

Now the party is over, and some of the more established hands have praised the move. Raimund Genes, CTO at long-time VirusTotal contributor Trend Micro, complained that too many newcomers were using the website for so-called "next-gen" security systems that are anything but.

"We believe in information sharing, but there is no sharing here: this is just taking. This is taking from VirusTotal without giving back," he said.

"This is taking advantage of the goodwill and resources of VirusTotal contributors. And this is taking liberty with the truth by claiming their solutions are patternless, when in fact they do have patterns: the aggregated information on VirusTotal, contributed by those very companies they're competing against."

The Source
Holmes Posted May 10, 2016

This should help stop malware writers from checking if their malware is detected or not, making them have to test it on their own.
pc71520 Posted May 10, 2016

VirusTotal strikes back...
Batu69 Posted May 12, 2016

A VirusTotal Policy Change Has Exacerbated the Bad Blood Between Traditional and Next-gen Anti-malware Companies

On May 4, VirusTotal (VT) dropped a bombshell that has reverberated throughout the anti-malware industry. That bombshell was a two-sentence change to VT's policies: "all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services." A second amendment requires new applicants to effectively be certified by the Anti-Malware Testing Standards Organization (AMTSO).

Background

To understand the effect of these changes we need to understand four elements: the traditional anti-malware industry, the next-gen anti-malware industry, VirusTotal, and AMTSO.

The traditional anti-malware industry (formerly known as anti-virus) has existed since the beginnings of cyber security. It has invested vast sums into detecting and neutralizing malware. It was founded on a 'blacklist' policy: detect the malware, analyze it and add a unique signature to a blacklist. This methodology is not perfect: there is a latency between the existence of new malware and its detection and addition to the blacklist. The industry long ago accepted this weakness and developed 'behavioral' additions to improve its efficiency. The anti-malware industry can be simplistically described as 'signature-based, plus...'. As the first security industry, it is the industry that has the most customers.

Next-gen anti-malware takes a different approach. It focuses on behavior and reputation rather than signatures. It watches networks and traffic and notes behavioral anomalies that might indicate the presence of malware or an intruder. But it is relatively new, and to a certain extent must weaken the anti-malware industry's grip on customers.

Owned by Google, VirusTotal is an online service that checks suspicious files against an array of anti-malware products. Since the check is static, it relies heavily on the signature engines of the subscribing vendors. In its own words, it is "a collaborative service to promote the exchange of information and strengthen security on the internet." If a submitted file is found to be malicious, details are circulated to all subscribing companies – and in this sense it is an early and effective threat sharing mechanism. But the check is primarily against signature engines, which we know are only part of traditional anti-malware. Taken in isolation, the effect of the test is misleading. Indeed, VT has always said precisely this. Nevertheless, over the last few years some parts of the next-gen anti-malware industry have not hesitated to use VT results to suggest that the traditional industry is failing its customers.

VirusTotal also offers an API that allows subscribers to integrate their own systems with the VT database. This allows vendors that detect a suspicious file to automatically check it against VT and return results to the customer as if they were their own.

AMTSO was born for all of the right reasons. Anti-malware testing is very difficult. The introduction of statistical bias could easily favor one product over another. AMTSO strives to provide testing methodologies that are fair to everyone. But it has one major weakness: it is almost entirely composed of anti-malware vendors and anti-malware testing organizations. This leaves it open to accusations that it is an anti-malware club designed to protect the status quo.

The Issue

It is against this background that VT's new policies should be measured. There is little doubt that its services have been abused by some companies. ESET's David Harley explains: "It's been quite easy for companies to pay a subscription and benefit from the work of others without sharing any information of their own. VirusTotal's statement makes clear – again – that the company is aware of several ways in which its data is being misused."

Independent security expert Graham Cluley explains his own concerns: "Essentially, some vendors were having their cake and eating it – basing their 'next generation' security products on the backs of other security vendors' hard work, and not contributing anything back to the community." This is done by plugging their own products into the VT API and effectively using VT as their detection engine. "To rub salt into the wound some would criticize the other security vendors for their alleged reliance on 'traditional' techniques, while actually exploiting that expertise at no cost to themselves!"

But while the purpose may be to prevent abuse, the reality is that VT's two new requirements (integrating a detection scanner into VT and certification by AMTSO) effectively exclude genuine next-gen anti-malware companies from working with or benefiting from VT.

Matters might still not have erupted were it not for a subsequent blog post (by a matter of hours only) by Alex Eckelberry, a board member of anti-malware firm Malwarebytes, and a member of the advisory board of AMTSO. He says, "No longer will antivirus companies see their hard work taken by some sexy startup that's raised millions of dollars on the false promise of 'next generation' endpoint or other such nonsense, while bashing the very companies that they're effectively stealing the intellectual property of. And perhaps, we'll see what their products are really made of. Because without VirusTotal as a crutch, companies that rely on it are going to see their detection rates take a hit."

Commenting on Eckelberry's post, Carl Gottlieb, technical director and co-founder at Cognition, wrote, "Subsequently, he and a few other commentators called out Cylance, SentinelOne, Palo Alto Networks and CrowdStrike as being amongst these 'false promise' vendors 'effectively stealing the intellectual property of' contributing VT vendors." Gottlieb's commentary is very pro next-gen – but for purposes of transparency it should be noted his company is a major reseller of next-gen Cylance.

Battle Lines

Now there are clear battle lines: the traditional anti-malware industry lined up against the newer next-gen anti-malware industry. Traditional is entirely supportive of VT; next-gen is appalled at the accusations against their methods.

For the traditional industry, Luis Corrons, technical director at PandaLabs, said that the anti-malware vendors were getting increasingly concerned that newcomers were using the endeavors of VT while simultaneously having "clear marketing messages, where they say 'antivirus is dead; this is much better than traditional antivirus' – while they were taking advantage of what they were calling the walking dead."

Symantec "supports the new policies and believes that they will improve the health and success of the VirusTotal ecosystem in a mutually beneficial manner." Trend Micro also supports the new policy, saying: "These changes were made in response to Trend Micro and other VirusTotal contributors seeing more and more companies that do not materially contribute to VirusTotal benefit from the data and analysis of those of us who do contribute on an ongoing basis."

F-Secure's Sean Sullivan told SecurityWeek, "It looks promising for the AV industry. At the very least, it should hopefully limit the false claims as to what AV tech is and isn't."

Much of the traditional anti-malware industry suspects that the detection rate for a range of so-called next-gen products will simply fall away without what it considers to be freeloading support via the VT API. Against this, the next-gen industry is concerned that its good reputation is being maligned. Some even see 'conspiracy' in the proceedings. Tomer Weingarten, CEO at SentinelOne (another of the next-gen detectors) said in a blog post on Wednesday, "This aggressive promotion naturally led many to believe this change was the result of an orchestrated coup on the part of the traditional AV vendors who feel threatened by the rise of companies like SentinelOne, Crowdstrike and Palo Alto Networks. Whether this was an orchestrated attempt or not, we may never know."

Palo Alto Networks has posted a statement on its blog saying no change here: "There is no impact to Palo Alto Networks customers or the protections our customers receive from us. VirusTotal will continue to provide subscribers, including Palo Alto Networks, access to all file samples. There is no change to the way we work with VirusTotal." In an email exchange with SecurityWeek, Palo Alto further explained, "For further context, while we do indeed use the VirusTotal API to get samples, the recent VirusTotal policy change doesn't affect Palo Alto Networks because we don't rely on VirusTotal verdicts to determine the maliciousness of a file. From that perspective, the change to remove verdicts from the API doesn't impact our ability to get samples from VirusTotal, determine the maliciousness, or produce signatures to protect our customers."

For its part, VirusTotal and the anti-malware industry (for without any doubt this seems to be a co-ordinated coup) feels no longer able to sit back and see its own research used to malign its capabilities. It has, however, set the entry bar rather high. Requiring registration of the detection engine with VT and certification from AMTSO (both of which are controlled by the incumbent anti-malware industry) will effectively exclude the majority of next-gen companies from inclusion.

The Way Forward

VirusTotal told SecurityWeek in an email response, "This update is designed to make the community stronger for everyone who participates and we are open to working with any contributor and any technology that adds value to the community. This does not reflect a change in the service that VirusTotal provides, but is a change to our policies that we believe will make our community healthier and stronger." Separately, a spokesperson explained, "Each security vendor that uses VirusTotal and has a publicly available anti-virus engine or URL malware-scanning engine will be required to list its scanner in the VirusTotal public interface as a condition to receiving access to the API account and distribution feed with antivirus results." So, quite simply, if you don't take part in the online malware scanning, you don't get to access the API.

For this to work it will require mutual respect between traditional and next-gen anti-malware. Use of VT as a marketing metric should cease; and marketing slogans like 'anti-virus is dead' should stop. For its part, traditional anti-malware should actively seek ways of integrating next-gen products into the VT community. Both are needed by users, for no single technology can catch all threats. There is no reason for them not to work in harmony in a layered defense. It remains to be seen whether this can be achieved in the long term. In the short term the new VT policies have simply exacerbated the bad blood between traditional and next-gen anti-malware.

Article source
luisam Posted May 12, 2016

As I understand it, this issue between VirusTotal and anti-malware producers should not directly affect us VT users, except maybe getting an improved anti-malware diagnostic. Or so I hope!
steven36 (Author) Posted May 12, 2016

35 minutes ago, luisam said:

> As I understand it, this issue between VirusTotal and anti-malware producers should not directly affect us VT users, except maybe getting an improved anti-malware diagnostic. Or so I hope!

It won't affect me, because all the realtime I use is already listed there; all they ask of them to use it is to list their signatures at VT. If they don't want to make theirs public, they're not really trustworthy anyway.
Batu69 Posted May 12, 2016

Thread merged.