Update: Reuters now has the story.
Update 2: I’ve updated this post with additional information, here.
VirusTotal just dropped a major bomb, and only people deep in the endpoint security ecosystem understand the ramifications of this announcement.
If you’re involved in endpoint security to any degree – as a customer or an industry person – you need to understand what just happened. It’s really, really big.
A bit of background.
VirusTotal is a multi-engine virus scanner. You upload a file, and it passes the file to a large number of commercial antivirus products, and it tells you which engines detected the file as malicious.
While there are other tools available, and some have come and gone, VirusTotal is the big dog in the space. It’s owned by Google, has massive computing and resource power and everyone in the security industry uses it.
VirusTotal shares the results with subscribers. So, you can pay to get extensive and detailed information on what has been detected at any moment of the day, and who detected it.
How antivirus companies use VirusTotal to make better detections.
It’s common practice of antivirus companies to use VirusTotal as a tool to make better signatures.
For example, if a researcher finds that two high quality antivirus engines detect a file as malicious, he/she has a high confidence that it’s actually malicious without further analysis. As an antivirus researcher, it saves an enormous amount of time.
Now, there’s absolutely nothing wrong with using VirusTotal results in research, and many antivirus companies use VirusTotal to supplement their own labs. They get samples from VirusTotal, and along with the samples, what engines detected them. If they find that a couple of high quality engines are detecting a file, they can easily add the detection to their own signatures without much further thought.
Now, there’s a next step. You could set up an API integration with your product. If you scan a user’s machine and find an unknown file, you could upload it through an API to VirusTotal and get a disposition on the file – who detects it. From this data, you can flag a file as malicious.
In other words, you can use VirusTotal to create your own antivirus program. Easily.
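To make the “two high quality engines detect it, so it’s malicious” heuristic from the previous paragraphs concrete, here is an added example (my illustration, not code from VirusTotal or from any product mentioned on this page). It classifies a constructed report shaped like a VirusTotal v2 `file/report` response; the engine names and the “trusted” set are hypothetical placeholders. It also shows why a defender should exclude any engine that itself derives verdicts from VirusTotal from the trusted set: counting such an engine double-counts the same underlying detection.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample in the shape of a VirusTotal v2 "file/report" response.
# Engine names and hash are placeholders, not real data.
SAMPLE_REPORT = {
    "response_code": 1,            # 1 = file known to VirusTotal
    "sha256": "0" * 64,            # placeholder hash (constructed)
    "positives": 3,
    "total": 5,
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": True, "result": "Malware.Heuristic"},
        "EngineC": {"detected": False, "result": None},
        "EngineD": {"detected": True, "result": "Gen:Variant"},
        "EngineE": {"detected": False, "result": None},
    },
}

# Hypothetical set of engines a researcher considers "high quality".
TRUSTED_ENGINES = {"EngineA", "EngineB"}

# Hypothetical set of engines known to derive their verdicts from VirusTotal
# itself; counting them would double-count the engines they copy from.
DERIVED_ENGINES = {"EngineD"}


@dataclass
class Disposition:
    verdict: str                      # "unknown", "malicious", "suspicious", "undetected"
    trusted_hits: list = field(default_factory=list)
    independent_hits: int = 0
    independent_total: int = 0


def sha256_of(data: bytes) -> str:
    """Hash a file's bytes; lookups by hash avoid uploading the file itself."""
    return hashlib.sha256(data).hexdigest()


def classify(report: dict, trusted: set, derived: set = frozenset(),
             min_trusted: int = 2, min_ratio: float = 0.5) -> Disposition:
    """Turn a VT-style report into a disposition.

    - "unknown"    : VirusTotal has never seen the file (response_code != 1)
    - "malicious"  : at least `min_trusted` trusted engines detect it
    - "suspicious" : a large share of independent engines detect it
    - "undetected" : otherwise
    Engines in `derived` are ignored because their verdicts are not independent.
    """
    if report.get("response_code") != 1:
        return Disposition("unknown")

    scans = report.get("scans", {})
    independent = {name: r for name, r in scans.items() if name not in derived}
    hits = sorted(name for name, r in independent.items() if r.get("detected"))
    trusted_hits = [name for name in hits if name in trusted]

    disp = Disposition("undetected", trusted_hits, len(hits), len(independent))
    if len(trusted_hits) >= min_trusted:
        disp.verdict = "malicious"
    elif independent and len(hits) / len(independent) >= min_ratio:
        disp.verdict = "suspicious"
    return disp


if __name__ == "__main__":
    d = classify(SAMPLE_REPORT, TRUSTED_ENGINES, DERIVED_ENGINES)
    print(d.verdict, d.trusted_hits, f"{d.independent_hits}/{d.independent_total}")
```

Note that with `EngineD` excluded, only 2 of 4 independent engines detect the sample; the “malicious” verdict rests entirely on the two trusted engines. If a product’s own engine were simply echoing this disposition back to VirusTotal, a naive consumer would see three detections where there are really two, which is the inflation the rest of this post is about.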
It’s fine to use other engines. If you’re also contributing.
Using other engines to improve your detection rate is completely fine, provided you’re also contributing back to the community yourself. In other words, your antivirus product should also be one of the participating antivirus engines.
The dirty little secret
And here’s the dirty little secret that very few people know. There are a number of endpoint products that use VirusTotal to determine if a file is malicious. Without any contribution to the community. Without giving anything in return.
They simply pay VirusTotal a subscription fee, and receive the information.
And some of these companies have been getting a lot of attention for their supposed prowess. But for some mysterious reason, they refuse to put their own engines on VirusTotal. Could it be because they don’t want to contribute back? Maybe. Or it could be that they just don’t want everyone else to see how poorly their products actually perform.
Using VirusTotal information without any contribution back to the community is patently unfair. The people who are actually writing detections are sharing their results with the rest of the community, while a small group of endpoint products have been boasting of their extraordinary abilities, while working off the backs of other researchers.
So as a customer, perhaps you can ask the next endpoint security vendor if they’re on VirusTotal. If they are, they’re contributing to the antivirus community. If they’re not, they’re not. Whatever their PR story, that’s the simple truth.
Well, the world just got a bit brighter for the many endpoint security companies that actually contribute to VirusTotal: Because VirusTotal just announced that they are requiring that all scanning companies that use their service must integrate their engines into VirusTotal. Furthermore, “…new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO).”*
It’s big news. It levels the playing field. No longer will antivirus companies see their hard work taken by some sexy startup that’s raised millions of dollars on the false promise of “next generation” endpoint or other such nonsense, while bashing the very companies whose intellectual property it is effectively stealing. And perhaps, we’ll see what their products are really made of. Because without VirusTotal as a crutch, companies that rely on it are going to see their detection rates take a hit.
Poetic justice, indeed.
What does this mean for the IT manager?
If you’re an IT manager who has been duped by sparkly marketing materials into buying one of these “next-generation” endpoint products, take a hard look at their actual detection capabilities. If they’ve been using VirusTotal results but not contributing back, their ability to detect malware just took a potentially serious hit. This is serious.
You don’t have to believe the marketing hype. Set up a virtual machine that’s isolated from your corporate network, and go to a site like MDM to find all kinds of nasty stuff. In the words of Ronald Reagan, “trust, but verify”. One nasty piece of malicious software (especially ransomware) can have serious consequences.
My compliments to the VirusTotal team for seeing this disparity and unfairness and taking such swift action. A class act, indeed.
And now, perhaps, we can all finally see what is really behind the curtain.
* Disclaimer: I am a board member of Malwarebytes (a contributing member to the VirusTotal community), and an advisory board member to AMTSO. The opinions in this blog post are my own and are not connected to these two organizations.