On May 4, 2016, VirusTotal, the free, Google-owned service that analyzes suspicious files and URLs for virus and malware detection, announced a change in its rules of engagement for participating security companies. VT’s updated requirements state that "all scanning companies will now be required to integrate their detection scanner in the public VT interface to be eligible to receive antivirus results as part of their VirusTotal API services." It is also requiring new applicants to be certified by the Anti-Malware Testing Standards Organization (AMTSO).
This change mostly affects companies representing the so-called next-gen anti-malware industry. By contrast, the traditional anti-malware companies, which have since VirusTotal’s inception generally provided their detection scanners to VirusTotal as part of their business model, will experience little disruption.
It will come as no surprise that, as the CTO for Trend Micro, I welcome the decision from VirusTotal. I share the views of my colleagues at a number of established security companies, who have long believed it is unfair that many startup companies simply grab information from VT—the combined intelligence of all contributing security players—but do not themselves contribute at all.
In this article, I will not presume to speak for all traditional anti-malware players. But I will explain our position at Trend Micro.
Can’t we just get along? Well, maybe
When VT started, there was a give and take, by design, which is best explained on VirusTotal’s own website. “The initial idea was very basic: anyone could send a suspicious file and in return receive a report with multiple antivirus scanner results. In exchange, antivirus companies received new malware samples to improve protections for their users. The gears worked thanks to the collaboration of antivirus companies and the support of an amazing community. This is an ecosystem...”
So you were eligible to receive samples only if your engine was in the service and only if you shared your samples and technology in return. The change now simply enforces this principle, which was always meant to guide behavior.
This is not about locking out the next-gen vendors; it’s just a clear stipulation of the rules that have been in place for some time. This is how we all benefit. Not only vendors, but all of our customers as well.
The malware naming issue
Very quickly, VirusTotal solved a huge problem for our customers, which was in the naming of malware. Let me explain.
In an enterprise environment, it’s normal to use multiple security solutions from different vendors. But what happens if one vendor detects malware on the desktop using one name, and another vendor detects malware on the gateway using a different name? Customers want to know if this is the same malware, named differently, or if they are under attack by, in fact, multiple purveyors of malware. VT solved this: the customer uploads the piece of malware to VirusTotal, receives the detection results, and based on these results can see, “Oh! This is the same piece of malware,” or that it is indeed different.
Customers have a huge interest in this. As far back as ten years ago, all of us vendors wanted to agree on using the same name. Initially, we decided that when vendors first detect a virus and provide patterns to the industry, they would use their own descriptor; but within one week, we would all agree on a common name.
But the pace of malware was so rapid, and so brutal, we all realized that we never could keep up with the attacks and adhere to the naming process as well. So VirusTotal is not only a service for showing who detects what, but also a means for establishing an identity for the malware, with names that customers can use.
Has anything changed, really?
If you consider the original rationale and collective spirit around the VirusTotal project, nothing has changed. The next-gen players are simply being asked to participate in the collective agreement, as originally conceived, to supply their detection engines in order to maintain their subscriptions to VT.
This means that it’s up to these vendors to negotiate with VT to provide their scan engines in a form that can be used. It shouldn’t be a problem, and it will allow the next-gen players to continue receiving their samples as before.
This will restore the give and take that VT was founded on. Meanwhile, nothing changes for customers who are not themselves security players. If customers send in a binary, they will receive the detection results.
A matter of fairness for the anti-malware community
Naturally, the traditional anti-malware vendor market has a keen interest in finally seeing what the next-gen players really can detect with their engines, since they haven’t been sharing their capabilities in the past. Of course, we won’t be able to see their algorithms, but we would love to see what they can bring to the table. Before, the next-gen players were reluctant to participate in individual tests, claiming, “We are SO next-gen, you can’t test us properly!” Maybe now they finally will add their engines to VirusTotal and to independent test organizations, so that their real-world detection rates and false-positive rates can be judged.
This debate is about a more fundamental issue than simply traditional anti-malware vendors versus next-gen vendors. The issue is about establishing give and take, a simple matter of fairness. VirusTotal is willing to add any of the next-gen vendors and provide them access to scan results, and this is in fact what we all would welcome.
The work of malware detection
Most of the next-gen players have had the benefit of getting these results for several years now, creating their offerings on the back of OUR work—that is, the work of traditional anti-malware players that have been working to identify malware. Our security experts have been doing the analysis, using machine learning, advanced heuristics; it’s not just the next-gen players doing this kind of work. Every day at Trend Micro we receive roughly 700,000 binary samples from our customer base, our own sourcing, and industrial exchanges including VirusTotal, AV test organizations, Symantec, McAfee, and Sophos, just to name a few. All these players are sharing their results and their resources. And every day, we condense our results and create updates that get applied to roughly 500,000 pieces of malware.
Imagine the work. Machine learning is important, but to reduce the high number of false positives requires manual analysis to secure our machine learning algorithms. I have to say that this work, until VirusTotal decided to change the rules, was being misused by those who were not investing in the research or investing in their own malware analytics to create their own clean training pool, but simply were using VirusTotal as a training pool for their own machine learning algorithms.
A training pool, by the way, is the labelled set of samples used to train your machine learning algorithms. If you have a large training pool of malware, the algorithms can learn the behavior common to malware. But if the pool contains false positives (clean files wrongly labelled as malware), you poison it: the model learns that traits of ordinary clean software are signs of malware, and its own false-positive rate rises. By relying on the combined intelligence of the security companies contributing to VirusTotal, it is easy to access a clean and reliable training pool.
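As an added illustration of that point (example code written for this edit, not Trend Micro's, VirusTotal's or any vendor's), the following toy Bernoulli naive Bayes detector is trained once on a clean pool and once on a pool in which 30% of the benign files carry a false-positive verdict, and both models are scored on the same clean held-out set. The four static features, the per-class probabilities, the sample sizes, the random seed and the 30% rate are all constructed assumptions chosen to make the effect visible; they are not measurements.

```python
"""Added example (not from the original article): how false positives in a
consensus-labelled training pool degrade a malware classifier.

Files are modelled as four binary static features. The feature
probabilities, sample sizes and the false-positive rate in the pool are
constructed assumptions for illustration, not measured values.
"""
import math
import random

# Feature order: packed, autorun persistence, network beacon, code-signed.
FEATURES = ("packed", "autorun", "beacon", "signed")
# Assumed per-class probability that each feature is present (constructed).
P_MALICIOUS = (0.8, 0.7, 0.6, 0.1)
P_BENIGN = (0.1, 0.2, 0.2, 0.7)


def sample_files(rng, n, probs):
    """Draw n synthetic files (tuples of 0/1 per feature) from a feature model."""
    return [tuple(int(rng.random() < p) for p in probs) for _ in range(n)]


def build_pool(rng, n_per_class, false_positive_rate):
    """Return (files, labels) for a pool with n_per_class files of each class.

    A fraction false_positive_rate of the benign files is labelled malicious,
    standing in for false positives inherited from upstream verdicts."""
    files, labels = [], []
    for x in sample_files(rng, n_per_class, P_MALICIOUS):
        files.append(x)
        labels.append(1)
    for x in sample_files(rng, n_per_class, P_BENIGN):
        files.append(x)
        labels.append(1 if rng.random() < false_positive_rate else 0)
    return files, labels


class BernoulliNB:
    """Bernoulli naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self):
        self.log_prior = {}   # class -> log P(class)
        self.log_p = {}       # class -> list of (log P(f=1), log P(f=0))

    def fit(self, files, labels):
        n_feat = len(files[0])
        for c in (0, 1):
            rows = [x for x, y in zip(files, labels) if y == c]
            self.log_prior[c] = math.log(len(rows) / len(files))
            self.log_p[c] = []
            for j in range(n_feat):
                p1 = (sum(x[j] for x in rows) + 1) / (len(rows) + 2)
                self.log_p[c].append((math.log(p1), math.log(1 - p1)))
        return self

    def predict(self, x):
        """Return 1 (malicious) if the malicious posterior wins, else 0."""
        score = {}
        for c in (0, 1):
            s = self.log_prior[c]
            for j, v in enumerate(x):
                s += self.log_p[c][j][0] if v else self.log_p[c][j][1]
            score[c] = s
        return 1 if score[1] > score[0] else 0


def false_positive_rate(model, benign_files):
    return sum(model.predict(x) for x in benign_files) / len(benign_files)


def detection_rate(model, malicious_files):
    return sum(model.predict(x) for x in malicious_files) / len(malicious_files)


def compare_pools(seed=7, n_train=1000, n_test=1000, poison_rate=0.30):
    """Train on a clean pool and on a pool with poison_rate of the benign
    files mislabelled, then score both on the same clean held-out set.

    Returns (clean_fpr, poisoned_fpr, clean_tpr, poisoned_tpr)."""
    rng = random.Random(seed)
    clean = build_pool(rng, n_train, 0.0)
    poisoned = build_pool(rng, n_train, poison_rate)
    test_benign = sample_files(rng, n_test, P_BENIGN)
    test_malicious = sample_files(rng, n_test, P_MALICIOUS)
    m_clean = BernoulliNB().fit(*clean)
    m_poisoned = BernoulliNB().fit(*poisoned)
    return (false_positive_rate(m_clean, test_benign),
            false_positive_rate(m_poisoned, test_benign),
            detection_rate(m_clean, test_malicious),
            detection_rate(m_poisoned, test_malicious))


if __name__ == "__main__":
    c_fpr, p_fpr, c_tpr, p_tpr = compare_pools()
    print(f"clean pool:    FPR={c_fpr:.3f}  detection={c_tpr:.3f}")
    print(f"poisoned pool: FPR={p_fpr:.3f}  detection={p_tpr:.3f}")
```

The poisoned model still detects most of the malware; what it loses is precision. The mislabelled benign files pull the "malicious" feature estimates toward clean-software traits and raise the malicious prior, so benign files that show one or two suspicious traits (a packed but signed installer, for instance) tip over the decision boundary. That is exactly the false-positive behavior that customers will not accept, and it is why a pool has to be curated rather than simply harvested.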
The next-gen vendors used all our combined capabilities and charged customers as if this represented their own work. Easy to say that you are patternless if you use the results from others!
Come on, we’re all in this together
While some have complained about the VirusTotal decision, others are quickly getting on board. CrowdStrike, for example, a prominent next-gen anti-malware company, has begun negotiations with VirusTotal in order to remain part of the larger community.
My advice to other next-gen players is simple. This is a competitive market. But our competitors are actually the bad guys—the ones out there creating the malware—not each other. The traditional players have been investing a fortune in research, because our customer base will not accept a high rate of false positives. We are doing a lot of work, and we simply want the next-gen players to share their own intel, as we have done for some time now. We are all, including VirusTotal, more than happy to continue sharing with all players in the security space once they contribute their virus engines to the collective capability.
We know that many of the next-gen anti-malware companies have new, aggressive algorithms; we traditional players have aggressive capabilities on the back end, and we have invested in additional processes that include human beings. But if we are soon able to see that the next-gen teams have figured out a way to do this work with less human interaction, then I will be the first to go back to my own engineers and say, “Hey, why can’t we do this?” or “Look at how these two next-gen companies have reduced their false positives to a rate lower than ours. How can we do this better?”
There is no reason for next-gen anti-malware companies to fear some sort of competitive weakening by VirusTotal’s new requirements. We can never seize their algorithms or their scan engines; this is all up to VirusTotal, owned by Google, which I hasten to add is not a security company with bias toward any security player or mode of virus detection. I would simply like to know what players such as Cylance are really capable of.
Where the value lies
If this new transparency shows us that the next-gen teams are doing an amazing job, then frankly, one of the traditional anti-malware vendors with billions in the bank would probably want to buy them. It’s that easy. All of these next-gen companies are pre-IPO, VC-driven concerns, burning money like crazy. But as long as they don’t participate in the transparent and independent testing that the VirusTotal model now requires, who knows where the real value lies?
But let’s set aside any discussion of acquisitions for now. The greater value of VirusTotal’s decision will be realized by the consumer, who stands to benefit from a much larger pool of anti-malware capability than ever before.
TechBeacon invites responses to this article from the anti-malware community and from other parties interested in this issue. Please use the comments feature below, or send your replies directly to mike@techbeacon.com
Image credit: Flickr