A VirusTotal Policy Change Has Exacerbated the Bad Blood Between Traditional and Next-gen Anti-malware Companies
On May 4, VirusTotal (VT) dropped a bombshell that has reverberated throughout the anti-malware industry. That bombshell was a two-sentence change to VT’s policies: “all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services.” A second amendment requires new applicants to effectively be certified by the Anti-Malware Testing Standards Organization (AMTSO).
To understand the effect of these changes we need to understand four elements: the traditional anti-malware industry, the next-gen anti-malware industry, VirusTotal, and AMTSO.
The traditional anti-malware industry (formerly known as anti-virus) has existed since the beginnings of cyber security. It has invested vast sums into detecting and neutralizing malware. It was founded on a ‘blacklist’ policy: detect the malware, analyze it and add a unique signature to a blacklist. This methodology is not perfect: there is a latency between the existence of new malware and its detection and addition to the blacklist.
The industry long-ago accepted this weakness and developed ‘behavioral’ additions to improve its efficiency. The anti-malware industry can be simplistically described as ‘signature-based, plus…’. As the first security industry, it is the industry that has the most customers.
Next-gen anti-malware takes a different approach. It focuses on behavior and reputation rather than signatures. It watches networks and traffic and notes behavioral anomalies that might indicate the presence of malware or an intruder. But it is relatively new, and to a certain extent must weaken the anti-malware industry’s grip on customers.
Owned by Google, VirusTotal is an online service that checks suspicious files against an array of anti-malware products. Since the check is static, it relies heavily on the signature engines of the subscribing vendors. In its own words, it is “a collaborative service to promote the exchange of information and strengthen security on the internet.” If a submitted file is found to be malicious, details are circulated to all subscribing companies – and in this sense it is an early and effective threat sharing mechanism.
But the check is primarily against signature engines, which we know are only part of traditional anti-malware. Taken in isolation, the effect of the test is misleading. Indeed, VT has always said precisely this. Nevertheless, over the last few years some parts of the next-gen anti-malware industry have not hesitated to use VT results to suggest that the traditional industry is failing its customers.
VirusTotal also offers an API that allows subscribers to integrate their own systems to the VT database. This allows vendors that detect a suspicious file to automatically check it against VT and return results to the customer as if they were their own.
AMTSO was born for all of the right reasons. Anti-malware testing is very difficult. The introduction of statistical bias could easily favor one product over another. AMTSO strives to provide testing methodologies that are fair to everyone. But it has one major weakness: it is almost entirely composed of anti-malware vendors and anti-malware testing organizations. This leaves itself open to accusations that it is an anti-malware club designed to protect the status quo.
It is against this background that VT’s new policies should be measured. There is little doubt that its services have been abused by some companies. ESET’s David Harley explains: “It’s been quite easy for companies to pay a subscription and benefit from the work of others without sharing any information of their own. VirusTotal’s statement makes clear – again – that the company is aware of several ways in which its data is being misused.”
Independent security expert Graham Cluley explains his own concerns: “Essentially, some vendors were having their cake and eating it – basing their ‘next generation’ security products on the backs of other security vendors’ hard work, and not contributing anything back to the community.” This is done by plugging their own products into the VT API and effectively using VT as their detection engine. “To rub salt into the wound some would criticize the other security vendors for their alleged reliance on ‘traditional’ techniques, while actually exploiting that expertise at no cost to themselves!”
But while the purpose may be to prevent abuse, the reality is that VT’s two new requirements (integrating a detection scanner into VT and certification by AMTSO) effectively exclude genuine next-gen anti-malware companies from working with or benefiting from VT.
Matters might still have not erupted were it not for a subsequent blog post (by a matter of hours only) by Alex Eckelberry, a board member of anti-malware firm Malwarebytes, and a member of the advisory board of AMTSO. He says, “No longer will antivirus companies see their hard work taken by some sexy startup that’s raised millions of dollars on the false promise of ‘next generation’ endpoint or other such nonsense, while bashing the very companies that they’re effectively stealing the intellectual property of. And perhaps, we’ll see what their products are really made of. Because without VirusTotal as a crutch, companies that rely on it are going to see their detection rates take a hit.”
Commenting on Eckelberry’s post, Carl Gottlieb, technical director and co-founder at Cognition, wrote, “Subsequently, he and a few other commentators called out Cylance, SentinelOne, Palo Alto Networks and CrowdStrike as being amongst these ‘false promise’ vendors ‘effectively stealing the intellectual property of’ contributing VT vendors.” Gottlieb’s commentary is very pro next-gen – but for purposes of transparency it should be noted his company is a major reseller of next-gen Cylance.
Now there are clear battle lines: the traditional anti-malware industry lined up against the newer next-gen anti-malware industry. Traditional is
entirely supportive of VT; next-gen is appalled at the accusations against their methods.
For the traditional industry, Luis Corrons, technical director at PandaLabs, said that the anti-malware vendors were getting increasingly concerned that newcomers were using the endeavors of VT while simultaneously having “clear marketing messages, where they say ‘antivirus is dead; this is much better than traditional antivirus’ – while they were taking advantage of what they were calling the walking dead.”
Symantec “supports the new policies and believes that they will improve the health and success of the VirusTotal ecosystem in a mutually beneficial manner.”
Trend Micro also supports the new policy, saying: “These changes were made in response to Trend Micro and other VirusTotal contributors seeing more and more companies that do not materially contribute to VirusTotal benefit from the data and analysis of those of us who do contribute on an ongoing basis.”
F-Secure’s Sean Sullivan told SecurityWeek, “It looks promising for the AV industry. At the very least, it should hopefully limit the false claims as to what AV tech is and isn’t.”
Much of the traditional anti-malware industry suspects that the detection rate for a range of so-called next-gen products will simply fall away without what it considers to be freeloading support via the VT API.
Against this, the next-gen industry is concerned that its good reputation is being maligned. Some even see ‘conspiracy’ in the proceedings. Tomer Weingarten, CEO at SentinelOne (another of the next-gen detectors) said in a blog post on Wednesday, “This aggressive promotion naturally led many to believe this change was the result of an orchestrated coup on the part of the traditional AV vendors who feel threatened by the rise of companies like SentinelOne, Crowdstrike and Palo Alto Networks. Whether this was an orchestrated attempt or not, we may never know.”
Palo Alto Networks has posted a statement on its blog saying no change here: “There is no impact to Palo Alto Networks customers or the protections our customers receive from us. VirusTotal will continue to provide subscribers, including Palo Alto Networks, access to all file samples. There is no change to the way we work with VirusTotal.”
In an email exchange with SecurityWeek, Palo Alto further explained, “For further context, while we do indeed use the VirusTotal API to get samples, the recent VirusTotal policy change doesn’t affect Palo Alto Networks because we don’t rely on VirusTotal verdicts to determine the maliciousness of a file. From that perspective, the change to remove verdicts from the API doesn’t impact our ability to get samples from VirusTotal, determine the maliciousness, or produce signatures to protect our customers.”
For its part, VirusTotal and the anti-malware industry (for without any doubt this seems to be a co-ordinated coup) feels no longer able to sit back and see its own research used to malign its capabilities. It has, however, set the entry bar rather high. Requiring registration of the detection engine with VT and certification from AMTSO (both of which are controlled by the incumbent anti-malware industry) will effectively exclude the majority of next-gen companies from inclusion.
The Way Forward
VirusTotal told SecurityWeek in an email response, “This update is designed to make the community stronger for everyone who participates and we are open to working with any contributor and any technology that adds value to the community. This does not reflect a change in the service that VirusTotal provides, but is a change to our policies that we believe will make our community healthier and stronger.”
Separately, a spokesperson explained, “Each security vendor that uses VirusTotal and has a publicly available anti-virus engine or URL malware-scanning engine will be required to list its scanner in the VirusTotal public interface as a condition to receiving access to the API account and distribution feed with antivirus results.” So, quite simply, if you don’t take part in the online malware scanning, you don’t get to access the API.
For this to work it will require mutual respect between traditional and next-gen anti-malware. Use of VT as a marketing metric should cease; and marketing slogans like ‘anti-virus is dead’ should stop. For its part, traditional anti-malware should actively seek ways of integrating next-gen products into the VT community. Both are needed by users, for no single technology can catch all threats. There is no reason for them not to work in harmony in a layered defense.
It remains to be seen whether this can be achieved in the long term. In the short term the new VT policies have simply exacerbated the bad blood between traditional and next-gen anti-malware.