
CrowdStrike, Invincea Integrate With VirusTotal

Development Marks Progress in Resolving Months-Long Conflict

One of the most recent brawls in the anti-virus community is edging toward a partial resolution. Two major computer security companies have agreed to integrate their detection engines with Google's VirusTotal following rule changes by the service in May that sought a more level playing field among vendors.


CrowdStrike and Invincea say in back-to-back announcements that their "machine-learning" engines will be included with dozens of others within VirusTotal.

The companies' decisions mark progress in a long-simmering feud between established computer security companies and startups that chipped away some of their market share with claims of superior technology for detecting hackers (see VirusTotal Move Stirs Conflict in Anti-Virus Market).

Other companies appear to have no intention of participating. Cylance and SentinelOne declined to answer queries on whether similar moves were planned. Meanwhile, VirusTotal maintains hope.

"We will work with these security vendors who do not list scanners currently to become compliant with this revised policy," a Google spokeswoman says in a statement. "We're open to working with any contributor and any technology that adds value to the community."

Velcro Malware Wall

VirusTotal is a Velcro sticky wall for malware: Independent researchers and security companies submit new malicious samples. VirusTotal takes the samples and runs them against more than 50 security products that detect malware, a kind of flash industry survey.

Google sells subscriptions to VirusTotal that give companies unlimited access to its malware repository, one of the largest in the world. That service can help companies figure out what their peers are detecting, and helps them further by gathering sample-related comments and ratings.

That information can be used to improve products or at least help lagging ones catch up. It led to unsubstantiated charges that newer security companies were leaning too heavily on VirusTotal to keep their products current, a charge that many startups fiercely deny.

VirusTotal decided in May to exclude vendors that weren't sharing their own data and to not allow them access to the paid service. It emphasized that its repository should not be used to solely power an anti-virus product.

Most anti-virus products rely, in part, on patterns known as signatures, which describe a known malicious file and allow it to be quickly quarantined. Signatures are generated after an attack has taken place, so they are a good backstop if the same sample is seen again, but they may not detect a malicious attack the first time it appears.

Newer security companies tout their "signature-less" products, which rely on a combination of behavioral analysis and other technical signs that a file may be malware. It's an effective approach, but old-line AV companies use similar methods. The startups have marketed themselves as drastically different, which has irritated established companies and caused bitter feelings throughout the industry.

Still Holding Out

Cylance, a vendor that has been in the thick of the conflict, declined to comment. But CEO Stuart McClure told Reuters that his company still has access to the repository but just not the ratings from its peers. McClure maintained that his company is unaffected by the changes.

SentinelOne also declined to comment to ISMG. But its chief marketing officer, Scott Gainey, told Reuters that VirusTotal does not have the "interfaces" to integrate with its product.

In May, Palo Alto Networks said that the changes didn't affect its product or its customers. The company maintained that its product did not rely on ratings by other vendors for suspicious files. Its malware technology is not integrated with VirusTotal.

Vendors that don't integrate their engine with VirusTotal still have limited access. The service offers a public API that allows the submission of four samples per minute. The private, subscription-based API isn't rate-limited, and it also provides information about the behavioral execution of a file, URL information, metadata including where a submission originated, as well as advanced search features.
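A quota-aware submission pacer for the public API limit described above, added here as an example and not code from VirusTotal or any vendor named in the article. The HTTP call, the clock and the sleep function are injected stand-ins (hypothetical `fake_transport` and `FakeClock`) so the example runs offline and shows how a batch job stays within four submissions per minute.

```python
import time
from collections import deque
from hashlib import sha256
from typing import Callable, Deque, Dict, List

PUBLIC_API_LIMIT = 4      # submissions allowed per window (from the article)
WINDOW_SECONDS = 60.0     # length of the rate-limit window in seconds


class QuotaPacedSubmitter:
    """Sliding-window pacer: never more than `limit` submissions per `window`."""

    def __init__(self, transport: Callable[[str, bytes], Dict[str, object]],
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep,
                 limit: int = PUBLIC_API_LIMIT, window: float = WINDOW_SECONDS):
        self._transport, self._clock, self._sleep = transport, clock, sleep
        self._limit, self._window = limit, window
        self._sent: Deque[float] = deque()  # timestamps of recent submissions

    def _wait_for_slot(self) -> float:
        """Block until a slot is free in the window; return seconds waited."""
        now = self._clock()
        while self._sent and now - self._sent[0] >= self._window:
            self._sent.popleft()             # drop submissions that aged out
        if len(self._sent) < self._limit:
            return 0.0
        delay = self._window - (now - self._sent[0])
        self._sleep(delay)                   # wait for the oldest one to expire
        self._sent.popleft()
        return delay

    def submit(self, sample: bytes) -> Dict[str, object]:
        digest = sha256(sample).hexdigest()  # identify the sample before sending
        waited = self._wait_for_slot()
        self._sent.append(self._clock())
        return {"sha256": digest, "waited": waited,
                "response": self._transport(digest, sample)}


def submit_batch(pacer: QuotaPacedSubmitter, samples: List[bytes]) -> List[Dict[str, object]]:
    return [pacer.submit(s) for s in samples]


class FakeClock:
    """Constructed clock so the demo runs offline with no real sleeping."""
    def __init__(self) -> None:
        self.now = 0.0
    def time(self) -> float:
        return self.now
    def sleep(self, seconds: float) -> None:
        self.now += seconds


def fake_transport(digest: str, sample: bytes) -> Dict[str, object]:
    # Hypothetical stand-in for the HTTP POST to the scanning endpoint.
    return {"status": "queued", "sha256": digest, "size": len(sample)}
```

With six constructed samples, the first four go out immediately, the fifth waits a full 60 seconds for the window to clear, and the sixth then goes out at once.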


About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




