VirusTotal Move Stirs Conflict in Anti-Virus MarketNext-Generation AV Vendors Clash with Industry Stalwarts
New rules set by the widely used malware database service VirusTotal will exclude security vendors for not sharing data. This move highlights ongoing tension in the multibillion dollar anti-malware industry.
See Also: Threat Briefing: Ransomware
Owned by Alphabet's Google, VirusTotal is one of the largest repositories of malware and a key source of data for security companies. It charges companies for unlimited access to its database, which helps vendors compare notes on what malware their peers are detecting.
But veteran anti-virus companies have long complained that younger anti-virus upstarts are leaning too heavily on the database, allowing them to save on research and development costs.
VirusTotal's data can be used to quickly update security products to ensure they're just as effective as competing ones, particularly for older malware samples.
Until VirusTotal changed its rules last week, vendors could access the paid version of the database without integrating their own technology into VirusTotal's scanning service. That's no longer the case, a move that may expel certain companies from accessing it.
The service is also requiring security vendors that have paid for access to the database to share their evaluations of research samples they collect.
Upstarts Abusing Service?
In a statement, Google said the policy change "is designed to make the community stronger for everyone who participates, and we are open to working with any contributor and any technology that adds value to the community."
The criticism has come from decades-old anti-virus vendors, who are facing increasing competition from hot security startups.
Raimund Genes, CTO of Trend Micro, alleges in a blog post that companies specializing in "patternless" file detection - often seen as the new edge in rooting out malware - were abusing VirusTotal's service.
Genes is taking aim at a new crop of companies that have moved away from detecting malware based on spotting patterns and writing signatures and instead on behavioral and algorithmic methods.
"Rather than build up their own research capabilities, these companies were using the research capabilities of VirusTotal contributors to power their security products," Genes writes.
"On top of this, these companies would then tout their 'patternless' solution as a competitive differentiator in contrast to those very companies that were contributing data to VirusTotal (and thus powering their products)," he says.
Response: It's a 'Non-Event'
It's an ugly fight, to be sure, and one that has caused several security companies to issue statements that largely downplay the role VirusTotal's data plays in their products.
SentinelOne, based in Palo Alto, Calif., describes the policy change as a "non-event."
The change was largely advocated by "traditional AV vendors who feel threatened by the rise of companies like SentinelOne, Crowdstrike and Palo Alto Networks," writes Tomer Weingarten, SentinelOne's CEO and co-founder.
SentinelOne doesn't use VirusTotal in its main Dynamic Behavioral Tracking engine, he says.
But SentinelOne does have a feature in its product called "cloud intelligence," which bundles malware data feeds from seven vendors, including VirusTotal, Weingarten writes. The feature is separate from its main engine and stops malware before it executes, based on known harmful code.
Malware is becoming more and more sophisticated, and even next-generation vendors can't just rely on one way of detecting malware, says Andreas Clementi, chairman of AV-Comparatives.
"Most 'patternless' products are in fact just using 'patterns' of other products, but storing the data in the cloud," Clementi says. "This makes them look sophisticated, as they are light on the system and apparently not using patterns, but they rely on the IP [intellectual property] of other vendors and data stored in the cloud."
Traditional malware , such as macro-based viruses, is still the most common. "If you can't do the basics, you can't protect the customer," Clementi writes.
Crowdstrike, based in Irvine, Calif., which specializes in endpoint protection and threat intelligence, says in a statement that its relationship with VirusTotal hasn't changed just yet.
"We understand that VirusTotal is re-examining its membership requirements," according to the statement. "We support the mission of VirusTotal and have reached out to them to explore additional ways we can collaborate for the benefit of the entire security community."
The public-facing website for VirusTotal also allows the general public to submit files, which are then scanned by more than 55 different security products for malicious code. Crowdstrike is not one of them, and other companies that are considered next-generation security products are also absent.
Palo Alto Networks says in a blog post that it would still have access to VirusTotal's file samples, although its anti-malware engine is not one of the scanners in the public-facing service.
"There is no change to the way we work with VirusTotal," the company says on its blog. "Palo Alto Networks collects files samples from as many sources as possible. VirusTotal is one of many sources we use, but we do not rely on VirusTotal or any other third-party service to provide file verdict."
A Palo Alto spokeswoman confirms that the company is still a paid subscriber of VirusTotal's data feeds. VirusTotal has maintained that it's open to working with companies to become compliant with it's new policies.
Alex Eckelberry, a security industry veteran, welcomed the changes to VirusTotal. In a blog post, he alleges that some companies have been receiving much attention for their products, but contributed little back to the anti-malware community.
"For some mysterious reason, they refuse to put their own engines on VirusTotal," he writes. "Could it be because they don't want to contribute back? Maybe. Or it could be that they just don't want everyone else to see how poorly their products actually perform."