Vulnerabilities / Threats

8/25/2016
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

CrowdStrike Integrates Scanning Engine With VirusTotal

Machine Learning engine first in virus-scanning service to provide confidence levels with results, vendor says.

UPDATED 6:50 PM E.T. -- In a détente of sorts, security vendor CrowdStrike Inc. has integrated its antivirus engine with VirusTotal about three months after the malware scanning service raised concerns about companies like it not contributing to the community.

CrowdStrike’s Machine Learning Engine brings a new approach for detecting malware and will give VirusTotal users a new source of information for determining the level of maliciousness of malware samples, the company announced Thursday.

“The technology we released on VT detects unknown files very well because it is not signature-based," says Sven Krasser, CrowdStrike’s chief scientist.

“The machine-learning engine is unique as it is also the first engine in VirusTotal to provide a confidence level as a result of its analysis,” he said. It gives users of VirusTotal a way to make more granular decisions about exactly how malicious a particular file might be, rather than the simple “pass” or “fail” metrics that are currently available.

At least two other security vendors are expected to integrate their scanning engines with VirusTotal in response to the concerns raised by the service in May, Reuters reported Thursday.  More are likely to follow suit soon in moves that could boost overall malware protection for users, the news agency said quoting anonymous sources close to the matter.

The Google-owned VirusTotal is a collaborative multi-engine virus-scanning service. It allows subscribers, which include many of the biggest vendors of anti-malware products, to submit a suspicious file and have it scanned against multiple engines to see how many of the engines flag the file as malware.

Anti-malware software vendors have used VirusTotal for years to detect new malware samples and to develop signatures against them for use in their own products.

In May, VirusTotal dropped a bombshell when it abruptly announced a change in its terms by requiring all subscribers to integrate their own detection scanners with the service in order to receive antivirus results from it.

VirusTotal said the change was needed to ensure that all vendors benefiting from the service also contributed to it.

The decision exposed a rift in the industry between some vendors of traditional signature-based antivirus products like Symantec and Trend Micro and vendors of signature-less products like CrowdStrike, SentinelOne, Palo Alto Networks, and others.

All of the scanning engines in VirusTotal are from the vendors of signature-based products. Their argument was that VirusTotal gave vendors of next-generation products an easy way to determine if files were malicious or not without having to do anything to make that determination on their own. While newer vendors disparaged older signature-based tools, they were still benefiting from the results generated by the older products via their subscription to VirusTotal, some older vendors maintained.

“There are a number of endpoint products that use VirusTotal to determine if a file is malicious,” without contributing back to the community, Malwarebytes board member Alex Eckelberry had noted in a blog post following the policy change.

“The people who are actually writing detections are sharing their results with the rest of the community, while a small group of endpoint products have been boasting of their extraordinary abilities, while working off the backs of other researchers,” Eckelberry had said.

Initially at least some of the younger anti-malware software vendors brushed aside the VirusTotal policy change as a non-event and downplayed the suggestion that they were unfairly benefiting from the service while giving nothing back. Several claimed that their products were based on completely different approaches to malware detection and therefore were not impacted by the exclusion from VirusTotal.

This week’s move by CrowdStrike, and the reported moves by two other vendors, suggest that a rapprochement between the two sides may be at hand.

Editor's note: This story originally stated that CrowdStrike had been excluded from the VirusTotal community for failing to contribute to the community. It has been updated to reflect that CrowdStrike was never excluded or threatened with exclusion.

 

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/26/2016 | 1:10:35 PM
Can't forget the basics
Even nextgen AV cannot forget the basics of scanning on a signature basis. It makes sense that for this purpose ingesting virustotal would be one of the more efficient ways to accomplish this task.
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.