Vulnerabilities / Threats
8/25/2016
05:00 PM

CrowdStrike Integrates Scanning Engine With VirusTotal

Machine Learning engine first in virus-scanning service to provide confidence levels with results, vendor says.

UPDATED 6:50 PM E.T. -- In a détente of sorts, security vendor CrowdStrike Inc. has integrated its antivirus engine with VirusTotal about three months after the malware scanning service raised concerns about companies like it not contributing to the community.

CrowdStrike’s Machine Learning Engine brings a new approach for detecting malware and will give VirusTotal users a new source of information for determining the level of maliciousness of malware samples, the company announced Thursday.

“The technology we released on VT detects unknown files very well because it is not signature-based,” says Sven Krasser, CrowdStrike’s chief scientist.

“The machine-learning engine is unique as it is also the first engine in VirusTotal to provide a confidence level as a result of its analysis,” he said. It gives users of VirusTotal a way to make more granular decisions about exactly how malicious a particular file might be, rather than the simple “pass” or “fail” metrics that are currently available.

At least two other security vendors are expected to integrate their scanning engines with VirusTotal in response to the concerns raised by the service in May, Reuters reported Thursday. More are likely to follow suit soon in moves that could boost overall malware protection for users, the news agency said, quoting anonymous sources close to the matter.

The Google-owned VirusTotal is a collaborative multi-engine virus-scanning service. It allows subscribers, which include many of the biggest vendors of anti-malware products, to submit a suspicious file and have it scanned against multiple engines to see how many of the engines flag the file as malware.

Anti-malware software vendors have used VirusTotal for years to detect new malware samples and to develop signatures against them for use in their own products.

In May, VirusTotal dropped a bombshell when it abruptly announced a change in its terms by requiring all subscribers to integrate their own detection scanners with the service in order to receive antivirus results from it.

VirusTotal said the change was needed to ensure that all vendors benefiting from the service also contributed to it.

The decision exposed a rift in the industry between some vendors of traditional signature-based antivirus products like Symantec and Trend Micro and vendors of signature-less products like CrowdStrike, SentinelOne, Palo Alto Networks, and others.

All of the scanning engines in VirusTotal are from the vendors of signature-based products. Their argument was that VirusTotal gave vendors of next-generation products an easy way to determine if files were malicious or not without having to do anything to make that determination on their own. While newer vendors disparaged older signature-based tools, they were still benefiting from the results generated by the older products via their subscription to VirusTotal, some older vendors maintained.

“There are a number of endpoint products that use VirusTotal to determine if a file is malicious,” without contributing back to the community, Malwarebytes board member Alex Eckelberry had noted in a blog post following the policy change.

“The people who are actually writing detections are sharing their results with the rest of the community, while a small group of endpoint products have been boasting of their extraordinary abilities, while working off the backs of other researchers,” Eckelberry had said.

Initially, at least some of the younger anti-malware software vendors brushed aside the VirusTotal policy change as a non-event and downplayed the suggestion that they were unfairly benefiting from the service while giving nothing back. Several claimed that their products were based on completely different approaches to malware detection and therefore were not impacted by the exclusion from VirusTotal.

This week’s move by CrowdStrike, and the reported moves by two other vendors, suggest that a rapprochement between the two sides may be at hand.

Editor's note: This story originally stated that CrowdStrike had been excluded from the VirusTotal community for failing to contribute to the community. It has been updated to reflect that CrowdStrike was never excluded or threatened with exclusion.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RyanSepe
User Rank: Ninja
8/26/2016 | 1:10:35 PM
Can't forget the basics
Even next-gen AV cannot forget the basics of scanning on a signature basis. It makes sense that for this purpose ingesting VirusTotal would be one of the more efficient ways to accomplish this task.