Vulnerabilities / Threats

8/25/2016
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

CrowdStrike Integrates Scanning Engine With VirusTotal

Machine Learning engine first in virus-scanning service to provide confidence levels with results, vendor says.

UPDATED 6:50 PM E.T. -- In a détente of sorts, security vendor CrowdStrike Inc. has integrated its antivirus engine with VirusTotal about three months after the malware scanning service raised concerns about companies like it not contributing to the community.

CrowdStrike’s Machine Learning Engine brings a new approach for detecting malware and will give VirusTotal users a new source of information for determining the level of maliciousness of malware samples, the company announced Thursday.

“The technology we released on VT detects unknown files very well because it is not signature-based," says Sven Krasser, CrowdStrike’s chief scientist.

“The machine-learning engine is unique as it is also the first engine in VirusTotal to provide a confidence level as a result of its analysis,” he said. It gives users of VirusTotal a way to make more granular decisions about exactly how malicious a particular file might be, rather than the simple “pass” or “fail” metrics that are currently available.

At least two other security vendors are expected to integrate their scanning engines with VirusTotal in response to the concerns raised by the service in May, Reuters reported Thursday.  More are likely to follow suit soon in moves that could boost overall malware protection for users, the news agency said quoting anonymous sources close to the matter.

The Google-owned VirusTotal is a collaborative multi-engine virus-scanning service. It allows subscribers, which include many of the biggest vendors of anti-malware products, to submit a suspicious file and have it scanned against multiple engines to see how many of the engines flag the file as malware.

Anti-malware software vendors have used VirusTotal for years to detect new malware samples and to develop signatures against them for use in their own products.

In May, VirusTotal dropped a bombshell when it abruptly announced a change in its terms by requiring all subscribers to integrate their own detection scanners with the service in order to receive antivirus results from it.

VirusTotal said the change was needed to ensure that all vendors benefiting from the service also contributed to it.

The decision exposed a rift in the industry between some vendors of traditional signature-based antivirus products like Symantec and Trend Micro and vendors of signature-less products like CrowdStrike, SentinelOne, Palo Alto Networks, and others.

All of the scanning engines in VirusTotal are from the vendors of signature-based products. Their argument was that VirusTotal gave vendors of next-generation products an easy way to determine if files were malicious or not without having to do anything to make that determination on their own. While newer vendors disparaged older signature-based tools, they were still benefiting from the results generated by the older products via their subscription to VirusTotal, some older vendors maintained.

“There are a number of endpoint products that use VirusTotal to determine if a file is malicious,” without contributing back to the community, Malwarebytes board member Alex Eckelberry had noted in a blog post following the policy change.

“The people who are actually writing detections are sharing their results with the rest of the community, while a small group of endpoint products have been boasting of their extraordinary abilities, while working off the backs of other researchers,” Eckelberry had said.

Initially at least some of the younger anti-malware software vendors brushed aside the VirusTotal policy change as a non-event and downplayed the suggestion that they were unfairly benefiting from the service while giving nothing back. Several claimed that their products were based on completely different approaches to malware detection and therefore were not impacted by the exclusion from VirusTotal.

This week’s move by CrowdStrike, and the reported moves by two other vendors, suggest that a rapprochement between the two sides may be at hand.

Editor's note: This story originally stated that CrowdStrike had been excluded from the VirusTotal community for failing to contribute to the community. It has been updated to reflect that CrowdStrike was never excluded or threatened with exclusion.

 

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/26/2016 | 1:10:35 PM
Can't forget the basics
Even nextgen AV cannot forget the basics of scanning on a signature basis. It makes sense that for this purpose ingesting virustotal would be one of the more efficient ways to accomplish this task.
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11440
PUBLISHED: 2018-05-25
Liblouis 3.5.0 has a stack-based Buffer Overflow in the function parseChars in compileTranslationTable.c.
CVE-2013-3018
PUBLISHED: 2018-05-24
The AXIS webapp in deploy-tomcat/axis in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 7.2.1.4 allows remote attackers to obtain sensitive configuration information via a direct request, as demonstrated by happyaxis.jsp. IBM X-Force ID: 84354.
CVE-2013-3023
PUBLISHED: 2018-05-24
IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 7.2.1.4 might allow remote attackers to obtain sensitive information about Tomcat credentials by sniffing the network for a session in which HTTP is used. IBM X-Force ID: 84361.
CVE-2013-3024
PUBLISHED: 2018-05-24
IBM WebSphere Application Server (WAS) 8.5 through 8.5.0.2 on UNIX allows local users to gain privileges by leveraging improper process initialization. IBM X-Force ID: 84362.
CVE-2018-5674
PUBLISHED: 2018-05-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader before 9.1 and PhantomPDF before 9.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw...