Vulnerabilities / Threats

8/25/2016 05:00 PM
CrowdStrike Integrates Scanning Engine With VirusTotal

Machine Learning engine first in virus-scanning service to provide confidence levels with results, vendor says.

UPDATED 6:50 PM E.T. -- In a détente of sorts, security vendor CrowdStrike Inc. has integrated its antivirus engine with VirusTotal about three months after the malware scanning service raised concerns about companies like it not contributing to the community.

CrowdStrike’s Machine Learning Engine brings a new approach for detecting malware and will give VirusTotal users a new source of information for determining the level of maliciousness of malware samples, the company announced Thursday.

“The technology we released on VT detects unknown files very well because it is not signature-based,” says Sven Krasser, CrowdStrike’s chief scientist.

“The machine-learning engine is unique as it is also the first engine in VirusTotal to provide a confidence level as a result of its analysis,” he said. It gives users of VirusTotal a way to make more granular decisions about exactly how malicious a particular file might be, rather than the simple “pass” or “fail” metrics that are currently available.

At least two other security vendors are expected to integrate their scanning engines with VirusTotal in response to the concerns raised by the service in May, Reuters reported Thursday. More are likely to follow suit soon in moves that could boost overall malware protection for users, the news agency said, citing anonymous sources close to the matter.

The Google-owned VirusTotal is a collaborative multi-engine virus-scanning service. It allows subscribers, which include many of the biggest vendors of anti-malware products, to submit a suspicious file and have it scanned against multiple engines to see how many of the engines flag the file as malware.

Anti-malware software vendors have used VirusTotal for years to detect new malware samples and to develop signatures against them for use in their own products.

In May, VirusTotal dropped a bombshell when it abruptly announced a change in its terms by requiring all subscribers to integrate their own detection scanners with the service in order to receive antivirus results from it.

VirusTotal said the change was needed to ensure that all vendors benefiting from the service also contributed to it.

The decision exposed a rift in the industry between some vendors of traditional signature-based antivirus products like Symantec and Trend Micro and vendors of signature-less products like CrowdStrike, SentinelOne, Palo Alto Networks, and others.

All of the scanning engines in VirusTotal have come from vendors of signature-based products. Those vendors argued that VirusTotal gave vendors of next-generation products an easy way to determine whether files were malicious without having to do anything to make that determination on their own. While the newer vendors disparaged older signature-based tools, they were still benefiting from the results generated by the older products via their subscription to VirusTotal, some of the established vendors maintained.

“There are a number of endpoint products that use VirusTotal to determine if a file is malicious,” without contributing back to the community, Malwarebytes board member Alex Eckelberry had noted in a blog post following the policy change.

“The people who are actually writing detections are sharing their results with the rest of the community, while a small group of endpoint products have been boasting of their extraordinary abilities, while working off the backs of other researchers,” Eckelberry had said.

Initially, at least some of the younger anti-malware software vendors brushed aside the VirusTotal policy change as a non-event and downplayed the suggestion that they were unfairly benefiting from the service while giving nothing back. Several claimed that their products were based on completely different approaches to malware detection and therefore were not affected by exclusion from VirusTotal.

This week’s move by CrowdStrike, and the reported moves by two other vendors, suggest that a rapprochement between the two sides may be at hand.

Editor's note: This story originally stated that CrowdStrike had been excluded from the VirusTotal community for failing to contribute to the community. It has been updated to reflect that CrowdStrike was never excluded or threatened with exclusion.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RyanSepe,
User Rank: Ninja
8/26/2016 | 1:10:35 PM
Can't forget the basics
Even next-gen AV cannot forget the basics of scanning on a signature basis. It makes sense that for this purpose ingesting VirusTotal would be one of the more efficient ways to accomplish this task.