8/25/2016
05:00 PM
CrowdStrike Integrates Scanning Engine With VirusTotal

Machine Learning engine first in virus-scanning service to provide confidence levels with results, vendor says.

UPDATED 6:50 PM E.T. -- In a détente of sorts, security vendor CrowdStrike Inc. has integrated its antivirus engine with VirusTotal about three months after the malware scanning service raised concerns about companies like it not contributing to the community.

CrowdStrike’s Machine Learning Engine brings a new approach for detecting malware and will give VirusTotal users a new source of information for determining the level of maliciousness of malware samples, the company announced Thursday.

“The technology we released on VT detects unknown files very well because it is not signature-based," says Sven Krasser, CrowdStrike’s chief scientist.

“The machine-learning engine is unique as it is also the first engine in VirusTotal to provide a confidence level as a result of its analysis,” he said. It gives users of VirusTotal a way to make more granular decisions about exactly how malicious a particular file might be, rather than the simple “pass” or “fail” metrics that are currently available.

At least two other security vendors are expected to integrate their scanning engines with VirusTotal in response to the concerns raised by the service in May, Reuters reported Thursday. More are likely to follow suit soon in moves that could boost overall malware protection for users, the news agency said, quoting anonymous sources close to the matter.

The Google-owned VirusTotal is a collaborative multi-engine virus-scanning service. It allows subscribers, which include many of the biggest vendors of anti-malware products, to submit a suspicious file and have it scanned against multiple engines to see how many of the engines flag the file as malware.
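The difference between the binary "pass"/"fail" verdicts described above and an engine that reports a confidence level matters when a defender aggregates a multi-engine scan into a triage decision. The following is an added illustration, not code from CrowdStrike or VirusTotal: the record layout, the engine names and the thresholds are all constructed assumptions, not VirusTotal's real report format.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified verdict record; not VirusTotal's actual report schema.
@dataclass
class EngineVerdict:
    engine: str
    detected: bool
    confidence: Optional[float] = None  # set only by engines that report one

def detection_ratio(verdicts: List[EngineVerdict]) -> Tuple[int, int]:
    """Classic pass/fail view: how many engines flagged the file out of how many ran."""
    flagged = sum(1 for v in verdicts if v.detected)
    return flagged, len(verdicts)

def weighted_score(verdicts: List[EngineVerdict]) -> float:
    """Average detection across engines, where a confidence-bearing engine
    contributes its confidence instead of a flat 1.0 for a binary 'fail'."""
    if not verdicts:
        return 0.0
    total = 0.0
    for v in verdicts:
        if not v.detected:
            continue
        total += v.confidence if v.confidence is not None else 1.0
    return total / len(verdicts)

def triage(verdicts: List[EngineVerdict], block_at: float = 0.5,
           review_at: float = 0.1) -> str:
    """Map the weighted score to an action tier. Thresholds are assumed
    for illustration; a real policy would tune them per environment."""
    score = weighted_score(verdicts)
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "review"
    return "allow"

# Constructed sample scan: three binary engines plus one confidence-reporting engine.
SAMPLE = [
    EngineVerdict("SigEngineA", True),
    EngineVerdict("SigEngineB", False),
    EngineVerdict("SigEngineC", False),
    EngineVerdict("MLEngine", True, confidence=0.92),
]

if __name__ == "__main__":
    print(detection_ratio(SAMPLE), round(weighted_score(SAMPLE), 2), triage(SAMPLE))
```

A low-confidence hit from the confidence-bearing engine is deliberately not counted as a full detection, which is the granularity the article says a plain pass/fail ratio cannot express.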

Anti-malware software vendors have used VirusTotal for years to detect new malware samples and to develop signatures against them for use in their own products.

In May, VirusTotal dropped a bombshell when it abruptly announced a change in its terms by requiring all subscribers to integrate their own detection scanners with the service in order to receive antivirus results from it.

VirusTotal said the change was needed to ensure that all vendors benefiting from the service also contributed to it.

The decision exposed a rift in the industry between some vendors of traditional signature-based antivirus products like Symantec and Trend Micro and vendors of signature-less products like CrowdStrike, SentinelOne, Palo Alto Networks, and others.

All of the scanning engines in VirusTotal are from the vendors of signature-based products. Their argument was that VirusTotal gave vendors of next-generation products an easy way to determine if files were malicious or not without having to do anything to make that determination on their own. While newer vendors disparaged older signature-based tools, they were still benefiting from the results generated by the older products via their subscription to VirusTotal, some older vendors maintained.

“There are a number of endpoint products that use VirusTotal to determine if a file is malicious,” without contributing back to the community, Malwarebytes board member Alex Eckelberry had noted in a blog post following the policy change.

“The people who are actually writing detections are sharing their results with the rest of the community, while a small group of endpoint products have been boasting of their extraordinary abilities, while working off the backs of other researchers,” Eckelberry had said.

Initially, at least some of the younger anti-malware software vendors brushed aside the VirusTotal policy change as a non-event and downplayed the suggestion that they were unfairly benefiting from the service while giving nothing back. Several claimed that their products were based on completely different approaches to malware detection and therefore were not affected by exclusion from VirusTotal.

This week’s move by CrowdStrike, and the reported moves by two other vendors, suggest that a rapprochement between the two sides may be at hand.

Editor's note: This story originally stated that CrowdStrike had been excluded from the VirusTotal community for failing to contribute to the community. It has been updated to reflect that CrowdStrike was never excluded or threatened with exclusion.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
RyanSepe,
User Rank: Ninja
8/26/2016 | 1:10:35 PM
Can't forget the basics
Even next-gen AV cannot forget the basics of scanning on a signature basis. It makes sense that for this purpose ingesting VirusTotal would be one of the more efficient ways to accomplish this task.