Key quote: "Marx of AV-TEST said that some newer companies secretly relied on data supplied by older companies while marketing themselves as a cut above the older technology. "They are using traditional methods, too," he said. Some of the newer companies said they do not share their evaluations for competitive reasons."
The above sentiment may ring a bell for those of you who follow the news. It's the exact same behavior we heard from Theranos: Startup makes headlines as breakthrough technology, but under the hood nothing works and they rely on decades-old technology for actual testing. When asked about their technology (even by their investors!) their reply is "we can't tell you more because competition."
These garbage companies, shrouded in secrecy and enjoying the hype, should be outed for what they are: snake oil.
This is a good move being completely spun around to make it sound like Google is bullying startups. Snake oil should be outed as such, and if those hyped SV darlings like to shroud themselves and their shady techniques in a veil of secrecy (or rather, thick dense clouds of smoke), then they shouldn't be part of an information-sharing network like VirusTotal.
This only affects organisations that don't contribute back into the community - leechers in other words.
Virustotal has always been a platform whose data is enriched by the community for the benefit of all and so Cylance, Crowdstrike, etc can frankly go suck balls if they don't want to contribute.
> “We were more than willing to work with them, but they didn’t have a way for us,” said Tomer Weingarten, chief executive of SentinelOne, a firm that acknowledges it was cut off from the feed against its will. “This is a step back.”
> Weingarten said SentinelOne had added a new data feed to replace VirusTotal and predicted that VirusTotal will become less relevant as companies are excluded.
Even Microsoft's offering has an "advanced membership" through which they encourage users to share specimens of detected suspicious activity back to the mother ship. If SentinelOne can detect, they should be able to contribute back?
> The company claims to have a number of customer wins with a malware detection rate of over 90% for zero-day threats.
SentinelOne probably approached VirusTotal with specific requirements about how they wanted to contribute back, and VirusTotal said 'you can contribute the same way everyone else does.' The rest is marketing BS.
It's likely they are using an engine based almost entirely on run-time heuristics - that is, stopping malware when it behaves suspiciously. VirusTotal does "scan-time" analysis of files where the file is never run, only checked against AVs. If they have no "traditional" signatures, they wouldn't be compatible with this method.
Article puts a really negative spin on what can only be a good move. Why should leechers be allowed to make huge sums of money on the back of the rest of the community's work?
It doesn't seem like a coincidence that this is coming right after OSVDB shut up shop ( https://blog.osvdb.org/2016/04/05/osvdb-fin/ ), it's a good move by industry to shut out leechers and over hyped snake oil companies.
Why are they not contributing back? I fail to see any real competitive advantage to gain. Even if you happen to protect against a threat that is not publicly known, you can't really advertise that without a) making it publicly known b) making yourself sound like a jerk.
Because they have nothing to contribute. Snake oil. You can't share with VirusTotal the data you stole from them, which probably is the only one they have.
The article may be biased (I'm in agreement, spin zone) but the policy change on Virus Total's part is real news. With all the security people around HN I'm not surprised to see that people want to discuss it.
"Some security companies rely completely on the database, essentially freeloading, said executives on both sides of the divide, and did not want to share their analysis for fear of being found out."
Let me see if I can try to simplify the underlying problem here (I dabble in this space):
Little bit of background: writing pattern matching signatures is hard, adding a bunch of "known malicious" hashes to your malware database is easy.
So, company A with a staff of folks writing pattern matching signatures has its engine added to VirusTotal, and VirusTotal shares/sells hashes found by that engine to folks that pay for its API. Company B, without a staff of engineers writing pattern matching signatures, signs up for the VirusTotal API and creates its malware database based purely on the hashes other actual engines create.
Two important things to keep in mind: when this happens at the scale of VirusTotal (basically all real engines are participating), the end result "hash database" is, essentially, bullet proof since it's likely that any sample used to test its effectiveness will be run by VirusTotal first.
We (I run scanii.com a malware/content detection API service) run into this all the time with folks either abusing or just not understanding the reason VT exists.
>bullet proof since it's likely that any sample used to test its effectiveness will be run by VirusTotal first.
Nope. There are lots of situations where exploit kits will automatically re-compile and re-pack malware on-demand in ways sufficiently complex that they eliminate any signatures and evade AV detection.
A lot of companies are using VT as a filter for known bad to prevent even having to deal with such samples, but many unknown bad samples still exist and make it past the VT engine, only to be picked up by behavioral detection.
Conversely, a small number of known bad samples that are caught by VT can slip by behavioral detection engines that are gated by VT, causing infection (when VT is removed) where it would otherwise be prevented. Of course, in these cases, it is the fault of the behavioral vendor for not having sufficient behavioral detection, but relying on VT does make that easier. For instance, many companies have a loop where they can take samples detected by VT, run them constantly through an automated analysis lab, and see whether or not their behavioral analysis detects each sample. In the cases where it fails, that sample has a direct line to analysts who can reverse engineer it, come up with new behavioral patterns, and add it to training sets for any machine learning based detection. In this sense, not having VT support makes everything less safe.
The next issue is that companies like this simply can't be run on VT's platform because they're too heavy, as the article mentions. I think a good middle ground here would be to turn this analysis loop into a feedback loop by adding one more step: in cases where behavioral detects and VT does not, submit the report to VT in a standardized format so it can be added to their corpus.
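A small model of the gating-plus-feedback loop described in the comment above, as an added example that is not code from VirusTotal or any commenter. The behavioral rules, sample bytes and "known bad" hash set are constructed; the repacked variant shows why a hash-only database misses it while behavior still catches it, and the routing shows where each kind of miss should go.

```python
import hashlib
from collections import Counter

# Constructed behavioral rules: a sample is flagged when it shows every
# behavior in any one rule (stand-in for a real behavioral engine).
BEHAVIOR_RULES = [
    {"spawns_powershell", "disables_defender"},
    {"writes_run_key", "connects_c2"},
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def behavioral_detects(behaviors: set[str]) -> bool:
    return any(rule <= behaviors for rule in BEHAVIOR_RULES)

def triage(sample: bytes, behaviors: set[str], known_bad: set[str]) -> str:
    """Route one sample according to which engine(s) caught it."""
    hash_hit = sha256_hex(sample) in known_bad
    behav_hit = behavioral_detects(behaviors)
    if hash_hit and behav_hit:
        return "blocked_by_hash"
    if hash_hit and not behav_hit:
        # Known bad via the shared feed, but the behavioral engine missed
        # it: this is the sample analysts should reverse and turn into new
        # behavioral patterns / training data.
        return "escalate_to_analysts"
    if behav_hit:
        # Caught only by behavior (e.g. a repacked variant whose hash is
        # unknown): submit the report so the shared corpus gains it.
        return "submit_report_to_vt"
    return "undetected"

# Constructed corpus: name -> (file bytes, observed sandbox behaviors)
ORIGINAL = b"MZ\x90\x00dropper-v1"
REPACKED = b"MZ\x90\x00dropper-v1-repacked"  # same behavior, new bytes
CORPUS = {
    "dropper_v1": (ORIGINAL, {"spawns_powershell", "disables_defender"}),
    "dropper_v1_repacked": (REPACKED, {"spawns_powershell", "disables_defender"}),
    "quiet_stealer": (b"MZ\x90\x00stealer", {"reads_browser_db"}),
    "unknown_loader": (b"MZ\x90\x00loader", {"connects_c2"}),
}
# Hashes "learned" from the shared feed: only two of the originals.
KNOWN_BAD = {sha256_hex(ORIGINAL), sha256_hex(b"MZ\x90\x00stealer")}

def run_loop(corpus=CORPUS, known_bad=KNOWN_BAD) -> dict[str, str]:
    return {name: triage(data, beh, known_bad) for name, (data, beh) in corpus.items()}

def summarize(results: dict[str, str]) -> Counter:
    return Counter(results.values())

if __name__ == "__main__":
    for name, action in run_loop().items():
        print(f"{name:22s} -> {action}")
```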
> On Wednesday, the 12-year-old service quietly said it would cut off unlimited ratings access to companies that do not share their own evaluations of submitted samples.
Not sure why the headline spins Google as the bad guy here. The system works best if all companies contribute, and clearly there's some who are not contributing.
I am a little confused. VirusTotal has public and private APIs. Are these companies losing access to those APIs? If so, what if you aren't a security company but want to use it for virus detection of uploaded files?
They are specifically targeting companies who follow VirusTotal's distribution feed, from what I can tell. This gives them all files submitted to VT and their corresponding reports, but they're not sharing their analysis of these files.
If you're not an AV and you just rely on VT reports, this shouldn't affect you.