Personal opinions on additional engine usage

W

Wave

Thread author
Hello everyone! :)

I was having a talk with @Dani Santos and decided to share some personal views of my own/his, and he said I can quote him on some things... Bear in mind that everything in this thread is mine or @Dani Santos own personal view, I'm not stating that anyone else is wrong for what they are doing and I am neither hating on any other product... For example, there are many products which use other services technology which I am a big fan of.

My personal view is that it is not necessarily fair for some people to use other services technology (be it VirusTotal, MetaScan, etc.) the way they do because they make enough income to support their own technology, but also then they get all those fan-boys talking about how good this product is when there are vendors who are helping the detection rates for that company on VirusTotal getting little to no attention.

Sure, some vendors like Avast, AVG and Kaspersky are already rich as you can be so they most likely don't care about it, but what about some other not-so-rich companies that also do a lot of work on detection's?

Of course they accept the VirusTotal rules so their engine can be accessed from within the VirusTotal API but I just don't personally think it's as far as it is... Since if they do not comply and submit to VT then they won't be helping people who scan files there prior to running, but if they do then they're technology is assisting in other people making money instead of them making any money from it.

Of course there are benefits to being apart of VirusTotal, such as receiving sample/submission info, but it's just not the same...

Another point is that you have Anti-Malware products like Malwarebytes Anti-Malware and Xvirus Personal Guard, let's label them as "mediocre". Then you have a bunch of products which may have their own technology + VT assistance (or another service of your pick), but then they just label it as "next-gen" (and white-listing products come into mind here). So now you have the vendors trying to be independent and work on their own in-house engines with their limited resources getting attention but nothing compared to the ones using other peoples technology, now the ones labeling themselves as "next-gen" suddenly become famous and popular for using other peoples technology to assist in such high detection ratio's and the such...

One of my last points which I want to address is other vendors using other vendors engines... There are some which do it in a fair manner in my view, but some don't IMO. Even if you make an agreement and purchase to use another vendors technology, I still don't think it's reasonable to not put a notice anywhere or let the user know which vendor really had the detection from within the alerts or logs. Because if you do not let the user know then you're making out that your own in-house engine is necessarily better than it really is and this causes lots of misinformation for testing purposes. I won't name a vendor which does it wrong for various reasons, but I think Emsisoft hit the nail perfect for being reasonable with BD engine usage, since they mention (A) or (B) for the detection names of the engine and offer engine details from within the home-screen UI.

That being said, any vendor who copies detection's from a site like VirusTotal is absolutely useless and needs to get some real employees who are getting paid to really do their own work because when a company steals from VT for detection's it does nothing but cause misinformation in the case of FP detection's and ruin the credibility of that specific vendor. Some vendors like Kaspersky and Dr.Web already did such tests in the past and it proved that some vendors were indeed stealing detection's (adding them just because another vendor detected) instead of analyzing the threads themselves, how lazy.

Now here are some quotes from @Dani Santos since he said I could quote him for his own views also:
you are either "mediocre" like Malwarebytes Anti-Malware, Immunet, Xvirus and try to work on your own engine
or you do like all "next gen" Anti-Malware and use other Anti-Virus engines... or alternatively just copy each other thanks to a website called VirusTotal

(just for the record say on case anyone thought I was, I am not even thinking of Crystal Security by @Kardo Kristal and I think the usage in it is very fair personally, I'm thinking of other products which generate a lot of income to the developers already, so why would they need to keep using VT? They have income so they should make their own things without using other vendors technology IMO, or they should not be allowed to sell their product with VT usage... just my personal opinion).

Now before I ask a question... Please no arguments, feel free to share your own view but I don't want to see people quoting to disagree and make out that their opinions are facts because I don't want my thread to be closed. Hopefully everyone can respect each other and freely share their own opinions!

What do you guys think? :)

Once again: just personal views ;)
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Mission:

"VirusTotal’s mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services."​

"The most important rule governing VirusTotal's usage is that none of its publicly offered services/applications should be used in commercial products, commercial services or for any commercial purpose. In the same way, none of the services should be used as a substitute for security products."​

Read more at About - VirusTotal
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Agree with @Umbra . What is happening now is ridiculous and i am amazed most companies didn't remove their engines. I believe that the only reason they don't do it is because they want to have access to VT backend to detect new malware. I don't see any other reason.
 
W

Wave

Thread author
The most important rule governing VirusTotal's usage is that none of its publicly offered services/applications should be used in commercial products, commercial services or for any commercial purpose.
If that is a quote from them themselves then they are talking nonsense because there are products out there using VirusTotal for commercial usage... For example, VoodoShield and SecureAPlus

Then there are products which are 100% free like Crystal Security using it. My personal view is CS is fair to use it as it is completely free and doesn't only rely on them, but for commercial? I think it's ridiculous to sell software using data from other vendors without them being paid by the company using the data.
 

kev216

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 6, 2014
1,044
I Agree with Umbra on this. Companies that want to use a 3th party engine, should pay the company delivering that engine like for example GData, Emsisoft or Bullguard, but not just steal detections on VirusTotal.

Products that I really skip are the ones that label themselve as 'the best made ever' and they only use for example outdated bitdefender engine, sometimes questionable if it's even licensed, but nothing else than those signatures. If you use your own technologies too, from then on I consider giving it a try.
Another thing that I find a bit annoying is that now the trend is a bit like, 'if you want another engine to your product, let's add Bitdefender engine.' It's almost getting ridiculous to see how many products are using bitdefender. (Qihoo, Emsisoft, GData, E-Scan, Trustport, Bullguard, F-secure, Immunet, Roboscan, AdAware,...) And that's only a part of the long list. I'm not saying that Bitdefender engine or those products are bad, but there are so many good engines out there, why only always those two options: 'Let's get Bitdefender, that advertises good' or 'Let's get Virustotal detections, no one knows it but we get better detections'?
 
D

Deleted member 178

Thread author
@kev216 they use BD because it is the only one delivering the up-to-date engine, having a decent detection and an affordable price. Among those selling their engines :

- Kaspersky in Zone Alarm, i heard it was expensive.
- ClamAV , used in Immunet Free, which also use BD in pro version
- Avira used in some chinese softs, forgot which one.

Etc...
 
W

Wave

Thread author
VT shouldn't allow companies to use engines from each other. It should be restricted to home users testing files. Companies should pay to get access on datas not engines.
I agree, and I think unless the product is free and using it fairly (e.g. CS) then they should pay, and a % of this money should go to the companies where the data from them is being used. E.g. a vendor wants to use VT for commercial use -> they select to use Avast, Kaspersky and Bitdefender usage from VT -> a % of this money goes to those specific vendors.

--------
As for VT detection stealing, use Xvirus Personal Guard as an example; @Dani Santos releases a new version and there is usually one or two generic detection's not for Xvirus Personal Guard but for real samples, however due to the code within the PE for Xvirus it triggers the detection. Then a bunch of dumb vendors come along, see a popular vendor detected it (regardless of it being an FP - they don't bother checking), and add a detection manually. Now you have 6 engines instead of 1 detecting Xvirus Personal Guard. Now a FP submission is sent and the original vendors which had the FP detection clean it up through white-listing the hash, but now you have a bunch of idiotic vendors detecting it through manual detection stealing who haven't cleared the FP.

I've seen this too many times, almost every-time he releases a new version with a new checksum. Why should he have to use extreme packing to evade the detection? These vendors should just do their own work, the employees get paid to work so they shouldn't be stealing detection's.

As @Lockdown already said, Eugene himself did tests and tried to expose people... Dr.Web also did tests I remember. It's completely ridiculous IMO. Sure it allows vendors to detect more malware to keep people safe, but it's not fair as they are making money from stealing work done by other vendors, and they cause a huge mess for genuine developers with FP detection's if a generic detection flags some genuine software prior to white-listing by a real vendor who analyses things themselves.
--------

@kev216 Yeah the amount of companies that use BD is ridiculously high. It's so stupid, some of them just use BD and then they advertise how they are so great... No, BD is great, they suck themselves. Companies like Emsisoft are fine with it, they have their own in-house engine which is not bad with signatures and they also have the Behavior Blocker component, but some other vendors like IObit just take the you know what.
 
D

Deleted member 178

Thread author
I don't know what you mean? I know if Nirsoft but only because I used a tool from there, and they reversed some kernel structures in the Windows NT kernel and exposed it online which I used for reference awhile back... :D But not sure what you're referring to?

because of that

and they cause a huge mess for genuine developers with FP detection's if a generic detection flags some genuine software prior to white-listing by a real vendor who analyses things themselves.

Nirsoft has issues with almost all vendors categorizing their tools as malicious.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
If that is a quote from them themselves then they are talking nonsense because there are products out there using VirusTotal for commercial usage... For example, VoodoShield and SecureAPlus

Then there are products which are 100% free like Crystal Security using it. My personal view is CS is fair to use it as it is completely free and doesn't only rely on them, but for commercial? I think it's ridiculous to sell software using data from other vendors without them being paid by the company using the data.
SAP had to remove their VirusTotal integration because VT came down on them when they changed their policy. Not sure if this is still the case or not.
 

Rolo

Level 18
Verified
Jun 14, 2015
857
Your "personal views" stopped being personal as soon as you voiced them publicly. ;)

If you're concerned about something or have a truth to share, there is nothing wrong about being bold about it.
"Boldness" and "humility" aren't at odds; "servile" and "humility" aren't synonymous either.

Having said that, I'm not sure I follow what you're saying; it seems to be a few things.
Are you saying the following?

1. Commercial products are violating VT's AUP/EULA/Rules
2. Commercial products are plagiarizing each other
3. Commercial products are using #1 as a means to do #2

Does that sum up what you're suggesting? Did I miss anything?
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Having said that, I'm not sure I follow what you're saying; it seems to be a few things.
OP could contact VirusTotal using the Email contact address with any concerns about the exploitation of VirusTotal. SecureAPlus stated they removed VT Integration or found middle-ground, according to their blog post. I believe these should be taken up with the developers' forum or support team.

Not in the "Space Bar as it's currently posted in.
 

Dani Santos

From Xvirus
Verified
Top Poster
Developer
Well-known
Jun 3, 2014
1,136
Your "personal views" stopped being personal as soon as you voiced them publicly. ;)

I don't think that's how it works. Do you ever read journals? There often are articles with the journalist personal opinion with a warning at the beginning of the page saying it's a opinion and not actual news. ;)

If you're concerned about something or have a truth to share, there is nothing wrong about being bold about it.
"Boldness" and "humility" aren't at odds; "servile" and "humility" aren't synonymous either.

Having said that, I'm not sure I follow what you're saying; it seems to be a few things.
Are you saying the following?

1. Commercial products are violating VT's AUP/EULA/Rules
2. Commercial products are plagiarizing each other
3. Commercial products are using #1 as a means to do #2

Does that sum up what you're suggesting? Did I miss anything?

What he was saying is his personal view about what Vt brings to the security industry and how unfair is the advantage the companies that use and abuse the service compared with the ones that don't. By abuse I mean the unverified copy of signatures that some companies do (there are Kaspersky and Dr.web articles about this) and the Api use that commercial products marked as "next gen" which advertise themselves as the future and market the "common antivirus signatures" as outdated, but are dependent in their signatures. (I'm excluding free fair use on products like process monitor and crystal security).

OP could contact VirusTotal using the Email contact address with any concerns about the exploitation of VirusTotal. SecureAPlus stated they removed VT Integration or found middle-ground, according to their blog post. I believe these should be taken up with the developers' forum or support team.

Not in the "Space Bar as it's currently posted in.

Isn't the Space bar for all off topic related threads? He isn't sharing any exploitation of Virustotal. He is sharing his opinion on a known issue in the antivirus industry.
 

Rolo

Level 18
Verified
Jun 14, 2015
857
I don't think that's how it works. Do you ever read journals? There often are articles with the journalist personal opinion with a warning at the beginning of the page saying it's a opinion and not actual news. ;)
OP could contact VirusTotal using the Email contact address with any concerns about the exploitation of VirusTotal. SecureAPlus stated they removed VT Integration or found middle-ground, according to their blog post. I believe these should be taken up with the developers' forum or support team.

Not in the "Space Bar as it's currently posted in.

This is where philosophy (theory) and fact (practice) get a little blurred. For example:

"It is my personal opinion that Dani and Spawn should stop abusing their children."
What I've just said isn't "just" my personal opinion, is it?
My opinion is loaded with facts that I've not established.

I'm not suggesting the OP didn't establish any facts; I am suggesting that the OP isn't "just" personal opinion--which is fine if the facts aren't in dispute. However, one does not get a free pass from factual scrutiny merely by labeling it "personal view".

Even so, that wasn't my point; my point is that one need not be bashful if speaking from fact.

However, I am unclear what the facts are vs. opinion.

As far as "next-gen" this and "antiquated that"--well, that's marketing-speak. Misleading, fallacious arguments in marketing and hype is far from a new thing; hence, I ignore all of it (this actually goes to the other controversial topic: ad blockers).

This is why I'm here on MT: to listen to what others (frequently more experienced than I) have to empirically (and even authoritatively) say on such matters--especially those with whom I'm inclined to disagree, for they may very well see or understand something I do not (and vice versa).

So, if VT is being used against VT's rules, then, yeah, that's a problem for all.
 
W

Wave

Thread author
So, if VT is being used against VT's rules, then, yeah, that's a problem for all.
It's not being used out of it's rules, I just personally think that regardless of the rules, the usage is not always fair.

My other opinion is that too many vendors take from other vendors, such as through detection theft based on VT intelligence (e.g. they see a new submission and add it just because another vendor detected it without checking it themselves), or use the same engines from the same vendor too much (e.g. too many products use the BD SDK and it's ridiculous now IMO).

If you were Avast and had your engine on VirusTotal to help people identify threats when scanning new downloads at VirusTotal, how would you feel if a company was using VT for commercial uses alongside their own engine to use your intelligence without paying money to your own company?

That's an example.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top