VirusTotal Policy Change (May 2016)

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
VirusTotal Blog: Maintaining a healthy community

VirusTotal was born 12 years ago as a collaborative service to promote the exchange of information and strengthen security on the internet. The initial idea was very basic: anyone could send a suspicious file and in return receive a report with multiple antivirus scanner results. In exchange, antivirus companies received new malware samples to improve protections for their users. The gears worked thanks to the collaboration of antivirus companies and the support of an amazing community. This is an ecosystem where everyone contributes, everyone benefits, and we work together to improve internet security.
For this ecosystem to work, everyone who benefits from the community also needs to give back to the community, so we are introducing a few new policies to make sure that our community continues to work for years into the future. First, a revised default policy to prevent possible cases of abuse and increase the health of our ecosystem: all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services. Additionally, new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO).

Finally, all VirusTotal users are fully accountable for and need to follow our existing Terms of Services and mandatory Best Practices. Its frustrating to see abuses show up and its damaging for our community. Let's remember some basics:
  • VirusTotal should not be used in any way that could directly or indirectly hinder the antivirus/URL scanner industries.
  • VirusTotal should not be used as a substitute of an antivirus solution.
  • The data generated by VirusTotal should not be used automatically as the primary indicator to blacklist/produce signatures for files. i.e. Antivirus vendors should not copy the signatures generated by other vendors without any other scrutinizing on their side.
  • VirusTotal should not be used to generate comparative metrics between different antivirus products. Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment. Because of this, VirusTotal scan results aren’t intended to be used for the comparison of the effectiveness of antivirus products.
  • VirusTotal should not be used as deceptive means to discredit or to validate claims for or against a legitimate participant in the anti-malware industry.
  • VirusTotal renders information generated by third party products (antivirus vendors, URL scanning engines, file characterization tools, etc.), those product names are exclusive property of their respective brands, hence, use of these names in third party products and services will be done at your sole discretion. You should ask the corresponding brands for their permission.
  • In no event shall you use VirusTotal's logo, name or trademark on any customer list, public statement, press release, or in any other manner without our prior written consent in each instance.
There is a new specific email address (abuse@virustotal.com) for users and partners to report potential abuse of this new policy or our long-standing Terms of Services and mandatory Best Practices. When potential abuse is reported, we will investigate and work to adopt specific measures to combat any irregularities, if any uses can’t come into compliance we will terminate their service.

We are looking forward to working with new partners, as it will bring more value to the ecosystem. All collaborative efforts are based on the principles of benefiting the security industry as a whole and enabling the protection of end users. We also want to thank our current partners, and the entire VT community, for working with us as we pursue our mutual goal of a safer and more secure Internet for everyone.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
In short, a company must have a native (their own) scanner that has been approved by the AMTSO BEFORE they can leech VT data to add to their scanners. So on the face of it, VT only scanners may be going bye bye (and Palo Alto Networks are shaking in their boots).
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
I'm not a big fan of any AV, but it always seemed outrageous to me that any clown could set up a Cloud with a VT API hook and create your own Malware-B-Gone product without any actual research department, whereas those they leech from spend millions on new detections (as inadequate as they may be).

Palo Alto and Cylance are going to BLEED over this one.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
Makes sense to have to offer something back to be able to gain.
 
  • Like
Reactions: kev216 and upnorth

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Any effect on Voodoo Shield?
 
  • Like
Reactions: kev216

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
If a company does not have their own scanner (listed on VT itself) so that they may add to the results, but instead just employs the VT API to check MD5's in the Cloud vs VT results they may have issues.
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
SAN FRANCISCO (Reuters) - A number of young technology security companies are losing access to the largest collection of industry analysis of computer viruses, a setback industry experts say will increase exposure to hackers.

The policy change at the information-sharing pioneer VirusTotal takes aim mainly at a new generation of security companies, some with valuations of $1 billion or more, that haven't been contributing their analysis. Older companies, some with market valuations much smaller than the upstart rivals, had pressed for the shift.

Alphabet Inc's Google runs the VirusTotal database so security professionals can share new examples of suspected malicious software and opinions on the danger they pose. On Wednesday, the 12-year-old service quietly said it would cut off unlimited ratings access to companies that do not share their own evaluations of submitted samples.

Analysts and executives at several companies said the changes will leave some services more likely to mistakenly classify legitimate software as malicious and less able to protect their customers from real threats, at least in the short term.

“If they no longer have access to VirusTotal, their detection scores will drop,” said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry.

Some security companies rely completely on the database, essentially freeloading, said executives on both sides of the divide, and did not want to share their analysis for fear of being found out.

VirusTotal did not name any companies to be cut off. But several people familiar with the matter told Reuters the move would affect high-profile California firms Cylance Inc, Palo Alto Networks Inc and CrowdStrike Inc, as well as some smaller companies.

Cylance said it gave up access to the ratings two weeks ago after deciding not to share its technology. Chief Research Officer Jon Miller said Cylance had not suffered but that others had.

"Many next-generation products are simply not functioning right now," he said, declining to say which. He said the loss of VirusTotal could help spur the companies to invest in their own innovation to catch viruses.

Asked whether it had been kicked off the service, Palo Alto said only that it had not been relying on the VirusTotal peer determinations and expected "no impact" on customers.

CrowdStrike said it was negotiating with VirusTotal and had not been cut off by Saturday. "We support the mission of VirusTotal and have reached out to them to explore additional ways we can collaborate for the benefit of the entire security community," the company wrote in an emailed statement, declining to answer further questions.

'A SHORTCUT'

VirusTotal gets about 400,000 submissions of potentially dangerous files daily, mostly from old-guard antivirus companies like Symantec Corp, Intel Corp and Trend Micro Inc which sit on the most machines.

“It was never meant to enable new companies to use it as a shortcut by silently relying on, and benefitting from, the service without a corresponding investment,” said Trend Micro Chief Technology Officer Raimund Genes, one of many old-line tech executives who pushed for the shift.

Marx of AV-TEST said that some newer companies secretly relied on data supplied by older companies while marketing themselves as a cut above the older technology. "They are using traditional methods, too," he said.

Some of the newer companies said they do not share their evaluations for competitive reasons. Blanket copying of virus indicators has been an historic grievance at VirusTotal, with at least one victim resorting to sabotage in retaliation, Reuters reported last year.(Exclusive: Russia's Kaspersky threatened to 'rub out' rival, email shows)

Others say the way that they detect bad programs is too intensive to integrate with VirusTotal's current system.

“We were more than willing to work with them, but they didn't have a way for us,” said Tomer Weingarten, chief executive of SentinelOne, a firm that acknowledges it was cut off from the feed against its will. “This is a step back.”

Weingarten said SentinelOne had added a new data feed to replace VirusTotal and predicted that VirusTotal will become less relevant as companies are excluded.

Through a Google spokeswoman, VirusTotal said it was trying to act in the best interest of the security community and it hoped to help companies integrate their scanners into the VirusTotal platform.
 
D

Deleted member 178

I approve of these changes, and agree to all points given above.
I'm not a big fan of any AV, but it always seemed outrageous to me that any clown could set up a Cloud with a VT API hook and create your own Malware-B-Gone product without any actual research department, whereas those they leech from spend millions on new detections (as inadequate as they may be).

Palo Alto and Cylance are going to BLEED over this one.
Same here. too many softs are using the works of others without limitations.

Any effect on Voodoo Shield?

Voodooshield is an kind of anti-exe and doesn't have a homemade scanner, so they won't be allowed to use it.
 
Last edited by a moderator:
  • Like
Reactions: kev216

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Voodooshield is an kind of anti-exe and doesn't have a homemade scanner, so they won't be allowed to use it.
VoodooShield ?
"Cool, thank you! I am certain everything will be fine... VS does have its own scanning engine, it has VoodoAi, and I am more than happy to share it. It is pretty darn accurate now, just wait 3-6 months from now, it is going to be even better. I think adding a malware classifier that specializes in zero day and unknown malware would be a benefit to everyone. As I was saying before... for files less than a week old (or whatever), if VoodooAi has a high scored probability, we could put that file "on probation" (or whatever), until the traditional blacklist engines have time to do their thing, or maybe they can move that file up in the queue and give it a little extra attention. Just a thought!"
 
D

Deleted member 178

Ah , that is the new thing they added; good for them.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Virus Total changed.
Accept it, adapt to it, then implement something better.

Just like many security firms had to adapt to patchguard on 64bits Windows
 
  • Like
Reactions: enaph and upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top