
Software security suffers as startups lose access to Google’s virus data - spotirca
http://venturebeat.com/2016/05/08/software-security-suffers-as-upstarts-lose-access-to-virus-data/
======
deprave
Key quote: "Marx of AV-TEST said that some newer companies secretly relied on
data supplied by older companies while marketing themselves as a cut above the
older technology. "They are using traditional methods, too," he said. Some of
the newer companies said they do not share their evaluations for competitive
reasons."

The above sentiment may ring a bell for those of you who follow the news. It's
the exact same behavior we heard from Theranos: Startup makes headlines as
breakthrough technology, but under the hood nothing works and they rely on
decades-old technology for actual testing. When asked about their technology
(even by their investors!) their reply is "we can't tell you more because
competition."

These garbage companies, shrouded in secrecy and enjoying the hype, should be
outed for what they are: snake oil.

~~~
reacweb
Secrecy is the main smoking gun of bad behaviour.

------
lorenzhs
This is a good move being completely spun around to make it sound like Google
is bullying startups. Snake oil should be outed as such, and if those hyped SV
darlings like to shroud themselves and their shady techniques in a veil of
secrecy (or rather, thick dense clouds of smoke), then they shouldn't be part
of an information-sharing network like VirusTotal.

In the end, this is good for everyone's security.

------
PeekPoke
This only affects organisations that don't contribute back into the community
- leechers, in other words.

Virustotal has always been a platform whose data is enriched by the community
for the benefit of all and so Cylance, Crowdstrike, etc can frankly go suck
balls if they don't want to contribute.

~~~
newjersey
Sentinel One's position didn't make sense to me.

> “We were more than willing to work with them, but they didn’t have a way for
> us,” said Tomer Weingarten, chief executive of SentinelOne, a firm that
> acknowledges it was cut off from the feed against its will. “This is a step
> back.”

> Weingarten said SentinelOne had added a new data feed to replace VirusTotal
> and predicted that VirusTotal will become less relevant as companies are
> excluded.

Even Microsoft's offering has an "advanced membership" through which they
encourage users to share specimens of detected suspicious activity back to the
mother ship. If Sentinel One can detect, they should be able to contribute back?

> The company claims to have a number of customer wins with a malware
> detection rate of over 90% for zero-day threats.

[https://en.wikipedia.org/wiki/SentinelOne](https://en.wikipedia.org/wiki/SentinelOne)

What are they saying?

~~~
iancarroll
It's likely they are using an engine based almost entirely on run-time
heuristics - that is, stopping malware when it behaves suspiciously.
VirusTotal does "scan-time" analysis of files where the file is never run,
only checked against AVs. If they have no "traditional" signatures, they
wouldn't be compatible with this method.

~~~
sjg007
Sure but then generate a signature and submit it.

~~~
iancarroll
It's not really that easy...

~~~
sjg007
It's not that hard.

------
pmx
Article puts a really negative spin on what can only be a good move. Why
should leechers be allowed to make huge sums of money on the back of the rest
of the communities work?

------
Cozumel
It doesn't seem like a coincidence that this is coming right after OSVDB shut
up shop ( [https://blog.osvdb.org/2016/04/05/osvdb-fin/](https://blog.osvdb.org/2016/04/05/osvdb-fin/) ),
it's a good move by industry to shut out leechers and over hyped snake oil companies.

------
fridek
Why are they not contributing back? I fail to see any real competitive
advantage to gain. Even if you happen to protect against a threat that is not
publicly known, you can't really advertise that without a) making it publicly
known b) making yourself sound like a jerk.

~~~
april1stislame
Because they have nothing to contribute. Snake oil. You can't share with
VirusTotal the data you stole from them, which probably is the only one they
have.

------
roosterjm2k2
How is an article that is clearly incredibly biased on top of the front page?

Leechers who don't contribute got cut off - that sounds incredibly fair... yet
the article spins it to sound like it was malicious.

I guess the entitlement complex rolls all the way up to businesses, too...

~~~
MBCook
The article may be biased (I'm in agreement, spin zone) but the policy change
on Virus Total's part is real news. With all the security people around HN I'm
not surprised to see that people want to discuss it.

------
_Codemonkeyism
Key sentence

"Some security companies rely completely on the database, essentially
freeloading, said executives on both sides of the divide, and did not want to
share their analysis for fear of being found out."

------
cleverfoo
Let me see if I can try to simplify the underlying problem here (I dabble in
this space):

A little bit of background: writing pattern matching signatures is hard, adding
a bunch of "known malicious" hashes to your malware database is easy.

So, company A with a staff of folks writing pattern matching signatures has
its engine added to VirusTotal and VirusTotal shares/sells hashes found by
that engine to folks that pay for its API. Company B, without a staff of
engineers writing pattern matching signatures, signs up for the VirusTotal API
and creates its malware database based purely on the hashes other actual
engines create.

Two important things to keep in mind: when this happens at the scale of
VirusTotal (basically all real engines are participating) the end result "hash
database" is, essentially, bullet proof since it's likely that any sample used
to test its effectiveness will be run by VirusTotal first.

We (I run scanii.com a malware/content detection API service) run into this
all the time with folks either abusing or just not understanding the reason VT
exists.

~~~
nickcano
>bullet proof since it's likely that any sample used to test its effectiveness
will be run by VirusTotal first.

Nope. There are lots of situations where exploit kits will automatically
re-compile and re-pack malware on-demand in ways sufficiently complex that they
eliminate any signatures and evade AV detection.

A lot of companies are using VT as a filter for known bad to prevent even
having to deal with such samples, but many unknown bad samples still exist and
make it past the VT engine, only to be picked up by behavioral detection.

Conversely, a small number of known bad samples that are caught by VT can slip
by behavioral detection engines that are gated by VT, causing infection (when
VT is removed) where it would otherwise be prevented. Of course, in these
cases, it is the fault of the behavioral vendor for not having sufficient
behavioral detection, but relying on VT does make that easier. For instance,
many companies have a loop where they can take samples detected by VT, run
them constantly through an automated analysis lab, and see whether or not
their behavioral analysis detects each sample. In the cases where it fails,
that sample has a direct line to analysts who can reverse engineer it, come up
with new behavioral patterns, and add it to training sets for any machine
learning based detection. In this sense, not having VT support makes
everything less safe.

The next issue is that companies like this simply can't be run on VT's
platform because they're too heavy, as the article mentions. I think a good
middle ground here would be to turn this analysis loop into a feedback loop by
adding one more step: in cases where behavioral detects and VT does not,
submit the report to VT in a standardized format so it can be added to their
corpus.
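An added example, not code from this thread or from any vendor mentioned in it, that puts the two comments above side by side: cleverfoo's "hash database built from other engines' verdicts" and nickcano's point that repacking defeats it while a behavioural engine still catches it, plus the analysis loop (known-bad samples run through a behavioural lab, misses routed to analysts). Everything is constructed: the "samples" are short scripts in a made-up instruction language, the "VirusTotal feed" is a hard-coded hash set, the "packer" is an XOR stub, and the "sandbox" is a tiny interpreter. The names `HASH_FEED`, `pack`, `sandbox`, `triage` and the verdict labels are assumptions for this illustration, not anything real.

```python
"""Toy model of scan-time vs run-time detection and of the analysis loop.

Constructed for illustration only: nothing here resembles real malware or a
real engine. It shows (1) why a hash set harvested from other engines stops
being "bullet proof" the moment a sample is repacked, and (2) how a vendor can
use known-bad hashes to find holes in its own behavioural rules.
"""
import hashlib
import os

# --- constructed samples (made-up ';'-separated "verb arg" scripts) ---------
DROPPER = b"sleep 5;download http://c2.invalid/stage2;exec stage2"
BENIGN = b"sleep 5;download http://updates.invalid/notes.txt;open notes.txt"
# A second constructed bad sample whose behaviour the rule below does NOT cover.
WIPER = b"enumerate C:\\Users;delete C:\\Users\\*"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "feed": hashes other engines have already flagged (company A's work).
HASH_FEED = {sha256(DROPPER), sha256(WIPER)}

# --- toy packer, a stand-in for on-demand repacking by an exploit kit ---------
MAGIC = b"PACK"


def pack(payload: bytes, key: bytes = b"") -> bytes:
    """XOR the payload with a (fresh, random) key and prepend a stub:
    MAGIC | key length | key | xor(payload). New key => new hash, and the
    plaintext script is no longer visible to a scan-time pattern match."""
    key = key or os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return MAGIC + bytes([len(key)]) + key + body


def unpack(blob: bytes) -> bytes:
    klen = blob[len(MAGIC)]
    key = blob[len(MAGIC) + 1 : len(MAGIC) + 1 + klen]
    body = blob[len(MAGIC) + 1 + klen :]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


# --- scan-time: the file is never run, only its hash is looked up ------------
def scan_time_hit(sample: bytes) -> bool:
    return sha256(sample) in HASH_FEED


# --- run-time: "execute" in a toy sandbox and judge what it did --------------
def sandbox(sample: bytes) -> list:
    """Interpret the toy script (unpacking first if it carries our stub) and
    return the trace of (verb, arg) actions it performed."""
    if sample.startswith(MAGIC):
        sample = unpack(sample)
    trace = []
    for instr in sample.decode().split(";"):
        verb, _, arg = instr.strip().partition(" ")
        trace.append((verb, arg))
    return trace


def behavioural_hit(trace: list) -> bool:
    """One deliberately narrow behavioural rule: executing something the
    sample itself downloaded. The wiper sample above is a miss on purpose."""
    downloaded = {os.path.basename(arg) for verb, arg in trace if verb == "download"}
    return any(verb == "exec" and arg in downloaded for verb, arg in trace)


def run_time_hit(sample: bytes) -> bool:
    return behavioural_hit(sandbox(sample))


# --- the analysis loop: compare feed verdicts against the behavioural engine --
def triage(samples: dict) -> dict:
    """Classify each sample by (feed says bad?, behaviour says bad?).
    'analyst_queue' is the interesting bucket: the feed knows the sample, the
    behavioural engine does not, so a rule is missing. 'submit_to_feed' is the
    reverse, the case where a vendor could contribute back."""
    out = {}
    for name, data in samples.items():
        known, behav = scan_time_hit(data), run_time_hit(data)
        if known and behav:
            out[name] = "blocked_both"
        elif known:
            out[name] = "analyst_queue"
        elif behav:
            out[name] = "submit_to_feed"
        else:
            out[name] = "allowed"
    return out


if __name__ == "__main__":
    samples = {
        "dropper": DROPPER,
        "dropper_repacked": pack(DROPPER),  # same behaviour, hash unknown to the feed
        "wiper": WIPER,
        "benign": BENIGN,
    }
    for name, verdict in triage(samples).items():
        print(f"{name:18s} {verdict}")
```

Running it shows the repacked dropper slipping past the hash feed but not the sandbox, and the wiper doing the opposite; a vendor that gates its behavioural lab on feed verdicts only ever sees the first case.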

------
ZoFreX
"Software security suffers" [citation needed]

This article is a mix of facts and opinions and it plays pretty fast and loose
with which are which.

------
matt_wulfeck
> On Wednesday, the 12-year-old service quietly said it would cut off
> unlimited ratings access to companies that do not share their own
> evaluations of submitted samples.

Not sure why the headline spins google as the bad guy here. The system works
best if all companies contribute, and clearly there's some who are not
contributing.

------
jbaviat
An open-source equivalent to VirusTotal, built for scaling, is IRMA by
Quarkslab.

[http://irma.quarkslab.com/](http://irma.quarkslab.com/)

------
rpedela
I am a little confused. VirusTotal has public and private APIs. Are these
companies losing access to those APIs? If so, what if you aren't a security
company but want to use it for virus detection of uploaded files?

~~~
iancarroll
They are specifically targeting companies who follow VirusTotal's distribution
feed, from what I can tell. This gives them all files submitted to VT and
their corresponding reports, but they're not sharing their analysis of these
files.

If you're not an AV and you just rely on VT reports, this shouldn't affect
you.
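An added example, not from the thread and not VirusTotal's own client code, of what "just relying on VT reports" looks like for a service that scans uploaded files. It assumes the v3 file-report endpoint `GET https://www.virustotal.com/api/v3/files/{sha256}` authenticated with an `x-apikey` header, and a report carrying `data.attributes.last_analysis_stats` with `malicious`/`suspicious`/`undetected`/`harmless` counts. No request is sent: a constructed report and a constructed 404 stand in for the network so it runs offline, and the decision thresholds and the `opener` injection point are this example's own choices.

```python
"""Gate uploaded files on existing VirusTotal verdicts (read-only lookup).

The one thing worth getting right: a file VirusTotal has never seen (404) is
"unknown", not "clean". A freshly repacked sample will always be unknown.
"""
import hashlib
import io
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

VT_FILES = "https://www.virustotal.com/api/v3/files/"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_request(file_hash: str, api_key: str) -> Request:
    """Report lookup by hash; the file itself is never uploaded."""
    return Request(VT_FILES + file_hash, headers={"x-apikey": api_key})


def lookup(file_hash: str, api_key: str, opener=urlopen):
    """Return the parsed report, or None when VirusTotal has no record (404).
    `opener` is injectable so the example can run without network access."""
    try:
        with opener(build_request(file_hash, api_key)) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def decide(report, max_malicious: int = 0, min_engines: int = 10) -> str:
    """Map a report to 'block', 'allow' or 'unknown'. Thresholds are assumptions:
    any 'malicious' verdict blocks; fewer than min_engines results is treated
    as not enough evidence to call the file clean."""
    if report is None:
        return "unknown"
    stats = report["data"]["attributes"]["last_analysis_stats"]
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    if total < min_engines:
        return "unknown"
    if stats.get("malicious", 0) > max_malicious:
        return "block"
    return "allow"


def check_upload(data: bytes, api_key: str, opener=urlopen) -> str:
    return decide(lookup(sha256_of(data), api_key, opener))


# --- constructed stand-ins for the network, so the example runs offline -------
def make_report(malicious: int, undetected: int) -> dict:
    return {"data": {"type": "file", "attributes": {"last_analysis_stats": {
        "harmless": 0, "malicious": malicious, "suspicious": 0,
        "undetected": undetected, "timeout": 0}}}}


def fake_opener_known_bad(req: Request):
    return io.BytesIO(json.dumps(make_report(43, 20)).encode())


def fake_opener_known_good(req: Request):
    return io.BytesIO(json.dumps(make_report(0, 60)).encode())


def fake_opener_unknown(req: Request):
    raise HTTPError(req.full_url, 404, "Not Found", None, None)


if __name__ == "__main__":
    upload = b"%PDF-1.4 constructed sample, not a real file"
    for label, opener in [("known bad", fake_opener_known_bad),
                          ("known good", fake_opener_known_good),
                          ("never seen", fake_opener_unknown)]:
        print(f"{label:10s} -> {check_upload(upload, 'hypothetical-key', opener)}")
```

An "unknown" result is where a non-AV service has to do its own scanning (or queue the file) rather than wave it through, which is exactly the gap the behavioural vendors in this thread are selling into.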

