VirusTotal Policy Change Sparks Battle Between Security’s ‘Old Guard’ And New Generation

Google-owned VirusTotal says everyone needs to contribute to security threat information sharing, blocks access to latest threat information to companies who don’t play ball

VirusTotal, the Google-owned virus information service that allows subscribers to stay up to date with the latest cybersecurity threats, has altered its policy to limit who can use the service.

The change has prompted some security experts to warn that certain companies will no longer have access to the platform, hampering their ability to protect customers from security threats.

But others have applauded the change, claiming the shift will make the security industry more responsible.

Security clash

Computer data security concept © Amy Walters - FotoliaVirusTotal, launched 12 years ago, works on the basis of security companies sending in suspicious files or software for analysis, and in return getting a report with the results. These reports are also sent to all other users.

Antivirus companies who subscribed were able to effectively stay up to date with on the latest threat landscape.

But the company has now changed its policy in response to users that were getting all the benefits of VirusTotal, but weren’t contributing. Last Wednesday, VirusTotal cut off unlimited ratings access to companies that do not share their own evaluations of submitted research samples.

Everyone contributes

“This is an ecosystem where everyone contributes, everyone benefits, and we work together to improve internet security,” VirusTotal said in a blog posted last Wednesday.

“For this ecosystem to work, everyone who benefits from the community also needs to give back to the community, so we are introducing a few new policies to make sure that our community continues to work for years into the future.”

virustotalNow, unless a user or company is actively contributing to the information-sharing, they won’t be allowed access to new information on the latest threats.

“All scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services,” the new policy demands.

TechWeekEurope has requested comment from both Google and VirusTotal, but both have declined to comment at the time of publishing.

Whilst VirusTotal named no names, sources told Reuters that Palo Alto Networks was one such company hitching a free ride without contributing to the platform.

But a Palo Alto Networks spokesperson told TechWeekEurope: “There is no impact to Palo Alto Networks customers or the protections our customers receive from us.

“VirusTotal will continue to provide subscribers, including Palo Alto Networks, access to all file samples. There is no change to the way we work with VirusTotal. VirusTotal is one of many sources we use, but we do not rely on VirusTotal or any other third-party service to provide file verdict.”

Some users, such as security firm Trend Micro, actively pushed for the policy change.

“It was never meant to enable new companies to use it as a shortcut by silently relying on, and benefitting from, the service without a corresponding investment,” Trend Micro chief technology officer Raimund Genes told Reuters.

Safer place

The platform, which was acquired by Google in 2012, receives more than one million submissions a day from around the world, and describes itself as “a space where the antivirus industry and malware researchers can meet end-users in an effort to make internet a safer place”.

Most of the world’s biggest cybersecurity providers use VirusTotal, including AVG, McAfee, and Kaspersky.

security and privacyBogdan Botezatu, E-threat analyst at Bitdefender, told TechWeekEurope that the changes will ultimately better serve the public.

“As a responsible member of the security community, Bitdefender supports the recent changes in the VirusTotal terms of service. Moreover, we particularly appreciate the recourse to the Anti-Malware Testing Standards Organisation’s (AMTSO) best practices and what this means going forward – a more professional and transparent community, and one that can ultimately better serve the public,” said Bogdan.

Richard Barger, CIO at ThreatConnect, said that the policy change was borne out of a clash between the “old and the new” security vendors.

“VirusTotal, as this de facto monolith, finds itself in the centre of the controversy. Many of the established anti-virus and endpoint community have shared scanning technologies as well as malicious files with VirusTotal, where other vendors have not, and are simply piggybacking on the detection ratios of other more established solutions and brands,” he said.

“It appears that VirusTotal is being very careful not to play favourites and wants to make sure that the entire security community is playing on a level playing field while maintaining their best interests as well,” Barger added.

‘Unwilling’

But other security researchers, including Scott Gainey, senior vice president at SentinelOne, think that VirusTotal’s policy change is counterintuituve to the goals of the security industry.

“It seems VirusTotal’s actions were aimed at trying to hurt next-generation endpoint protection companies rather than find a productive way in which they can benefit from our unique value.  In the end this is really a non-event for our customers as we’ve already migrated over to a new vendor to replace an unwilling partner in VirusTotal,” said Gainey.

“We believe this decision will ultimately hurt VirusTotal as they’re closing an opportunity to work closely with next gen technologies, likely due to pressures coming from the security ‘old guard’ of AV vendors that are threatened by the move towards companies like SentinelOne.”

TechWeekEurope will update this article accordingly if it hears back from Google and TotalVirus.

Take our big data breach quiz here!