Software security suffers as upstarts lose access to virus data
San Francisco: A number of young technology security companies are losing access to the largest collection of industry analysis of computer viruses, a setback industry experts say will increase exposure to hackers.
The policy change at the information-sharing pioneer VirusTotal takes aim mainly at a new generation of security companies, some with valuations of $1 billion or more, that haven't been contributing their analysis. Older companies, some with market valuations much smaller than the upstart rivals, had pressed for the shift.
Alphabet’s Google runs the VirusTotal database so security professionals can share new examples of suspected malicious software and opinions on the danger they pose. On Wednesday, the 12-year-old service quietly said it would cut off unlimited ratings access to companies that do not share their own evaluations of submitted samples.
Analysts and executives at several companies said the changes will leave some services more likely to mistakenly classify legitimate software as malicious and less able to protect their customers from real threats, at least in the short term.
“If they no longer have access to VirusTotal, their detection scores will drop,” said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry.
Some security companies rely completely on the database, essentially freeloading, said executives on both sides of the divide, and did not want to share their analysis for fear of being found out.
VirusTotal did not name any companies to be cut off. But several people familiar with the matter told Reuters the move would affect high-profile California firms Cylance, Palo Alto Networks and CrowdStrike, as well as some smaller companies.
Cylance said it gave up access to the ratings two weeks ago after deciding not to share its technology. Chief Research Officer Jon Miller said Cylance had not suffered but that others had.
"Many next-generation products are simply not functioning right now," he said, declining to say which. He said the loss of VirusTotal could help spur the companies to invest in their own innovation to catch viruses.
Asked whether it had been kicked off the service, Palo Alto said only that it had not been relying on the VirusTotal peer determinations and expected "no impact" on customers.
CrowdStrike said it was negotiating with VirusTotal and had not been cut off by Saturday. "We support the mission of VirusTotal and have reached out to them to explore additional ways we can collaborate for the benefit of the entire security community," the company wrote in an emailed statement, declining to answer further questions.
'A SHORTCUT'
VirusTotal gets about 400,000 submissions of potentially dangerous files daily, mostly from old-guard antivirus companies like Symantec Corp, Intel Corp and Trend Micro which sit on the most machines.
“It was never meant to enable new companies to use it as a shortcut by silently relying on, and benefitting from, the service without a corresponding investment,” said Trend Micro Chief Technology Officer Raimund Genes, one of many old-line tech executives who pushed for the shift.
Marx of AV-TEST said that some newer companies secretly relied on data supplied by older companies while marketing themselves as a cut above the older technology. "They are using traditional methods, too," he said.
Some of the newer companies said they do not share their evaluations for competitive reasons. Blanket copying of virus indicators has been an historic grievance at VirusTotal, with at least one victim resorting to sabotage in retaliation, Reuters reported last year.(here)
Others say the way that they detect bad programs is too intensive to integrate with VirusTotal's current system.
“We were more than willing to work with them, but they didn't have a way for us,” said Tomer Weingarten, chief executive of SentinelOne, a firm that acknowledges it was cut off from the feed against its will. “This is a step back.”
Weingarten said SentinelOne had added a new data feed to replace VirusTotal and predicted that VirusTotal will become less relevant as companies are excluded.
Through a Google spokeswoman, VirusTotal said it was trying to act in the best interest of the security community and it hoped to help companies integrate their scanners into the VirusTotal platform.