CrowdStrike finds a bridge to Google's VirusTotal

  • Liam Tung (CSO Online)
  • 26 August, 2016 03:42

Security firm CrowdStrike is now officially a contributor to Google’s VirusTotal malware database, and not just a user of the data that traditional antivirus (AV) rivals share with the service.

CrowdStrike announced Thursday that it has opened its Falcon Machine Learning engine to the VirusTotal malware scanning service. In doing so, it appears to have ended an impasse that emerged over concerns that it and several other next generation security companies were using the Google-owned service to improve their own products without giving back to the community.

In May, VirusTotal threatened a number of next generation security firms with exclusion from the service for leveraging data supplied by traditional AV firms such as Symantec, McAfee, Kaspersky, and Trend Micro.

VirusTotal allows anyone to upload a suspected malicious file, to find out if any AV firms have already detected it. Normally, when VirusTotal users seek to check whether a file is malicious, the service will display which firm’s antivirus engines recognise that file. For a new piece of malware, VirusTotal might show that five out of 30 products recognise the file; over time, a user could expect to see more products recognise the specific malware.

VirusTotal’s reaction to those concerns was to require all virus scanning companies that want to access its database to integrate their own scanner into its interface. Contributing vendors would also need to pass a test by the Anti-Malware Testing Standards Organisation (AMTSO).

CrowdStrike has now fulfilled both these requirements and claims its offering goes over and above the norm, following validation from a third-party certifier.

Since CrowdStrike’s Falcon engine doesn’t rely on signatures, and it scored perfect results under a third-party audit, the company claims VirusTotal users will now be able to see whether a file is dangerous even when other AV vendors don’t have a match for the file in their databases.

“The full machine learning engine is unique as it is also the first engine in VirusTotal to provide a confidence level as a result of its analysis. This aids VirusTotal users by providing an additional level of insight into the level of maliciousness of the malware sample, rather than just a pass or fail detection result currently provided by existing engines,” CrowdStrike said in a statement.

According to Reuters, which first reported CrowdStrike’s inclusion in VirusTotal, two other next generation security companies will integrate with the service by the end of September. Reuters named Palo Alto Networks and Cylance as firms that would be affected by VirusTotal’s new policy. SentinelOne was also cut off from VirusTotal for its failure to contribute.

VirusTotal issued a brief statement on Thursday welcoming CrowdStrike to the fold.

“We welcome CrowdStrike Falcon (ML) scanner to VirusTotal. This is a machine learning engine from USA,” a representative from the Google subsidiary said.

CrowdStrike said its contribution to VirusTotal will be visible to end-users as a confidence score rather than the existing method of displaying whether or not a virus scanner recognises a particular malware variant. This could add value to the VirusTotal service by judging new threats before detection of a specific threat is widely established among the other engines.

“Windows PE executables and DLL files submitted to VirusTotal will be processed by CrowdStrike Falcon (ML) and the results will be displayed with a confidence score that indicates the degree of certainty the engine has in a file’s maliciousness. Scoring at this level of detail allows users to make more granular and effective policy decisions,” CrowdStrike said.
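The article describes two kinds of signal a VirusTotal user sees: the binary per-engine verdicts that produce a "five out of 30" detection ratio, and a confidence score from the new machine-learning engine. The script below, an added example that is neither VirusTotal's API schema nor CrowdStrike's code, shows how a defender might combine both into a single triage verdict. The report layout, the engine names, the `build_report` helper and the thresholds (20% consensus, 80/50 confidence cut-offs) are all constructed assumptions for illustration.

```python
"""Triage a multi-engine scan report that mixes binary verdicts with a confidence score.

Constructed example: the EngineResult schema, engine names and thresholds are
assumptions, not VirusTotal's real API format or any vendor's code.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class EngineResult:
    """One engine's verdict on a submitted file (constructed schema)."""
    engine: str
    detected: Optional[bool] = None     # binary yes/no, as a signature engine reports it
    confidence: Optional[int] = None    # 0-100 maliciousness score from an ML engine


def detection_ratio(results: Iterable[EngineResult]) -> tuple[int, int]:
    """Return (detections, engines) counting only engines that give a binary verdict."""
    binary = [r for r in results if r.detected is not None]
    return sum(1 for r in binary if r.detected), len(binary)


def max_confidence(results: Iterable[EngineResult]) -> Optional[int]:
    """Highest confidence score reported by any scoring engine, or None if there is none."""
    scores = [r.confidence for r in results if r.confidence is not None]
    return max(scores) if scores else None


def triage(results: list[EngineResult],
           consensus_ratio: float = 0.20,
           malicious_conf: int = 80,
           suspicious_conf: int = 50) -> dict:
    """Combine signature consensus with the ML confidence score into one verdict.

    Order of precedence: enough signature engines agreeing settles it; otherwise
    the confidence score decides, so a brand-new sample that only the ML engine
    flags is still surfaced rather than hidden behind a low detection ratio.
    """
    hits, total = detection_ratio(results)
    ratio = hits / total if total else 0.0
    conf = max_confidence(results)

    if total and ratio >= consensus_ratio:
        verdict = "malicious-consensus"
    elif conf is not None and conf >= malicious_conf:
        verdict = "malicious-ml-only"
    elif conf is not None and conf >= suspicious_conf:
        verdict = "suspicious"
    elif hits:
        verdict = "low-prevalence-detection"   # a few signatures fire, ML is unconvinced
    else:
        verdict = "undetected"

    return {"hits": hits, "total": total, "ratio": round(ratio, 3),
            "confidence": conf, "verdict": verdict}


def build_report(sig_hits: int, sig_total: int,
                 ml_confidence: Optional[int] = None) -> list[EngineResult]:
    """Constructed report: sig_total signature engines, the first sig_hits of which detect."""
    report = [EngineResult(f"sig-engine-{i:02d}", detected=i < sig_hits)
              for i in range(sig_total)]
    if ml_confidence is not None:
        report.append(EngineResult("ml-engine", confidence=ml_confidence))
    return report


# Constructed sample reports mirroring the situations the article describes.
NEW_MALWARE = build_report(5, 30, ml_confidence=92)    # 5/30 signatures, ML is confident
OLD_MALWARE = build_report(22, 30, ml_confidence=97)   # signatures have caught up over time
CLEAN_FILE = build_report(0, 30, ml_confidence=12)     # nothing fires, ML score is low
ODD_FILE = build_report(2, 30, ml_confidence=30)       # a couple of hits, ML unconvinced

if __name__ == "__main__":
    for name, report in [("new", NEW_MALWARE), ("old", OLD_MALWARE),
                         ("clean", CLEAN_FILE), ("odd", ODD_FILE)]:
        print(name, triage(report))
```

The point of the precedence order is the one the article makes: a fresh sample with a 5/30 ratio would look marginal on binary verdicts alone, but a high confidence score lets the analyst act on it before the remaining signature engines catch up.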