By Joseph Menn
SAN FRANCISCO, Aug 24 - Some information security
companies that were shut out of the leading system for sharing
data on malicious software are revealing more about how their
own systems work in hopes of rejoining the cooperative effort, a
shift that should improve protections for customers throughout
the industry.
CrowdStrike, one of the most prominent young security
companies threatened with exclusion from some shared services,
said it has integrated part of its system for detecting
malicious software with VirusTotal, the main industry repository
for disclosing and rating risks of malware and suspect files.
Alphabet Inc's Google runs the VirusTotal database
so security professionals can share new examples of suspected
malicious software and opinions on the danger they pose. In May,
the 12-year-old service said it would cut off unlimited ratings
access to companies that do not share their own evaluations of
submitted samples.
CrowdStrike is opening up a machine-learning process for
malware evaluation, after discussions with VirusTotal on how to
make the systems compatible.
"It will be very helpful to have the engine out so people
can see for themselves how well it is working," CrowdStrike
Chief Technology Officer Dmitri Alperovitch told Reuters ahead
of a public announcement on Thursday.
VirusTotal did not respond to a request for comment. People
familiar with the situation told Reuters that two other
"next-generation" security companies are expected to integrate
with VirusTotal by the end of next month.
More are likely, the people said, a hopeful sign that a
serious rift between older and newer security companies can be
healed in service of the general good.
Some newer companies disparage the way that older vendors
such as Symantec Corp, Intel Corp and Trend
Micro Inc recognize malware based on signatures, or
characteristics that have been spotted before. The younger
companies say they use behavioral monitoring, machine-learning
and other modern techniques to stop fast-changing malware.
Symantec, Intel, Trend Micro and other older companies say
they also use similar new methods.
But some of the younger companies still used VirusTotal's
assessments from old-line companies, without contributing their
own evaluations. The dispute was partly based in technological
compatibility with VirusTotal's system, an issue CrowdStrike
said it and VirusTotal had solved.
Dennis Batchelder, general manager of an industry group
called the Anti-Malware Testing Standards Organization,
predicted that more new companies would re-integrate with
VirusTotal. Machine learning systems would benefit from access
to the VirusTotal database, he said.
But some of the companies who parted with the VirusTotal
ratings said they had no plans to make up.
"We did make attempts early on to engage with VirusTotal
with the hopes that they would find a way to take advantage of
our behavior-based detection model," said SentinelOne Chief
Marketing Officer Scott Gainey. "To our knowledge, those
interfaces still do not exist today."
And Stuart McClure, chief executive of Cylance Inc, pointed
out that his company and others can still get samples of
malicious software from VirusTotal, just not the opinions of
other companies about those samples.
"We don't integrate with VirusTotal," McClure said by email.
"The VirusTotal pullout has not impacted us at all."
