Next-gen anti-malware focuses on behavior and reputation rather than signatures. It watches networks and traffic and notes behavioral anomalies that might indicate the presence of malware or an intruder. But it is relatively new, and to a certain extent must weaken the anti-malware industry's grip on customers.

VirusTotal is an online service, owned by Google, that checks suspicious files against an array of anti-malware products. VT issued a policy change on May 4 that has alarmed many security vendors: "all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services."

Since the check is static, it relies heavily on the signature engines of the subscribing vendors. In its own words, VirusTotal is "a collaborative service to promote the exchange of information and strengthen security on the internet." If a submitted file is found to be malicious, details are circulated to all subscribing companies, and in this sense it is an early and effective threat-sharing mechanism.

The check is primarily against signature engines, which we know are only part of traditional anti-malware. Taken in isolation, the effect of the test is misleading. Indeed, VT has always said precisely this. Nevertheless, over the last few years some parts of the next-gen anti-malware industry have not hesitated to use VT results to suggest that the traditional industry is failing its customers.

VirusTotal also offers an API that allows subscribers to integrate their own systems with the VT database. This allows vendors that detect a suspicious file to automatically check it against VT and return results to the customer as if they were their own.

What impact will VT's policy change have on the next-gen anti-malware vendors? Share your thoughts with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/