The last seven days have seen the AV industry once again shoot itself in the foot. We’ve seen an avalanche of mud slinging, hearsay and all-out attacks on various new vendors by the traditional AV club, and it was all based on a myth. If a so called “bomb just dropped in endpoint security” then it must have been a dud. This blog post summarises what happened and the official statements from the vendors pushed into the firing line. I also give my perspective as a technical specialist on Next Gen AV and my opinion on what is really going on here.

Changes at VirusTotal

On 4th May 2016, Google’s VirusTotal (aka VT) online malware detection service posted to their blog a revision to their policies. VT itself is effectively three services in one place.

  1. VT has a web front end that lets anyone upload a file, or search for a known sample, and see which AV engines detect it, if any. These engines (57 integrated partners as at 10/05/2016) are the core detection component of each vendor’s full AV product, but because VT runs them through a command line scanner it does not exercise more advanced features such as behavioural analysis or real time cloud lookups. So for you and me, VT gives a very good feel for how many vendors’ basic static detectors would handle a given piece of malware.
  2. VT’s massive store of samples is available to download via an API for those paying for its subscription package. It’s not cheap, but it does give access to a huge, constantly updated repository of malware. Of course this database also contains the non-malicious files that get uploaded. If you want to analyse a lot of malware samples, the VT subscription is a good option.
  3. The paid API can also return the scan results for the available samples, e.g. piece of malware X was detected as malicious by 48 vendors out of 57. This API can of course be automated, so a product could integrate it, set a threshold on the percentage of vendors detecting a file, and become a fully fledged AV scanner of sorts simply by checking the hash of each file under analysis against VT’s database of results. Note what such a scanner cannot do: a file VT has never seen has no result, and so no verdict.
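To make concrete what “a product could integrate the API” looks like, here is an added example (mine, not VirusTotal’s code or any vendor’s): a hash-lookup scanner that applies a detection-percentage threshold to VT-style results. The report shape (response_code, positives, total, scans) follows the v2 file/report response; the sample files, vendor names, hashes, the threshold value and the unknown-hash behaviour are constructed assumptions so the example runs offline.

```python
import hashlib

# Constructed sample files for the example (not real malware).
SAMPLE_BLOB_A = b"MZ\x90\x00 constructed sample A: widely detected"
SAMPLE_BLOB_B = b"#!/bin/sh\necho constructed sample B: one vendor flags it\n"
SAMPLE_BLOB_C = b"constructed sample C: never submitted to VT"

VENDOR_COUNT = 57  # integrated partners as at the time of the post


def sha256_hex(data):
    """Hash the file content; VT keys its results by MD5/SHA-1/SHA-256."""
    return hashlib.sha256(data).hexdigest()


def make_report(detected_count, total=VENDOR_COUNT):
    """Build a report in the shape of the VT v2 file/report response.

    Assumption: real responses carry response_code, positives, total and a
    per-vendor scans dict; the vendor names and verdicts here are made up.
    """
    scans = {}
    for i in range(total):
        hit = i < detected_count
        scans[f"Vendor{i:02d}"] = {
            "detected": hit,
            "result": "Generic.Malware" if hit else None,
        }
    return {"response_code": 1, "positives": detected_count,
            "total": total, "scans": scans}


# Constructed local copy of VT results, keyed by SHA-256. Sample C is
# deliberately absent: VT has never seen it.
SAMPLE_REPORTS = {
    sha256_hex(SAMPLE_BLOB_A): make_report(48),
    sha256_hex(SAMPLE_BLOB_B): make_report(1),
}


def lookup_report(digest, reports):
    """Emulate the report lookup. Assumption: an unknown hash comes back
    with response_code 0 and no positives/total, as the v2 API did."""
    return reports.get(digest, {"response_code": 0})


def detection_ratio(report):
    """Fraction of vendors that flagged the file, or None if VT has no result."""
    if report.get("response_code") != 1 or not report.get("total"):
        return None
    return report["positives"] / report["total"]


def vendors_detecting(report):
    """Names of the vendors whose engine flagged the file."""
    return sorted(name for name, scan in report.get("scans", {}).items()
                  if scan.get("detected"))


def verdict(report, threshold=0.20):
    """Threshold rule: malicious if enough vendors agree, clean if not,
    unknown if VT has no result at all (the case a hash lookup cannot cover)."""
    ratio = detection_ratio(report)
    if ratio is None:
        return "unknown"
    return "malicious" if ratio >= threshold else "clean"


def scan_bytes(data, reports=SAMPLE_REPORTS, threshold=0.20):
    """The whole 'AV scanner built on VT results' in one call."""
    digest = sha256_hex(data)
    report = lookup_report(digest, reports)
    return {"sha256": digest,
            "ratio": detection_ratio(report),
            "positives": report.get("positives"),
            "total": report.get("total"),
            "verdict": verdict(report, threshold)}


if __name__ == "__main__":
    for label, blob in (("A", SAMPLE_BLOB_A), ("B", SAMPLE_BLOB_B), ("C", SAMPLE_BLOB_C)):
        r = scan_bytes(blob)
        print(f"sample {label}: {r['verdict']:9s} positives={r['positives']} total={r['total']}")
```

The “unknown” verdict for sample C is the point the rest of this post turns on: a scanner built this way has nothing to say about a file VT has never seen, and its threshold is only as good as the engines behind the results it is reading.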

The change to VT policy on 4th May was a narrowing of the API results service (number 3 above), restricting the provision of results in the API to only the integrated vendors within VT that provide their detection engine for analysis. VT said, “all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services.”

And this is where it all kicked off…. big time.

The Anti-Next Gen Brigade

Alex Eckelberry (Malwarebytes board member)

Later that day on 4th May, Alex Eckelberry (board member of VT contributing vendor Malwarebytes) released a blog post calling into question the practices of some endpoint security vendors. He states, “Using VirusTotal information without any contribution back to the community is patently unfair.” He goes on to summarise the situation:

“It’s big news. It levels the playing field. No longer will antivirus companies see their hard work taken by some sexy startup that’s raised millions of dollars on the false promise of “next generation” endpoint or other such nonsense, while bashing the very companies that they’re effectively stealing the intellectual property of. And perhaps, we’ll see what their products are really made of. Because without VirusTotal as a crutch, companies that rely on it are going to see their detection rates take a hit.

“Poetic justice, indeed.”

“If you’re an IT manager who has been duped by sparkly marketing materials to buy-in to one of these “next-generation” endpoint products, take a hard look at their actual detection capabilities. If they’ve been using VirusTotal results but not contributing back, their ability to detect malware just took a potentially serious hit. This is serious.”

Alex’s post caused a big stir in the AV industry, and led to a large number of comments and requests for exactly which vendors Alex was pointing the finger at. Subsequently, he and a few other commentators called out Cylance, SentinelOne, Palo Alto Networks and CrowdStrike as being amongst these “false promise” vendors “effectively stealing the intellectual property of” contributing VT vendors.

Trend Micro jumped on the bandwagon too with a blog post, stating, “…some companies were taking from VirusTotal without giving back is the fact that some of these non-contributors have also been using the data and analysis in VirusTotal to power their so-called “next gen” patternless security solutions.”

Unsurprisingly, some vendors got very upset about all this, especially Cylance and SentinelOne, and here’s why: the claims against them are 100% false.

The Reaction….by Cylance

Stuart McClure (CEO Cylance)

Cylance’s CEO Stuart McClure replied to Alex’s original blog stating, “This announcement does *not* impact Cylance one iota. We have a completely independent conviction engine using math and algorithms, learning from the past to predict the future. We would be happy to educate anyone who is interested. Alex, we would not be against a retraction of your claims to the contrary. Completely up to you.”

In turn, Alex almost immediately removed his and any other’s comments mentioning Cylance on his blog. (Good to see)

Stuart added a further response to Alex’s suspicion that Cylance’s product utilised VT:

“This is just not how our product works. At all. It doesn’t upload files to anything other than our private servers. And it has never uploaded to outside services like this. If we did, our customers would have killed us long ago with their bare hands and I would have probably cheered them on. Please feel free to connect with me directly via email and I can prove it to you in probably 30 seconds. Also, we encourage every customer to “test offline” which means we have zero way of uploading anything to anywhere or accessing anyone else’s results, and yet somehow magically we convict with the same core engine and efficacy.

1) if being “part of a community” means we need to share our algorithmic, unique conviction engine with Big AV so they can steal our convictions, then yes we will not be able to meet that criteria.

2a) we did participate in public AV tests (AV-TEST) and we discussed the testing extensively in a blog here:

2b) if “independent” testing actually was “independent” then we would *love* to participate in testing. Unfortunately this is not the case. I spent 3 years testing at InfoWorld Labs, probably the most “independent” testing facility I’ve ever come across and know how hard it is to be truly “independent”. The most “independent” test is the one the customer does, with their own designation of “bad”. Because no one in the industry truly determines bad “independently” enough to set the standard to test products with. As former Global CTO for a major AV company, I can assure you this to be the case.”

My Perspective on Cylance

I know Cylance’s flagship endpoint protection product “Cylance Protect” very well. I use it on a daily basis and am a fully trained, certified Cylance technical engineer, so I know what it does, how it does it and how it compares to the market. Cylance Protect does not use signatures, dat files or any kind of regular updates. It is a mathematical model based engine that sits on the client and works fully offline. Let me restate that: Cylance does not have updates and is fully offline. As such it has zero integration with VirusTotal. As for its management, whilst this is cloud based, it also has no API integration with VT.

So for people to specifically call out Cylance as using VT as part of its detection is just plain wrong.

The Reaction….by SentinelOne

Since SentinelOne was also called out by Alex, their Chief Marketing Officer Scott Gainey and their Chief Security Officer Ehud Shamir replied with these points of clarification on Alex’s blog.

Scott Gainey (CMO SentinelOne)

Scott Gainey (CMO):

“It doesn’t affect SentinelOne. Check our CSO’s response to Eckelberry’s latest blog. This is a non-event as VirusTotal is 1 out of 7 vendors we use in our Cloud Intelligence, not including what we collect from our opt-in customers. Cloud Intelligence is a crowdsourced service we add in to filter out legacy threats. Has nothing to do with our Dynamic Behavior Tracking (DBT) engine that’s used to detect, prevent and remediate the 100k’s of new threats that are created weekly that have yet to be detected and examined by the traditional scanning engines that rely on VirusTotal. I think the bigger story is how is VirusTotal going to evolve such that they can take advantage of the intelligence we’re collecting every day on unknown threats. We’re more than happy to work with VirusTotal to integrate – if the AV guys will let them. Right now all indications are they have no desire or intention to work with the next-generation endpoint protection companies.”

Alex also published a private email he received from Scott with further clarification detail.

Ehud Shamir (CSO SentinelOne)

Ehud Shamir (CSO):

“I thought it might be worthwhile to quickly write up what SentinelOne is doing, how it works and how it takes advantage of VirusTotal.

SentinelOne uses Dynamic Behavioral Tracking, that runs realtime, on the endpoint and utilizes advanced machine learning to detect behavioral patterns as application and code is executing on the device. We do this across Windows, Mac and Linux with our own proprietary, patent pending technology. This is our core detection engine. It works on the device – even completely OFFLINE, and is an autonomous module, that can detect, mitigate and remediate threats in real time. No connection to the cloud needed, no hashes, no signatures.

We also have something we call “Cloud Intelligence”, which is in essence our way of crowdsourcing information between all of the intelligence we gather, either from our client base (if they opt-in), and/or from third party reputation feeds, VT included. It is NOT part of our detection engine, and its entire purpose is to validate hashes, out of band, regardless of our Dynamic Behavioral Tracking engine.

VirusTotal approached us a few weeks ago to let us know of the policy change coming, and at first we didn’t even think it’s applicable to us since it stated “scan engines”. SentinelOne is NOT a scan engine. We don’t scan files or check for signatures. We monitor code execution on a live system – VERY different than a scan engine, and obviously not something VirusTotal can integrate right now – as it is equipped to deal with command-line scan engines and static signatures.

We are all for better security and improving the overall state of security in the world. We were willing to work with VT to integrate our engine into their engine list, but seems like someone was really hot to “drop bombs” rather than to actually work with the vendors so everyone could enjoy better detection. We have stopped usage of all VirusTotal intelligence (which was 1 out of 7 different services we were using), until we figure out whether there’s a true intent on VirusTotal’s part to include next generation technologies (aka – not “scan” engines).”

My Perspective on SentinelOne

I’ve spoken to representatives of SentinelOne offline about this and they back up what the CMO and CSO have said above. The product is behavioural based, and their additional “Cloud Intelligence” uses multiple feeds, of which VT was one (and has now been easily replaced). Again, a complete misunderstanding of what SentinelOne does by the anti-next gen brigade. Additionally, integrating into VT as it stands today would be technically unfeasible, since there is no command line scanner to integrate; the product simply doesn’t work the way VT needs it to.

Palo Alto Networks and CrowdStrike

In this whole debacle, Palo Alto and CrowdStrike were also called out by various parties but with less ferocity. (Personally I believe this is because Traditional AV vendors don’t perceive them to be as great a threat to their business as Cylance and SentinelOne.) I’ve personally spoken offline to both vendors about the VT changes and both have stated they have had no impact at all.

The Facts

Before we get to my opinions on this, let’s state some facts.

  1. The Cylance product does not use VirusTotal at all – NO IMPACT
  2. SentinelOne did use VT in a small way as a part of its combined intelligence feed and has seamlessly swapped to another supplier – NO IMPACT
  3. Palo Alto Networks and CrowdStrike – NO IMPACT
  4. Many leading players in the traditional AV industry (including vendors, testers and independent board members) do not understand how Next-Gen AV vendors’ products work.
  5. A lot of negative allegations have been made at specific organisations which have had to be retracted.
  6. The leading Next-Gen AV vendors have a very different detection engine to the traditional vendors.
  7. C level executives are not afraid to come out swinging in defense of their products.
  8. In my conversations with the author of the VT policy change blog post Bernardo Quintero he has advised me that, “VT is open to any contributor and any technology, if any next-gen or antivirus want to contribute, we are always open and willing to collaborate with everyone.”

What’s Going on Here

So the summary is that a fairly minor change within VirusTotal has been spun and commented out of all proportion, and used as a weapon to beat down the supposedly wild claims of Next Gen AV. The reality is that the leading Next Gen vendors are not affected at all. Maybe there are a few tiny vendors out there that will have to switch from VT to another service, but that is fairly irrelevant to everyone else.

Without question, the traditional AV vendors have a big issue with the self-branded “Next Gen” vendors, especially Cylance. That is understandable, since they have shown that they don’t understand what Cylance does or how it works. The truth is that Cylance has a unique product in the marketplace, detecting 99% of all malware including zero days without any updates, all offline. Its detection rates are significantly higher than those of its competitors, who understandably feel very threatened. Cylance labelling itself as Next Generation makes the traditional vendors (such as Symantec, McAfee and Trend) look old hat, and that frustrates them.

Within the AV industry there is a marketing war, and it’s not surprising. Insiders describe this industry as traditionally “tight knit”, and these “outsiders” (as some are labelling the new vendors) are rocking the boat with incredible claims of efficacy, innovation and true differentiation. The competition is calling this marketing spin and FUD, and responding with its own arsenal of marketing counter-claims. It’s sad to see, as it helps no one in the real world who just wants the best AV product. But the AV companies continue to attack, defend and retaliate, and no wonder people are fed up with traditional AV failing to protect them.

A lesson we can all learn from this is to fact check before casting aspersions. It’s just a bit embarrassing. If the traditional AV vendors want to win back the business they’re rapidly losing to vendors such as Cylance, they need to first learn what next-gen technology actually is, and then innovate and compete. And if you want to see some real results, don’t trust any marketing or any statistics you see, test them for yourself.

Cylance has been brought up a lot in this VT saga, mostly because they are the poster child of Next Gen endpoint products and the one that is selling like hotcakes. If you want to talk about Cylance or see it for yourself then drop me a message on Twitter. I can chat about this all day long.

The AV Bomb That Never Was