Google launches VirusTotal Monitor
Google announced VirusTotal Monitor today, a new paid VirusTotal service designed to provide customers with daily reports on files they upload to it.
One of the core goals of VirusTotal Monitor is the mitigation of false positives. False positives, the incorrect flagging of clean files as malicious, are a huge problem for software companies, security companies, and end users.
Software may not reach the distribution it otherwise would have because of a false positive, and in extreme cases it may even be removed from user systems. Software companies lose business and reputation because of that.
Similarly, false positives may have reputation-damaging effects on antivirus companies. End users, on the other hand, may not be able to run software that they should be able to run.
In short, false positives are bad for anyone involved. Google tried to limit false positives in 2015 with the introduction of the Trusted Source project.
VirusTotal Monitor
VirusTotal Monitor is an attempt to address the issue. Basically, what it unlocks is the ability to upload files to VirusTotal for monitoring. Software companies can upload their library of programs to VirusTotal to have them checked automatically on a regular basis.
VirusTotal creates reports and notifies companies if any of the supported antivirus engines detect malware, spyware, potentially unwanted software or other issues in the uploaded files.
Companies and developers can react more quickly to the issue to resolve it before it hits the entire userbase.
VirusTotal Monitor is a new service that allows software developers to upload their creations to a private cloud store in VirusTotal. Files in this private bucket are scanned with all 70+ antivirus vendors in VirusTotal on a daily basis, using the latest detection signature sets.
VirusTotal Monitor shares files with antivirus vendors that flagged a file and notifies them about the issue so that it can be addressed if it is indeed a false positive.
Files also remain absolutely private and are not shared with third parties. It is only in the event of a detection that the file will be shared with the antivirus vendor producing the alert. As soon as the file is detected, both the software developer and the antivirus vendor are notified; the antivirus vendor then has access to the file and its metadata (company behind the file, software developer contact information, etc.) so that it can act on the detection and remediate it if it is indeed considered a false positive. The entire process is automatic.
The key word that describes the main advantage of VirusTotal Monitor is automation. Files are scanned automatically, and both software vendors and antivirus companies are notified automatically when hits are detected.
Developers can use the online dashboard to check the status of files and scans, but they may also use the provided REST API and email notifications.
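The workflow described above amounts to a daily rescan of a private file library plus a notification whenever an engine's verdict changes. The following Python is an added example, not code from VirusTotal or from the original post: it diffs two daily reports keyed by SHA-256, separates new detections from cleared ones, and builds one notification per affected file carrying the engine names and the developer contact. The report shape (engine name mapped to a detection name, or None when clean), the engine names and the sample file bytes are all constructed for this example; in practice the reports would come from the service's REST API, whose format this example does not attempt to reproduce.

```python
"""Daily-diff of antivirus reports, modelled on the VirusTotal Monitor
workflow: rescan every file in a private library each day and notify only
when an engine's verdict changes. Report layout and sample data are
constructed assumptions for this example, not VirusTotal's API format."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Report = Dict[str, Dict[str, Optional[str]]]  # sha256 -> engine -> verdict


def sha256_hex(data: bytes) -> str:
    """Identify each library item by SHA-256, as VirusTotal report URLs do."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample file contents (stand-ins for a vendor's installers).
INSTALLER = b"MZ...constructed-installer-bytes..."
UPDATER = b"MZ...constructed-updater-bytes..."

# Constructed daily reports: None means the engine considered the file clean.
YESTERDAY: Report = {
    sha256_hex(INSTALLER): {"EngineA": None, "EngineB": None, "EngineC": None},
    sha256_hex(UPDATER): {"EngineA": None, "EngineB": "Gen:Suspicious.X", "EngineC": None},
}
TODAY: Report = {
    sha256_hex(INSTALLER): {"EngineA": "Trojan.Generic!const", "EngineB": None, "EngineC": None},
    sha256_hex(UPDATER): {"EngineA": None, "EngineB": None, "EngineC": None},
}


@dataclass
class Change:
    sha256: str
    engine: str
    previous: Optional[str]
    current: Optional[str]


def diff_reports(previous: Report, current: Report) -> Tuple[List[Change], List[Change]]:
    """Compare two daily reports; return (new detections, cleared detections).

    A file absent from `previous` (uploaded today) counts every flag as new."""
    new, cleared = [], []
    for sha, engines in current.items():
        prev_engines = previous.get(sha, {})
        for engine, verdict in engines.items():
            before = prev_engines.get(engine)
            if verdict and not before:
                new.append(Change(sha, engine, before, verdict))
            elif before and not verdict:
                cleared.append(Change(sha, engine, before, verdict))
    return new, cleared


def detection_ratio(file_report: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """Return (engines flagging the file, engines that scanned it)."""
    flagged = sum(1 for verdict in file_report.values() if verdict)
    return flagged, len(file_report)


def build_notifications(previous: Report, current: Report, contact: str) -> List[dict]:
    """One notification per file with at least one new detection. It carries
    the developer contact and the flagging engines, so the same payload can go
    to both the developer and the antivirus vendor that raised the alert."""
    new, _ = diff_reports(previous, current)
    by_file: Dict[str, List[Change]] = {}
    for change in new:
        by_file.setdefault(change.sha256, []).append(change)
    notifications = []
    for sha, changes in by_file.items():
        flagged, total = detection_ratio(current[sha])
        notifications.append({
            "sha256": sha,
            "developer_contact": contact,
            "engines": {c.engine: c.current for c in changes},
            "detection_ratio": f"{flagged}/{total}",
        })
    return notifications


if __name__ == "__main__":
    for note in build_notifications(YESTERDAY, TODAY, "security@example.invalid"):
        print(note)
```

Cleared detections are returned separately so a dashboard can show that a previous hit was resolved, which is the status the last comment on this page notes is rarely surfaced explicitly.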
Closing Words
VirusTotal Monitor is a paid service but it is unclear at this point in time how much it will cost. It appears that Google wants to start building the service with large companies and invite smaller developers later to the party.
While it is certainly possible to test any file in real time on VirusTotal, the main advantage that VirusTotal Monitor offers is that it runs constant checks on uploaded files. While you can do the same on a day-by-day basis (and you should), automation makes this a lot easier, and the larger a library grows, the more that convenience matters.
Anything that drops the number of false positives is a good thing in my opinion. Let's hope that Google will set reasonable prices for smaller developers and developers of freeware.
Now You: How do you handle false positives? (via Bleeping Computer)
Any information on how exactly a software vendor signs up for the paid service? Not on the VT site or in the blog.
Hope you can post it – we’re a small software publisher and some engines hammer us with FPs that average users go “OMG it’s malware.”
There is no direct sign up option right now but you can request a quote: https://support.virustotal.com/hc/en-us/requests/new?subject=Premium%20services
The page is broken – Submit button does nothing. Tried Chrome, FF, IE, all add-ons disabled, no blockers, multiple PCs and still nothing.
I know not yours to fix, but as you are making us aware of it, can you contact them about it? How ironic: we check your software for bugs, pay us…um, but our web submit form is broken?
Now that legit companies’ software may send home without legal trouble your discussions in the room where your phone or computer is, everything you type on keyboard, your browser passwords or every place you’ve been, I’m not sure trusting Google to detect malware is a good idea.
But don’t trust me I’m an extremist.
An extremist would be sure.
As you, as many of us, I wonder about what I ignore for sure, which means practically everything.
Yes nice but it’s not working, let’s say I just wanted to try the file
http://chrisandriessen.nl/downloads/#files%2FFalcon10
But Eset says no this is malware and we do not allow you to access the page.
So then I check the file with the Virustotal or the file is alright.
https://www.virustotal.com/#/url/0c488c6a61d744740e1565a00c3cb564d94fdf262fd459a41a8a6d469ac9430f/detection
And what do I see, the VirusTotal check which is saying it’s okay? So what happened, the program Eset says no and VirusTotal says that Eset says yes. So who is lying to me and can I trust VirusTotal?
Paulus, most antivirus solutions use other means to determine if an app may be malicious. Maybe ESET is basing this on the newness of the file or domain, or other factors. Just wait a day or so and try again, or report the issue to ESET so that they can look into it.
I’ve received 2 false positives in the last 2 months using Avast Internet Security. My initial reaction was to quarantine them, report it to Avast, and wait for an Avast update to resolve the problem. I hope Avast subscribes to this service and does daily updates to minimise this kind of problem in the future, but I am not holding my breath. I hope Avast tests Microsoft Updates like 1803 before Microsoft releases an Update to customers as well.
I forced an Avast Internet Security Update today but still says I have backlevel Java and Irfanview, which is not true. I think I will reconsider using this product on Windows 10 Home x64 1803, even though I won a free license.
“How do you handle false positives?”
First of all I don’t know if a file diagnosed as positive is undoubtedly positive, secondly I don’t know if a file diagnosed as a false positive is undoubtedly healthy. On what basis should I be confident?
When it comes to analyzing a file with VirusTotal I tend to believe that a file diagnosed as healthy (not 1 positive), or diagnosed as positive by a few and non-major companies, is most likely to be healthy, but the doubt of course increases.
Yet, some applications diagnosed as positive by several top companies appeared nevertheless to be totally clean. This hasn’t occurred often, but I do have in mind several NirSoft applications spotted as positive when NirSoft developing a dirty application is less likely than me winning at a $300M lotto.
How do I react to a false positive? Depends on the developer, his reputation, news I may gather on the Web, but I’ve never seen an accusation be denied by the accuser once the false positive is recognized: like always, fast to point and slow to deny. I’ve never read on VirusTotal ‘This file was previously analyzed as positive but it appears it is not (or no longer is)’, unless implicitly when re-scanning a given file (which is what I do if the analysis date is old).
The idea is that no system is perfect (hence ‘VirusTotal Monitor’), that bad guys remain free and good guys get jailed. The second idea is that, as far as I’m concerned, I know of no universal argument to allow me to decide with certitude. It’s all in probabilities fed by sources’ reliability, by our own quests … and sometimes by a sixth sense (more or less reliable? No idea).