Google shakes up antivirus industry

For more than a decade, Google's VirusTotal has given antivirus companies the ability to detect malware and share information about new viruses. But in a sweeping change meant end 'abuse' of the system, it is limiting access to the widely used database.

A Google sign hangs in the foyer of the company's Canadian engineering headquarters in Ontario.

Peter Power/Reuters/File

May 9, 2016

Google is in the process of limiting access to a widely used database of computer viruses and malicious software in a move that is having a ripple effect across the cybersecurity industry.

VirusTotal, a subsidiary of the search giant, said last week that it was attempting to curtail abuses of the database by mandating that any companies that access it must also participate in the service to help it grow.

VirusTotal receives about 1.2 million files each day from its free, public website that will scan against some 60 antivirus programs from leading makers such as Kaspersky Lab, Symantec, and Intel. 

Companies pay to receive access to those files full of potentially new viruses and data on the consistency of malware scanners. Until the policy change, VirusTotal did not require companies to participate in scanning new files, meaning they did not add to the larger pool of malware information for the industry. 

Many cybersecurity industry experts say that amounted to getting something for nothing. 

What's more, industry insiders worry that access to VirusTotal let some antivirus companies develop software that only checked to see if VirusTotal had encountered the file before, rather than root out new strains of malware to protect their customers.

"If the rumors are true, these companies are selling a false sense of security," said Bogdan Botezatu, a senior analyst at BitDefender, an antivirus firm that participates on VirusTotal.

Ideally, he said, the community of cybersecurity firms would collaborate on creating the most up-to-date information on viruses in service of improving the overall industry, and keeping consumers safer. "VirusTotal is so important because antiviruses only work on trust and cooperation."

Why many in Ukraine oppose a ‘land for peace’ formula to end the war

"For this ecosystem to work," VirusTotal said in a May 4 blog post, "everyone who benefits from the community also needs to give back to the community."

VirusTotal did not say how many current companies it would limit from accessing the library, and Google did not respond to a request for additional comment about the new VirusTotal policies. But the changes are already having a tangible effect on the cybersecurity industry.

According to Reuters, VirusTotal has shut out the cybersecurity firm SentinelOne, which promoted its use of the tool in marketing materials. Representatives from Crowdstrike told Reuters it was currently negotiating a way to continue using the service. 

Some firms have no qualms about leaving VirusTotal.

"People were saying that we were using VirusTotal to scan files, which we don’t," said Stuart McClure, chief executive officer of Cylance, a firm that promotes its use of artificial intelligence to detect cyberthreats. "This is good chance for us to educate people on what we actually do. VirusTotal's policies won’t affect us at all."

Still, he said, many companies may have had good reason not to share results of their own virus scans (often called "convictions") with the competition. "They would steal all of our convictions without giving us credit,” he said.

The changes to VirusTotal will not effect how the public can use the service to search files and websites for viruses and other malicious software.