About VirusTotal’s change of heart or…

Virus Total is a multi-engine malware scanner, an aggregator of security solutions. You can upload a file or provider an URL and it will check it with all available engines.  Mostly command line scanner or plain SDKs to use the engine.

The AV Industry wants to work with VT because if VT uses an engine, the company behind the engine will get all file and URL reports that they don’t detect but others do.


However, the AV Industry has a couple major issues with Virus Total, which can be summarized in one sentence: they lose business to VT.


There are obvious advantages that VT has over any AV vendor:

  • VT has over 60 engines
  • VT is available on demand
  • VT is fast because it uses now the infrastructure of Google
  • VT doesn’t require any kind of low level integration because they have an REST API available
  • VT might even be cheaper than many vendors out there (I am not very sure about this, but so I heard!). Nevertheless, even if they are not cheaper, the alternative to pay to all those vendors is much more expensive than anything what VT requests.

Normally, there are also some disadvantages that a multi-engine technology has over a single engine:

  • Latency
  • Has to deal with the reputation of each engine: some has a better detection than others
  • Support issues
  • Reports of FPs and FNs to each engine in particular

However, VT positions itself as not a multi-engine technology, but as  “a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect”.


Now, let’s see how does the AV industry lose business in favor to VT.

  1. Small security companies or security startups that need to have some additional detection capabilities rather pay to VT than to a single security vendor.
  2. Small companies or startups that need to check if their resources get flagged go to VT to have a broader view.


VT is offering an API to access their scanners, and the customers are paying for the amount of queries / time.

Everything comes to a price, even for VT:  they get many complains from customers who are unhappy with some vendors.

VT’s policy is to tell the people to go to the vendor directly if they want to complain to them about their practices or about a particular detection (FP mostly). Even with this policy, I am pretty sure that sooner or later the people unhappy will  turn to VT to ask for help. This causes troubles for VT.


This week VT published a blog post which changed the rules of the game … a bit:

A revised default policy to prevent possible cases of abuse and increase the health of our ecosystem: all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services. Additionally, new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO).


What does this mean?

A. It means that if you are an scanning company (e.g. have a security product that scans stuff) you need to put your engine in the VT in order to receive the scanning results.

For most AV companies out there, this is nothing new. They do that already.

For the companies that do have an AV product but don’t have an engine: this is a big issue.

They usually have just a cloud service containing hashes of files and they compare those hashes with those of VT. If it is not known, they upload the file from user’s computer, upload it to VT via the API and get the scan results. They store those scan results in their cloud service and I hope that they recheck it periodically (after all, everybody has false positives). These companies simply pay VirusTotal a subscription fee, and receive the information about the files. It is like they would have a lot of engines in their product. But they don’t.

With this change in their policy, it is no longer allowed to create a scanner based on VT unless the company publishes the engine in the VT and gets an approval from the AMTSO.

This is a BIG hit.

Why wouldn’t a company want to be present in the VT?

For several reasons:

  1. if part of their detection comes from heuristics taken on the machine. VT is running a command line scanner which has no information about the context.
  2. they have a very bad detection without VT (which they obviously can’t use anymore, since they would run in the VT environment)

If you want to know more insights about this, my good old friend Alex Eckelberry wrote a spicy post about it. I think that the comments are even more interesting than the post itself. (check the bottom of the article) 🙂

I will not quote him in this blog post because I am not familiar with those products and I won’t write anything about them without knowing details.


B. If you are a company which is using VT’s API to scan stuff, you may want to think twice about it.

VT is writing in their best practices and policy/TOS:

You should not to use the products, services, contents or tools provided by VirusTotal in any way that could harm the antivirus industry/URL scanning-blocking industry, whether it is directly or indirectly.


So, does not paying an AV vendor for their detection count as direct or indirect “harm”?  I would say that this is an indirect harm.

Complicated, isn’t it? I am not a lawyer, so I can’t say if this is really something that would stand in front of a judge.

But, VT must know that if they license the API to companies, this is exactly the reason why they would buy it from them.

Only a researcher that tests something would not cause an indirect harm to an AV vendor. Everybody else, who would otherwise be forced to pay for it is causing indirect harm.


NOTE: If anyone from VT is reading this, I would be interested in knowing what you think. You may contact me as well.





I am not associated with any AV company! I am no longer working for Avira for some time now, but I am working with them.

© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this: