Full Disclosure mailing list archives
About VirusTotal/Hispasec
From: "Bernardo Quintero" <bernardo () hispasec com>
Date: Fri, 3 Sep 2004 21:11:12 +0200
> I'm also rather suspicious of your promotion of Virus Total. Hispasec, as far as I can tell (Spanish being something I have to have translated via online services), has no antivirus or similar product of its own,
Obviously, we don't develop any antivirus product. We don't distribute any antivirus solution either, nor do we have an interest in any specific AV vendor.
> yet it has set up, and some folk seem to be promoting, what is effectively a sample collection mechanism. I've also heard vague
Sincerely, we have no hidden intentions, and we don't have any business model behind VirusTotal, but we accept suggestions in that field ;) VirusTotal is more a system that lets users have a second opinion about suspicious files that, for one reason or another, are not detected as 'dangerous' by the AV they have installed on their system.

The program was developed as an internal-use tool for our laboratory to monitor the update responses of AV engines against new malware, knowing that way exactly when they started to detect them. We're frequently asked to consult on antivirus solutions, and we've been doing tests and studies in that field for technical magazines and companies for years. Once we had it working in our lab, we thought it would be something useful for the community as that second opinion I told you about. We made it a lovely wrapper (the web interface) and we offered it as a free service.

About the files received, we've developed a distribution system for giving those files to AV vendors that don't detect a supposedly infected file (or that detect it with heuristics). This system is not active now, and I hope to make a formal proposal (free) and reach consensus with them to see if they like that system. If we finally activate that system, VirusTotal will accept new commands so users can choose whether they want those files to be sent to AV vendors or not. I don't really see any problem with suspicious binaries, but in the case of documents I understand that users should be able to use the service knowing that the file is not going to be sent to any lab (a matter of privacy). I think the best way is to keep that 'not-sending' option, so a user can decide, any time they send a new file, whether it enters the distribution system or not.
> rumblings that Hispasec/Virus Total does not have suitable licenses for at least some of the scanners used in its service (and strongly suspect that several of the AV vendors whose products are currently used would not allow their products to be licensed for use in a service of the
No AV engine in VirusTotal is being used against the will of its vendor. We've asked permission from all the developers themselves or the distributors of those products here in Spain (just for geographical reasons, as it is our country). We're planning to increase the number of engines used (we're working on it), as other AV vendors have asked us to be part of the project with their solutions.
> - the different results could be due to differences in the update schedule at virustotal.com (some vendors offer their fastest updates only for premium licenses, which virustotal may not have).
VirusTotal is configured to look for new updates of all AVs in the system every 5 minutes. The updating system is basically the same that a registered user has in their own system. Obviously, AV vendors have stressed the importance of keeping that procedure as pure as possible so as not to be 'harmed' against others.
> - maybe some products are used with optimized settings (for example maximum heuristic detection) and others with default settings.
The parameters used in each engine are discussed with the developers, as we look for a behaviour as close as possible to the one a user could experience in their system.
> Unless for (a purely theoretical) example the website would use your submission to infect others (perhaps with your address as sender) :-)
Definitely, that statement is close to paranoia, or there's simply an interest on your part in libelling the service. Well, next week VirusTotal will accept files through a form that won't need any email to be given, so you can obtain the results directly on the web.
> I believe the intention may be good but I have some lingering suspicion of *free* service that have you send in binary maybe the elaborate works of vx traders. (cue the conspiracy theories)
Obviously not. Do you have any other suspicion or vague rumour? I think this kind of thing can make people on the list get bored, so you can use the email we offer (info () virustotal com) for answering all kinds of requests (it's only a suggestion). With time, and using the most usual questions and answers received through that email, we're going to publish a FAQ on the site itself. Of course, all criticism and suggestions are welcome so we can improve the service or include new features.

Thanks,
Bernardo Quintero
bernardo () hispasec com
Hispasec Sistemas
http://www.hispasec.com