Full Disclosure mailing list archives

About VirusTotal/Hispasec


From: "Bernardo Quintero" <bernardo () hispasec com>
Date: Fri, 3 Sep 2004 21:11:12 +0200

> I'm also rather suspicious of your promotion of Virus Total.  Hispasec,
> as far as I can tell (Spanish being something I have to have translated
> via online services), has no antivirus or similar product of its own,

Obviously, we don't develop any antivirus product. Nor do we distribute 
any antivirus solution or have an interest in any specific AV vendor.

> yet it has set up, and some folk seem to be promoting, what is
> effectively a sample collection mechanism.  I've also heard vague

Sincerely, we have no hidden intentions, and we don't have any business 
model behind VirusTotal, but we accept suggestions in that field ;)

VirusTotal is more a system that lets users have a second opinion about 
suspicious files that, for one reason or another, are not detected as 
'dangerous' by the AV they have installed on their system.

The program was developed as an internal tool for our laboratory to 
keep monitoring the update responses of AV engines against new malware, 
so that we know exactly when they started to detect them.
We're frequently asked to consult about antivirus solutions, and 
we've been doing tests and studies in that field for technical magazines 
and companies for years.

Once we had it working in our lab, we thought it would be something 
useful for the community for getting that second opinion I told you 
about. We gave it a lovely wrapper (the web interface) and offered it 
as a free service.

About the files received, we've developed a distribution system for giving 
those files to AV vendors that don't detect a supposedly infected file 
(or that detect it only with heuristics). This system is not active now, 
and I hope to make a formal (free) proposal and reach a consensus with
them to see if they like the system. If we finally activate that system,
VirusTotal will accept new commands so users can choose whether they
want their files to be sent to AV vendors or not.

I don't really see any problem with suspicious binaries, but in the 
case of documents I understand that users should be able to use the 
service knowing that the file is not going to be sent to any lab 
(a matter of privacy). I think the best way is to keep that 
'not-sending' option, so a user can decide, every time they send a new 
file, whether it enters the distribution system or not.

> rumblings that Hispasec/Virus Total does not have suitable licenses for
> at least some of the scanners used in its service (and strongly suspect
> that several of the AV vendors whose products are currently used would
> not allow their products to be licensed for use in a service of the

No AV engine in VirusTotal is being used against the will of its 
vendor. We've asked permission from all the developers themselves or from 
the distributors of those products here in Spain (just for geographical 
reasons, as it is our country). We're planning to increase the number of 
engines used (we're working on it), as other AV vendors have asked us to 
be part of the project with their solutions.

> - the different results could be due to differences in the update 
>  schedule at virustotal.com (some vendors offer their fastest updates
>  only for premium licenses, which virustotal may not have). 

VirusTotal is configured to look for new updates of all AVs in the 
system every 5 minutes. The updating system is basically the same one that 
a registered user has on their own system. Obviously, AV vendors have 
stressed the importance of keeping that procedure as pure as possible so 
as not to be 'harmed' relative to the others.

> - maybe some products are used with optimized settings (for example 
>  maximum heuristic detection) and others with default settings.

The parameters used in each engine are discussed with the developers, as 
we look for a behaviour as close as possible to the one a user would 
experience on their system.

> Unless for (a purely theoretical) example the website would use your 
> submission to infect others (perhaps with your address as sender) :-) 

Definitely, that statement is close to paranoia, or there's simply an 
interest on your part in libelling the service. Well, next week VirusTotal 
will accept files through a form that won't need any email to be given, so 
you can obtain the results directly on the web.

> I believe the intention may be good but I have some lingering
> suspicion of *free* services that have you send in binaries; maybe
> the elaborate works of vx traders.  (cue the conspiracy theories)  

Obviously not.


Do you have any other suspicions or vague rumours? I think this kind of 
thing can make people on the list get bored, so you can use the email 
we offer (info () virustotal com) for all kinds of requests (it's 
only a suggestion). With time, and using the most common questions and 
answers received through that email, we're going to publish a FAQ on the 
site itself.

Of course, all criticism and suggestions are welcome so we can improve the 
service or include new features.

Thanks,

Bernardo Quintero
bernardo () hispasec com
Hispasec Sistemas
http://www.hispasec.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
