Tuesday, November 17, 2015


VirusTotal += Mac OS X execution

We previously announced sandbox execution of Windows PE files in 2012 and of Android apps in 2013. We are happy to announce equal treatment for Mac OS X apps. Files scanned that are Mach-O executables, DMG files, or ZIP files containing a Mac app will be sent to the sandbox in order to produce behavioral reports.

Users may scan these file types directly on www.virustotal.com, with our OS X Uploader app, or via the API.
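To make the routing rule above concrete, here is an added example (not VirusTotal's own code) of how a client-side tool could recognise the three file classes before uploading: thin and fat Mach-O images by their magic numbers, UDIF disk images by the trailing "koly" block, and ZIP archives by the presence of a `<Name>.app/Contents/Info.plist` entry. The sample inputs are constructed byte strings, and the function and category names are this example's own choices, not API fields.

```python
import io
import struct
import zipfile

# Thin Mach-O magics: MH_MAGIC / MH_CIGAM (32-bit) and MH_MAGIC_64 / MH_CIGAM_64.
THIN_MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                     b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
# FAT_MAGIC of universal binaries; the same four bytes open a Java .class file,
# so the field that follows is used to tell the two apart.
FAT_MAGIC = b"\xca\xfe\xba\xbe"


def is_macho(data: bytes) -> bool:
    """True for thin Mach-O images and for fat (universal) binaries."""
    if len(data) < 8:
        return False
    if data[:4] in THIN_MACHO_MAGICS:
        return True
    if data[:4] == FAT_MAGIC:
        # A fat header stores nfat_arch here; a class file stores minor/major
        # version with major >= 45, so a small count means Mach-O (a heuristic
        # similar to the one file(1) applies).
        (nfat_arch,) = struct.unpack(">I", data[4:8])
        return 0 < nfat_arch < 20
    return False


def is_dmg(data: bytes) -> bool:
    """UDIF disk images carry a 512-byte trailer that starts with 'koly'."""
    return len(data) >= 512 and data[-512:-508] == b"koly"


def zip_contains_mac_app(data: bytes) -> bool:
    """True when the archive carries a <Name>.app bundle with its Contents/Info.plist."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    with zipfile.ZipFile(buf) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            for i, part in enumerate(parts):
                if part.endswith(".app") and parts[i + 1:i + 3] == ["Contents", "Info.plist"]:
                    return True
    return False


def classify(data: bytes):
    """Return 'mach-o', 'dmg' or 'zip-with-app', or None for anything else."""
    if is_macho(data):
        return "mach-o"
    if is_dmg(data):
        return "dmg"
    if zip_contains_mac_app(data):
        return "zip-with-app"
    return None


def build_samples() -> dict:
    """Constructed inputs (not real files): just enough bytes to exercise each check."""
    def make_zip(names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n in names:
                zf.writestr(n, b"placeholder")
        return buf.getvalue()

    return {
        "thin_macho": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,                  # MH_CIGAM_64 as stored on x86-64
        "fat_macho": FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 40,       # two architectures
        "java_class": FAT_MAGIC + struct.pack(">HH", 0, 52) + b"\x00" * 8,  # minor 0, major 52 (Java 8)
        "dmg": b"\x00" * 1024 + b"koly" + b"\x00" * 508,
        "app_zip": make_zip(["Demo.app/Contents/Info.plist", "Demo.app/Contents/MacOS/Demo"]),
        "plain_zip": make_zip(["readme.txt"]),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(f"{label:11s} -> {classify(blob)}")
```

The one trap worth remembering is the shared `CA FE BA BE` magic: a naive four-byte check would send every Java class file to the Mac sandbox, which is why the fat-header branch looks at the architecture count before accepting the file as Mach-O.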

As before, users with private API or "allinfo" privileges will see this information in the API responses. For VirusTotal Intelligence customers the information is also indexed and searchable.

Here are a couple of example reports; have a look at the "Behavioural information" tab.

DMG files:
Mach-O files:

ZIP files with a Mac app inside:
If you find issues or have suggestions to improve the Mac sandbox, please send an email to contact [at] virustotal [dot] com.

Friday, October 09, 2015


VirusTotal += CloudStat URL scanner

Today we are introducing a new URL scanner that will be characterizing URLs submitted by users to VirusTotal: CloudStat. In their own words:
CloudStat is a new platform set to revolutionize the way companies collect and analyze their data. It identifies compliance gaps, detects configuration problems and warns customers of cyber security threats by applying our proprietary analysis engine to millions of data points. It delivers concise actionable reports directly to mobile devices. The team behind CloudStat is dedicated to helping companies mitigate risks, increase productivity and reduce costs.
Let us look at how their verdicts show up:
https://www.virustotal.com/en/url/2ea21e20088c61bbcec94722c5ef9dd17a663f03869c1f85cacab5c705288064/analysis/
https://www.virustotal.com/en/url/a6ae8a164711f280e4df6d88ba9cd8a7b5acc491824b29e09fdd4e0ff951944c/analysis/
https://www.virustotal.com/en/url/de364f9419c0ed25ed9731e7afb412a0a5d647774c2c54fab2bbee72215519ad/analysis/

Judging by the reports, this new engine nicely complements the other datasets, so aggregate threat coverage has improved; this is good news. Hopefully this addition results in more secure users worldwide.

Welcome CloudStat!

Tuesday, June 09, 2015


VirusTotal += Arcabit

We welcome the Arcabit scanner to VirusTotal. This is a multi-engine product from Poland. In the words of the company:

"Arcabit is a Polish vendor of antivirus and protection software. The Arcabit antivirus engine is a hybrid of two solutions - Bitdefender and its own, constantly developed engine with rapid response to new threats. Arcabit uses advanced cloud solutions to identify trends in malware development and to ensure an early response to new threats. The heuristic mechanisms implemented by Arcabit (identified as HEUR.*) offer efficacy at the level of 99.9% in detecting threats spreading through popular Web channels - www, email etc."

Friday, June 05, 2015


VirusTotal -= Norman

Blue Coat has decided to retire the Norman Scanner Engine as an active OEM-able AV scanner engine, so it will no longer be shown in VirusTotal reports.

Tuesday, April 28, 2015


KnockKnock += VirusTotal

In October 2013 we announced that Windows Sysinternals Sigcheck was adding integration with VirusTotal in order to help its users with malware triage. Thereafter, Mark Russinovich has continued to plug VirusTotal into other tools commonly used by malware and forensics analysts, namely Sysinternals Autoruns and Sysinternals Process Explorer.

Today we are excited to announce that Patrick Wardle has included VirusTotal information in the Mac OS X equivalent of Autoruns: KnockKnock. In his own words:
"KnockKnock... Who's There?" See what's persistently installed on your Mac!
Malware installs itself persistently, to ensure it is automatically executed each time a computer is restarted. KnockKnock (UI) uncovers persistently installed software in order to generically reveal such malware.

This tool is extremely useful when performing a quick malware hunt on Mac OS X systems, and the integration with VirusTotal gives further momentum to the efforts we have been making to help secure Mac OS X users: tools to further characterize Mac OS X executables, VirusTotal Uploader for OS X, etc.

If you want to learn more about KnockKnock and download it, do not hesitate to visit the project's site: https://objective-see.com/products/knockknock.html.
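As an added illustration of the kind of persistence enumeration KnockKnock performs (this is example code, not KnockKnock's or VirusTotal's), the following Python walks launchd job directories, extracts what each job runs and when, and hashes the target binary so the digests can be looked up against VirusTotal. The demo directory and its plists are constructed in a temporary folder; the function names and the report fields are this example's own.

```python
import hashlib
import os
import plistlib
import tempfile

# Standard launchd job locations; the per-user agents directory is expanded here.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def sha256_file(path: str):
    """Hex SHA-256 of a file, or None when it cannot be read (missing, permission denied)."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def parse_launchd_plist(path: str) -> dict:
    """Pull the persistence-relevant keys out of a launchd job definition."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    return {
        "label": job.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),  # a bool or a dict of conditions
    }


def enumerate_persistence(directories=LAUNCHD_DIRS) -> list:
    """List launchd jobs in the given directories, with the hash of each target binary."""
    items = []
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                item = parse_launchd_plist(path)
            except Exception as exc:  # a malformed job file is itself worth surfacing
                item = {"label": None, "program": None, "arguments": [],
                        "run_at_load": False, "keep_alive": False, "error": str(exc)}
            item["plist"] = path
            item["sha256"] = sha256_file(item["program"]) if item["program"] else None
            items.append(item)
    return items


def build_demo_tree():
    """Constructed sample: a temp directory standing in for ~/Library/LaunchAgents.

    Returns (directory, path of the demo binary). Nothing here is a real job or binary.
    """
    root = tempfile.mkdtemp(prefix="launchd_demo_")
    binary = os.path.join(root, "updater")
    with open(binary, "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed sample\n")
    jobs = {
        "com.example.updater.plist": {"Label": "com.example.updater",
                                      "ProgramArguments": [binary, "--quiet"], "RunAtLoad": True},
        "com.example.missing.plist": {"Label": "com.example.missing",
                                      "Program": os.path.join(root, "gone"), "KeepAlive": True},
    }
    for filename, job in jobs.items():
        with open(os.path.join(root, filename), "wb") as fh:
            plistlib.dump(job, fh)
    return root, binary


if __name__ == "__main__":
    demo_dir, _ = build_demo_tree()
    for item in enumerate_persistence([demo_dir]):
        print(item["label"], item["program"], item["sha256"] or "(binary not found)")
```

A job whose target binary no longer exists is reported rather than skipped: a dangling `Program` path is a common leftover of an incomplete uninstall, and it is exactly the kind of entry an analyst wants to see during a quick hunt. On a real system, run the enumerator with the default directory list; the SHA-256 values it produces are what one would submit to VirusTotal for a verdict.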

Tuesday, February 10, 2015


A first shot at false positives

Every so often an antivirus detecting a legitimate file hits the headlines. This usually happens when a given vendor mistakenly marks as malicious a file belonging to a widespread software package, for example a key operating system file.

These mistaken detections, commonly known as false positives, have all sorts of undesired effects:
  • Software developers may face strong business impact as a large portion of their users see their programs rendered unusable. 
  • Support teams for the affected programs may be suddenly overwhelmed by user emails claiming that the given software is not working correctly.
  • End-users may be unable to interact with important software and see themselves unable to finish critical tasks.
  • Antivirus vendors' reputation may be severely hindered.
It is thus obvious that false positives are a headache both for the antivirus industry and for software developers. Solving them can be a very challenging problem. Why? Nowadays antivirus vendors are increasingly required to be more proactive; this includes developing generic signatures and heuristic flags which, in the effort to secure the user base, very often lead to mistaken detections.

VirusTotal is strongly committed to helping the antivirus and security industry, which is why we also wanted to collaborate on this front. Our first shot at this is a project that we call trusted source. The goal of this first stage is to have very large software developers share the files in their software catalogues.

These files are then marked accordingly at VirusTotal, and whenever an antivirus solution (mistakenly) detects them we notify the pertinent vendor, allowing them to quickly correct the false positive. Additionally, when files are distributed to antivirus vendors they are tagged so that potentially erroneous flags can be ignored, preventing a snowball effect on detection ratios.

We have already started marking files and you may have already noticed the new message dialog at the top of file reports, example:
https://www.virustotal.com/en/file/a70999ee28e6233ffcadb6cc3967417be4de2678b868fa2d45bdd3f826c7ed48/analysis/

As you can see, not only is a trusted source dialog displayed; mistaken detections are also dropped from the positives count and moved to the bottom of the report. This is just a quick measure to make sure the false positives do not mislead users looking at the report; as said, these mistaken detections are also shared with the pertinent vendors so that they can fix them.
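To show how a trusted-source flag changes what a reader of the report sees, here is an added example (not VirusTotal's implementation) that recomputes a report against a set of trusted hashes: detections on a trusted file are excluded from the positives count, moved to the bottom of the listing, and collected into a notification list for the vendors concerned. The report shape, the engine names, the detection names and the hashes are all constructed for the example.

```python
# Constructed trusted-source list: SHA-256 digests a vendor has shared for its catalogue.
# These are placeholder digests, not hashes of real files.
TRUSTED_SHA256 = {
    "aa" * 32,
    "bb" * 32,
}


def reconcile_report(report: dict, trusted: set) -> dict:
    """Recompute a report so that detections on a trusted-source file do not count as positives.

    report: {"sha256": str, "scans": {engine: {"detected": bool, "result": str | None}}}
    (a constructed shape for this example). Detections on trusted files stay visible
    but are flagged, sorted to the bottom, and listed for vendor notification.
    """
    is_trusted = report["sha256"].lower() in trusted
    rows = []
    for engine, scan in report["scans"].items():
        detected = bool(scan.get("detected"))
        rows.append({"engine": engine, "detected": detected,
                     "result": scan.get("result"),
                     "suppressed": is_trusted and detected})
    # Order: live detections first, then clean verdicts, then suppressed (false-positive) rows.
    rows.sort(key=lambda r: (r["suppressed"], not r["detected"], r["engine"]))
    return {
        "trusted_source": is_trusted,
        "positives": sum(1 for r in rows if r["detected"] and not r["suppressed"]),
        "total": len(rows),
        "rows": rows,
        "vendors_to_notify": [r["engine"] for r in rows if r["suppressed"]],
    }


def sample_report(sha256: str) -> dict:
    """Constructed report with four engines; names and verdict strings are placeholders."""
    return {"sha256": sha256, "scans": {
        "EngineA": {"detected": True, "result": "Gen:Heur.Placeholder"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Generic.Placeholder"},
        "EngineD": {"detected": False, "result": None},
    }}


if __name__ == "__main__":
    for digest in ("aa" * 32, "cc" * 32):
        view = reconcile_report(sample_report(digest), TRUSTED_SHA256)
        print(digest[:8], "trusted" if view["trusted_source"] else "unknown",
              f'{view["positives"]}/{view["total"]}', view["vendors_to_notify"])
```

The same two detections produce `0/4` for the trusted file and `2/4` for an unknown one; the suppressed rows are not deleted, because the vendors still need to see them to fix their signatures.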

We have been working on this for just one week and with just one company, Microsoft, yet results look very promising: over 6000 false positives have been fixed. We would like to extend a big thank you to the Microsoft team for sharing metadata about its software collection and to the antivirus industry as a whole for the false positives remediation. 

So what are the next steps? We are looking to grow our collection of trusted software; if you happen to be a very large software development company, you might want to contact us in order to share this data and help us mitigate the issue of false positives. Please note that this initiative is not open to potentially unwanted applications and adware developers.

Thursday, January 15, 2015


VirusTotal += Alibaba

We welcome the Alibaba engine to VirusTotal. This Chinese antivirus is focused on Android malware. In the words of the company:

"The Alibaba anti-virus engine is an ultrafast and accurate anti-virus engine based on cloud computing, big data technologies and a massive database of confirmed malware and safe files. This anti-virus engine consists of multiple subsystems such as preprocessing, static analysis, dynamic analysis, and counterfeit software detection. These subsystems collaboratively and automatically analyze unknown software to determine whether it is malware or not.

Specifically, our anti-virus engine focuses on detecting malware that threatens the safety of mobile shopping or payment. We aim to protect the private information and assets of Alibaba's clients, as well as maintain a secure mobile cyberspace."

Thursday, January 08, 2015


Digging deeper into JAR packages and Java bytecode

Before the Christmas break we announced the inclusion of a tool to further characterize Mac OS X executables and iPhone apps; at the same time we also silently deployed one to dig deeper into JAR packages and Java .class files.

VirusTotal has always scanned and produced verdicts for these types of files, as it scans any type of binary content; however, it will now also produce static notions such as the Java packages used, the manifest of the JAR bundle, interesting strings, file type distribution, timestamp metadata for files within the archive, etc. You may take a look at this new information in the file details tab of the following report:
https://www.virustotal.com/en/file/647e5c0a640e7b5b006a14a09b5d3099c1eaf1e9f03ffa748c615be75a94103e/analysis/


Similarly, for .class files the tool will produce new notions such as the original class name, the target platform, whether it extends some class or implements some interface, its methods, what functions it provides and requires, etc. An example can be viewed in the file details tab of the following report:
https://www.virustotal.com/en/file/d5ff153c7ff2f16906c4cd80a78a3ef2ed9f938c353d678b895a952dccca49df/analysis/


Many of today's threats are distributed through exploit kits, a wide variety of which make use of malicious JARs to exploit Java and end up serving the final malicious payload to the victim. We hope this new information helps researchers better discriminate these threats.
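To make the JAR and .class notions described in this post concrete, the following added example (not VirusTotal's tool) parses a JAR's manifest, package list and file-type distribution, and reads each class file's constant pool to recover the class name, superclass, interfaces, fields, methods, class-file version and string literals. The JAR and its class files are constructed in memory by a small builder, so nothing here is a real sample; the function names and the output fields are this example's own.

```python
import io
import struct
import zipfile
from collections import Counter

# Payload size of the fixed-width constant-pool entry kinds (tag -> bytes after the tag).
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_class(data: bytes) -> dict:
    """Static view of one .class file: name, superclass, interfaces, members, string literals."""
    magic, minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    assert magic == 0xCAFEBABE, "not a class file"
    pos, pool, str_refs, i = 10, {}, [], 1
    while i < cp_count:
        tag = data[pos]
        if tag == 1:                         # CONSTANT_Utf8: u2 length + modified UTF-8 bytes
            (n,) = struct.unpack_from(">H", data, pos + 1)
            pool[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        elif tag in (7, 8):                  # CONSTANT_Class / CONSTANT_String: u2 Utf8 index
            (pool[i],) = struct.unpack_from(">H", data, pos + 1)
            if tag == 8:
                str_refs.append(pool[i])
            pos += 3
        else:
            pos += 1 + CP_FIXED[tag]
        i += 2 if tag in (5, 6) else 1       # long/double occupy two pool slots
    _access, this_idx, super_idx, n_if = struct.unpack_from(">HHHH", data, pos)
    pos += 8
    ifaces = [pool[pool[x]] for x in struct.unpack_from(">%dH" % n_if, data, pos)]
    pos += 2 * n_if

    def members():                           # field_info / method_info table, attributes skipped
        nonlocal pos
        (count,) = struct.unpack_from(">H", data, pos)
        pos, out = pos + 2, []
        for _ in range(count):
            _flags, name_i, desc_i, n_attr = struct.unpack_from(">HHHH", data, pos)
            pos += 8
            for _ in range(n_attr):
                (length,) = struct.unpack_from(">I", data, pos + 2)
                pos += 6 + length
            out.append(pool[name_i] + pool[desc_i])
        return out

    fields, methods = members(), members()
    return {"name": pool[pool[this_idx]], "super": pool[pool[super_idx]] if super_idx else None,
            "interfaces": ifaces, "version": (major, minor), "fields": fields,
            "methods": methods, "strings": [pool[x] for x in str_refs]}

def build_class(name, super_name, interfaces, methods, strings=()) -> bytes:
    pool = []  # constructed sample: a minimal, attribute-free class file (not loadable by a JVM)

    def utf8(s):
        pool.append(b"\x01" + struct.pack(">H", len(s)) + s.encode())
        return len(pool)

    def ref(tag, s):                         # CONSTANT_Class (7) or CONSTANT_String (8)
        pool.append(bytes([tag]) + struct.pack(">H", utf8(s)))
        return len(pool)

    this_i, super_i = ref(7, name), ref(7, super_name)
    if_i = [ref(7, s) for s in interfaces]
    [ref(8, s) for s in strings]
    meth = [(utf8(n), utf8(d)) for n, d in methods]
    out = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1) + b"".join(pool)
    out += struct.pack(">HHHH", 0x0021, this_i, super_i, len(if_i)) + struct.pack(">%dH" % len(if_i), *if_i)
    out += struct.pack(">HH", 0, len(meth))  # zero fields, then the method table
    out += b"".join(struct.pack(">HHHH", 0x0001, n, d, 0) for n, d in meth)
    return out + struct.pack(">H", 0)        # zero class attributes

def inspect_jar(data: bytes) -> dict:
    """JAR-level notions: manifest main attributes, packages, file-type distribution, classes."""
    manifest, classes, packages, types = {}, [], set(), Counter()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            base = info.filename.rpartition("/")[2]
            types[base.rsplit(".", 1)[1].lower() if "." in base else "(none)"] += 1
            blob = zf.read(info)
            if info.filename == "META-INF/MANIFEST.MF":  # continuation lines (leading space) skipped
                for line in blob.decode("utf-8", "replace").splitlines():
                    if ":" in line and not line.startswith(" "):
                        key, value = line.split(":", 1)
                        manifest[key.strip()] = value.strip()
            elif info.filename.endswith(".class") and blob[:4] == b"\xca\xfe\xba\xbe":
                classes.append(parse_class(blob))
                packages.add(classes[-1]["name"].rpartition("/")[0] or "(default)")
    return {"manifest": manifest, "packages": sorted(packages),
            "file_types": dict(types), "classes": classes}

def build_sample_jar() -> bytes:
    buf = io.BytesIO()  # constructed demo JAR: a manifest, two classes, one resource; not a real sample
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: demo.Loader\r\n\r\n")
        zf.writestr("demo/Loader.class", build_class(
            "demo/Loader", "java/applet/Applet", ["java/lang/Runnable"],
            [("<init>", "()V"), ("run", "()V")], strings=["http://example.invalid/update"]))
        zf.writestr("demo/util/Helper.class", build_class("demo/util/Helper", "java/lang/Object", [], [("decode", "([B)[B")]))
        zf.writestr("resources/payload.dat", b"\x00" * 16)
    return buf.getvalue()
```

Running `inspect_jar(build_sample_jar())` yields the manifest's `Main-Class`, the packages `demo` and `demo/util`, a file-type count of two classes, one manifest and one `.dat` resource, and for `demo/Loader` the superclass `java/applet/Applet`, the `java/lang/Runnable` interface, its two methods and the embedded URL literal. Those are exactly the fields an analyst looks at first: an applet subclass with a URL string and a helper whose only method takes and returns a byte array is a shape worth a closer look, whatever the engines say.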