As a cinephile (and former TV script executive), I can’t help myself. When CEO Steve Subar told me that his company, Comodo Cybersecurity is based in Clifton, New Jersey, my reflexive reaction was to think, oh, right, just like Rupert Pupkin, the hapless protagonist of Martin Scorcese’s classic 1982 film, “The King of Comedy.” Played by Robert DeNiro, Pupkin declares, “I was born in Clifton, New Jersey… which was not at that time a federal offense.”
Pupkin took a big chance to get famous. (And hilarity ensued. No spoilers here.) Subar, for his part, while not deluded like Pupkin, is also displaying a lot of Clifton, New Jersey moxie in making a bold statement about one of the cyber security industry’s not so pretty realities. Comodo published an article at Black Hat 2018 criticizing anti-virus software makers who take unfair advantage of the cooperative spirit of Google’s VirusTotal program.
Taking Unfair Advantage of Crowdsourcing
The crowdsourced VirusTotal virus scanning project lets anyone upload suspected virus files and URLs. As part of the crowdsourced model, VirusTotal shares the results with participants, including 70 commercial partners. This enables participants to improve the depth and accuracy of their respective virus signature libraries.
To attract commercial partners, VirusTotal’s terms of service mandate that commercial partisans not “use the Service in any way which could infringe the rights or interests of VirusTotal, the Community or any third party, including for example, to prove or disprove a concept or discredit, or bait any actor in the anti-malware space.”
According to Comodo, some of the project’s commercial participants are abusing the privilege. In effect, as Subar puts it, they are integrating their competitors’ virus research into their own products for free. This is not the intent of VirusTotal, nor is it in the spirit of the project. And, while VirusTotal officially banned this sort of free-riding in 2016, Subar claims it is still going on.
Subar commented, “While Google’s VirusTotal performs a valuable service to its vendor-members, those members use VirusTotal to perpetrate a great disservice upon IT end-users: using the reputation of VirusTotal, AV vendors co-opt Google’s service and promote the myth that detection constitutes protection. When users and third-parties discover that Carbon Black, Crowdstrike, Cylance, McAfee, Symantec et al. do not disclose their failure to identify known malware, it becomes obvious that those vendors are hiding behind the Terms of Service.”
The Deficiency of “Detect-Remediate”
His broader point revolves around the assertion that virus detection is not the same virus protection. “The Detect-Remediate paradigm is inherently flawed,” he explained. In reality, it is impossible for anti-virus vendors to keep their virus registries 100% current. Furthermore, AI-powered anti-virus algorithms cannot reliably distinguish between malicious and benign code all the time.
Comodo suggests a change of paradigm. In its case, Advanced Endpoint Protection (AEP) combines a default deny mode of functioning with auto-containment and instant usability. Comodo Cybersecurity AEP automatically isolates and contains incoming unknown files while letting users remain productive. The toolset uses a sandbox approach to deny “write access” to malware.
A Bigger Tension Revealed
There’s an even bigger picture takeaway from Comodo’s crying foul on abuse of VirusTotal. The cyber security industry comprises an uneasy mix of private enterprise and open communitarianism. Usually, it’s possible to keep a fair balance. Private companies engage with open, crowdsourced community projects and offer much in return. As this episode reveals, however, participants sometimes elect not play nicely. When this happens, whether its anti-virus titans or Jerry Lewis, someone from Clifton, New Jersey will be on the case.