I am delighted to announce that CrowdStrike is the first company to integrate its signatureless machine learning engine into the industry standard VirusTotal. For many years I have been a fan of VirusTotal and fully support their important community-driven mission to help the security industry and make the internet a safer place through the development of tools and services. As many know, VirusTotal recently provided some updated guidance on how vendors should work with VirusTotal. Specifically, they wanted to ensure that all vendors — new and old — contribute back to the broader security community for the benefit of everyone. At CrowdStrike, we fully support this change and are excited to announce that we have integrated the first machine learning scan engine, Falcon (ML), into VirusTotal. I also want to be very clear, unlike other next-gen companies, we were never cut off from VirusTotal and the policy change had no impact on us. However, we do agree that all users of VirusTotal should contribute in some fashion which is why were are leading the pack of next-gen vendors by stepping up and delivering our engine first.
We believe Falcon (ML) marks a milestone for VirusTotal as it begins the next chapter in contributing signatureless machine learning to the security community. Since the current rate of new samples averages 390,000 per day, it is impossible for signature-based technology alone to keep pace. Many common malware families like the notorious Locky ransomware or even the FANCY BEAR and COZY BEAR malware we uncovered while uncovering the breach of the Democratic National Committee (DNC) are easily morphed to bypass signature-based antivirus. Our goal is to provide a probabilistic determination if a file is malware based upon algorithms versus updates. Thus, many users of VirusTotal can have an immediate mathematical score versus waiting for a signature update. While signatures are a useful method for identifying known bad, we believe making a determination without solely relying on signatures will aid the security community greatly in identifying unknown or zero-day malware.
While our CrowdStrike Falcon technology was originally designed to identify both malware and malware-free intrusions, our machine learning engine is just one element of our overall prevention technology framework. Falcon was designed to not only stop malware but to stop breaches. As such, it is important to point out that we have several other detection/prevention mechanisms including our Indicator-of-Attack-based (IoA) behavioral profiling, which is powered by our massive Threat Graph. Extracting our machine learning engine from Falcon Host and providing it to the VirusTotal community was a deliberate effort intended to benefit the entire security industry with our technology. Some of our competitors have shied away from contributing back to the community and are criticizing the current industry testing methodology driven by the Anti-Malware Testing Standards Organization (AMTSO). Instead, we put our heads down and with considerable effort decoupled our engine and modified it to work with VirusTotal. We also certified our engine, with an AMTSO testing organization, the results can be found here.
Why is our machine learning different or better than others? Simple. The differentiator for our engine is that it is predicated on a cloud-based architecture operating on algorithms infused with the collective knowledge of a crowdsourced community where threat intelligence is aggregated and updated instantly. In our case, the data is generated by our ability to process almost 20 billion events (and growing) on a daily basis. As Dr. Sven Krasser points out in his blog our machine learning looks at millions of features to convict a file. We have spent the past three plus years developing sophisticated models focused on detecting the most virulent malware. Our engine allows us to expose a confidence level indicating the probability that a file is malicious. This range gives users the flexibility to determine their own threshold for when to take action on an attack.
VirusTotal is a community resource that can benefit every Internet user who needs to assess whether a file they may have found on their network is potentially malicious. We encourage all next-generation endpoint security vendors to follow our lead and help the industry and, in fact, the whole Internet community, by contributing their technology to this important mission. And every customer should be asking if their endpoint security vendor is part of the VirusTotal community and, if not, why not?
We are committed to continually improving our engine – please send suggestions or thoughts to VTscanner@crowdstrike.com.
To learn more, please register for our upcoming CrowdCast September 29th where we’ll highlight the first signature-less engine to be integrated into VirusTotal