Google launches VirusTotal Monitor

Google announced the new paid VirusTotal service VirusTotal Monitor today designed to provide customers with daily reports for files uploaded to the service.

One of the core goals of VirusTotal Monitor is the mitigation of false positives. The detection of false positives, the incorrect detection of malicious code in files, is a huge problem for software and security companies, and end users.

Software may not reach distribution levels that it should have reached without the detection of false positives, and it may in extreme cases even be removed from user systems. Software companies lose business and reputation because of that.

Similarly, the detection of false positives may have reputation damaging effects on antivirus companies. End users on the other hand may not be able to run software that they should be able to.

In short, false positives are bad for anyone involved. Google tried to limit false positives in 2015 with the introduction of the Trusted Source project.

VirusTotal Monitor

VirusTotal Monitor is an attempt to address the issue. Basically, what it unlocks is the ability to upload files to VirusTotal for monitoring. Software companies can upload their library of programs to VirusTotal to have them checked automatically on a regular basis.

VirusTotal creates reports and notifies companies if any of the supported antivirus engines detect malware, sypware, potentially unwanted software or other issues in the uploaded files.

Companies and developers can react more quickly to the issue to resolve it before it hits the entire userbase.

VirusTotal Monitor is a new service that allows software developers to upload their creations to a private cloud store in VirusTotal. Files in this private bucket are scanned with all 70+ antivirus vendors in VirusTotal on a daily basis, using the latest detection signature sets.

VirusTotal Monitor shares files with antivirus vendors that flagged a file and notifies them about the issue so that it can be addressed if it is indeed a false positive.

Files also remain absolutely private, not shared with third-parties. It is only in the event of a detection that the file will be shared with the antivirus vendor producing the alert. As soon as the file is detected, both the software developer and the antivirus vendor are notified, the antivirus vendor then has access to the file and its metadata (company behind the file, software developer contact information, etc.) so that it can act on the detection and remediate it if it is indeed considered a false positive. The entire process is automatic.

The key word that describes the main advantage of VirusTotal Monitor is automation. Files are scanned automatically, and both vendors and antivirus companies are notified automatically when hits are detected.

Developers can use the online dashboard to check the status of files and scans there as well but they may also use the provided REST API and email notifications.

Closing Words

VirusTotal Monitor is a paid service but it is unclear at this point in time how much it will cost. It appears that Google wants to start building the service with large companies and invite smaller developers later to the party.

While it is certainly possible to test any file in real-time on VirusTotal, the main advantage that VirusTotal Monitor offers is that it will run constant checks on uploaded files. While you can do the same on a day-by-day basis (and you should), automation makes this a lot easier. The more a library grows the more comfortable it gets.

Anything that drops the number of false positives is a good thing in my opinion. Lets hope that Google will set reasonable prices for smaller developers and developers of freeware.

Now You: How do you handle false positives? (via Bleeping Computer)