VirusTotal launches the TRUSTED SOURCE project and takes on false alarms

False alarms generated by antivirus software are a big problem in the IT industry, not only for end users but especially for the security software vendors themselves and for the developers of applications and systems. False alarms cause all sorts of unwanted effects: developers have trouble selling their applications and lose customer trust, and antivirus vendors lose reputation if their products too often block uninfected sites and files.

A good antivirus is one that uses few system resources, protects well against malware and produces a very low (or negligible) number of false positives. Conversely, high detection must not be bought with a flood of false alarms on the principle "block everything and detection jumps to one hundred percent".

The number of false alarms is one of the metrics tracked by the various laboratories that test antivirus software. Now that heuristic detection is the dominant protection layer, however, clean files have been and will keep being misclassified as threats. The risk of "catching" a false positive can nevertheless be reduced.

To address this, a project called "Clean file Metadata eXchange" (CMX) was created in 2013 and first presented at the Virus Bulletin conference by Igor Muttik of McAfee and Mark Kennedy of Symantec. The authors laid out the issues that cause false alarms, which are sometimes a nightmare for security vendors. CMX proposed that if the FP problem was to be solved once and for all, a database of checksums of known clean files had to be built. Unfortunately, as had already happened before, cybercriminals have more than once used stolen certificates or impersonated legitimate companies against ordinary users and businesses, so a valid signature alone cannot vouch for a file.

Recently the VirusTotal team (part of Google since 2012) took matters into their own hands and created a project called TRUSTED SOURCE. It is a database application, currently in alpha, that is already available to security vendors and to large system and application developers. Through it, software developers can submit checksums of all the files that make up their software; VirusTotal verifies the metadata automatically and makes it available to the developers of antivirus software.
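To make the exchange described above concrete, here is an added example (not VirusTotal's code, manifest format or API) of the two halves of a clean-file checksum exchange: the developer side walks a release tree and records a SHA-256 for every shipped file, and the antivirus side indexes those hashes and consults the index before raising a heuristic detection. The manifest layout, the `TrustedSourceIndex` class, the verdict labels and the release files are assumptions constructed for illustration.

```python
"""Hash-manifest sketch of the clean-file metadata exchange idea behind
TRUSTED SOURCE.  Added example: not VirusTotal's code, format or API.
The manifest layout, the TrustedSourceIndex class and the verdict labels
are assumptions made for illustration."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, vendor, product, version):
    """Developer side: walk a release tree and record a SHA-256 for every file.

    The dict layout is hypothetical; the point is that the developer submits
    hashes of *every* shipped file, not only the main executable."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {"vendor": vendor, "product": product, "version": version, "files": files}


class TrustedSourceIndex:
    """Antivirus side: manifests indexed by hash, consulted before a verdict is raised."""

    def __init__(self):
        self._by_hash = {}

    def ingest(self, manifest):
        for rel, meta in manifest["files"].items():
            origin = (manifest["vendor"], manifest["product"], manifest["version"], rel)
            self._by_hash.setdefault(meta["sha256"], []).append(origin)

    def lookup(self, digest):
        return self._by_hash.get(digest.lower(), [])


def classify(index, path, heuristic_hit):
    """Combine a (simulated) heuristic verdict with the trusted-source allowlist.

    Only a byte-identical file matches: a single changed byte, whether an
    infection or a legitimate patch, yields a different digest and no match."""
    matches = index.lookup(sha256_file(path))
    if heuristic_hit and matches:
        return "suppressed-false-positive", matches  # would be reported back to the developer
    if heuristic_hit:
        return "detected", []
    return "clean", matches


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed release tree and scan targets; returns the verdicts for checking."""
    app = b"MZ" + b"\x00" * 62 + b"constructed demo binary, not a real PE"
    with tempfile.TemporaryDirectory() as release, tempfile.TemporaryDirectory() as scan:
        _write(release, "bin/app.exe", app)
        _write(release, "lib/helper.dll", b"constructed helper library")
        _write(release, "README.txt", b"abc")
        manifest = build_manifest(release, "ExampleSoft", "ExampleApp", "1.0.0")
        index = TrustedSourceIndex()
        index.ingest(manifest)

        _write(scan, "app.exe", app)                        # genuine copy
        _write(scan, "app_tampered.exe", app[:-1] + b"!")   # one byte differs
        return {
            "readme_sha256": manifest["files"]["README.txt"]["sha256"],
            "genuine_hit": classify(index, os.path.join(scan, "app.exe"), True)[0],
            "tampered_hit": classify(index, os.path.join(scan, "app_tampered.exe"), True)[0],
            "genuine_clean": classify(index, os.path.join(scan, "app.exe"), False)[0],
            "origin": classify(index, os.path.join(scan, "app.exe"), True)[1][0],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats follow directly from the design. A match only proves that the file is byte-for-byte what the submitter shipped, not that it is harmless, which is why such a scheme has to be restricted to vendors whose clean status is vetted. And because any modification produces a different digest, the allowlist only helps for vendors that can submit every build they release, which is one reason the initiative targets large software companies.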

Building such a database in cooperation with large companies will undoubtedly benefit antivirus vendors and their customers, that is, all of us. This approach should reduce the number of false positives, and when an antivirus product does classify a clean file as malicious, the application's developer is notified automatically.

The TRUSTED SOURCE project is aimed at large and very large software vendors. It is still in the alpha phase, but Microsoft has already joined, and its participation corrected the mistaken flagging of 6,000 clean files as malware, reducing the number of false positives.

VirusTotal published an example analysis of a clean file that antivirus engines had previously treated as a virus:
https://www.virustotal.com/en/file/a70999ee28e6233ffcadb6cc3967417be4de2678b868fa2d45bdd3f826c7ed48/analysis/

Any large software developer interested in cooperation can contact VirusTotal to exchange metadata. The TRUSTED SOURCE initiative is not aimed at developers of adware and PUP applications.

VirusTotal is a site well known to both users and cybercriminals for scanning files for malicious code. It should not be used for antivirus tests, for at least the several reasons we gave [ here - VT from the kitchen ]. We also encourage you to read this short piece by Zoltan Balazs, researcher at the UK lab MRG Effitas, in which he presents the weaknesses of antivirus products and of VirusTotal itself.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.