Alphabet’s Chronicle security division announced the launch of VirusTotal Enterprise on Sept. 27, providing security professionals with new tools and capabilities to hunt malware.
VirusTotal Enterprise is a new version of the popular VirusTotal online service, combining capabilities that had previously been known as premium features on the platform with new capabilities. Among the new capabilities is a private graph feature that enables enterprises to load their own data to run analysis against the VirusTotal corpus of malware samples. Malware search overall has been accelerated for enterprise users with new capabilities to search using different variables.
“I like to describe VirusTotal as the CDC [Centers for Disease Control and Prevention] lab for malware, where we have all of the world’s scary files locked up safely for legitimate parties to be able to go over and research against,” Mike Wiacek, co-founder and chief security officer of Chronicle, told eWEEK. “As part of that, what we’re building with VirusTotal Enterprise is new functionality and capabilities to … make it easier for security researchers and threat intelligence people, to make it more convenient for them to use the service.”
VirusTotal was acquired by Google in 2012 and became part of Google’s parent company Alphabet’s Chronicle division on Jan. 25.
The regular, freely available public VirusTotal service enables any user to upload a file and have it scanned by more than 70 different security products. The user then gets back a report that identifies if any of the security products identified the uploaded file as being malware. The premium features of VirusTotal that have been expanded with the VirusTotal Enterprise offering builds on the collection of malware that has been collected and makes it available to security researchers.
As part of Chronicle, VirusTotal had already announced on June 20 a new Monitor capability that enables software developers to privately check their own application code in an effort to help reduce positives.
“VirusTotal is continuing to benefit from being part of Alphabet because some of the stuff we’re talking about just comes from scale that would be hard to replicate anywhere else and then it also comes from Chronicle being an enterprise focused company,” Wiacek said. “We’re trying to bring some of that enterprise know how to an area where it hasn’t been before.”
Private Graph
Wiacek said that VirusTotal launched a graph capability earlier this year that enabled researchers to study files, URLs and then the relationships that they have with other files and other URLs, IP addresses and domains. The new Private Graph capability in VirusTotal Enterprise is a way for organizations to generate the same types virus graphs in a private way.
Researchers using VirusTotal Enterprise can upload malware to private graphs to see what the malware is related to and how it connects with other internet resources, Wiacek said. He added that an enterprise user can also use the Private Graph capability to add things to the graph that doesn’t come from the VirusTotal data set. As such, Wiacek said Private Graph enables researchers to blend what they have from their own internal environments with what they can get from the public corpus of malicious software from VirusTotal.
VirusTotal has for several years offered a premium service call VirusTotal Intelligence that enables users to write YARA (Yet Another Recursive Acronym) signatures to search for certain patterns and code strings in malware.
With VirusTotal Enterprise, Chronicle is using a search method known as n-gram, which Wiacek said will speed up the YARA search process by 100x, as well as increase the time range over which YARA searches can be conducted. He said that with n-gram, a user can search over a big chunk of the VirusTotal corpus in seconds. Chronicle has been building a new indexing system to help facilitate the n-gram based search. He said that with n-gram, the search is looking for certain bytes within files, which is different from a traditional metadata search.
“This really changes how users will be able to leverage VirusTotal in terms of understanding threats that are out there, hunting for related samples and trying to see how malware is evolving over time,” Wiacek said. “It’s really a game changer that fundamentally we’re really only able to do because we’re actually part of Alphabet and we have the scale and compute infrastructure.”
Enterprise Management
VirusTotal Enterprise also provides enterprise management capabilities for organizations and their users.
“The practical hygiene part of security that I think is ultimately the most important part of any security practice is simply proper enterprise management,” Wiacek said. “So we’re providing APIs for commercial customers to manage their account with us.”
To that end, VirusTotal Enterprise enables organizations to programmatically add or delete users and also provides integration with enterprise directory systems, including Microsoft’s Active Directory. Chronicle has also added two-factor authentication (2FA) to protect VirusTotal Enterprise user accounts.
In addition, Chronicle has developed a new user interface for VirusTotal Enterprise. Rick Caccia, chief marketing officer at Chronicle, told eWEEK that the new user interface includes enhanced dashboards with a cleaner look that shows more capabilities than ever before. Looking forward, Caccia said there will be additional functionality added to VirusTotal Enterprise and Chronicle will have more products and services coming soon.
“We have more coming around Chronicle. We’ve talked about building these very large-scale data analytics platforms to help companies analyze their data, and you’ll see that coming from us,” Caccia said. “There’s definitely more to Chronicle than VirusTotal. That just happens to be stuff that’s already in market, and so it’s easy to talk about it.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.