Why the VirusTotal Policy Change is a Non-Event for SentinelOne

By now many of you have heard the surprise policy decision made by VirusTotal that effectively shuts out next-generation endpoint protection companies like SentinelOne from accessing its service. The news was first leaked by a director on Malwarebytes’ board, and later amplified by Trend Micro’s CTO, Raimund Genes. (Are we surprised?) This aggressive promotion naturally led many to believe this change was the result of an orchestrated coup on the part of the traditional AV vendors who feel threatened by the rise of companies like SentinelOne, Crowdstrike and Palo Alto Networks. Whether this was an orchestrated attempt or not, we may never know. Once the dust settles, people will understand that this is a non-event for companies like SentinelOne for the following reasons.

VirusTotal Touches a Very Small Part of our Next Generation Platform

For example, SentinelOne uses a unique Dynamic Behavioral Tracking (DBT) engine that runs on the endpoint and uses advanced machine learning to detect malicious patterns in real-time as applications and code execute on a device. We do this across Linux, OS X and Windows-based systems using our own proprietary, patent-pending technology to monitor execution, from both the kernel and user space. This serves as the backbone of our detection engine for all threats – known and unknown – and works autonomously even when the system is offline from the network. Meaning no connection to the cloud is needed, no hashes, no static signatures. Just good hard behavioral-based detection followed by a series of automated mitigation and remediation actions. No VirusTotal here.

Where the VirusTotal policy does come into play is with a feature we call “Cloud Intelligence” that provides a way to crowdsource legacy “known” threats and share this information with SentinelOne customers so they can block threats pre-execution. This intelligence is collected from our client base (as they opt-in), as well as from third party reputation feeds like VirusTotal (they’re actually one of seven vendors we use). Cloud Intelligence is not part of our primary DBT detection engine. Its purpose is to validate hashes out-of-band, independent of our behavioral-based engine.

Where There’s a Will There’s a Way

When VirusTotal reached out to us with the new policy change – we thought it wasn’t even applicable to us. The policy specifically called out “scan engines”. SentinelOne never was, and never will be a “scan engine”. We don’t scan files and we don’t use signatures. We inspect code execution, regardless of its source (exploits and memory based attacks anyone?), and this is also what makes our efficacy that much greater and better when dealing with advanced threats.
VirusTotal later insisted that their policy was in fact applicable to us, we said – “no problem” – let’s figure out a way to link our interfaces so you can take advantage of what we’re detecting. This requires some creative thinking as we’re not a command line, static signature scanner.

We need a live system, and we need the malware sample to run. Silence was deafening.

So here we are. It seems the drama caused by Malwarebytes and Trend Micro has compelled VirusTotal to reevaluate their position. They’ve now indicated “we’re willing to work with you so you can be included in our engine list, and you can come with your infrastructure…”. We’ll keep you posted on how this develops. From our standpoint we remain ready and willing to work together. (Always have). But at the same time we have to look out for the best interests of our customers. For that reason, we didn’t waste any time replacing the VirusTotal feed with another reputable provider.

If you’d like further details – or would like to see a demo of how Cloud Intelligence and our Dynamic Behavior Tracking engine work, feel free to contact us. We’d be happy to walk you through it.