VirusTotal, a popular online file scanning service that analyzes files and URLs for the identification of malware, is now executing suspicious Mac apps inside a sandbox to improve its analysis and detection of Mac malware. VirusTotal now extracts behavioral information from scanned Mac executable files, an important step forward for the Google-owned file scanning service.
Until now, VirusTotal only performed a static scan of user-submitted files without executing them. "This left out an important component of modern malware testing – behavioral analysis," said Lucian Constantin at PCWorld.
Behavioral analysis is how Mac anti-virus software, including Intego VirusBarrier, keeps an eye on suspicious activities performed by applications. When being analyzed, if any Mac application does anything suspicious that could be considered abnormal — such as deleting a large number of files, for example — trusted anti-virus products like VirusBarrier would alert its users.
Lucian Constantin further described the importance of behavioral analysis and how it can help security researchers and Mac users make better decisions about suspicious files. He said:
Since VirusTotal only used static scanning, its reports never were an accurate reflection of a malicious file's detection rate across antivirus products, even though many people interpreted them as such. […] In an attempt to complement their static analysis reports with more information that could help users, security teams and researchers make better decisions about suspicious files, VirusTotal added behavioral information for Windows executables in 2012. […] The same capability was added in 2013 for Android apps and, as of Tuesday, is also available for Mach-O executables, DMG files, or ZIP files containing Mac apps.
VirusTotal now extracts information with the use of sandboxing — by running executable files inside a controlled environment — in order to produce behavioral reports. VirusTotal team member Karl Hiramoto said in a blog post that users have three options to scan suspicious files:
Security researcher David Harley, who has been one of the most outspoken critics of using VirusTotal scans to make claims about the performance of anti-virus products, believes the new behavioral analysis offers real value added to the service. On his blog, Harley wrote:
While I still don’t in the least regard submission to VT as a substitute for competent product testing, it has, for instance, adopted a form of sandbox testing analogous to the way in which some anti-malware scanners and other sandbox products and services implement behavioural detection. […] This perhaps blurs the distinction slightly between VirusTotal’s service and other security services in a way that might cause further confusion among pseudo-testers. But that’s not VT’s fault, and I think the value added to its services more than compensates.
Considering the increase of potentially unwanted Mac OS X applications, such as adware or other spyware, VirusTotal’s addition of sandbox testing is certainly an improvement.