VirusTotal can now scan and analyze potentially malicious scripts using AI
Because nothing these days seems to work anymore without ML algorithms

By Alfonso Maruccia
In context: Launched in 2004 by Spanish security company Hispasec Sistemas, VirusTotal is a renowned online scanning system that aggregates many third-party antivirus engines (we use it at TechSpot to scan all files listed in our downloads section). Google acquired the service in 2012, and now the company is doing what everyone else in tech is doing these days: adding AI-powered features to its scanning capabilities.
VirusTotal Code Insight is a new feature of the malware scanning service, an AI-based functionality that can generate natural language summaries of code snippets "with ease." VirusTotal founder Bernardo Quintero described the feature as a way to empower security experts with "deeper insights" into the analyzed (and potentially malicious) code, so that mere humans can enhance their ability to detect and mitigate potential threats.
AI and machine learning algorithms have played a crucial role in malware analysis and cybersecurity for quite some time, Quintero remarked, and recent advancements in large language models have pushed the AI role in the anti-malware business even further. Code Insight's ability to analyze high-level code comes from Sec-PaLM, a specialized LLM fine-tuned for security use cases and security intelligence applications.
Sec-PaLM is part of Google Cloud Security AI Workbench, a new extensible platform introduced at the 2023 edition of the RSA Conference. The AI Workbench provides enterprise customers and security professionals with everything they need to tackle what Google calls "three top security challenges" of today's marketplace: threat overload, toilsome tools, and talent gap in malware analysis.
For now, VirusTotal's Code Insight can only analyze "a subset of PowerShell files" submitted to the service. Files that are too large or highly similar to those already scanned are excluded, Quintero explained, so that analysis resources are used efficiently to scan "only the most relevant files" (such as PS1 PowerShell files). Support for additional formats will be added in the coming days.
Another limitation of Code Insight is that the AI-powered scanner doesn't have access to antivirus results or other VirusTotal metadata, relying solely on the content of the file being processed. For this reason, and because LLM algorithms are as "intelligent" as any other computer program, Code Insight's performance may vary on a "case-by-case basis" and it can include judgment errors with false positives or false negatives.
Therefore, as with any other LLM application, Code Insight needs to be overseen by a human security analyst. The script scanning response needs to be interpreted and combined with other contextual information to have any practical use, Quintero suggests, while attackers and cybercriminals will likely develop "new evasive strategies" to fool VirusTotal's new AI scanning capabilities.