Wednesday 17 September 2014

Do You Trust Your Antivirus?

[Figure: WireShark session]

Shortly after publishing my review of Tiranium Premium Security 2014, I got a message from a researcher using the handle Malware1. He claimed that Tiranium abused various online malware-checking websites to bolster its detection rate. His note included links to videos showing an older version of the software connecting to VirusTotal, in particular (though he admitted there is no longer a direct connection). He also supplied what he said were a number of emails from VirusTotal to Tiranium demanding they stop abusing the service.
I checked with VirusTotal, but my contact declined to comment for publication. I had to determine for myself whether this was true, and whether it constituted a problem if so.
What Is VirusTotal?
For those who aren't familiar with it, VirusTotal's public face is a website where you can upload a file to see if it's malicious. The site first generates a hash for the file—a unique mathematical fingerprint. If the hash is already in its database (and most are) it returns the stored results. If not, it checks the file with about 50 major antivirus engines, reporting which flagged the file as malicious. Google acquired VirusTotal about two years ago.
The service goes beyond simply checking files. According to its website, "VirusTotal's mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services." That same page states that "None of the services or applications publicly offered on this site should be used in commercial products, commercial services or for any business purpose. In the same way, none of the services should be used as a substitute for security products."
In other words, a product that simply used VirusTotal's results without independently verifying that the file is malicious would be violating the terms of service. And indeed, a controversial test by Kaspersky Lab several years ago showed that blindly using detection from the website is a bad idea.
Digging With WireShark
According to Malware1, Tiranium first checks a suspect file using its locally installed client. If there's no match, it checks the file's hash on VirusTotal. Only if it gets no results from VirusTotal does it invoke its own behavioral cloud scanner.
To start my investigation, I created brand-new modified versions of my current malware collection, changing the filenames, altering the file size, and tweaking some non-executable bytes. I checked the hash of each file against VirusTotal, to be sure all were absent from the database.
With the WireShark network traffic tracing utility running, I launched a Tiranium scan of the folder containing these files. Strangely, the scan ran for hours but never finished, and the count of files scanned never changed from its initial zero. I learned later that this was because the behavioral cloud server was down for several hours.
Indeed, perusing the WireShark log I could see that Tiranium tried again and again to upload files to the behavioral cloud, each attempt ending in an error. What I did not find was any evidence of a direct connection to VirusTotal, or to any of the other services that had allegedly been used in the past.
Circumstantial Evidence
I moved some of my test files to another folder and submitted them to VirusTotal for checking. In every case a majority of the antivirus engines detected them as malicious; some got near-unanimous recognition as malware.
As soon as all the files were processed by VirusTotal, I immediately scanned the folder with Tiranium. This time it recognized those files as malware right away. When I scanned the remaining files, the ones I hadn't uploaded, the scan stuck, as before. While there was still no direct connection from my computer to VirusTotal, it seems I had established a clear chain of causality.
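The experiment in the two sections above (mutating samples so their hashes are absent from the database, then finding that detection appears only once the service has seen the file) reduces to a simple model. This is an added illustration written for this article, not Tiranium's or VirusTotal's code; the sample bytes, the signature and both detector classes are constructed stand-ins.

```python
import hashlib

# Constructed stand-in for a malicious sample: a marker inside otherwise inert bytes.
SAMPLE = b"MZ" + b"\x00" * 14 + b"EVIL_PAYLOAD_MARKER" + b"\x00" * 13
# Constructed content pattern that a signature-based engine would match on.
SIGNATURE = b"EVIL_PAYLOAD_MARKER"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mutate(data: bytes, padding: int = 1) -> bytes:
    """Tweak non-executable bytes (append padding): content unchanged, hash changes."""
    return data + b"\x00" * padding


class HashLookupDetector:
    """Models a pure cloud hash lookup: it only knows hashes already in its database."""

    def __init__(self, known_hashes):
        self.known = set(known_hashes)

    def is_malicious(self, data: bytes) -> bool:
        return sha256(data) in self.known

    def learn(self, data: bytes) -> None:
        # Models the sample being submitted to the service and analysed upstream.
        self.known.add(sha256(data))


class SignatureDetector:
    """Models a local engine that inspects the file content itself."""

    def __init__(self, signatures):
        self.signatures = list(signatures)

    def is_malicious(self, data: bytes) -> bool:
        return any(sig in data for sig in self.signatures)


def run_experiment():
    """Returns (results before submission, hash-lookup result after submission)."""
    hash_db = HashLookupDetector([sha256(SAMPLE)])   # original sample is already known
    local = SignatureDetector([SIGNATURE])
    variant = mutate(SAMPLE)                          # the "brand-new modified version"
    before = {
        "hash_detects_original": hash_db.is_malicious(SAMPLE),
        "hash_detects_variant": hash_db.is_malicious(variant),
        "signature_detects_variant": local.is_malicious(variant),
    }
    hash_db.learn(variant)                            # equivalent to uploading the variant
    return before, hash_db.is_malicious(variant)


if __name__ == "__main__":
    print(run_experiment())
```

A product whose verdict flips from "unknown" to "malicious" only after the hash has been submitted elsewhere behaves like `HashLookupDetector`, which is exactly the pattern the scans above exhibited.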
Maybe It's OK?
I reached out to my connections in the antivirus industry to see what they thought. One researcher pointed out that antivirus companies can contract with VirusTotal to automatically receive any sample that others detected but their product missed. However, that didn't seem to describe the situation I observed.
More importantly, my Tiranium contact confirmed the use of VirusTotal. "VirusTotal has specific terms of use," he said. "They're sending samples to companies. Tiranium is one of the companies analyzing that, like all others." He went on to note that the time to analyze new samples can vary. "Sometimes this will take hours, sometimes minutes, sometimes days," he said.
Or Maybe Not
The VirusTotal credits page lists all vendors who have "integrated a product, tool or resource in VirusTotal, or have contributed somehow." These vendors have signed an agreement that includes a set of best practices. Tiranium is not among the companies listed. It's not receiving samples from VirusTotal, so its use is not "like all the others."
I've determined to my own satisfaction that the emails supplied by Malware1 telling Tiranium to stop misusing VirusTotal are real. I've seen evidence that at one time the application itself connected directly to VirusTotal for information, which is definitely abuse. But is its current incarnation stealing the work of other vendors, as Malware1 contends? I can't say definitively, but my trust is definitely shaken.
Potentially Unwanted?
Apparently I'm not alone. In a discussion on the well-regarded Wilders Security forum, several members express concern about the product. In fact, at the time of this discussion about eight months ago, a number of well-known antivirus products detected Tiranium as a "potentially unwanted application" that should be removed.
Even now, Kaspersky detects one of Tiranium's two main files as malware, and ESET detects them both. Fortinet identifies Tiranium's website as malicious, as does Webroot's BrightCloud service.
Shady Behaviors
I pointed out this detection to my Kaspersky contact and asked if he could explain why Tiranium was flagged as malware. He dug into the question with significantly more skill than I could muster, and came up with a lot. "They're using more than five different obfuscators to obfuscate their code and there's no digital signature," he said. "It's a little crazy and looks far from legit." There's no smoking gun here, but these and other malware-like behaviors were sufficient to get the product flagged. He also found traffic from the server referencing VT (VirusTotal), Anubis, and VirScan, suggesting some kind of reliance on third-party sources.
The BrightCloud folks couldn't pinpoint the reason that Tiranium's website got flagged as risky. However, they pointed out that Tiranium's IP address is shared with quite a few phishing websites. Google's safe browsing page for the olympe.in domain used by Tiranium had some alarming news: "Of the 1341 pages we tested on the site over the past 90 days, 13 page(s) resulted in malicious software being downloaded and installed without user consent."
I said in my review that Tiranium is a good first effort, but not ready to challenge our several Editors' Choice antivirus products. I now feel that the company needs to both improve the product and regain my trust with professionalism and transparency. Fix the spelling and grammar errors, ditch the obfuscation, digitally sign the executable files, and make sure it integrates with the Windows Action Center. Refrain from any use of third-party products that isn't fully transparent. Separate Web hosting from servers that host malware. For now, I recommend that you stick with our Editors' Choice antivirus products.
