Auto-allow if VirusTotal says it is okay


#1

I am still thinking through this, so I am not 100% sure I have thought of all ramifications.

I am trying to reduce how “noisy” GlassWire can be while still retaining as much protection as possible.

How about an option (I don’t think it should default to on) to auto-allow any app that, when submitted to VirusTotal, comes back with a clean bill of health (zero engines think it is malicious)

There is always a chance that the executable could be a brand new malicious program, but not terribly likely. In almost all cases, if VirusTotal thinks it is fine, I am going to allow it anyway.

Perhaps a final refinement - if GlassWire auto-allows an app, it gets checked 24 hours later at VirusTotal (completely invisible to me as a user). If it still comes back clean, it is left on the “allow” list unless/until its hash changes.


#2

Sounds like something that should’ve been a thing since VirusTotal checks are a thing.

Vice versa, I’d like an auto-block for apps that come back from VirusTotal with 1+ (preferably a customizable number) engines thinking it is malicious, and an alert asking to manually allow it and an info button to check the VirusTotal page.
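The two rules proposed in #1 and #2 (auto-allow on a zero-detection result, auto-block once a user-set number of engines flag the file, a silent recheck 24 hours later, and revocation if the executable’s hash changes) can be written down as one small policy. The code below is an added illustration, not GlassWire’s code and not the real VirusTotal API: `ScanResult`, `PolicyConfig`, `NetworkAccessPolicy` and the sample hashes are all constructed for this example, and it assumes the caller has already obtained a per-file verdict summarized as “N of M engines flagged it”.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ScanResult:
    """VirusTotal-style verdict summary (constructed shape, not the real API)."""
    sha256: str        # hash of the file this verdict refers to
    malicious: int     # engines that flagged the file
    total: int         # engines that scanned it
    scanned_at: datetime


@dataclass
class PolicyConfig:
    auto_allow: bool = False            # both options off by default, as proposed
    auto_block: bool = False
    block_threshold: int = 1            # user-configurable engine count
    recheck_after: timedelta = timedelta(hours=24)


@dataclass
class AllowEntry:
    sha256: str
    allowed_at: datetime
    rechecked: bool = False


class NetworkAccessPolicy:
    """Returns 'allow', 'block' or 'prompt' for an executable asking for network access."""

    def __init__(self, config: PolicyConfig) -> None:
        self.config = config
        self.allow_list: dict[str, AllowEntry] = {}   # keyed by executable path

    def decide(self, exe_path: str, current_sha256: str,
               scan: Optional[ScanResult], now: datetime) -> str:
        entry = self.allow_list.get(exe_path)
        if entry is not None:
            if entry.sha256 == current_sha256:
                return "allow"                      # still the binary we vetted
            del self.allow_list[exe_path]           # binary changed: start over
        # No usable verdict (offline, never scanned, or a verdict for a different
        # file): fall back to asking the user instead of guessing.
        if scan is None or scan.total == 0 or scan.sha256 != current_sha256:
            return "prompt"
        if self.config.auto_block and scan.malicious >= self.config.block_threshold:
            return "block"
        if self.config.auto_allow and scan.malicious == 0:
            self.allow_list[exe_path] = AllowEntry(current_sha256, now)
            return "allow"
        return "prompt"   # flagged by some engines but below the block threshold

    def due_for_recheck(self, now: datetime) -> list[str]:
        """Auto-allowed entries whose silent 24-hour recheck is now due."""
        return [path for path, e in self.allow_list.items()
                if not e.rechecked and now - e.allowed_at >= self.config.recheck_after]

    def apply_recheck(self, exe_path: str, scan: ScanResult) -> str:
        """Keep the entry only if the same hash is still clean; otherwise revoke it."""
        entry = self.allow_list.get(exe_path)
        if entry is None:
            return "prompt"
        if scan.sha256 != entry.sha256 or scan.malicious > 0:
            del self.allow_list[exe_path]           # next request goes through decide()
            return "prompt"
        entry.rechecked = True
        return "allow"


def sha256_of(data: bytes) -> str:
    """Hash of the executable's bytes; the allow list is keyed on this, not the path."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    cfg = PolicyConfig(auto_allow=True, auto_block=True, block_threshold=2)
    policy = NetworkAccessPolicy(cfg)
    t0 = datetime(2024, 1, 1, 12, 0)
    h = sha256_of(b"constructed sample binary v1")
    print(policy.decide("app.exe", h, ScanResult(h, 0, 70, t0), t0))        # allow
    print(policy.decide("app.exe", h, None, t0 + timedelta(hours=1)))       # allow (cached)
    print(policy.due_for_recheck(t0 + timedelta(hours=24)))                 # ['app.exe']
    print(policy.apply_recheck("app.exe", ScanResult(h, 1, 70, t0)))        # prompt (revoked)
```

Note that a missing or stale verdict falls back to prompting rather than allowing, and that a later detection by even one engine at the recheck revokes the entry instead of silently keeping it; the block threshold only governs the initial auto-block decision.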


#3

VirusTotal is not an antivirus, it’s a file analysis tool. It’s not meant to be used that way.

But, I guess we could implement a separate antivirus engine and block stuff, but then we’d just be an antivirus I think. I don’t think we want to get into that market.


#4

Thanks Ken

I am curious as to why you say VirusTotal isn’t an antivirus tool. Certainly it can’t be your only antivirus. But does it not check any submitted file with over 60 antivirus programs and report if any of them think it is malware? So, if a program on my computer is trying to access the network and - before it is permitted to do so - GlassWire submits it to VirusTotal, and the results come back negative (none of the engines think it is malware), then isn’t that pretty decent evidence that the file is not malicious?

If I don’t recognize something that GlassWire says is trying to access the network (or for that matter, even if I do recognize it) - my immediate reaction is to see if VirusTotal thinks it is okay. If so, I click the “Allow” in VirusTotal.

But that brings up a question. How do people currently react when GlassWire asks if something should be allowed to access the network? What do you use to make the decision as to whether some program should be allowed or not?

I think this is the fundamental problem with 2-way firewalls - you are sometimes faced with the question to allow or block and you have no idea what the right answer is!

With GlassWire’s use of VirusTotal, I thought I had a really good answer to that question - if VirusTotal thinks it is okay, let it go!

I have anti-virus. But I know it won’t catch everything that is malicious. Although I know VirusTotal is not perfect either, I think if over 60 anti-virus engines give it a clean bill-of-health, that is a better assessment than I think I could come up with on my own (along with my single antivirus program on my computer).

I really am curious.


#5

I am just repeating what VirusTotal has to say.


#6

Thanks again Ken

I get that they don’t want it to appear to be a “comparative analysis” where they are saying one AV engine is better than another. Or that the form of analysis performed is the be-all and end-all of malware detection.

The first engine to pick up a piece of malware one time might be the last the next time.

And a desktop solution may detect something heuristically that VirusTotal will not pick up on.

But VirusTotal certainly is checking to see if something uploaded to it is known as malware to one or more of the AV engines there.

And again, I wonder how people are dealing with it when GlassWire pops up and says something wants to access the network and they do not recognize the program? Personally, I think the VirusTotal analysis is a far better assessment tool than anything else I am capable of doing.


#7

I like your idea of the reverse being possible - auto-blocking if a user-configurable number of AV engines at VirusTotal think it is malware.

Very cool idea.

Again - I think these options should be non-default options.