How effective are signatureless AVs like Panda Dome?

Discussion in 'other anti-virus software' started by rpk2006, Mar 3, 2019.

  1. guest

    guest Guest

    No, it is not reasonable. ESET has a HIPS and plenty of efficient modules, so there is no need to add an anti-exe or anything else, which are by design less efficient...
    This is the kind of kindergarten security BS spread by paranoids and noobs (and I'm staying polite...).

    Average Joe won't even think of adding a 3rd party AV on Win10, so an anti-exe or similar, not a chance; they don't even know what it is...

    There is a difference between multi-engine AVs (which are optimized to work in unison) and stockpiling several standalone AVs.
    Anyway, there are no more "companion" AVs in the traditional sense; even MBAM is taking the road of becoming a full-fledged AV, like Emsisoft did.
     
  2. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Well said :thumb:
     
  3. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    hype? what about AI and machine learning? i believe all conventional AV software is going to die in the not very distant future.
     
  4. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    It is hype because there is no more conventional AV software; it already died some time ago.

    ESET is using machine learning, AI and all the fancy stuff for years, like many other vendors.

    https://www.welivesecurity.com/2017/06/20/machine-learning-eset-road-augur/

    https://securelist.com/five-myths-about-machine-learning-in-cybersecurity/76351/

    https://media.kaspersky.com/en/enterprise-security/Kaspersky-Lab-Whitepaper-Machine-Learning.pdf


    "Traditional/conventional" vendors have some advantages over the new players (the hyped stuff): they have many years of expertise, malware research, robust emulators and unpackers.
    That's why they can offer the optimal balance of malware protection and false positive rate, while covering all infection vectors.
     
    Last edited: Mar 5, 2019
  5. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208

    so, is eset a conventional av or a next gen av? :confused: or something between? :rolleyes:

    when it comes to technology and AI, many years of expertise don't mean that much to me, because when those many years of expertise are based upon a dated, dying field of tech know-how, it means nothing. all it takes is an innovator, a revolutionary visionary like the late Steve Jobs, to dethrone those old players, you know.
     
  6. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Neither, it is a contemporary antivirus/antimalware solution.

    Conventional and next gen antivirus are both marketing terms usually made to hype some new player solution.

    Expertise based upon a "dated, dying field of tech know-how" still matters, because with that data they can train more efficient machine learning models, IOCs and all the stuff that those "next gen" antivirus solutions depend on almost exclusively.

    https://www.microsoft.com/security/blog/2017/05/08/antivirus-evolved/


    I guess we can agree to disagree and move on.
     
    Last edited: Mar 5, 2019
  7. guest

    guest Guest

    About ML (because "AI" isn't real AI, just a fancy marketing term): vendors like Symantec and ESET have used it for a decade; only new players who need some hype to sell their crap spam the word "AI" in their marketing rhetoric.

    Cylance was the smartest: they hyped it so much that they got funded hundreds of millions (the reason for the AI hype), to finally sell it for 1.6 billion.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    A program such as OSArmor is perfect for the original poster. It is a natural complement to most AVs and at default settings works quite smoothly. Much easier than configuring ESET.
     
  9. guest

    guest Guest

    OP doesn't need additional software; he just has to spend a little time learning how to configure ESET a bit tighter than default. The HIPS monitors way more items/areas than any anti-exe like OSA will ever be able to.
    It doesn't take months, and he will gain better knowledge of his system as a bonus...
    "Learn to fish and you will survive; wait for people to fish for you and you will die starving."
     
  10. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    NVT OSArmor and SysHardener are great tools, they can be used in almost all kinds of setup, but that doesn't mean they are necessary.
    I think ESET is a complete security solution that has everything needed to protect against the malware landscape, so it is a matter of choice.

    There are some folks who say that ESET isn't good at default settings. I really disagree with that; I think it has one of the best default settings, almost a perfect balance between performance, false positive rate and usability.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    @guest is right. If the OP can, it is better to invest a little time and energy in these things, and learn how they work. It pays off.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I am going to try to simplify things. The debate between the Next Gens and the conventional AV vendors is not about machine learning. All the major AV vendors have numerous blog postings that state they have been doing ML for years: https://www.welivesecurity.com/2017/04/25/machine-learning-math-cant-trump-smart-attackers/ .

    The debate is about how ML is applied and the effectiveness of that application. Also, the real motivation behind the Next Gens is not security but maximizing their profits.

    The major AVs apply ML via what can best be described as "smart" signatures, in combination with detection of known malware behavior via HIPS or equivalent rules. These methods have been shown over time to be the most effective at positively identifying malware with the lowest number of false positive detections. There are two main issues with this approach:

    1. It is a costly process to maintain, therefore decreasing profitability.
    2. True 0-day malware - not polymorphic versions of existing malware - can evade detection. Therefore, "mean response time to detection and remediation" becomes a very important factor in evaluating a conventional AV vendor's protection capability.

    The Next Gens, on the other hand, seized upon recent advances in probabilistic mathematics and the increased, low-cost, readily available PC computational capability to perform machine learning by developing behavior algorithms to detect existing and new malware. Once the algorithms are developed and tested, no further software maintenance is required except for "retuning" of the algorithms over extended periods to reflect OS and hardware upgrades. This obviously greatly reduces software maintenance costs for the Next Gens, increasing their profitability. Disadvantages of this approach are:

    1. Higher false positive rates than those produced by the conventional AV vendors.
    2. Detection "gaps" in "grayware" areas such as PUPs and PUAs, and in areas where malicious versus legitimate behavior is difficult to differentiate, such as script code run from the various legitimate script engines. Also, "living off the land" misuse of legitimate Windows system binaries could be problematic, as it also is for conventional AV solutions.

    The most important point in evaluating the Next Gens' malware detection capability using these algorithms was to validate how they would perform against future malware, and the future time horizon over which the algorithms remained effective. SE Labs performed such a test last year against Cylance: https://www.cylance.com/content/dam/cylance/pdfs/reports/SELabsPredictiveMalwareResponseTestMarch2018Report.pdf. The main points to note in reviewing the test results are:

    1. This was a Cylance "commissioned" test and they did dictate certain conditions and settings, although SE Labs was unconstrained in malware sample selection.
    2. The sample size was small and, for me, targeted toward the major prevalent malware at the time: ransomware, etc.

    Cylance scored 43/45, which is on par with the major AV vendors' detection percentages, thereby validating the effectiveness of the predictive algorithms used in their detection engine.
     
  13. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    That's a very reasonable assessment. On the false positives thing, and this is only anecdotal, I don't find that the rate of false positives is greater than with other vendors, but rather that certain kinds of files are consistently detected as false positives. BattlEye anti-cheat, and for some reason only Ubisoft's implementation of it, is consistently flagged whenever a newer version is pushed to players. I would also get PUP detections on small indie games, but that hasn't happened in a very long time, and I suspect they may have turned off the PUP.Game classification for non-enterprise customers. There's also a certain file associated with the Ubisoft game client that Cylance doesn't like for whatever reason, so every time a new version is released it'll quarantine it, then query the cloud service and put it back once it's determined it is safe. It'll do this periodically until you add the file to the global safe list in your Cylance console.
     
    Last edited: Mar 5, 2019
  14. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Nice summary. The problem is that those next gen "AI" malware detections aren't that smart (Cylance, for example).

    https://www.mrg-effitas.com/research/testmyav-an-independent-next-gen-testing-vendor/


    Cylance will detect almost everything that isn't very well known (like Microsoft Office, the most used browsers/media players/PDF tools) as malware or as a suspicious file. I tried it for some months and it is simply ridiculous.

    If you are a gamer, for example, expect Cylance to quarantine your files often, saying it's malware or an abnormal file.
     
  15. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    Microsoft office isn't well known? Like there are false positive issues but you don't need to straight up make stuff up.

    I've never had it detect office, any browser I've ever used, and I have never seen it detect media players at all. I guess if you're pirating office it might throw up a flag, but if you're doing that IMO Cylance is in the right. Those keygens are shady.
     
  16. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    It won't, because those are the very well known files; the rest will be detected.

    Maybe I wasn't clear, English isn't my native language, but everything that isn't Office/the most used browsers/media players/PDF tools/popular utility tools will be detected as malware.

    Edit: I saw that you edited your post. I am not using any pirated software; I had detections on legit Steam games (like Tree of Savior) and system tools like Jump DNS Changer.

    Take a look at this article and you will understand why there are so many false positives.

    https://www.mrg-effitas.com/research/testmyav-an-independent-next-gen-testing-vendor/
     
    Last edited: Mar 5, 2019
  17. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    Oh my bad. I thought you were saying it would detect those. I think it's gotten a lot better about that over the few months I've been using it. I've been in the Alpha tests for certain games and it hasn't thrown up any warnings on those and they're brand spanking new.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Also, Cylance's own installer recommends it be the only AV product installed on the device. Therefore it is not suitable to use as supplementary security protection.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I wasn't aware of the MRG blog postings noted above. It appears to me that at the time MRG was testing, i.e. 12/2016, Cylance had not completed its Win10 AMSI interface. Without that interface, they would not have been able to interface with script execution and wait for the scripts to "decloak" in sandboxed memory to examine them. Hence their blocking of packed/encrypted scripts regardless of whether they contained malicious content.

    However, by April 2018 it appears they had implemented their AMSI interface, as evidenced by this posting on how to actually code your own such interface: https://threatvector.cylance.com/en...anti-malware-scanning-interface-provider.html. In other words, the commercial CylanceProtect version is able to monitor scripts for malicious activity rather than blocking the script outright if it is packed or encrypted. One question in this regard is how it performs against obfuscated PowerShell scripts.
     
  20. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Cylance only scans Portable Executable (PE) files, so the AMSI interface implementation doesn't work like other solutions and has no impact on the generic, "non-signature" based detection of packers.

    CylanceProtect has the Script Control module that can block all supported scripts (PowerShell/Active Scripts/Office macros). It doesn't analyse the script (obfuscated or not), it simply blocks it, so it should be good in the protection department, but there is no advanced or alien technology here.

    More info:
    https://www.cylance.com/content/dam/cylance/pdfs/feature-focus/Feature_Focus_CylancePROTECT_Script_Control.pdf

    That's not how Cylance works; it is pre-execution only, so your "scenario" isn't applicable at all.

    About the Pre Execution engine that Cylance uses:
    https://www.cylance.com/content/dam/cylance/pdfs/white_papers/PreventionvsDetectandRespond.pdf

    https://threatvector.cylance.com/en_us/home/cylance-vs-universal-unhooking.html
     
    Last edited by a moderator: Mar 5, 2019
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Reading the .pdf, it appears they are using AMSI and just built a GUI interface to it to allow you to specify whether you want to be alerted or to auto-block the script execution. If the alert option does not have allow-rule creation capability, this would be a show stopper in many Enterprise environments, which create their own PowerShell scripts for maintenance and monitoring purposes.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Also of note is whether Cylance, in any version, employs a Win 10 ELAM driver as the major AVs like ESET and Kaspersky do. The purpose of this is to load the security solution's kernel mode driver prior to any non-device kernel mode drivers, to monitor for rootkit and other malicious driver activity at boot time.
     
  23. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Good question, I will check it later.
     
  24. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    @itman

    I checked here and there is no ELAM driver for Cylance.
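
    As an added example (not part of the thread, and not Cylance's or ESET's code), the "is there an ELAM driver" check above can be made reproducible. Windows requires ELAM drivers to be boot-start services (Start = 0) in the "Early-Launch" load-order group, and Microsoft signs them with the Early Launch Antimalware EKU (OID 1.3.6.1.4.1.311.61.4.1); the PowerShell below lists those services, checks each binary for that EKU, and reads the Boot-Start Driver Initialization Policy if Group Policy has set it. It assumes Windows 10 or later and the registry path the "Boot-Start Driver Initialization Policy" Group Policy setting writes to; both locations are readable from a non-elevated shell, and any service key the ACL hides is skipped.

```powershell
# Added example, not from the thread: list the ELAM drivers registered on this host.
# ELAM drivers must be boot-start services in the "Early-Launch" load-order group and
# must carry the Early Launch Antimalware EKU in their Authenticode certificate.
$ElamEku = '1.3.6.1.4.1.311.61.4.1'   # Early Launch Antimalware Driver EKU (Microsoft)

function Get-ElamDriver {
    [CmdletBinding()]
    param()

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.Group -ne 'Early-Launch') { return }   # 'return' skips to the next service

        # ImagePath comes in several shapes: \??\C:\..., \SystemRoot\system32\..., or
        # relative to the Windows directory (system32\drivers\WdBoot.sys).
        $image = [string]$p.ImagePath
        $image = $image -replace '^\\\?\?\\', ''
        $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($image -and -not [IO.Path]::IsPathRooted($image)) {
            $image = Join-Path $env:SystemRoot $image
        }
        $image = [Environment]::ExpandEnvironmentVariables($image)

        $signer = $null; $hasEku = $false
        if ($image -and (Test-Path -LiteralPath $image)) {
            $sig    = Get-AuthenticodeSignature -FilePath $image
            $signer = $sig.SignerCertificate.Subject
            $hasEku = [bool]($sig.SignerCertificate.EnhancedKeyUsageList |
                      Where-Object ObjectId -eq $ElamEku)
        }

        [pscustomobject]@{
            Service   = $_.PSChildName
            Start     = $p.Start        # 0 = boot-start, which ELAM requires
            ImagePath = $image
            Signer    = $signer
            ElamEku   = $hasEku
        }
    }
}

Get-ElamDriver | Format-Table -AutoSize

# The policy that decides which boot-start drivers ELAM lets load. Only present when set
# through Group Policy; unset means the default (good, unknown, and bad-but-boot-critical).
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($pol -and $null -ne $pol.DriverLoadPolicy) {
    "DriverLoadPolicy = $($pol.DriverLoadPolicy)  (0 good only, 1 good+unknown, 3 good+unknown+bad-critical, 7 all)"
} else {
    'DriverLoadPolicy not configured (default applies)'
}
```

    On a stock Windows 10 machine the table shows Microsoft Defender's WdBoot service (WdBoot.sys) with ElamEku = True; a product that ships its own ELAM driver shows up as a further row, and its absence is exactly the negative result reported in the post above. Keep the scope of the check in mind: ELAM only vets boot-start drivers loading before it, so it is a rootkit-at-boot control and says nothing about drivers loaded later, which is what HVCI and the Microsoft driver blocklist address.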
     