Ever Heard of Cylance?

Discussion in 'other anti-virus software' started by kerykeion, Dec 31, 2015.

  1. @boredog

Thanks for sharing. AVs used to watch writes to block file infectors (which, in a different way, is topical again with recent ransomware). They probably have a driver guarding disk writes. When the hash matches a cloud lookup, they set an ACL, which prevents you from executing or changing it. To be honest, this is a brilliant idea of Cylance.

The write filter just monitors PE writes; when the write is finished it starts a process which checks the PE hash in the cloud, and depending on the result it changes the Access Control List. It is an asynchronous process, so it won't bog down your system or clash with other processes. Maybe it checks for trusted installers to whitelist system-critical processes without ever doing a cloud hash lookup or AI analysis, to make it safer and faster. It acts as an early-warning assistant to the execution monitor of Cylance.

The execution controller of Cylance has to do the same thing, but due to the preprocessing at disk write, 90% of the new executables will already be analyzed and neutralized. That is why they talk about low system impact.

    Again thanks for the info, I can now understand why Cylance brags about performance.

Regards, Kees
     
    Last edited by a moderator: Jun 23, 2016
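The pipeline Kees sketches above (a filter sees a PE write complete, a hash lookup runs off the write path, and a hit is neutralised by an ACL rather than by blocking the writer) is easy to prototype. The block below is an added illustration written for this thread; it is not Cylance code, and the hash algorithm, the in-memory table that stands in for the cloud lookup, the sample bytes and the `icacls` deny form are all assumptions, not something the post states.

```python
"""Toy write-filter pipeline: PE check -> async hash lookup -> deny-execute ACL.
Added example, not Cylance's implementation. The 'cloud' is a local dict and
SAMPLE_PE is a constructed header-only blob, not a real binary."""
import hashlib
import os
import struct
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed sample: MZ stub, e_lfanew -> "PE\0\0", 20 zero bytes of COFF header.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
SAMPLE_TXT = b"just a text file, never looked up"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for the cloud reputation service (hash -> verdict), seeded with the sample.
CLOUD_REPUTATION = {sha256_hex(SAMPLE_PE): "malicious"}


def is_pe(data: bytes) -> bool:
    """Cheap pre-filter so only PE writes cost a lookup: MZ magic plus a valid PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def deny_execute_command(path: str):
    """icacls command that denies Execute and Write to Everyone. The well-known
    SID S-1-1-0 (with the '*' prefix) is used so the call is locale-independent."""
    return ["icacls", path, "/deny", "*S-1-1-0:(X,W)"]


def quarantine_by_acl(path: str):
    """Apply the deny ACE when the file exists on Windows; otherwise just report the command."""
    cmd = deny_execute_command(path)
    if sys.platform == "win32" and os.path.exists(path):
        subprocess.run(cmd, check=True)
    return cmd


def on_write_complete(path: str, data: bytes) -> str:
    """Analysis step that runs off the write path, after the write has finished."""
    if not is_pe(data):
        return "ignored"                      # non-PE writes never trigger a lookup
    verdict = CLOUD_REPUTATION.get(sha256_hex(data), "unknown")
    if verdict == "malicious":
        quarantine_by_acl(path)               # file stays on disk but cannot run or be modified
        return "blocked"
    return verdict                            # benign/unknown: left to the execution monitor


_pool = ThreadPoolExecutor(max_workers=2)


def submit_write(path: str, data: bytes):
    """Filter-driver stand-in: the writer is not held; the verdict arrives asynchronously."""
    return _pool.submit(on_write_complete, path, data)


if __name__ == "__main__":
    futures = [submit_write(r"C:\Temp\dropper.exe", SAMPLE_PE),
               submit_write(r"C:\Temp\notes.txt", SAMPLE_TXT),
               submit_write(r"C:\Temp\dropper2.exe", SAMPLE_PE + b"\0")]
    for f in futures:
        print(f.result())
```

Two properties of the design are visible here: the writer returns before the verdict exists, so a fast dropper can still launch the file in the window before the ACE lands (which is why an execution monitor is still needed), and the lookup is an exact hash, so the same sample with one extra byte falls through to "unknown".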
  2. boredog

Kees, thank you very much. It is hard these days to get any respect here at Wilders. "Rodney Dangerfield"
And here are Cylance's videos, to be fair. Look at the bottom of the page. They are using a VM.

    https://www.cylance.com/products-protect
BTW: I did re-watch the video and they are not using the business solution for comparison; they were using the basic Cylance Protect. At least it looked that way to me.
     
  3. boredog

As a side note for Dell.

This video is about Dell's SonicWall from last year. I think the two dudes are smoking something way better than I have. Enjoy.
CryptoLocker.

    https://www.youtube.com/watch?v=aOcHSPp1BU4
     
  4. SweX

    Is there someone here that does not respect you ?
     
  5. boredog

Bo, I think those that do not know who I really am do not respect my posts, even though I am on my last gray matter cell :D
     
  6. itman

    A bit more info on the Sophos video:

    Next-gen, signatureless, and Cylance

    Last week I watched a presentation from our SVP and GM of the Enduser Security Group, Dan Schiappa. Now, those of you who know Dan know he is truly passionate about security – and as the former head of Windows security for Microsoft and a Division GM at RSA, he knows a thing or two about the topic.

    In his presentation, Dan addressed the “next-gen” endpoint protection claims that are being made by many new security vendors, and in particular a small company called Cylance that has been making some “unbelievable” claims.

    With Sophos aggressively introducing signatureless and next-gen protection into Sophos Endpoint Protection over the last 24 months, Dan wanted to separate myth from reality. He shared a deep analysis of Cylance and unveiled how the product *actually* performs against both today’s threats and against their own claims.


    Ref.: https://blogs.sophos.com/

     
  7. boredog

    itman

All I ask is that a test, by Sophos even, be done against Dell's new endpoint and not Cylance alone. This would be fair, since Sophos, as someone stated, has been using other vendors' software for the past 24 months. Dell did not buy Cylance; they are just using their product in their endpoint solution.
     
  8. itman

    I think you are referring to this: https://www.dell.com/learn/us/en/vn...vanced-threat-prevention-for-small-businesses

    Just came on the market in mid-June. At $129 per license, it is more than twice as expensive as stand alone Cylance is. As such, I suspect what you have here is a traditional endpoint AV solution with signatures and the like using the Cylance engine as its behavior blocker.

    I will leave it up to the AV lab tests to verify Dell's claims it is 99% effective against all malware. However with its current pricing, it will have a very tough time competing against the rest of the endpoint solution pack.

    -EDIT- Dell claims it doesn't use signatures. Time and further analysis will show if that is indeed true:

    Threat Defense reflects the multi-platform reality of the modern workplace with compatibility on a range of Dell and non-Dell devices. Additional features include:

    • Lightweight Footprint: Threat Defense consumes only one to three percent of CPU resources, a much lower footprint than traditional anti-virus solutions, which means better performance for end users. In addition, as the solution does not rely on signature updates, it does not require a continual network connection to the internet to detect threats.
    • Safe-List Flexibility: To allow for direct control over known secure files and apps, Threat Defense enables administrators to safe-list files at the policy level or via a signed certificate where no threat action will be taken against the file or application.
    • Advanced Script Control and Malware Analysis: Threat Defense offers additional script control that prevents malicious ActiveScripts and PowerShell from running. IT administrators can also upload a suspicious file to the cloud for analysis, enabling them to analyze threat vectors they are facing and take better preventative measures.
     
    Last edited: Jun 24, 2016
  9. guest


  10. boredog

OK, I give.. no sense in even talking about this anymore.
I guess, itman, what you are saying is Dell should have picked Sophos?
     
  11. itman

    I already stated previously in this thread my opinions on why Dell made a financial investment in Cylance. Obviously, using any other product as part of their new endpoint product line-up would have been financially counter productive.
     
  12. itman

    Here's a bit more info on the new Dell endpoint solutions. Appears to me they are going after a targeted market:

    The Dell Data Protection family of products includes:

• Dell Data Protection/Threat Defense. Offers threat protection for Windows-based thin clients such as the Wyse Windows-embedded thin clients. It's designed to work in heterogeneous environments, protecting Windows-based thin clients from Dell or any compatible manufacturer.
• Dell Data Protection/Endpoint Security Suite Enterprise. Although the name is quite a mouthful, this product offers threat protection, authentication and file-level encryption to Windows-based virtual desktops.


    Ref.: https://virtualizationreview.com/articles/2016/05/24/dells-zero-day-malware-prevention.aspx
     
  13. boredog

Thanks itman, very informative.
I sure hope they do come through with their consumer interface that gives me the chance to take control in July.
     
  14. itman

    I will say this about Cylance. I believe there is a place for it in the retail security market. But, not as a stand alone solution.

    What Cylance should be doing is marketing it as an engine to replace the existing heuristics engine in products such as Eset and the like. Heuristic scan detection has always been lacking in its detection capability. Whether this is a viable solution financially, Cylance would have to analyze.

    Also worth noting is marketing of stand-alone behavior blockers has not been financially successful in the past. Case in point is Emsisoft dropping the stand alone version of its behavior blocker.
     
  15. guest

    guest Guest

The video has been made private; I guess Cylance didn't like it and took some legal action :p
     
  16. itman

  17. TonyW

  18. boredog

  19. Nightwalker

    Cylance has made a good point there:

I don't know who is telling the truth, but this response is very interesting.
     
  20. FleischmannTV

    I am so tired of this "next-gen" and "legacy" marketing terminology and how they have to bring it up in E-V-E-R-Y single post.
     
  21. guest


I wouldn't consider Cylance a good endpoint protection since it has only one protection layer and you cannot manage it. I doubt that they are really stealing customers with that approach in big companies.

Smoke and mirrors is what Cylance is.
     
  22. itman

    In this war of words (and video), the only way to find the truth is to test CylancePROTECT in your environment. It costs nothing to test our software in a proof of concept (POC) and it’s the only way to see the truth for yourself.

    Of note is all other endpoint solutions can be trialed w/o any strings attached. No one has the time or desire these days to do a POC for the vendor's benefit.
     
  23. itman

In regards to Cylance's demos of it vs. products x, y, or z, and product x, y, or z vendor-conducted product tests vs. Cylance, they are all non-applicable and irrelevant.

    As noted in Wilders policy, such postings of product a vs. b are not allowed because the methods and procedures can not be verified. The only product tests that are relevant are tests performed by certified third parties such as the AV labs. And of the tests performed to date by such entities show that Cylance was inferior to every product tested against it.

    -EDIT-

    Also noteworthy is that Cylance which participated in the Dec. 2015 AV-Test endpoint comparative, did not do so for the Apr. 2016 one. The lack of participation reason is fairly obvious I would think.
     
    Last edited: Jun 25, 2016
  24. itman

    I found the below posting excerpt on the Cylance blog. I have underlined and highlighted the relevant portions. At least we have an explanation of why in all likelihood, we won't see Cylance participating in future AV lab comparatives. Also striking (falsely) is the "humility" expressed by Cylance that their product is not 100% "bulletproof." This acknowledgement is in stark contrast to their public statements.

In summary, while the AV-TEST shows Cylance is not perfect based on AV-TEST's methodology, we've never said we were perfect. In fact we've gone out of our way to say we are NOT perfect, and never will be. But we will forever pursue the impossible claim of perfection. There is no such thing as a 100% security product. That's just not how security works. We don't believe this test is necessarily representative of our effectiveness in our customers' enterprise environments, nor does it address the problems they face on a daily basis. In the end, don't believe us; don't believe our competitors, just test us in your environment and compare. We've found countless malware and attacks that our customers' previous vendors have completely missed, and every day we prevent the nastiest attacks in the world, protecting our customers better than any other company in the industry.

    Ref.: https://blog.cylance.com/cylanceprotect-is-the-first-signature-less-next-generation-antivirus-to-be-certified-by-av-test
     
  25. GloversFan71

I don't like the way that Cylance advertising says it uses next-gen signatureless detection, and yet, as proven by the final part of the Sophos video, they are clearly using an MD5 hash lookup to verify a file.

For those that missed the video: a widely known malware sample was detected by Cylance and many others, yet when a single byte was added to the end of that file (altering its MD5), Cylance no longer detected it.

MD5 hash checking against an in-the-cloud registry is not signatureless detection, so their marketing claims clearly deviate from their actual operations.
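The one-byte-append trick GloversFan71 describes works against any exact file hash, MD5 or otherwise, because the appended byte lands in the PE overlay (bytes past the end of the last section) and so changes the digest without touching anything the loader maps. The block below is an added illustration for this thread, not code from the Sophos video or from Cylance: it builds a constructed minimal PE (not a real sample), shows the exact-MD5 lookup failing after the append, and shows one way a lookup could survive that specific trick by hashing only the mapped part of the file. The section layout and the deny-list contents are assumptions.

```python
"""Exact-hash brittleness vs. an overlay-stripped hash. Added example; the PE
bytes are constructed here and the deny-lists are seeded from them."""
import hashlib
import struct


def make_minimal_pe(payload: bytes) -> bytes:
    """Constructed PE: MZ stub (e_lfanew=0x40), PE signature, COFF header with no
    optional header, and one section whose raw data is `payload` at file offset 0x80."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumRelocs, NumLines, Characteristics
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                            len(payload), 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(mz) + b"PE\0\0" + coff + section + payload


def mapped_size(data: bytes) -> int:
    """File offset where the last section's raw data ends; anything after it is overlay."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    end = sec_table + 40 * n_sections          # never shorter than the headers themselves
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def overlay_stripped_md5(data: bytes) -> str:
    """Hash only the bytes the loader maps, so trailing junk does not change the digest."""
    return md5_hex(data[:mapped_size(data)])


KNOWN_BAD = make_minimal_pe(b"\xcc" * 64)          # constructed stand-in for the known sample
EXACT_DENYLIST = {md5_hex(KNOWN_BAD)}
STRIPPED_DENYLIST = {overlay_stripped_md5(KNOWN_BAD)}


def exact_lookup_hits(data: bytes) -> bool:
    return md5_hex(data) in EXACT_DENYLIST


def stripped_lookup_hits(data: bytes) -> bool:
    return overlay_stripped_md5(data) in STRIPPED_DENYLIST


if __name__ == "__main__":
    tweaked = KNOWN_BAD + b"\x00"                   # the single appended byte from the video
    print("exact   :", exact_lookup_hits(KNOWN_BAD), exact_lookup_hits(tweaked))
    print("stripped:", stripped_lookup_hits(KNOWN_BAD), stripped_lookup_hits(tweaked))
```

The stripped hash only closes this one door: flipping a byte inside a section, re-linking, or packing the sample still produces a new digest, which is the general limit of any lookup keyed on a file hash. Overlays are also used legitimately (installer payloads, Authenticode signatures), so a real product would treat the overlay as one more input to classify rather than simply ignore it.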
     