Cylance Smart Antivirus for Home users

Discussion in 'other anti-virus software' started by mekelek, Jul 12, 2018.

  1. davisd

    davisd Registered Member

    Joined:
    Feb 2, 2016
    Posts:
    19
    Location:
    Latvia
The question is: who ever runs scripts? Those who do certainly know they are safe to run for some exact purpose, or inspect them manually first. I prefer CSAV with Hard_Configurator to just completely disable them with SRP and other recommended restrictions applied and Java uninstalled. No chance given to even run. Good luck malware. :rolleyes:
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Malicious scripts can run by other means. For example, wscript can be run from a WMI event. And WMI uses its own script engine, not wscript.exe, to run the script. So you also need to employ something like OSArmor which I believe protects against this.

    Also if the attacker can get remote access to your PC, all he has to do is drop the script on your device and he can run it remotely from his attacker server.
     
    Last edited: Sep 2, 2018
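As an added example for defenders (not from the thread, and not code from Cylance or any product discussed here): a small Python check over constructed process-creation events that flags script hosts started through WMI rather than by a user, the case itman describes above. Field names, the parent allow-list and the sample events are assumptions.

```python
# Added example: review process-creation events for script hosts that were
# launched by WMI (parent WmiPrvSE.exe, or the WMI script host scrcons.exe,
# which runs ActiveScriptEventConsumer scripts) instead of by the user.
# Field names and sample events are constructed for this example.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Processes from which WMI-driven execution originates.
WMI_HOSTS = {"wmiprvse.exe", "scrcons.exe"}
# Parents a home user would normally start a script from (assumed allow-list).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "code.exe"}

def image_name(path):
    """Lower-case file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of reasons this process-creation event looks suspicious."""
    image = image_name(event["image"])
    parent = image_name(event["parent_image"])
    reasons = []
    if image == "scrcons.exe":
        reasons.append("WMI script host scrcons.exe started (ActiveScriptEventConsumer)")
    if image in SCRIPT_HOSTS and parent in WMI_HOSTS:
        reasons.append(f"{image} spawned by WMI host {parent}")
    elif image in SCRIPT_HOSTS and parent not in EXPECTED_PARENTS:
        reasons.append(f"{image} spawned by unexpected parent {parent}")
    return reasons

def scan(events):
    """Map event id -> reasons for every event with at least one reason."""
    return {e["id"]: r for e in events if (r := classify(e))}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 3, "image": r"C:\Windows\System32\wbem\scrcons.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\me\AppData\Local\Temp\unknown.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(reasons))
```

Event 1 (wscript.exe under explorer.exe) is the normal user-launched case and is not flagged; events 2 to 4 are.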
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but what happens after the script runs? Doesn't this script still need to download executables or use OS tools like wscript.exe and powershell.exe, to perform malicious behavior? And why is this so hard to spot for a tool like Cylance?
     
  4. hawaii007

    hawaii007 Registered Member

    Joined:
    May 20, 2018
    Posts:
    27
    Location:
    Hawaii
    If you get CylanceProtect you can set it to block all scripts.
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
David, you seem to be proof for scriptors, but just wanted to make the point that uninstalling Java on your system is meaningless as a protection from JScripts. For those that may be unaware, Java is to JScript as an Apple is to a Maserati.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
No. My favorite way would be to embed my malicious code in a Python script running from a .Net executable that contains the code to run the Python engine within it as noted here: https://www.wilderssecurity.com/thr...re-removal-tools-of-2018.401342/#post-2778821
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
Several off-topic posts removed. The topic of this thread is Cylance Smart Antivirus for Home users.
    Other programs should not be discussed in this thread. And let's keep the discussion civil.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I didn't really understand what's so special about this. AFAIK, a script itself can't do jack without running some executable, so I don't see why anti-malware tools will have difficulty blocking this. Perhaps Cruelsister can give some more info about these "scriptor" attacks.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I figured you would have an issue with this one.

    First, a quick review of Python:
    http://net-informations.com/python/iq/interpreted.htm

All Python needs to execute is to have its "engine" present on the device. In the .Net instance linked in the ref. I posted, the Python engine code is actually embedded in the Python script that is run under .Net control. Belaboring, the only .exe present is a C# one that is run by .Net. C# and C++ programs run via .Net are the "Achilles heel" of security software. If the malware can't be detected by sig. when the C# program is dropped, it is game over.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But it still needs to run an executable right? So you can still stop it via behavioral monitoring and this is what Cylance lacks.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I am not 100% sure how Windows loads .Net executables. I believe it calls .Net which then loads and runs the program in its environment. Most anti-execs I believe are monitoring program startup via the Win program loader.

    As far as behavior monitoring of a .Net executable, I know of no security product capable of doing so since .Net itself is an isolated run environment.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
I do not have a clue what you're talking about. All malware needs to run inside an executable, which should be visible in a tool like Process Explorer. And security tools should be able to pick up any suspicious activity via a behavior blocker. Or am I missing something? I did find this stuff which might be interesting to you:

    https://www.peew.pw/blog/2017/11/24/an-introduction-to-writing-net-executables-for-pentesters
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yikes!

    Remember my Wilders posting a while back where I posted .Net source code for a global keylogger that ran within a PowerShell script?
     
  14. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
It's been a few months since I first installed. Still waiting for my script-based malware infection.
     
  15. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    For that to be an apt comparison I would have to disable Cylance and run bare naked. I was just following itman's advice:

     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Yes, and it needed powershell.exe in order to run, do you now get what I'm saying? All malware needs to run in memory, but when malware is using trusted system executables then it apparently becomes difficult for certain tools like Cylance to spot it, so they need to work on this. And there's nothing magical about script-based attacks, that's all I'm saying.
     
  17. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
People learn only from their own mistakes after all.
     
  18. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
  19. Mmark

    Mmark Registered Member

    Joined:
    Aug 19, 2018
    Posts:
    7
    BlackBerry AV, what a world.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
  22. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
  23. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    Hello Berrylance.
     
  24. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
Nah, it will just disappear and its technology will be somewhat used in whatever BlackBerry is doing; Cylance won't exist.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I guess so, and presumably disappear into obscurity. Unfortunately.

I kinda like(d) its clean and light feel despite all the scepticism from some geeks :cautious:. A good candidate for some layered setups.
     