Researchers Easily Trick Cylance's AI-Based Antivirus Into Thinking Malware Is 'Goodware'

guest · Jul 18, 2019

Researchers Easily Trick Cylance's AI-Based Antivirus Into Thinking Malware Is 'Goodware'
July 18, 2019
https://www.vice.com/en_us/article/...d-antivirus-into-thinking-malware-is-goodware

Artificial intelligence has been touted by some in the security community as the silver bullet in malware detection.
One of its biggest proponents is the security firm BlackBerry Cylance, which has staked its business model on the artificial intelligence engine in its endpoint PROTECT detection system [...]

Instead, the researchers developed a “global bypass” method that works with almost any malware to fool the Cylance engine. It involves simply taking strings from a non-malicious file and appending them to a malicious one, tricking the system into thinking the malicious file is benign.

“As far as I know, this is a world-first, proven global attack on the ML [machine learning] mechanism of a security company,” says Adi Ashkenazy, CEO of the Sydney-based company Skylight Cyber, who conducted the research with CTO Shahar Zini.

Martijn Grooten, editor of Virus Bulletin, [...] wasn’t surprised by the findings.
“This is how AI works. If you make it look like benign files, then you can do this,” Grooten told Motherboard.
Click to expand...

Cylance, I Kill You!

Read about our Journey of dissecting the brain of a leading AI based Endpoint Protection Product, culminating in the creation of a universal bypass
Click to expand...

Krusty · Jul 18, 2019

@VoodooShield ?

guest · Jul 19, 2019

BlackBerry Cylance to rush out a fix for anti-virus bypass exploit
July 19, 2019
https://www.computing.co.uk/ctg/news/3079287/blackberry-cylance-security-patch

BlackBerry Cylance has acknowledged the threat posed by an exploit to its anti-virus software, which supposedly uses artificial intelligence (AI) to identify potential threats, and has pledged to rush-out a fix.
However, users will have to wait until next week before the hot-fix is available.

In a statement, the company said: "BlackBerry Cylance is aware that a bypass has been publicly disclosed by security researchers. We have verified there is an issue with CylancePROTECT, which can be leveraged to bypass the anti-malware component of the product.
"Our research and development teams have identified a solution and will release a hotfix automatically to all customers running current versions in the next few days."
Click to expand...

itman · Jul 19, 2019

mood said: ↑

Researchers Easily Trick Cylance's AI-Based Antivirus Into Thinking Malware Is 'Goodware'
Click to expand...

Nothing really new. There are plenty of Cylance by-passes like this one: https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/ . You just have to look for them.

guest · Jul 19, 2019

As I always said here Ai is just marketing trick to appeal noobs. Ai alone can't do much compared to other and even older solutions.

Rasheed187 · Jul 20, 2019

guest said: ↑

As I always said here Ai is just marketing trick to appeal noobs. Ai alone can't do much compared to other and even older solutions.
Click to expand...

I believe this is a quite painful exploit, I had high hopes for AI. But this might seriously damage the way people see AI and machine learning. Or perhaps Cylance simply didn't design it properly.

itman said: ↑

Nothing really new. There are plenty of Cylance by-passes like this one: https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/ . You just have to look for them.
Click to expand...

I believe this article is not about exploiting AI, but they bypassed Cylance behavior monitoring part.

guest · Aug 2, 2019

Cylance Antivirus Products Susceptible to Concatenation Bypass
Vulnerability Note VU#489481
August 1, 2019
https://kb.cert.org/vuls/id/489481/

Overview
The Cylance AI-based antivirus product, prior to July 21, 2019, contains flaws that allow an adversary to craft malicious files that the AV product will likely mistake for benign files.
Impact
An attacker can easily and significantly improve their malware's defense evasion against affected antivirus products. Unsophisticated attackers can leverage this flaw to change any executable to which they have access; the defense evasion does not require rewriting the malware, just appending strings to it.
Solution
Cylance has issued and automatically deployed a patch. Affected products that have connected to Cylance's services since July 21, 2019, should have silently applied the patch.
Consider applying workarounds as well as the patch, because it is unclear whether or not this patch protects against all similar easy methods for forced misclassifications of malicious files.
Click to expand...

Log in or Sign up

Researchers Easily Trick Cylance's AI-Based Antivirus Into Thinking Malware Is 'Goodware'

guest Guest

Krusty Registered Member

guest Guest

itman Registered Member

guest Guest

Rasheed187 Registered Member

guest Guest

Log in or Sign up

Researchers Easily Trick Cylance's AI-Based Antivirus Into Thinking Malware Is 'Goodware'

guest Guest

Krusty Registered Member

guest Guest

itman Registered Member

guest Guest

Rasheed187 Registered Member

guest Guest

Useful Searches