Cylance Smart Antivirus for Home users

Discussion in 'other anti-virus software' started by mekelek, Jul 12, 2018.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    It also intrigues me because it means that AVs should not need the cloud anymore, which solves the security and privacy risk that is involved with using AVs nowadays. You should only need to update the ML rules once a month or so.

    This is a bummer and deal breaker for me, why can't these guys get it right? They should make a local based GUI for people who don't need to manage multiple devices.

    Exactly, we can always use the browser itself to take care of malicious URLs, and it's all about blocking malware from running. I do wonder though if Cylance AV can detect existing infections; that's not really clear.
     
  2. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219

    My guess is that the remediation isn't as good as something like Webroot, Malwarebytes, etc. It seems to scan the running processes when you install, and it should quarantine anything it identifies as malicious at that point. But there's no way to launch a full system scan. The settings you can choose are fairly limited. There are three in the console: Auto protect against abnormal files. Auto protect against suspicious files and send files to cloud. The program is basically pre-configured and you don't have to tinker with it at all.

    The web console is also where you add exclusions, but like that review above mentioned, there seems to be a bug with the blocking of certain files where it's not listing files that it is blocking. It was blocking an anti-cheat file for me a couple of days ago, and I couldn't whitelist the file it was blocking as I had no idea what it was doing. Support fixed it in a few days, and now it seems to be notifying correctly. You add an exclusion with a file's MD5 or SHA hash in something they call a global safe list for your clients, but I didn't see any option to whitelist a whole folder.

    As I mentioned above, it does manually correct false-positives from files that are white-listed by Cylance. Like the battleye anti-cheat I mentioned above, Cylance will still periodically alert on that file, but it spits it back onto my system when it queries their database with the MD5/SHA hash. I'm speculating here, but it seems to handle false-positives in a strange way. Files white-listed by Cylance are processed online when your client queries their DB with the files hash, but there's also the global safe-list, which I believe is stored somewhere locally. I did have a situation where there was a big delay between the quarantine of the BE file and when it released it, which I guess was a latency issue between my client and their DB, but when I added the hash to my global safe-list the file is allowed instantly. It sort of makes sense as the product seems to operate absent malicious file signatures, and battleye is basically a piece of malware designed to catch cheaters.
     
    Last edited: Jul 21, 2018
  3. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    BattlEye is the biggest malware mankind ever created, no surprises Cylance blocked it.
    Can you granularly configure settings / policies like you could with CylancePROTECT? What to do with detected exploits, scripts, malware, etc., or is it just a few options that have predefined settings?
    Did they get rid of granular configuration for the sake of calling it a home product?
     
  4. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    There's no granularity except for those three options. There's no tab for exploits, scripts and such in the client itself like I've seen in screenshots of the CylancePROTECT client. I'm hoping it handles scripts/exploits in a similar way to the enterprise client, but I'm honestly not sure.
     
  5. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    I'm talking about the web panel; enterprise doesn't have options on the client either, it's all on the web panel.
     
  6. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    I only see those three options I listed above on my web panel.
     
  7. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    I think web-dashboard-based settings are the future; we have so many devices today, desktops, notebooks, tablets, smartphones, smart TVs etc., and various apps syncing across these devices, that trying to control privacy and security on a device-by-device basis is becoming too consuming, expensive and cumbersome.

    Apps like Cylance, SentinelOne, CrowdStrike and DeepArmor, web-dashboard-based enterprise apps, can already control across multiple platforms, and we already have non-enterprise AVs that sell multi-device licenses. The next logical step for these AV companies is to springboard off the enterprise apps and offer a web-based singular control point for all your devices.

    Imagine a version of Cylance for example where you buy say 5 device licenses, and you can install a version of the software on your desktop, your ipad, your iphone, your kids android phone, their playstation or box, your TV have them all being monitored in real time and displayed on a web based dashboard where you can control the type and level of protection and resolution per device and see how and where any infection attempts occurred.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I reread the PC Mag article. I then looked at the pricing for Cylance Home. It then occurred to me its pricing is on par with what Emsisoft's old Mamutu behavior blocker used to sell for, adjusted for inflation.

    Appears to me they are attempting to fill a void in that there are no stand-alone behavior blockers, or HIPS for that matter, currently actively supported. I also believe they don't intend this product as a replacement for a full-feature AV solution. Since it relies solely on AI machine learning algorithms for detection, there should not be any conflict with any other existing security solution except for possible timing conflicts. Note that AVs also perform local heuristic analysis at program execution, so the question is when would Cylance's scanning occur? I assume after the AV has released the process from its local sandbox, but things like this need to be checked out.

    Also as been pointed out in prior postings, Cylance Home appears to be only scanning at process startup time. As such, it won't protect against any process tampering with activities post execution. Also the question is can it detect "sleeper" malware that could trigger in the future? Doubtful.
     
    Last edited: Jul 21, 2018
  9. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    This is how they say it works in comparison to traditional AV:

    https://www.youtube.com/watch?time_continue=95&v=vBS88EURKTI


    I have read where they say it is ok to run a traditional signature based AV along with Cylance, not all AV's work well with it however.

    The two I found compatible were ESET NOD32 and Kaspersky I ran it with Kaspersky since I already had the license. So you could run either of those with Cylance for added insurance.
     
    Last edited by a moderator: Jul 21, 2018
  10. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    I'm not sure specifically how hollow process works, but I'm assuming the file's hash would change, which would trigger a re-scan of the file.

    I've also been noticing that it seems to follow a process's execution chain in a unique way. So if I run the game Fortnite, it spawns the files I've mentioned above associated with the BattlEye anti-cheat. It scans them, clears them, then if I launch any of the other games I have which also use BattlEye, and run from the same location, it scans those files again, and goes through the same process. Where it gets weird is sometimes when launching Fortnite, say, it won't block the BE file that it's flagged as suspicious, but when launching something like Rainbow Six Siege, it'll get hung up on it for a bit longer. They're the same files, with the exact same hashes, but the system hasn't seen Rainbow Six Siege launching this file before, so it's not expecting that behavior and it blocks it. And when I run the games at the same time, the BE files are still in memory, it will still re-scan them and go through the whole process again.
     
    Last edited: Jul 21, 2018
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    To clarify my previous posting, it appears Cylance is also not a full featured behavior blocker. Best way to explain this is to use Emsisoft as an example.

    When EAM detects suspicious activity in a process at startup time, it first flags the process for monitoring. This enables EAM to monitor it each time it executes. EAM also sets a hook into the process to do the monitoring. If later process activity triggers malicious characteristics EAM is monitoring for, it will throw a user alert (prior vers. of EAM) or block it (current vers. of EAM).

    The best classification for Cylance Home is that it's an AV solution employing behavioral analysis (AI algorithms) instead of sigs. and heuristics at process startup time only. Also assumed, and like AV solutions, once the process is scanned and deemed safe it is whitelisted. As such, it will not be rescanned on any subsequent process startups. Therefore, sleeper malware tactics can defeat it.
     
  12. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Maybe I am very wrong here, but those claimed next-gen antivirus products aren't doing anything special; their methods don't seem to be so different from the heuristics and emulation that traditional AV solutions have been using for years.

    The method (AI algorithms) is a little different from heuristics and generic signatures for sure, but I doubt the result is better than the latter.

    "Traditional" AV solutions are using machine learning and AI algorithms too, while having years and years of malware expertise.
     
  13. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    Every proper AV company has had a machine learning system behind it for years now; AI is just a fancier name for ML.
    Kaspersky "heuristics", Norton's ML, Sophos' static ML, etc., all the same thing.
    Cylance should not be run alone without accompanying software because it's weak alone.
     
  14. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Meanwhile in the real world scenario usage (Windows 10 calculator):

    ~ Removed VirusTotal Results Image as per Policy ~
     
    Last edited by a moderator: Jul 22, 2018
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Correct.

    Most of the major AVs employ ML techniques and employ YARA-like behavior sigs. Also many of the AVs employ process memory scanners which can detect process modification attempts post execution. I assume Cylance Home is not deploying the Win 10 ELAM driver and therefore cannot inspect script code via AMSI. This also means that with the next release of Win 10, folks will find WD also running in realtime mode alongside it. Finally, there is the fact that the only 100% positive ID for malware is a signature.
     
  16. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    True, most of the major AVs employ ML techniques and employ YARA-like behavior sigs, but are they not secondary to their signature-based prevention?

    If true, then would not the best solution be a multi-tier one where you use a traditional AV that primarily specializes in signature-based prevention and an AI-based AV that primarily specializes in behavior?
     
  17. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    Hence Cylance advertises its product with compatibility to existing AV products.
    It's light, it's simple, it doesn't cause incompatibilities.
     
  18. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    I've just applied for a refund under the terms of their return policy.
    I've had problems with some software, particularly Macrium Reflect refusing to update to a later version, as well as various graphics programmes and NirSoft utilities not running.
    I wouldn't mind this if there was a way to view an event log or whitelist a programme or process (a la EAM), and there's no information why a process has been blocked in the first place. The online 'control panel' just lacks detail and the ability to control running processes.

    OTOH, it's very light on resources and completely silent in operation. If that's what you want in an AV then you could probably do a lot worse.
     
  19. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    It depends how far down the rabbit hole you want to get. If Cylance's results are similar across the board to F-Secure, like the PCMag review indicates, what sort of advantage are you getting layering another AV solution onto that? Even if there's a couple percent difference, are you willing to take the system overhead?

    You should be able to whitelist a file under global safe list in settings. I do think there's a bug in the software where it's not notifying every single file it blocks from loading. I had that same issue with the battleye file.
     
  20. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    Possibly but we won't know for sure if or how much differs until we see it get run through a comparison gauntlet by independent AV testers.
     
  21. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    There are two tests by independent labs linked above. One sponsored by Cylance, the other sponsored by Sophos. They have bias, but they do provide an indication as to detection rate of the product.
     
  22. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    These tests literally mean nothing. I advise everyone that wants to actually see the power of the product to install Win10/7 in a VirtualBox/VMware VM, register on any.run, and keep throwing samples at the product while checking the sample's VirusTotal info to see how recent it is.
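
For the "check the sample's VirusTotal info to see how recent it is" step above, here is a small triage helper as an added example (not code from the thread, from Cylance, or from VirusTotal). It builds the VirusTotal v3 file-report request for a hash and turns the JSON report into the two numbers that matter when picking samples for such a test: days since first submission and how many engines already flag it. The two reports embedded in the block are constructed to mirror the v3 response shape (`data.attributes.first_submission_date`, `data.attributes.last_analysis_stats`); the freshness thresholds are arbitrary assumptions.

```python
"""Sample-recency triage from a VirusTotal v3 file report (offline example)."""
import json
import re
from datetime import datetime, timezone

VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/"
_HEX = re.compile(r"^[0-9a-f]+$")

# Constructed check time for the example: 2018-07-22 12:00 UTC.
CHECK_TIME = datetime(2018, 7, 22, 12, 0, tzinfo=timezone.utc)

# Constructed report bodies in the v3 response shape (hashes are placeholders).
FRESH_RESPONSE_BODY = """{"data": {"type": "file", "id": "a1", "attributes": {
  "sha256": "a1", "first_submission_date": 1532044800,
  "last_analysis_stats": {"malicious": 3, "suspicious": 1, "undetected": 60,
    "harmless": 0, "type-unsupported": 4, "timeout": 0, "failure": 0}}}}"""
STALE_RESPONSE_BODY = """{"data": {"type": "file", "id": "b2", "attributes": {
  "sha256": "b2", "first_submission_date": 1500000000,
  "last_analysis_stats": {"malicious": 55, "suspicious": 0, "undetected": 8,
    "harmless": 0, "type-unsupported": 5, "timeout": 1, "failure": 0}}}}"""
FRESH_REPORT = json.loads(FRESH_RESPONSE_BODY)
STALE_REPORT = json.loads(STALE_RESPONSE_BODY)

# Verdict buckets that mean "engine did not actually scan it".
_NOT_SCANNED = {"type-unsupported", "failure", "timeout", "confirmed-timeout"}


def vt_file_request(file_hash, api_key):
    """Return (url, headers) for GET /api/v3/files/{hash}.
    The endpoint accepts an MD5, SHA-1 or SHA-256 hex digest as identifier."""
    h = file_hash.strip().lower()
    if len(h) not in (32, 40, 64) or not _HEX.match(h):
        raise ValueError("expected an MD5, SHA-1 or SHA-256 hex digest")
    return VT_FILE_ENDPOINT + h, {"x-apikey": api_key, "accept": "application/json"}


def summarize_report(report, now):
    """Reduce a file report to age in days, engines flagging it, engines scanning it."""
    attrs = report["data"]["attributes"]
    first_seen = datetime.fromtimestamp(attrs["first_submission_date"], tz=timezone.utc)
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    scanned = sum(v for k, v in stats.items() if k not in _NOT_SCANNED)
    return {
        "sha256": attrs["sha256"],
        "age_days": (now - first_seen).days,
        "flagged": flagged,
        "scanned": scanned,
    }


def is_fresh_sample(report, now, max_age_days=2, max_flagged=10):
    """A sample is worth throwing at a signature-less product only if it is
    both recent and not yet widely detected (thresholds are assumptions)."""
    s = summarize_report(report, now)
    return s["age_days"] <= max_age_days and s["flagged"] <= max_flagged


if __name__ == "__main__":
    url, _ = vt_file_request("d41d8cd98f00b204e9800998ecf8427e", "<api key>")
    print("would GET", url)
    for name, rep in (("fresh", FRESH_REPORT), ("stale", STALE_REPORT)):
        print(name, summarize_report(rep, CHECK_TIME), is_fresh_sample(rep, CHECK_TIME))
```

The block never performs the HTTP call; feed the URL and headers to whatever client you use, then pass the decoded JSON body to `summarize_report`. Engines that time out or cannot handle the file type are excluded from the scan count so a 3/64 ratio is not misread as 3/68.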
     
  23. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    I don't have anything resembling a global safe list or whitelisting option.

    See the two images.
     

  24. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    You have to go to settings at the top left > Global Lists > add the file via its MD5/SHA256 hash. Then you have to click it and add it to the safe list.
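
Since the Global Lists exclusion described here (and in the earlier post about the BattlEye file) is keyed by the file's MD5 or SHA-256 rather than its path, here is an added example, not Cylance's code, for producing those digests and checking a file against a pasted safe list. How the console itself treats the entries is assumed, not known: the block normalises case and whitespace, rejects strings that are not 32- or 64-character hex so a typo does not silently leave a file unlisted, and prefers the SHA-256 match because MD5 collisions are practical and an MD5-only entry can cover two different files. The sample file it hashes is constructed in a temp directory.

```python
"""Hash-keyed safe-list helper: compute MD5/SHA-256 and match against a list."""
import hashlib
import os
import tempfile

_HASH_LENGTHS = {32: "md5", 64: "sha256"}  # hex digest length -> algorithm


def file_hashes(path, chunk_size=1 << 20):
    """Return both digests the console accepts, streaming so large game
    binaries are not read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def load_safelist(entries):
    """Normalise pasted entries (any case, stray whitespace, '#' comments)
    into {hex_digest: algorithm}. Returns (accepted, rejected) so a malformed
    entry is reported rather than silently dropped."""
    accepted, rejected = {}, []
    for raw in entries:
        h = raw.split("#", 1)[0].strip().lower()
        if not h:
            continue
        algo = _HASH_LENGTHS.get(len(h))
        if algo is None or any(c not in "0123456789abcdef" for c in h):
            rejected.append(raw)
            continue
        accepted[h] = algo
    return accepted, rejected


def safelist_match(path, safelist):
    """Return 'sha256' or 'md5' for the entry that matches the file, or None.
    SHA-256 is checked first: an MD5-only entry is the weaker exclusion."""
    digests = file_hashes(path)
    for algo in ("sha256", "md5"):
        if safelist.get(digests[algo]) == algo:
            return algo
    return None


def demo_file(content=b"abc"):
    """Write a constructed file to a temp path and return that path."""
    fd, path = tempfile.mkstemp(prefix="safelist_demo_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


# Constructed safe-list paste: one SHA-256 with a comment, one bad entry, one MD5.
SAMPLE_SAFELIST = [
    "  BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  # BEService",
    "not-a-hash",
    "900150983cd24fb0d6963f7d28e17f72",
]

if __name__ == "__main__":
    path = demo_file()
    print("digests to paste:", file_hashes(path))
    accepted, rejected = load_safelist(SAMPLE_SAFELIST)
    print("rejected entries:", rejected)
    print("matched via:", safelist_match(path, accepted))
```

Paste the `sha256` value from `file_hashes` into the console; keep the MD5 only if the console insists on it. Note that a hash-keyed exclusion stops matching the moment the vendor ships an updated binary, which is one reason a folder exclusion (which the thread notes is not offered) would be more convenient and also more dangerous.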
     
  25. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    Ah, OK. It was too large and obvious for me. Thanks.
     