Ever Heard of Cylance?

Discussion in 'other anti-virus software' started by kerykeion, Dec 31, 2015.

  1. haakon

    haakon Guest

    No it was just me. Thank you.

    And I said your posts of endless frustration about MBAE's currently experimental build with your Cylance issue in the MBAE thread are a waste of bandwidth.

    For all I care, which is not at all, this thread can go on for tens of thousands of posts as in some others. My mention of this thread in the MBAE thread meant basically, from what I've read over here... who the heck would ever want to deal with this wasted effort known as Cylance? Even if it was free.

    BTW, has anyone Ever Heard of Cylance? :D
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "And I said your posts of endless frustration about MBAE's currently experimental build with your Cylance issue in the MBAE thread is a waste of bandwidth."
    And what makes you think the problem is with Cylance and Anti-Exploit? This has not been proven as of yet.
     
    Last edited: Jun 30, 2016
  3. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    289
    To me, Cylance has done nothing to make me believe their claims.
     
  4. guest

    guest Guest

    Funny, Cylance denies other vendors access to their solutions but unscrupulously buys other vendors' solutions for their tests...

    "Cylance ! when hypocrisy becomes a lifestyle"

    I feel sorry for the poor souls who have bought their product.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Excellent point. You can't cry "foul" when you perform the same tactics.
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Haakon

    First of all, it was not me that mentioned Cylance might be the issue, it was pbust. All I did was mention I was having trouble opening IE11 after installing the new beta in the correct thread. Then I reinstalled the older version, then pbust asked for the FRST file, so I reinstalled the latest beta, Cylance flagged it, and that is why I posted that. I personally don't think it has anything to do with Cylance since other users are seeing similar issues, but will wait to see what pbust says, ok?
    As you suggested going to the Malwarebytes forum, I will most likely do that. All I know is I see other members posting about issues with the new beta here at Wilders as well.

    thank you
     
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Not crying "foul" while performing the same tactics is so legacy. This is next-gen we are talking about.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I was referring to this quote:
     
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I understood that the first time already ;)
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I didn't know that was their mission. I thought their mission (or dream) was to develop and later provide something *better* on the market than what the "outdated and stale industry" currently has to offer, not just show and talk about how bad their competitors' solutions are, day in and day out.

    They may now have the "stale industry"'s full attention because of their behaviour, but they surely haven't accomplished "disrupting" anything worthy of notice from a positive point of view, this far. Except turning me off to the extent that I will never even think of using or recommending their products. If that was part of their "mission" then, well done.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    CylanceProtect claims to be revolutionary new and next generation anti-malware security technology. That kind of language means to me something that is new technology that has never been used before. So let's examine these claims a bit more in detail.

    Over a decade ago, there was a security product that was indeed revolutionary new and next generation anti-malware security technology. It was called Dynamic Security Agent. You can read the details about it here: http://www.privacyware.com/DSA_UserGuide.pdf . For reference, the current licensing rights for DSA are owned by Privacyware, which currently offers the product free of charge under the name of PrivateFirewall.

    In summary, DSA was an integrated firewall and behavior analysis solution. The behavior analysis engine used machine learning to record existing process behavior and develop profiles for each. It then used probability based algorithms to detect deviation from normal process behavior. Deviation sensitivity could be adjusted from low to high settings by a user controlled single threshold setting. Additionally, and unduplicated to date as far as I am aware of, DSA also applied machine learning and probability based algorithms for spam protection to outgoing e-mail.

    Unlike CylanceProtect, DSA made no attempt to detect and identify malware through machine learning or probability based algorithms. Rather it employed a HIPS policy based, whitelist, anti-exec, whatever you want to call it, approach that would prevent any undetected and unlearned process from running. Since cloud lookup technology was not in use in those days, DSA did not perform any reputation analysis other than a trusted publisher lookup.

    In summary, what makes CylanceProtect unique is its attempt to predetermine malware behavior through harvesting and analyzing existing malware, then developing predictive algorithms that will be applied against both known and unknown malware executables. At this point, I do not believe there is enough independent supporting data to conclude this approach is a viable and effective solution.
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Let's step back and look at why Dell chose Cylance in the first place. Here are the facts.

    1. How many products did they look at? More than 60.

    2. Who was it at Dell that looked at Cylance? Secure Works, the company’s crack security division.

    3. How many samples did they test? 200 samples of the most effective malware and exploits.

    http://www.pcworld.com/article/3005...-doubt-on-traditional-antivirus-programs.html
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    o_O I will leave that quote as is without comment.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    itman, are you saying you think their security team is bogus and incompetent? After all, they did not give any further info on the malware. Maybe now when we buy a new Dell it will have Cylance installed?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Some recent research references in AI behavior analysis below.

    Appears the Hidden Markov Model algorithm is the most effective. Somewhat disturbing was that most research was done on a "static vs dynamic" detection basis, with the static detection being signatures exclusively. Not by any means an overall product effectiveness determination, since most desktop security solutions employ multiple detection methods besides signatures:

    The proposed approach detected these malware with 91% accuracy. This work shows good result in malware detection but need to improve the detection speed.
    Ref.: http://file.scirp.org/pdf/JIS_2016042209291406.pdf

    The average AUC we obtained for all the families using dynamic analysis was 0.976 and the average AUC we obtained for all the families using static analysis was 0.785.
    Ref.: http://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1403&context=etd_projects
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I said I wasn't going to comment.
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    voodoshield said:

    Cylance, Sophos and Symantec are all great products, but I suppose if someone was interested in seeking the absolute truth, they would simply test the products themselves.

    notice the word GREAT?
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @boredog - here is a ref. to what a "thin client" is: http://www.devonit.com/thin-client-education . Dell deploying Cylance on such devices is pretty much risk free since anything material software/hardware wise resides on the server. Like I said previously, Dell is using Cylance in a restricted targeted environment.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Interesting read, thank you! Yeah, an AUC of 0.785 for static analysis is nowhere close enough to be considered a useful model... you might as well flip a coin. And actually, 0.976 for dynamic is not that great either, especially when you start testing the models with unknown samples.

    Here are VoodooAi's static curves, with the AUC listed at the bottom right ( Algorithm 1: 0.997, Algorithm 2: 1.000, Algorithm 3: 0.998 )

    http://www.voodooshield.com/artwork/newcurve1.png
    http://www.voodooshield.com/artwork/newcurve2.png
    http://www.voodooshield.com/artwork/newcurve3.png

    I imagine that Cylance has really great curves as well... I wish they were public.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    They are great! I just wish they would also lock the computer with a user-friendly application whitelisting lock as well ;).

    Blacklist + Ai + Lock = No Malware (in theory ;))
     
  21. GloversFan71

    GloversFan71 Registered Member

    Joined:
    Jun 25, 2016
    Posts:
    3
    Location:
    England(UK)
    Which: their operations, or their marketing hype claims, or both?

    If you had, along with those that saw the Sophos video, seen how great their offline AI was when the last byte of a previously detected file was altered to change the MD5 checksum and the new file went straight under their offline AI detection.

    That sure is not "great"; in fact I would say it would be the opposite end of the scale.
    This shows there is more dependency on MD5 checking than they would be prepared to admit to.

    Curious: would altering 1 byte at the end of a file break your AI detections?

    Don't get me wrong, AI has some promise and is a worthwhile part of any current security solution, but it is just another layer/module and should be part of a suite, or if stand alone should be marketed as complementary software.

    IMO it is, alas, not the second coming or the holy grail of security.

    Blacklist...

    Relevant to this thread and linked material, it is obvious that Cylance utilize hash lookup, whether to their own registry in the cloud or a 3rd party file checking/repository service they have access to, if they encounter a new file not flagged up by their AI scoring.

    What really does not pass the smell test is them marketing themselves as a new gen of AV solution with new signatureless technology which surpasses the stale signature based technology of yesterday, when in fact what looks to be a critical part of their arsenal is indeed MD5 hash checking based.

    Got signatures somewhere, lol?
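The post above describes a one-byte change at the end of a file defeating an MD5 lookup. The following is an added example, not code from the thread or from any vendor discussed in it, showing from the detection side why an exact-hash blacklist is brittle and how a piecewise-hash similarity check (fixed-size chunks, a simplification of what fuzzy-hash tools do) still relates the modified file to the known sample. The sample bytes, chunk size and 0.9 threshold are constructed for illustration.

```python
import hashlib

CHUNK = 64  # bytes per piece; tiny for the constructed sample, use 4 KiB+ on real files


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def piecewise_hashes(data: bytes, chunk: int = CHUNK) -> list:
    """Hash the file in fixed-size pieces so a local change alters only one piece."""
    return [hashlib.sha256(data[i:i + chunk]).hexdigest()
            for i in range(0, len(data), chunk)]


def chunk_similarity(a: bytes, b: bytes, chunk: int = CHUNK) -> float:
    """Fraction of positionally matching pieces, 0.0 .. 1.0."""
    ha, hb = piecewise_hashes(a, chunk), piecewise_hashes(b, chunk)
    if not ha and not hb:
        return 1.0
    matches = sum(1 for x, y in zip(ha, hb) if x == y)
    return matches / max(len(ha), len(hb))


def exact_hash_hit(data: bytes, bad_md5s: set) -> bool:
    """What a pure MD5 blacklist lookup does: identical bytes or nothing."""
    return md5_hex(data) in bad_md5s


def similarity_hit(data: bytes, known_bad: list, threshold: float = 0.9) -> bool:
    """Flag a file that is mostly identical to a known-bad sample."""
    return any(chunk_similarity(data, bad) >= threshold for bad in known_bad)


# Constructed 1028-byte "sample": fake DOS header plus a deterministic body.
ORIGINAL = b"MZ\x90\x00" + bytes(range(256)) * 4
# Same content with only its final byte changed (the case the post describes).
TRAILING_BYTE_CHANGED = ORIGINAL[:-1] + bytes([ORIGINAL[-1] ^ 0xFF])
# An unrelated constructed file of the same size, to show the check is selective.
UNRELATED = b"MZ\x90\x00" + bytes(reversed(range(256))) * 4

if __name__ == "__main__":
    bad_md5s = {md5_hex(ORIGINAL)}
    print("MD5 lookup catches modified copy:", exact_hash_hit(TRAILING_BYTE_CHANGED, bad_md5s))
    print("Similarity to original: %.3f" % chunk_similarity(ORIGINAL, TRAILING_BYTE_CHANGED))
    print("Similarity check catches modified copy:", similarity_hit(TRAILING_BYTE_CHANGED, [ORIGINAL]))
```

Positional chunking only survives in-place edits; an insertion that shifts every later offset defeats it, which is why production fuzzy hashes (ssdeep, TLSH) use content-defined boundaries instead of fixed ones.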
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Below is an example on how Cylance is currently being deployed in enterprise environments.

    I previously posted an excerpt from Blue Coat's Content Analysis to show details on Cylance's particulars. Important to note from the below is that Blue Coat is only using Cylance for additional behavior analysis coupled with present signature detection and other proven malware prevention techniques. Of note is Blue Coat's reference to Cylance as "static analysis":

    Blue Coat Content Analysis is a next-generation anti-virus, malware, and spyware detection system. Content Analysis 1.3.x includes the following features:

    Malware and Antivirus scanning - Content Analysis supports McAfee, Sophos, and Kaspersky Antivirus engines and virus signature databases, all of which can be used at the same time.
    Static Analysis services from Cylance - Uses an advanced artificial intelligence engine to identify malware.
    File Reputation Service - Content Analysis generates an SHA1 hash for each file it processes. That hash is compared with Blue Coat's cloud-based File Reputation classification service to identify known files. If a file's hash has been classified, the score for that hash is compared with the File Reputation configuration on the appliance. Depending on the trust score, files are then either blocked if the score is high, passed to the user as safe if the score is low, (antivirus, sandboxing is not performed) or processing continues with Antivirus scanning if the score is between the configured thresholds.
    Manual File Blacklist and Whitelist - As your organization identifies files that are known good or bad, you can add them to a list of manually defined file hashes to either allow or deny those files without further processing.
    Sandbox integration with Blue Coat's Malware Analysis, Lastline or FireEye - Sandbox services use different methods to identify the actions an executable file would take on a client workstation, including malicious URL web requests and changes to system files.
    Endpoint integration with CounterTack Sentinel - As malware is detected, Content Analysis can query a CounterTack Sentinel server in your network to determine which users (if any) have retrieved it.
    Cached Responses - When malware is found, Content Analysis updates a local cache to avoid having to scan the same file on subsequent requests.
    Blue Coat WebPulse - Users are protected by the Blue Coat WebFiltering (BCWF) and WebPulse databases on the ProxySG appliance, and when malware is discovered through scanning, those results can be shared with BCWF to classify bad URLs for the benefit of all WebPulse users worldwide.

    Ref.: https://bto.bluecoat.com/webguides/...#Topics/Concepts/About_CAS.htm?TocPath=_____1
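The File Reputation Service and manual list steps quoted above describe a concrete triage pipeline: hash the file with SHA-1, consult the manual blacklist/whitelist, then compare the cloud reputation score against two thresholds to block, allow, or continue to scanning. The following is an added example of that decision logic, written for this thread and not taken from Blue Coat or Cylance; the 0-10 score scale, threshold values and sample files are constructed assumptions, since the page states no scale.

```python
import hashlib

# Constructed sample files (not real binaries or indicators).
KNOWN_GOOD = b"MZ\x90\x00 constructed benign installer"
KNOWN_BAD = b"MZ\x90\x00 constructed malicious dropper"
GREY_FILE = b"MZ\x90\x00 constructed low-prevalence admin tool"
NEVER_SEEN = b"MZ\x90\x00 constructed never-seen file"


def sha1_hex(data: bytes) -> str:
    """The appliance keys its reputation lookup on a SHA-1 of the file."""
    return hashlib.sha1(data).hexdigest()


# Assumed scale: 0 (clean) .. 10 (malicious). Stands in for the cloud lookup.
REPUTATION_CLOUD = {
    sha1_hex(KNOWN_GOOD): 1,
    sha1_hex(KNOWN_BAD): 9,
    sha1_hex(GREY_FILE): 5,
}
MANUAL_WHITELIST = set()
MANUAL_BLACKLIST = {sha1_hex(GREY_FILE)}  # operator chose to deny this tool


def triage(data: bytes, reputation=REPUTATION_CLOUD, whitelist=MANUAL_WHITELIST,
           blacklist=MANUAL_BLACKLIST, block_at: int = 7, allow_below: int = 3):
    """Return (verdict, reason); verdict is 'block', 'allow' or 'scan'.

    'scan' means processing continues to the antivirus engines (and, on the
    appliance quoted above, static analysis and sandboxing)."""
    if allow_below > block_at:
        raise ValueError("allow_below must not exceed block_at")
    digest = sha1_hex(data)
    # Manual lists are consulted first and end processing without further checks.
    if digest in blacklist:
        return "block", "manual-blacklist"
    if digest in whitelist:
        return "allow", "manual-whitelist"
    score = reputation.get(digest)
    if score is None:
        return "scan", "unknown-hash"           # never classified: scan fully
    if score >= block_at:
        return "block", f"reputation={score}"   # high risk score
    if score < allow_below:
        return "allow", f"reputation={score}"   # low risk score, AV skipped
    return "scan", f"reputation={score}"        # between the two thresholds


if __name__ == "__main__":
    for name, blob in [("good", KNOWN_GOOD), ("bad", KNOWN_BAD),
                       ("grey", GREY_FILE), ("new", NEVER_SEEN)]:
        print(name, triage(blob))
```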
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    When Symantec tested CylanceProtect as noted here: http://www.symantec.com/connect/blogs/cylanceprotect-symantec-labs-analysis , it was their contention that Cylance only scans PEs as noted below. This is also somewhat confirmed by the way Blue Coat is deploying Cylance:

    Another interesting factoid was that Cylance only scans PEEXE (program executable) file types. Standard document files such Doc and PDF files are not scanned. In some cases malware detected by Cylance remains running and active in memory. Quarantined malware files remain accessible to the end user. Cylance malware remediation is limited in functionality requiring additional remediation-capable anti-malware software, like SEP. Our tests were run using latest versions of both products along with the standard (default) configurations.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    itman, did you read the comments section?

    Check out experienced pros' Jan 30th comment.
     