Ever Heard of Cylance?

Discussion in 'other anti-virus software' started by kerykeion, Dec 31, 2015.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No problem... yeah, I know what you mean, we are always looking for the silver bullet ;). I think with ransomware things are different now... I think we are finally going to get serious and do something about it. BTW, do you remember any of the now defunct companies from the last 10 years that promised to be the silver bullet? I am just curious... it would be a good walk down memory lane ;).
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here is a later Symantec blog post that references MRG and A-V Comparatives tests on Cylance: http://www.symantec.com/connect/blo...tests-symantec-endpoint-protection-vs-cylance . Will also note that both tests were criticized in the original Symantec blog post: http://www.symantec.com/connect/blogs/cylanceprotect-symantec-labs-analysis comments for not using the latest version of Cylance.

    Did see an interesting comment again from the original Symantec blog post comments that states that, properly configured, Cylance is pretty effective:

    Do the same with Cylance =====

    take its Policy and set it up

    File Actions - check all

    Memory Action - Check Block All or Terminate - for exploitation, permission escalation, injection

    Protection settings --- check Background (run recurring) and Watch for New Files

    set up your Application and script policies

    Logs ----- match your Logs and Syslog it to your SIEM.

    Once that is done isolate the devices with NO INTERNET access and -------- begin an assault with all types of bad files - use KALI and Metasploit as your launch platform-- and watch the fireworks --------

    My comment is I can also do the same with most existing Endpoint solutions.

    What I am waiting for is the upcoming NSS Labs test of it noted below, taken again from the original Symantec blog post comments. Hopefully, the overall results will be published publicly since NSS Labs charges a hefty fee for Endpoint reports:

    I love the dialog and cannot agree more on the need for an independent 3rd party perspective and evaluation of the different end point products in question.

    I am happy to announce that NSS Labs, the world’s leading security testing and analyst firm, are planning a public group test for this space, the Advanced Endpoint market. We have not formally announced the vendors who we have determined will be in the test, but considering we are planning for ~20 vendors including leading heritage AND top emerging endpoint vendors, you can expect this test will help settle the specific debate on this thread in addition to bringing clarity and guidance to many enterprises and end-users evaluating this market.

    Considering much of the commentary in this thread, it is important to highlight that our public tests are free of cost for the vendors and completely objective.

    If you would like to be informed on details such as the testing methodology, when the reports will be published and NSS Labs' perspective on the results, you can reach us at AdvancedEndpoint@nsslabs.com

    - Garrett Jones, NSS Labs

     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am assuming that all behavior blockers analyze the file post execution. If Cylance works the way that I think it does, all of the analysis takes place pre-execution, which is why I am such a huge proponent of machine learning / Ai. I know there are mitigations for dealing with malware post execution, but to me, if you can analyze the file pre-execution, before a single line of malicious code is ever allowed to run, well, you are way better off.
     
  4. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    SC Magazine did a review of Cylance last fall: http://www.scmagazine.com/cylanceprotect/review/4419/ . Goes without saying they were definitely impressed by it:

    QUICK READ

    Strengths: Impressive catch rate, ease of use and broad functionality within the anti-malware space. Truly next generation.

    Weaknesses: None that we found.

    Verdict: So far we have seen no better anti-malware performance than this. It is well-conceived and effective. If you are not happy with your anti-malware product, you really should take a close look. For its truly advanced approach and impressive catch rate we make this our Best Buy.
    Looks like a good replacement solution for the anti-exec aficionados:

    The product is policy-driven and building policies and models is very easy. Another feature we were taken with is that the administrator can build whitelists of applications that are allowed to run on the endpoint. If your app is not on the list it won't run.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool... thank you for letting us know! How do we access the whitelist? Please let me know, I have been looking for it, but I have not been able to find it. Thank you!
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Dan, isn't the console only available to corporate / enterprise customers?
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I thought it was, but itman said "Looks like a good replacement solution for the anti-exec aficionados: The product is policy-driven and building policies and models is very easy. Another feature we were taken with is that the administrator can build whitelists of applications that are allowed to run on the endpoint. If your app is not on the list it won't run.", so now I am confused. itman will clear it up, he always does ;).
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    As Dell uses Cylance in their EndpointSuite (since late last year) and as Cylance hasn't done an IPO yet, I wonder if before too long Dell just picks it up.
     
  11. guest

    guest Guest

    My main issue with it: you rely on the knowledge of someone else, and if this person doesn't have a clue what you are installing/opening and this file has a behavior similar to malware, it may wreck your system. As an example, imagine Cylance's techies removing the bootloader of Rollback RX (often flagged as a bootkit by most AVs)...

    Good for beginner users, bad for security geeks and pen-testers. They should allow the user to set a mode, for example: "fully managed" (Cylance guys take over the security administration), "mildly managed" (allow the user to create some personal settings) and "unmanaged" (the user manages everything). In the last 2 modes Cylance's techies can still observe the system and inform the user if a mistake has been made.
     
    Last edited by a moderator: May 18, 2016
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I assumed that whitelisting would be available without the console.

    Looking at the limited info Cylance has on their web site, it appears the Managed Protection thing is all that is offered to home users. So the home version is nothing more than a behavior blocker using an improved AI engine.

    I would love to see a test of Cylance's home version against Emsisoft's behavior blocker using 0-day samples. That would resolve if the AI engine is an improvement over traditional behavior blocking methods.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I think they have some kind of an internal global whitelist as well, I am just not sure how it works.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Probably so ;).
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I agree ;).
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see... I was not sure whether the user had access to the whitelist or not for the MM version, thank you for clearing that up.

    The way I see it, since neither Ai or behavior blocking is perfect, and considering the current state of the malware epidemic, it is not about what performs better, it is more about building the best security software for the end user. So essentially, I believe combining Ai, a behavior blocker and application whitelisting would be ideal.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Using the recent AV-Test results for both and noting the ruckus that AV-Test didn't use the latest ver. of Cylance, the results are:

    Win 10 - Cylance - 97.9% against 0-day malware and 99.9% against 4-week old malware.

    Win 8 - Emsisoft - 99.5% against 0-day malware and 100% against 4-week old malware.

    My opinion. Save yourself some money and buy Emsisoft which will also provide BitDefender signature protection.
     
  18. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    But is Emsisoft detection signature included or behavior blocker only?

    'Cause Cylance is Ai based only, i.e. no signs, right? So I think it's excellent detection by Cylance for its Ai.

    If Emsisoft detection is also behavior blocker only then the comparison is fair enough & Emsisoft is better in the mentioned test.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Emsisoft uses both behavior analysis and signature based analysis in addition to IP blacklist processing. If an unknown/untrusted process is detected, the behavior blocker kicks in immediately. Additionally, select vulnerable system and application processes are continuously monitored by the behavior blocker. It also has script, exploit, and ransomware protection.
     
  20. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    itman,

    I meant Cylance Ai does seem good. The percentage of protection with the Ai is really very good.
     
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,559
    Or if you are rich and have a lot of money to waste you can buy both.

    http://www.bleepingcomputer.com/forums/t/609210/two-solution-strategy-trend-cylance/?p=3969171

    Hey Brian

    Richard here from Cylance. Glad to see you are POCing CylancePROTECT. In the case of running two AVs, Cylance is more than capable of running in a layered environment. Because our methodology is quite a bit different than those of traditional AV, the services won't be interfering with each other. Your deployment method is actually one we recommend to many of the new customers coming on board as well.

    As for Trend, as nobody has answered that, I reached out to my buddy Gavin, Trend's social media manager, to check on their capability, but in my research on Spiceworks and other groups, I think you should be fine and it won't be interfered with by Cylance (and vice-versa).

    Good luck with the POC, don't hesitate to post up more questions here, or you can reach me at rmelick@cylance.com
     
  22. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    [QUOTE="Azure Phoenix, post: 2589229, member: 144007"]
    http://www.bleepingcomputer.com/forums/t/609210/two-solution-strategy-trend-cylance/?p=3969171
    [/QUOTE]
    This is a good query mentioned in the bleeping thread.

    "Detecting "good" and "bad" files is the easy part of malware protection. What everyone needs to focus more on is really "unknown" files, because every new piece of malware starts as an unknown file.
    You should ask Cylance how they treat unknown files, and what the behavior of their products is if they can't give them a "good" or "bad" verdict".
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I would say this is true as long as the other solution does not employ a behavior blocker.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Since they don't offer any means to test it other than spending $60, I think it's mainly a moot point. I will trial a lot of stuff, to see how it works on my machines, but I won't pay up front for that.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Same here.
     