Ever Heard of Cylance?

Discussion in 'other anti-virus software' started by kerykeion, Dec 31, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    Generally, I would agree with you on the percentage figures. However, the recent MRG test of Cylance showed issues with ransomware, backdoor, and keylogging protection. All these are important to corporate environments; especially ransomware which Cylance's protection is sub-standard.
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "I wouldn't consider cylance a good end point protection since it has only 1 protection layer and you can not manage it, I doubt that they are really stealing customers with that approach in big companies."

    you are talking about their consumer version? not end point? I thought they were different.
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,425
    Location:
    Paris
    Any of those that attended one of Cylance's "Unbelievable Tour" shows can attest to the giftcards that were given out to those who coded a true zero-day sample. Like a knife through soft butter.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    cruel

    how many gift cards did you snatch up?:D
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    No names given:

    The truth here is that a rogue employee of a partner provided access to our product and then purposely disabled key features that would make it seem like CylancePROTECT was not as effective as we have claimed.

    Ref.: https://blog.cylance.com/cylanceprotect-vs-smoke-and-mirrors
    Note all refs to Sophos removed from the Cylance blog post.

     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    As far as the rumors about Cylance using VT directly or indirectly, they are still just rumors as best as I can determine:

    On Cylance

    There was a possible confusion that got propagated that Cylance was using VirusTotal directly in their product. I now have information that this may be incorrect.

    Cylance was using VirusTotal, as they said in the Reuters article. It’s possible they were using the service to download samples to train their engine, not directly from inside their product. It’s also possible that they used VirusTotal to help detect malware.

    I don’t know for sure, and that’s why I expect to be talking to them in the next several days.


    Ref.: http://blog.eckelberry.com/2016/05/
    I am sure there are a number of "entities" hard at work on this one. As shown in "that video", something was amiss in this area.

     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    nice collection of beer:D
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    Came across an interesting discussion over at reddit.com on what Cylance was using the VT database for:

    I could have been more specific I suppose. I work for a competitor designing an adjacent product and am well versed in the use of machine learning for next gen antivirus. Both in terms of feature extraction required for machine learning datasets for products like Cylance, or deep learning AI for newer entrants in the market. I know the types of features they extract to make a determination as I have the product running in our lab. In order for those domain expert chosen features to be validated you have to throw a large set of positive and negative data at it. VT was part of their training set.

    There are no better sources for large volumes of fresh malware than VT. Cylance don't have the consulting intrusion response team, the breadth of customer base, nor the intel gathering team to build that set without relying on 3rd parties. To say that their product had no reliance on VT is a bit misleading, since it was used to gather samples and validate (in training) their model.


    Ref.: https://www.reddit.com/r/Malware/comments/4i4gla/virustotal_no_longer_allows_security_products_to/
    Here's a link to a Cylance whitepaper on the tech aspects of how they condition their AI engine: http://techspective.net/wp-content/uploads/2015/04/Math-Vs-Malware-White-Paper.pdf

    Again, I refer to the my previous posting: https://www.wilderssecurity.com/threads/ever-heard-of-cylance.382682/page-3#post-2589392 on current research in the use and effectiveness of AI methods for detecting computer malware. Given this M.I.T study was for the detection of malware at the network level, I believe it is applicable to the endpoint level. Using the most sophisticated not publically released algorithms developed, the highest detection rate achieved was 85%. Also this effective rate was only achievable with notable human interaction.

    -EDIT- I will go one step further with this extrapolation. The finite set of malware attack vectors at the network level is considerably less than that which exists at the endpoint level. Therefore, it is logical to assume that AI detection methods at the endpoint level would be less than that achievable at the network level due to the larger set of attack vectors that could be employed.
     
    Last edited: Jun 27, 2016
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Last edited: Jun 27, 2016
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    this report is 90 pages long on clylance operation cleaver. look at the first paragraph and tell me if ceo stuwart was one of the passengers on that flight please? it is a pdf. but first a short wiki page. https://en.wikipedia.org/wiki/Operation_Cleaver


    https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwi3_ozivcjNAhXJGR4KHUNYCpsQFggcMAA&url=https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf&usg=AFQjCNHTB9JOL-CDf4z0RisdTAAykht3tg&bvm=bv.125596728,d.dmo
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    Yes, appears to be the same person.

    As far as the other "black ops" like Cylance discoveries, I already posted they are CIA affiliated.
     
    Last edited: Jun 27, 2016
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    I also question the effectives of AI based anti-malware scanners against polymorphic and metamorphic viruses:

    https://www.techopedia.com/definition/4055/polymorphic-virus
    http://searchsecurity.techtarget.com/definition/metamorphic-and-polymorphic-malware

    These types of viruses can evade traditional signature based detection due to their code "mutation" capability. Of note was what was shown in the now hidden video Sophos test of Cylance. Sophos slightly modified the code of a Cylance previously detected malware and it was not subsequently detected by Cylance on retest. Everyone jumped on the bandwagon about perhaps Cylance was indeed using some type of internal hash based detection. However in reality, it appears Cylance's AI algorithms are not sophisticated enough to detect "on-the-fly" code modification - exactly what polymorphic malware is capable of performing.
     
    Last edited: Jun 27, 2016
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    well i am sure it will all come out in the wash. I am waiting for an answer from them about something now concerning their end point product. will post back if I hear anything.

    "As far as the other "black ops" like Cylance discoveries, I already posted they are CIA affiliated." that's cool I guess. most likely NSA and they already mentioned FBI. oh and you can bet their are Iranians, Russians, Chinese & North Koreans right here on this site my friend. and of course we know dell sells a lot of hardware to the gov too. a match made in heaven?
     
  16. GloversFan71

    GloversFan71 Registered Member

    Joined:
    Jun 25, 2016
    Posts:
    3
    Location:
    England(UK)
    Actually they edited the last single byte of the file hex to alter the MD5 checksum leaving the remainder of the malware file hex in its original structure/format.

    This would clearly indicate either their AI learning is practically a lame duck or most likely they have hash lookup dependency for confirmation to determine what a new file is.

    I suspected they would have to use an in the cloud registry to check against but also in all theories the VirusTotal Intelligence API key could also be used to do the MD5 hash lookup.

    The latter if that were to be the case would mean they are using signatures to detect file(s) just not their own and that is missing from all their marketing hype and technical documentation.
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    glovers, they do check the cloud every ten min. I am not sure why but everybody here seems to think the is dells entire endpoint solution but it is not. it is only one piece of it.
    AND the consumer version for 60 bucks that everybody seems to be comparing with the full fledged version of other end points is not clyance's complete end point solution let alone dells with cylance. I could be completely wrong in the fact the comparisons are between cylance home verses a business lic they obtained for testing.
     
    Last edited: Jun 27, 2016
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    The problem is their marketing claims are that Cylance needs no Internet connection to be 100% effective.

    As noted in their .pdf about why the cloud lookup is employed by the Console which btw is missing from the home version, it is supposedly for software updating, malware submissions, etc.: https://cdn2.hubspot.net/hubfs/270968/All_Web_Assets/Data_Sheets/CylancePROTECTCloud.pdf?t=1467051262941 . However, there are persistent rumors I have found in web postings to the effect that some type of blacklisting/hash table update activity is occurring from these connections. My guess is all their downloads are locked/encrypted making any examination of the download impossible to perform.

    So the question is why is some AI software that claims to 100% algorithm based dialing out every 10 mins.? One possible explanation is they are harvesting web activity?
     
    Last edited: Jun 27, 2016
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    BTW - appears Sophos and Cylance have "kissed and made up." Last Friday's blog post by Sophos has been deleted. There are no refs. to Cylance vs. Sophos on Cylance's product web page. All that remains is Cylance's rant on their blog page about "being wronged" by an unknown partner of one of "those legacy" software vendors.

    Appears Symantec hasn't done so.
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    it appears you are a mission my friend.

    "As noted in their .pdf about why the cloud lookup is employed by the Console which btw is missing from the home version"

    I would still like you to tell me if the tests were done with the home version or their full blown end point? is that so hard to ask?
    I keep asking but nobody seems to answer my question.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    If you are referring to all the postings I have seen on the web about Cylance, they were all using the Endpoint version. Only ref. I have seen to the home ver. is in this Wilders thread.

    ~ Removed Off Topic Remarks ~
     
    Last edited by a moderator: Jun 27, 2016
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,547
    Location:
    U.S.A.
    Came across a research paper done by two Indian researchers in 2012 on AI malware detection where they claimed the algorithms used achieved a 99.5% malware detection rate: https://arxiv.org/ftp/arxiv/papers/1205/1205.3062.pdf

    For starters, advanced calculus is not my forte, so no comment on the algorithms.

    The first step was to create a hash map of all the executables and functions (Figure 2). After that, the information gain algorithm is used to choose only the top 80% of the functions (Figure 3), which are most likely to be present in harmful files [20]. The Information Gain is further corrected by using this formula:
    What I like about the article is it does shown what is behind AI detection - simply a probabilistic determination of Win API calls used by malware versus those used in legit software. What I find issue with is their sample size of 5000 containing both valid and malware executables is to small for real world environments. In contrast, the recent M.I.T. research I previously referenced used millions of lines of code in their training database.

    Noteworthy is the conclusion reached in this study:

    5. Conclusion

    In this research, we have proposed a malware detection module based on advanced data mining and machine learning. While such a method may not be suitable for home users, being very processor heavy, this can be implemented at enterprise gateway level to act as a central antivirus engine to supplement antiviruses present on end user computers.
    Again, the recommendation that AI detection be performed at the router/network gateway level. Also take note that AI detection is a to be used as a supplement to existing endpoint software.


     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,791
    Location:
    Among the gum trees
    That's a similar detection rate Dan @VoodooShield has found with his Ai, give or take.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    what ever!!! keep digging you are your mission to degrade cylance as everybody here know and so keep going dude.
    who are you working for after all these years? that is what I want to know?
    just like everybody else here I also know people that work for the or have worked for the DOD my friend.
     
  25. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,772
    Location:
    Europe then Asia
    the test in the video? looked to be the endpoint; after all there is no point of comparing an endpoint solution with a home solution. Anyway, the important part of the video is valid for both versions, so it doesn't matter which one is used.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.