- Jun 12, 2014
- 314
BSidesMCR 2018: Next Gen AV vs My Shitty Code by James Williams
- Thread starter FleischmannTV
- Start date
- Jul 27, 2015
- 5,458
Interesting tests on Norton, Sophos, Eset, McAfee, SentinelOne and Cylance. Demo starts at 16:50 in the video. Thanks for the share @FleischmannTV 
SentinelOne makes YouTube delete Bsides vid 'cuz it didn't like the way bugs were reported
SentinelOne makes YouTube delete Bsides vid 'cuz it didn't like the way bugs were reported
Last edited:
- Mar 29, 2018
- 7,613
OK, watched it. Mostly sounded like Martian to me except I took Latin so understood the gist of his presentation. And notice who was the fairest amongst maidens here?
OK, watched it. Mostly sounded like Martian to me except I took Latin so understood the gist of his presentation. And notice who was the fairest amongst maidens here?
In a nutshell, he explicitly stated if he used 32-bit Meterpreter he could disable Cylance and pwn the system. A solution that applies protection against 64 bit, but not 32 bit, is no solution at all as opposed to a partial solution. Such utilities can be easily thwarted by disabling stuff on Windows. It is simple enough and causes little to no inconvenience for the vast majority of home users. And for enterprise users that know what they're doing, there are multiple ways to disable stuff and get it to work without major inconvenience.
Technically, did Cylance do better than the others ? Yes, it did. One cannot dispute that fact. However, those that want Cylance to be better, will pick that up, and twist it and re-purpose it to fit "Cylance is better."
The issue with Meterpreter, Metasploit, PowerSploit - and the ad infinitum other utilities - is that they are used primarily in targeted attacks. Basically, "user session" attacks. And most people here already know the basic economic issues of targeting home users.
Last edited by a moderator:
- Mar 29, 2018
- 7,613
Yes, I got the 32-bit idea. Like I say, it was my highschool Latin that did it.
I take all of it with a good helping of salt. :notworthy:Yes, I got the 32-bit idea. Like I say, it was my highschool Latin that did it.
Pen-testers famously make "bypass" videos using Meterpreter and similar utilities. Invariably, they fail to show what happens when stuff is disabled using the security softs that they are testing. I remember the various ciphers attempting the same. All bogus tests. Not even mentioning that some of the security softs that they tested were years old versions (obsolete).
These tests are completely bogus. Also, if he wanted to do this to ANY software, he could. His 'constructs' could make any security solution look bad. But as Lockdown says, they're completely bogus tests for a variety of reasons. The least of which, delivery of his payload wouldn't likely be possible (to a remote client), and he's assuming there aren't any other protections of lockdowns in place.
Again, this reminds me of the people picking unpickable locks, then posting videos, then inciting endless arguments over those videos, then referencing other fake videos to keep people quiet. It's endless entertainment that is absolutely bogus. To do this they remove the shroud, dismantle the lock, study it for weeks, re-assemble it, craft special tools to pick it, then spend days, and dozens upon dozens of attempts to pick it, then declare the unpickable/new/high claim lock to be 'garbage'. Then the peanut gallery chimes in and starts saying the lock sucks, the company needs to change their website, and that free locks are just as good.. Sound familiar?
"Awesome job +bosnianbill! Bi-Lock is going to have to change the claim on their website. "
""Picki proof" they say on their website. Obviously not entirely.. "
"So the new locks suck just get free ones at garage sales"
PS: Yes Cylance did the best on that targeted attack. Good enough to where he couldn't demonstrate a bypass for it. But I still think these tests are bogus regardless.
Last edited by a moderator:
- Dec 29, 2014
- 1,716
Anyone know how OSArmor would do against this single type of bypass?
On 32 v 64 bit attacks. Does this mean that a 64 bit OS running Cylance is not vulnerable at all or are 32 bit Windows processes within a 64 bit OS still vulnerable? I thought his test was showing that a 32 bit application in Windows 64 can be compromised, so that Cylance can then be disabled...or at least that it was explained this way if not demoed.
Oh yeah, no money in this kind of compromise of a home PC? I disagree with that. Friend of my mother recently had 4 accounts emptied via a very personal attack (her entire life savings/inheritance and everything else). This kind of compromise could easily have been part of the reason the attackers were able to steal her identity. Looks like she will get most of her money back, but using direct deposit and other less than secure methods for sharing online accounting information are probably the reason she ended up in the situation. She is an accountant with her own practice/business. Also, her phone may have been part of the problem.
I can understand how a locked down system would not be vulnerable in this situation. That makes sense, but security software is only present at all as a failsafe. As a result, there isn't imo a reason that Cylance should ignore doing something about the 32 bit issue for instance. Anyway, I am sure they will at some point.
On 32 v 64 bit attacks. Does this mean that a 64 bit OS running Cylance is not vulnerable at all or are 32 bit Windows processes within a 64 bit OS still vulnerable? I thought his test was showing that a 32 bit application in Windows 64 can be compromised, so that Cylance can then be disabled...or at least that it was explained this way if not demoed.
Oh yeah, no money in this kind of compromise of a home PC? I disagree with that. Friend of my mother recently had 4 accounts emptied via a very personal attack (her entire life savings/inheritance and everything else). This kind of compromise could easily have been part of the reason the attackers were able to steal her identity. Looks like she will get most of her money back, but using direct deposit and other less than secure methods for sharing online accounting information are probably the reason she ended up in the situation. She is an accountant with her own practice/business. Also, her phone may have been part of the problem.
I can understand how a locked down system would not be vulnerable in this situation. That makes sense, but security software is only present at all as a failsafe. As a result, there isn't imo a reason that Cylance should ignore doing something about the 32 bit issue for instance. Anyway, I am sure they will at some point.
What he demonstrated is that Cylance does not stop 32 bit malicious processes. So a 64 bit OS is vulnerable to a 32 bit attack.
As to your friend's mom's accounts getting wiped-out. Without a detailed forensic audit, it is speculation as to how that happened. She could have simply been careless with passwords and someone got ahold of them. Alternatively, there could have been a banking trojan on her system. Or the attack could have come from the bank side and her digital devices were never directly involved. It could have been a whole range of things that could have resulted in her losses.
- Dec 29, 2014
- 1,716
OK, this was the distinct impression I had from the video and from comments. Is there a limitation for Cylance that cannot be avoided with the 32 bit issue? I recall reading Kaspersky's explanation of the limitations there were regarding protection on a 64 bit system.
Kaspersky Lab product restrictions on 64-bit operating systems
Seems this is an inverted challenge compared to the Cylance issue...
That Kaspersky document has to do with hooking on 64-bit systems and the new mandates enforced by Microsoft.
That document has nothing to do with Cylance. Cylance just isn't protecting against 32-bit malicious processes for whatever reason(s). The other products reviewed in the video protected against 32-bit malware on a 64-bit system - as the video author notes.
Similar threads
-
- Poll
