- Jun 12, 2014
SentinelOne – is rather upset with the talk, funnily enough titled "Next-gen AV vs my shitty code." To stop people seeing it, the Silicon Valley biz filed a copyright-infringement complaint to make YouTube remove a recording of the presentation from the BSides Manchester channel. Williams told El Reg he has yet to hear the reasoning on why the video has been taken down, while BSides Manchester organizers said they are still reviewing the video and claim to work out what got SentinelOne so upset. For one thing, his presentation did not include any source code nor any other sensitive intellectual property owned by SentinelOne, from what we can tell. The Register pinged SentinelOne for comment, which in turn revealed it was a tad unhappy with the presentation, something something something, copyright and trademark claim. A spokesperson told us:
We strongly support the work of BSides and participated in the conference earlier this year by sending our own researchers. We're always open to feedback, but we expect that feedback to come through the use of a supported version of our product and this video showed our 1.8.4 version which reached its end of life earlier this year (our notification from March can be found here). In addition, as we are protecting critical global enterprises, if a party believes there's a bug in our product, we expect them to follow the common disclosure practices in place that protect the entire community. From a legal perspective, the video breached our terms of service, copyright laws, and trademark laws. It was removed lawfully after being reviewed by YouTube. With that said, we've invited the author to collaborate with us on a supported version and look forward to that opportunity.
El Reg has asked for clarification on what exactly the infringing content was – because a breach of the antivirus maker's terms-of-service is not a valid reason to take down a video – and has yet to hear back at the time of publication. The video was restored to YouTube by 10am PT on Saturday.
OK, watched it. Mostly sounded like Martian to me except I took Latin so understood the gist of his presentation. And notice who was the fairest amongst maidens here?
In a nutshell, he explicitly stated if he used 32-bit Meterpreter he could disable Cylance and pwn the system. A solution that applies protection against 64 bit, but not 32 bit, is no solution at all as opposed to a partial solution. Such utilities can be easily thwarted by disabling stuff on Windows. It is simple enough and causes little to no inconvenience for the vast majority of home users. And for enterprise users that know what they're doing, there are multiple ways to disable stuff and get it to work without major inconvenience.
Technically, did Cylance do better than the others? Yes, it did. One dispute that fact. However, those that want Cylance to be better, will pick that up, and twist it and re-purpose it to fit "Cylance is better."
The issue with Meterpreter, Metasploit, PowerSploit - and the ad infinitum other utilities - is that they are used primarily in targeted attacks. Basically, "user session" attacks. And most people here already know the basic economic issues of targeting home users.
Yes, I got the 32-bit idea. Like I say, it was my highschool Latin that did it. I take all of it with a good helping of salt. :notworthy:
Pen-testers famously make "bypass" videos using Meterpreter and similar utilities. Invariably, they fail to show what happens when stuff is disabled using the security softs that they are testing. I remember the various ciphers attempting the same. All bogus tests. Not even mentioning that some of the security softs that they tested were years old versions (obsolete).
Anyone know how OSArmor would do against this single type of bypass?
On 32 v 64 bit attacks. Does this mean that a 64 bit OS running Cylance is not vulnerable at all or are 32 bit Windows processes within a 64 bit OS still vulnerable? I thought his test was showing that a 32 bit application in Windows 64 can be compromised, so that Cylance can then be disabled...or at least that it was explained this way if not demoed.
Oh yeah, no money in this kind of compromise of a home PC? I disagree with that. Friend of my mother recently had 4 accounts emptied via a very personal attack (her entire life savings/inheritance and everything else). This kind of compromise could easily have been part of the reason the attackers were able to steal her identity. Looks like she will get most of her money back, but using direct deposit and other less than secure methods for sharing online accounting information are probably the reason she ended up in the situation. She is an accountant with her own practice/business. Also, her phone may have been part of the problem.
I can understand how a locked down system would not be vulnerable in this situation. That makes sense, but security software is only present at all as a failsafe. As a result, there isn't imo a reason that Cylance should ignore doing something about the 32 bit issue for instance. Anyway, I am sure they will at some point.
What he demonstrated is that Cylance does not stop 32 bit malicious processes. So a 64 bit OS is vulnerable to a 32 bit attack.
OK, this was the distinct impression I had from the video and from comments. Is there a limitation for Cylance that cannot be avoided with the 32 bit issue? I recall reading Kaspersky's explanation of the limitations there were regarding protection on a 64 bit system.
Kaspersky Lab product restrictions on 64-bit operating systems
Seems this is an inverted challenge compared to the Cylance issue...