BSidesMCR 2018: Next Gen AV vs My Shitty Code by James Williams

upnorth

Interesting tests on Norton, Sophos, Eset, McAfee, SentinelOne and Cylance. Demo starts at 16:50 in the video. Thanks for the share @FleischmannTV (y)

SentinelOne is rather upset with the talk, funnily enough titled "Next-gen AV vs my shitty code." To stop people seeing it, the Silicon Valley biz filed a copyright-infringement complaint to make YouTube remove a recording of the presentation from the BSides Manchester channel. Williams told El Reg he has yet to hear the reasoning on why the video has been taken down, while BSides Manchester organizers said they are still reviewing the video and trying to work out what got SentinelOne so upset. For one thing, his presentation did not include any source code nor any other sensitive intellectual property owned by SentinelOne, from what we can tell. The Register pinged SentinelOne for comment, which in turn revealed it was a tad unhappy with the presentation, something something something, copyright and trademark claim. A spokesperson told us:

We strongly support the work of BSides and participated in the conference earlier this year by sending our own researchers. We're always open to feedback, but we expect that feedback to come through the use of a supported version of our product and this video showed our 1.8.4 version which reached its end of life earlier this year (our notification from March can be found here). In addition, as we are protecting critical global enterprises, if a party believes there's a bug in our product, we expect them to follow the common disclosure practices in place that protect the entire community. From a legal perspective, the video breached our terms of service, copyright laws, and trademark laws. It was removed lawfully after being reviewed by YouTube. With that said, we've invited the author to collaborate with us on a supported version and look forward to that opportunity.

El Reg has asked for clarification on what exactly the infringing content was – because a breach of the antivirus maker's terms-of-service is not a valid reason to take down a video – and has yet to hear back at the time of publication. The video was restored to YouTube by 10am PT on Saturday.

SentinelOne makes YouTube delete Bsides vid 'cuz it didn't like the way bugs were reported
 

509322

OK, watched it. Mostly sounded like Martian to me except I took Latin so understood the gist of his presentation. And notice who was the fairest amongst maidens here? :)

In a nutshell, he explicitly stated if he used 32-bit Meterpreter he could disable Cylance and pwn the system. A solution that applies protection against 64 bit, but not 32 bit, is no solution at all as opposed to a partial solution. Such utilities can be easily thwarted by disabling stuff on Windows. It is simple enough and causes little to no inconvenience for the vast majority of home users. And for enterprise users that know what they're doing, there are multiple ways to disable stuff and get it to work without major inconvenience.

Technically, did Cylance do better than the others ? Yes, it did. One cannot dispute that fact. However, those that want Cylance to be better, will pick that up, and twist it and re-purpose it to fit "Cylance is better."

The issue with Meterpreter, Metasploit, PowerSploit - and the ad infinitum other utilities - is that they are used primarily in targeted attacks. Basically, "user session" attacks. And most people here already know the basic economic issues of targeting home users.
 

oldschool

Yes, I got the 32-bit idea. Like I say, it was my highschool Latin that did it. :) I take all of it with a good helping of salt. (y):notworthy:
 

509322

Pen-testers famously make "bypass" videos using Meterpreter and similar utilities. Invariably, they fail to show what happens when stuff is disabled using the security softs that they are testing. I remember the various ciphers attempting the same. All bogus tests. Not even mentioning that some of the security softs that they tested were years old versions (obsolete).
 

ForgottenSeer 58943

These tests are completely bogus. Also, if he wanted to do this to ANY software, he could. His 'constructs' could make any security solution look bad. But as Lockdown says, they're completely bogus tests for a variety of reasons, not the least of which is that delivery of his payload wouldn't likely be possible (to a remote client), and he's assuming there aren't any other protections or lockdowns in place.

Again, this reminds me of the people picking unpickable locks, then posting videos, then inciting endless arguments over those videos, then referencing other fake videos to keep people quiet. It's endless entertainment that is absolutely bogus. To do this they remove the shroud, dismantle the lock, study it for weeks, re-assemble it, craft special tools to pick it, then spend days, and dozens upon dozens of attempts to pick it, then declare the unpickable/new/high claim lock to be 'garbage'. Then the peanut gallery chimes in and starts saying the lock sucks, the company needs to change their website, and that free locks are just as good.. Sound familiar?


"Awesome job +bosnianbill! Bi-Lock is going to have to change the claim on their website. "

""Picki proof" they say on their website. Obviously not entirely.. "

"So the new locks suck just get free ones at garage sales"

PS: Yes Cylance did the best on that targeted attack. Good enough to where he couldn't demonstrate a bypass for it. But I still think these tests are bogus regardless.
 

AtlBo

Anyone know how OSArmor would do against this single type of bypass?

On 32 v 64 bit attacks. Does this mean that a 64 bit OS running Cylance is not vulnerable at all or are 32 bit Windows processes within a 64 bit OS still vulnerable? I thought his test was showing that a 32 bit application in Windows 64 can be compromised, so that Cylance can then be disabled...or at least that it was explained this way if not demoed.

Oh yeah, no money in this kind of compromise of a home PC? I disagree with that. Friend of my mother recently had 4 accounts emptied via a very personal attack (her entire life savings/inheritance and everything else). This kind of compromise could easily have been part of the reason the attackers were able to steal her identity. Looks like she will get most of her money back, but using direct deposit and other less than secure methods for sharing online accounting information are probably the reason she ended up in the situation. She is an accountant with her own practice/business. Also, her phone may have been part of the problem.

I can understand how a locked down system would not be vulnerable in this situation. That makes sense, but security software is only present at all as a failsafe. As a result, there isn't imo a reason that Cylance should ignore doing something about the 32 bit issue for instance. Anyway, I am sure they will at some point.
 

509322

What he demonstrated is that Cylance does not stop 32 bit malicious processes. So a 64 bit OS is vulnerable to a 32 bit attack.

As to your friend's mom's accounts getting wiped-out. Without a detailed forensic audit, it is speculation as to how that happened. She could have simply been careless with passwords and someone got ahold of them. Alternatively, there could have been a banking trojan on her system. Or the attack could have come from the bank side and her digital devices were never directly involved. It could have been a whole range of things that could have resulted in her losses.
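The 32-bit-versus-64-bit distinction the two posts above keep circling is something a defender can check directly: a 32-bit executable on 64-bit Windows runs under the WoW64 subsystem, and the PE header records which kind of image a file is. The Python below is an added example, not code from the talk, from Cylance or from anyone in this thread. The header-only PE images it builds are constructed for offline use and contain no actual code. It reads the COFF Machine field and the optional-header Magic and requires that they agree, so a file whose headers have been tampered with is rejected rather than quietly classified.

```python
"""
Classify a Windows PE file as 32-bit (runs under WoW64 on x64 Windows) or
64-bit by reading its headers. Added example for this thread; the minimal
PE images produced by build_min_pe() are constructed by hand for offline
testing and carry no code at all.
"""
import struct

# COFF Machine values from the Microsoft PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
# Optional-header Magic values: PE32 is a 32-bit image, PE32+ is 64-bit.
PE32_MAGIC = 0x010B
PE32PLUS_MAGIC = 0x020B

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "i386",
    IMAGE_FILE_MACHINE_AMD64: "amd64",
    IMAGE_FILE_MACHINE_ARM64: "arm64",
}


def classify_pe(data: bytes) -> dict:
    """Return {'machine': str, 'bits': 32 or 64, 'wow64_on_x64': bool}.

    Raises ValueError for anything that is not a consistent PE image, so a
    truncated or spoofed header is reported instead of being misclassified.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew at DOS-header offset 0x3C points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes) follows the signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, _nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if machine not in MACHINE_NAMES:
        raise ValueError(f"unknown machine 0x{machine:04x}")
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + 2 > len(data):
        raise ValueError("optional header missing")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    bits = 32 if machine == IMAGE_FILE_MACHINE_I386 else 64
    # Cross-check: Machine and optional-header Magic must tell the same story.
    expected_magic = PE32_MAGIC if bits == 32 else PE32PLUS_MAGIC
    if magic != expected_magic:
        raise ValueError(
            f"machine {MACHINE_NAMES[machine]} but optional header magic 0x{magic:04x}")
    return {"machine": MACHINE_NAMES[machine], "bits": bits,
            "wow64_on_x64": bits == 32}


def build_min_pe(machine: int, magic: int) -> bytes:
    """Construct a header-only PE image (no sections, no code) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", magic) + b"\0" * 30       # start of optional header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0002)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    samples = (
        ("32-bit", build_min_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)),
        ("64-bit", build_min_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)),
    )
    for label, image in samples:
        print(label, classify_pe(image))
```

For a running process rather than a file on disk, the same question is answered by the Win32 `IsWow64Process` API in kernel32. Knowing that a payload is 32-bit only tells you which execution path it takes on an x64 host; whether a given product instruments that path is exactly what the talk was probing, and nothing in this snippet settles that.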
 

AtlBo

OK, this was the distinct impression I had from the video and from comments. Is there a limitation for Cylance that cannot be avoided with the 32 bit issue? I recall reading Kaspersky's explanation of the limitations there were regarding protection on a 64 bit system.

Kaspersky Lab product restrictions on 64-bit operating systems

Seems this is an inverted challenge compared to the Cylance issue...
 

509322

That Kaspersky document has to do with hooking on 64-bit systems and the new mandates enforced by Microsoft.

That document has nothing to do with Cylance. Cylance just isn't protecting against 32-bit malicious processes for whatever reason(s). The other products reviewed in the video protected against 32-bit malware on a 64-bit system - as the video author notes.
 
