App Review Crowdstrike Falcon Review | Tested vs Malware


Burrito

IMO these next gen AVs should not be run alone, they should be run alongside a traditional AV. A better test would be to test this along with Windows Defender. The results will be very much different.

That's it.

The "Next-Gen's" are great at what they do. But what they do is an adjunct to other capabilities.

I run CrowdStrike Falcon on one computer. I like it -- quite a bit.


ForgottenSeer 58943

Realistically, they should be combined as Burrito says and they are valuable for that purpose and catch a lot of things other suites miss.

Cylance, realistically, probably is still good to run for some people, when combined with something else. I would assume Cylance with VoodooShield set to AlwaysOn-Aggressive, is going to provide vastly superior protection than most AV suites with no system impact, right? I haven't tested that but I would like to see 1500 pieces of malware executed with a Cylance+VS combo and VS on Always/Aggressive. I highly doubt anything would execute/evade.
 

Nightwalker

ForgottenSeer 58943 said:
Realistically, they should be combined as Burrito says and they are valuable for that purpose and catch a lot of things other suites miss.

Cylance, realistically, probably is still good to run for some people, when combined with something else. I would assume Cylance with VoodooShield set to AlwaysOn-Aggressive, is going to provide vastly superior protection than most AV suites with no system impact, right? I haven't tested that but I would like to see 1500 pieces of malware executed with a Cylance+VS combo and VS on Always/Aggressive. I highly doubt anything would execute/evade.

True, but this comes at the cost of usability.

Cylance sucks if you are a gamer or need to have more "exotic" tools on your machine. I really tried to like it (@Burrito is a witness), but I can't stand its massive false positive problems.

Leo has made a very good point about Application Whitelisting, I almost agree with everything that he said:


 

DeepWeb

Can we stop saying "next-gen"? That's marketing BS. The main vendors (Eset, Kaspersky, BitDefender, Microsoft) use just as advanced technology if not even more advanced. They all use a combination of signatures, behavior blocker, machine learning, AI and HIPS and none of these things are mutually exclusive like these enterprise "next-gen" AVs want you to believe.

To think that they don't is ridiculous when they have an even bigger budget and hundreds of millions of personal computers to manage and protect around the world. The same rules apply. If you need supplemental security solutions, then don't sell it as being superior to "traditional" AVs which give you the complete package. :D
 

Nightwalker

DeepWeb said:
Can we stop saying "next-gen"? That's marketing BS. The main vendors (Eset, Kaspersky, BitDefender, Microsoft) use just as advanced technology if not even more advanced. They all use a combination of signatures, behavior blocker, machine learning, AI and HIPS and none of these things are mutually exclusive like these enterprise "next-gen" AVs want you to believe.

To think that they don't is ridiculous when they have an even bigger budget and hundreds of millions of personal computers to manage and protect around the world. The same rules apply. If you need supplemental security solutions, then don't sell it as being superior to "traditional" AVs which give you the complete package. :D

One of the best posts that I have ever read about "next-gen" AVs :emoji_clap:

Just to add my two cents, the "traditional" vendors that you mentioned spend a huge amount of resources on making products that are balanced considering system performance impact, false positives and protection. They could save much more by investing in technology similar to products like VoodooShield/SecureAPlus and Cylance, but they don't do that because, alone, those are simply inferior and don't offer the same usability level that an antivirus provides.
 

ForgottenSeer 58943

The advantage of them is they are very lightweight, and in some cases, stop non-traditional attacks (VS), and in other cases block unknown, unclassified malware, including update channel compromises (Cylance/InterceptX/Crowdstrike, etc)

Suites have more tools and technologies, but that also comes at a price of bloat, intrusiveness and heaviness. For general users, family/friends, etc. I much prefer suites. For myself, and more advanced users, I like to mix and match technology for superior protection (Anti-Exe, Lockdowns, Default Deny, SRP, AI/ML, etc).
 

davisd

Misinformation posted should be treated the same as not obeying forum rules, indirect attacks and sneaky behaviours, that is, posters should receive warnings, wouldn't that be fair? Constructive criticism should always be here, but glorifying something that isn't even the truth is just damaging to readers who may misinterpret a product's features.
 

Burrito

Next GenAV are all poops

Laughing.... but they are so much more colorful and shiny..


I do use and like both Cylance and CrowdStrike but fully understand their limitations.
 

TheMalwareMaster

I was surprised because, as said in the video, he ran his first test in learning mode and was complaining that malware was executing (learning mode is intended to make the product learn about what is good, in case there are some false positives)
 

artek

I have several problems with this video and with his testing methodology.

1st) I don't think 98.58% detection rate is a bad result (that's what his script indicates in the video).
During his Sophos test which is linked here: . Sophos had a detection rate of 97.56%. And he reiterates that it was one of the cleanest he's seen of a system doing this kind of test. But how can this be? 97.56 is clearly lower than 98.58. The difference in the rate of infection and the status of the system is more dependent on the sample set he is choosing in each video. The small percentage of files that snuck through in the Sophos test were probably either non-functional or benign, which would indicate to me that he is not curating his samples carefully enough to ensure that they contain functional and dangerous malware consistently across all of his tests. It could very well be that some of the sample sets that he chose to run during many of his tests were either easier or harder than his other tests depending on the randomness with which he selects his samples.

2nd) His operating system is out of date. Does that include security patches that would render some of the samples non-functional on a reboot? Why is the OS fully up to date in some of his videos and not others?

3rd) He tested GlassWire against ransomware samples. Said there were no notifications. Found the notifications but concluded that the firewall wouldn't be effective in stopping any real world attacks. Never mind that he left the connection blocking feature off and tested the logging features of GlassWire. Let that sink in. He tested network logging features in their ability to stop ransomware samples. Which suggests to me that he is either incompetent or he's designing tests in a way that conforms with his bias. Wouldn't it make way more sense to use a trojan instead of a ransomware sample to test this kind of feature? You're going to get way more network chatter with the trojan.
 

436880927

@artek Leo from TPSC is just a kid. His tests are not credible and should just be ignored.

As for your point about operating system version, most enterprises are still using older versions of Windows... and those that are using Windows 10 are likely to be found running versions like 1803/9.

CrowdStrike is designed and developed for enterprises.

I've spoken to people from Romania who are either ex-employees or currently employed and I closely follow the work of someone who has a big role in CrowdStrike - and I have for years. They know what they are doing and they are doing good work.

CrowdStrike might be limited in certain areas however enterprises using it who are serious will have the areas covered which CrowdStrike either doesn't cover completely or not very well - like with any other endpoint protection solution.

It goes without saying that you will want dedicated hardware appliances for areas like network protection for an efficient implementation. And... such things you will want isolated from reach from the actual endpoints, because if an endpoint is compromised, software-level technologies will be an easier reach to an attacker.

Anyway, the point is that CrowdStrike are doing a good job and I advise none of you bother to waste your time caring about people on YouTube playing with malware packs and testing solutions they know nothing about from a technical perspective (or any AVs for that matter).

Just ignore the kid. It is irrelevant in the real world. The only people who really watch his content with seriousness and care are kid/adult enthusiasts who are none the wiser. ;)
 

ForgottenSeer 58943

VoodooShield is a simple anti-executable - it does not stop "non-traditional attacks".

@ForgottenSeer 58943 Stop spreading nonsense.

Everyone knows about your longstanding vendetta against Dan. So let's get that out there for posterity so people know there is a history and we can move on to more important matters.

Get Cylance or Crowdstrike+VS (Always On, Aggressive) over to the malware hub in appropriately allocated VMs, throw everything at it, including non-traditional attacks, and let's see the test results. I think it would be interesting.

Back on topic, I think CS is an interesting offering, but probably needs some ancillary assistance.
 