Advice Request Cylance and NDIS.SYS

  • Thread starter ForgottenSeer 69673
  • Start date

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.
F

ForgottenSeer 69673

Thread author
Today when I returned home, I noticed Cylance had quarantined NDIS.SYS. Right away I went to see if I had any updates to Windows and sure enough I did and was just waiting for a restart. Last time I had an OS update Cylance did the same thing. Cylance marked it as suspicious. Anyway, I allowed the file and added it to the safe list.
This is the newest insider build. Just a heads up.
 
  • Like
Reactions: DeepWeb, Nightwalker, oldschool and 1 other person
F

ForgottenSeer 58943

Thread author
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
 
  • Like
Reactions: simmerskool, AtlBo and oldschool
F

ForgottenSeer 69673

Thread author
ForgottenSeer 58943 said:
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
Click to expand...
I hear what you are saying Sly but this happens each time a new insider update comes along. The file change. I still allowed the file. Besides, if the file was bad either Appguard or Voodooshield would have said something.
 
  • Like
Reactions: upnorth and oldschool
D

Deleted Member 3a5v73x

Thread author
Now let's imagine it being detected as suspicious/abnormal on stable builds. Would you still Safe List it? Well, I must say I would be a bit worried and probably run some some on-demand scanners and compare new Windows driver with the legit one. I have never seen up to this date C detecting system files' but on Insider's I consider that as normal behaviour, I know that some would disagree and go like "omg dumbass AV's flagging Windows system files' lololo" I first would read for any Microsoft news online, if that was a global compromise through the Windows Update channels, that would snowball into tremendous problems for Microsoft, I don't even wanna think what would happen.. *hides in bunker*
 
Last edited by a moderator:
  • Like
Reactions: AtlBo, oldschool, Nightwalker and 1 other person
Burrito

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
ForgottenSeer 58943 said:
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
Click to expand...

Yeah, Sly has a good point on this. I like it too.
 
  • Like
Reactions: ForgottenSeer 58943 and oldschool
Burrito

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
davisd said:
I have never seen up to this date C detecting system files' but on Insider's I consider that as normal behaviour..... hides in bunker*
Click to expand...

I think so too. It's actually telling to me -- in a good way -- that Cylance detects this. To me... this is just another reason why Cylance may actually provide value to a security setup.
 
  • Like
Reactions: oldschool and Nightwalker
5

509322

Thread author
ticklemefeet said:
Today when I returned home, I noticed Cylance had quarantined NDIS.SYS. Right away I went to see if I had any updates to Windows and sure enough I did and was just waiting for a restart. Last time I had an OS update Cylance did the same thing. Cylance marked it as suspicious. Anyway, I allowed the file and added it to the safe list.
This is the newest insider build. Just a heads up.
Click to expand...

ForgottenSeer 58943 said:
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
Click to expand...

davisd said:
Now let's imagine it being detected as suspicious/abnormal on stable builds. Would you still Safe List it? Well, I must say I would be a bit worried and probably run some some on-demand scanners and compare new Windows driver with the legit one. I have never seen up to this date C detecting system files' but on Insider's I consider that as normal behaviour, I know that some would disagree and go like "omg dumbass AV's flagging Windows system files' lololo" I first would read for any Microsoft news online, if that was a global compromise through the Windows Update channels, that would snowball into tremendous problems for Microsoft, I don't even wanna think what would happen.. *hides in bunker*
Click to expand...

Burrito said:
I think so too. It's actually telling to me -- in a good way -- that Cylance detects this. To me... this is just another reason why Cylance may actually provide value to a security setup.
Click to expand...

Without a detailed explanation from Cylance itself, no one knows what triggered Cylance to "detect" NDIS.SYS. All that might have been necessary for Cylance to "detect" it is any change that modifies the file - in other words the hash. And, furthermore, from Cylance's own technical perspective, it might actually consider the detection a false positive - even in WIP builds.

It's a completely valid point. And the way Cylance works it can happen. Here's an examply at the drive level.

Duplicate Device On Windows 10 After Update
 
Last edited by a moderator:
  • Like
Reactions: Nightwalker, In2an3_PpG and oldschool
F

ForgottenSeer 69673

Thread author
I don't have Cylance set to advanced UI but my portal shows it listed as a windows update file with a hash of
SHA256: dcb4a4a4ff4691695e9d7992cd05969c211704b22f976b83b82a27c762c1e19c

I did a web search and VT search for that hash and came up with nothing. I submitted this to the Cylance forum but from what I see there, hardly any posts get answered.
 
  • Like
Reactions: Azure and oldschool
oldschool

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,612
ticklemefeet said:
I don't have Cylance set to advanced UI but my portal shows it listed as a windows update file with a hash of
SHA256: dcb4a4a4ff4691695e9d7992cd05969c211704b22f976b83b82a27c762c1e19c

I did a web search and VT search for that hash and came up with nothing. I submitted this to the Cylance forum but from what I see there, hardly any posts get answered.
Click to expand...

You submit it right through the portal via a pop-up when you allow a file. Isn't that what you experienced?

Edit: I had a couple of blocks yesterday and I'm now coming to wonder about quarantined files. There is allow and you can mark allowed file as safe - but does allowing as safe mean it gets sent to Cylance? Of the two blocks I had yesterday (neither of which was allowed as Safe), one was abnormal and was analyzed as safe and one was not, so I emailed support to find out how to submit, etc.
 
Last edited:
  • Like
Reactions: Burrito and ForgottenSeer 58943
F

ForgottenSeer 69673

Thread author
Ok today I got another insider update. This time Cylance flagged a file as suspicious but did not quarinten it. My portal not says at risk. The file is
dnsapi.dll
 
  • Like
Reactions: oldschool and upnorth
Status
Not open for further replies.

Similar threads

Cleo
    • Wow
    • Sad
Advice Request Norton Password Manager vault missing after iPhone upgrade
Replies
35
Views
3,051
Norton
Jonny Quest
Jonny Quest
Ikunga
    • Wow
    • Like
Advice Request I Installed SpyShelter Premium and Now None of My Browsers are working.
Replies
4
Views
1,490
Other security for Windows, Mac, Linux
NormanF
N
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review ESET Smart Security Premium 2024
Replies
20
Views
3,864
Video Reviews - Security and Privacy
Shadowra
Shadowra

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top