ticklemefeet

Level 22
Verified
Today when I returned home, I noticed Cylance had quarantined NDIS.SYS. Right away I went to see if I had any updates to Windows and sure enough I did and was just waiting for a restart. Last time I had an OS update Cylance did the same thing. Cylance marked it as suspicious. Anyway, I allowed the file and added it to the safe list.
This is the newest insider build. Just a heads up.
 

Slyguy

Level 41
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
 

ticklemefeet

Level 22
Verified
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
I hear what you are saying Sly but this happens each time a new insider update comes along. The file changes. I still allowed the file. Besides, if the file was bad either Appguard or Voodooshield would have said something.
 

Deleted Member 3a5v73x

Now let's imagine it being detected as suspicious/abnormal on stable builds. Would you still Safe List it? Well, I must say I would be a bit worried and would probably run some on-demand scanners and compare the new Windows driver with the legit one. I have never seen up to this date C detecting system files, but on Insider builds I consider that normal behaviour. I know that some would disagree and go like "omg dumbass AV's flagging Windows system files lololo". I first would read for any Microsoft news online; if that was a global compromise through the Windows Update channels, that would snowball into tremendous problems for Microsoft, I don't even wanna think what would happen.. *hides in bunker*
 

Burrito

Level 14
Verified
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
Yeah, Sly has a good point on this. I like it too.
 

Burrito

Level 14
Verified
I have never seen up to this date C detecting system files' but on Insider's I consider that as normal behaviour..... hides in bunker*
I think so too. It's actually telling to me -- in a good way -- that Cylance detects this. To me... this is just another reason why Cylance may actually provide value to a security setup.
 

509322

Today when I returned home, I noticed Cylance had quarantined NDIS.SYS. Right away I went to see if I had any updates to Windows and sure enough I did and was just waiting for a restart. Last time I had an OS update Cylance did the same thing. Cylance marked it as suspicious. Anyway, I allowed the file and added it to the safe list.
This is the newest insider build. Just a heads up.
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
Now let's imagine it being detected as suspicious/abnormal on stable builds. Would you still Safe List it? Well, I must say I would be a bit worried and would probably run some on-demand scanners and compare the new Windows driver with the legit one. I have never seen up to this date C detecting system files, but on Insider builds I consider that normal behaviour. I know that some would disagree and go like "omg dumbass AV's flagging Windows system files lololo". I first would read for any Microsoft news online; if that was a global compromise through the Windows Update channels, that would snowball into tremendous problems for Microsoft, I don't even wanna think what would happen.. *hides in bunker*
I think so too. It's actually telling to me -- in a good way -- that Cylance detects this. To me... this is just another reason why Cylance may actually provide value to a security setup.
Without a detailed explanation from Cylance itself, no one knows what triggered Cylance to "detect" NDIS.SYS. All that might have been necessary for Cylance to "detect" it is any change that modifies the file - in other words the hash. And, furthermore, from Cylance's own technical perspective, it might actually consider the detection a false positive - even in WIP builds.

It's a completely valid point. And the way Cylance works it can happen. Here's an example at the drive level.

Duplicate Device On Windows 10 After Update
 

ticklemefeet

Level 22
Verified
I don't have Cylance set to advanced UI but my portal shows it listed as a windows update file with a hash of
SHA256: dcb4a4a4ff4691695e9d7992cd05969c211704b22f976b83b82a27c762c1e19c

I did a web search and VT search for that hash and came up with nothing. I submitted this to the Cylance forum but from what I see there, hardly any posts get answered.
 
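The two checks the thread keeps circling back to (the earlier "compare the new Windows driver with the legit one" and the SHA256 that came up empty on VT) can be done locally without waiting on a vendor forum. The script below is an added example written for this page; it is not from any poster and not Cylance's tooling. It assumes Windows 10 with Windows PowerShell 5.1, the default driver path C:\Windows\System32\drivers\ndis.sys, and an elevated prompt if you want the sfc step to run. The hash you paste in as -ExpectedSha256 is whatever your console reports; the one in the post above is only an example of such a value.

```powershell
# Added example (not from the thread): decide whether a quarantined Windows driver
# deserves a Safe List entry by checking its signature, not just its hash.
# Assumptions: Windows 10, Windows PowerShell 5.1, default ndis.sys path,
# elevation for the optional sfc /verifyfile step.
param(
    [string]$Path = "$env:SystemRoot\System32\drivers\ndis.sys",
    [string]$ExpectedSha256 = ''   # hash shown in the EDR console; empty = just report the local hash
)

function Test-DriverTrust {
    param([string]$FilePath, [string]$ExpectedHash)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    # 1. SHA256 of the on-disk file, the value you would search on VT or compare with the console.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $hashMatches = if ($ExpectedHash) { $hash -ieq $ExpectedHash } else { $null }

    # 2. Authenticode. Get-AuthenticodeSignature also consults the signed catalogs under
    #    catroot when the PE carries no embedded signature, so catalog-signed OS files
    #    still report Valid. A brand-new hash with a valid Microsoft signature is what a
    #    freshly serviced system file looks like; a new hash with no valid signature is not.
    $sig    = Get-AuthenticodeSignature -LiteralPath $FilePath
    $signer = $sig.SignerCertificate
    $msSigned = ($sig.Status -eq 'Valid') -and ($null -ne $signer) -and ($signer.Subject -like '*Microsoft*')

    # 3. Version resource: the file version should line up with the installed build.
    $ver = (Get-Item -LiteralPath $FilePath).VersionInfo

    # 4. Compare with the copy Windows Update staged in the component store. Note the
    #    System32 file is usually a hard link to the WinSxS copy, so a match is weak
    #    evidence; a mismatch is the interesting result.
    $leaf = Split-Path -Path $FilePath -Leaf
    $sxsCopies = Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Recurse -Filter $leaf -File -ErrorAction SilentlyContinue
    $sxsMatch = $false
    foreach ($copy in $sxsCopies) {
        if ((Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash -ieq $hash) {
            $sxsMatch = $true
            break
        }
    }

    [pscustomobject]@{
        Path            = $FilePath
        SHA256          = $hash
        MatchesExpected = $hashMatches
        SignatureStatus = $sig.Status
        SignatureKind   = $sig.SignatureType      # Embedded, Catalog or None
        Signer          = if ($signer) { $signer.Subject } else { '<none>' }
        MicrosoftSigned = $msSigned
        FileVersion     = $ver.FileVersion
        ProductVersion  = $ver.ProductVersion
        MatchesWinSxS   = $sxsMatch
    }
}

$result = Test-DriverTrust -FilePath $Path -ExpectedHash $ExpectedSha256
$result | Format-List

# 5. Let Windows Resource Protection verify the file against its own catalogs (needs elevation).
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    sfc /verifyfile="$Path"
} else {
    Write-Warning 'Not elevated: skipping sfc /verifyfile. Run from an administrator prompt to include it.'
}

if (-not $result.MicrosoftSigned) {
    Write-Warning 'No valid Microsoft signature on this file. Do not Safe List it on the strength of a hash alone.'
}
```

Run it as `.\Test-DriverTrust.ps1 -ExpectedSha256 <hash from the console>` right after the update lands and before rebooting. The point of the signature check is that a hash nobody has seen yet is exactly what you expect from a driver that Windows Update just replaced, so an empty VT result on its own says nothing either way; a `Valid` Microsoft signature plus a version that matches the new build is what separates "new file" from "wrong file".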

oldschool

Level 30
Verified
I don't have Cylance set to advanced UI but my portal shows it listed as a windows update file with a hash of
SHA256: dcb4a4a4ff4691695e9d7992cd05969c211704b22f976b83b82a27c762c1e19c

I did a web search and VT search for that hash and came up with nothing. I submitted this to the Cylance forum but from what I see there, hardly any posts get answered.
You submit it right through the portal via a pop-up when you allow a file. Isn't that what you experienced?

Edit: I had a couple of blocks yesterday and I'm now coming to wonder about quarantined files. There is allow and you can mark allowed file as safe - but does allowing as safe mean it gets sent to Cylance? Of the two blocks I had yesterday (neither of which was allowed as Safe), one was abnormal and was analyzed as safe and one was not, so I emailed support to find out how to submit, etc.
 
