Advice Request Cylance and NDIS.SYS

  • Thread starter ForgottenSeer 69673

ForgottenSeer 69673

Thread author
Today when I returned home, I noticed Cylance had quarantined NDIS.SYS. Right away I went to see if I had any updates to Windows and sure enough I did and was just waiting for a restart. Last time I had an OS update Cylance did the same thing. Cylance marked it as suspicious. Anyway, I allowed the file and added it to the safe list.
This is the newest insider build. Just a heads up.
 
ForgottenSeer 58943

This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
 
ForgottenSeer 69673

Thread author
This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.
I hear what you are saying, Sly, but this happens each time a new Insider update comes along. The file changed. I still allowed the file. Besides, if the file was bad, either AppGuard or VoodooShield would have said something.
 
Deleted Member 3a5v73x

Now let's imagine it being detected as suspicious/abnormal on stable builds. Would you still Safe List it? Well, I must say I would be a bit worried and probably run some on-demand scanners and compare the new Windows driver with the legit one. I have never seen, up to this date, C detecting system files, but on Insider's I consider that normal behaviour. I know that some would disagree and go like "omg dumbass AV's flagging Windows system files lololo". I first would read for any Microsoft news online; if that was a global compromise through the Windows Update channels, that would snowball into tremendous problems for Microsoft. I don't even wanna think what would happen.. *hides in bunker*
 

Burrito

This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.

Yeah, Sly has a good point on this. I like it too.
 

Burrito

I have never seen, up to this date, C detecting system files, but on Insider's I consider that normal behaviour..... *hides in bunker*

I think so too. It's actually telling to me -- in a good way -- that Cylance detects this. To me... this is just another reason why Cylance may actually provide value to a security setup.
 
509322

Today when I returned home, I noticed Cylance had quarantined NDIS.SYS. Right away I went to see if I had any updates to Windows and sure enough I did and was just waiting for a restart. Last time I had an OS update Cylance did the same thing. Cylance marked it as suspicious. Anyway, I allowed the file and added it to the safe list.
This is the newest insider build. Just a heads up.

This is one of the things I like about Cylance, it will alert you to suspicious changes it hasn't seen before on millions of endpoints. I like that. It's protective since we already know of things like TCP Quantum redirects for updates/downloads, TAO, RE'd products and update channel compromises.

Now let's imagine it being detected as suspicious/abnormal on stable builds. Would you still Safe List it? Well, I must say I would be a bit worried and probably run some on-demand scanners and compare the new Windows driver with the legit one. I have never seen, up to this date, C detecting system files, but on Insider's I consider that normal behaviour. I know that some would disagree and go like "omg dumbass AV's flagging Windows system files lololo". I first would read for any Microsoft news online; if that was a global compromise through the Windows Update channels, that would snowball into tremendous problems for Microsoft. I don't even wanna think what would happen.. *hides in bunker*

I think so too. It's actually telling to me -- in a good way -- that Cylance detects this. To me... this is just another reason why Cylance may actually provide value to a security setup.

Without a detailed explanation from Cylance itself, no one knows what triggered Cylance to "detect" NDIS.SYS. All that might have been necessary for Cylance to "detect" it is any change that modifies the file - in other words the hash. And, furthermore, from Cylance's own technical perspective, it might actually consider the detection a false positive - even in WIP builds.

It's a completely valid point. And the way Cylance works, it can happen. Here's an example at the drive level.

Duplicate Device On Windows 10 After Update
 
ForgottenSeer 69673

Thread author
I don't have Cylance set to advanced UI, but my portal shows it listed as a Windows update file with a hash of
SHA256: dcb4a4a4ff4691695e9d7992cd05969c211704b22f976b83b82a27c762c1e19c

I did a web search and VT search for that hash and came up with nothing. I submitted this to the Cylance forum but from what I see there, hardly any posts get answered.
 
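A defender's triage for the situation discussed in this thread, as an added example (not code from the thread, from Microsoft or from Cylance): it recomputes the SHA256 of the local driver and compares it with the hash posted from the portal, checks that the Authenticode signature is valid and chains to the Microsoft Windows signer, reads the version resource, and asks sfc /VERIFYFILE whether the component store agrees. The ndis.sys path and the portal hash are assumed defaults taken from the posts above; substitute the values from your own console.

```powershell
# Added example, not from the thread or from Cylance: triage a Windows driver that an AV
# flagged after an update before deciding whether to safe-list it.
# Assumed defaults: the ndis.sys path and the SHA256 that ForgottenSeer 69673 posted from
# the portal. Run from an elevated PowerShell so sfc.exe can read the component store.
param(
    [string]$Path = "$env:SystemRoot\System32\drivers\ndis.sys",
    [string]$PortalSha256 = 'dcb4a4a4ff4691695e9d7992cd05969c211704b22f976b83b82a27c762c1e19c'
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Is the file on disk the same object the console flagged? (A changed hash is all a
#    hash-keyed detection needs to fire; it says nothing by itself about maliciousness.)
$localHash   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
$hashMatches = $localHash -ieq $PortalSha256
"SHA256 on disk : $localHash"
"Matches portal : $hashMatches"

# 2. Authenticode. On Windows 10 this cmdlet also consults the security catalogs, so
#    catalog-signed OS binaries come back Valid with IsOSBinary set.
$sig      = Get-AuthenticodeSignature -LiteralPath $file.FullName
$signerOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft Windows*')
"Signature      : $($sig.Status) (OS binary: $($sig.IsOSBinary))"
"Signer         : $($sig.SignerCertificate.Subject)"

# 3. Version resource: an Insider build ships a new file version; an unexpected company
#    name or no version block at all is a reason to stop and look closer.
$vi = $file.VersionInfo
"File version   : $($vi.FileVersion)"
"Company        : $($vi.CompanyName)"

# 4. Ask the component store whether this is the file Windows itself expects.
#    sfc.exe writes UTF-16; switch the console encoding so the captured text is readable.
$prevEnc = [Console]::OutputEncoding
try {
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    $sfc = & "$env:SystemRoot\System32\sfc.exe" /VERIFYFILE="$($file.FullName)" 2>&1
} finally {
    [Console]::OutputEncoding = $prevEnc
}
"SFC            : $(($sfc | Where-Object { $_ -match '\S' }) -join ' ')"

if ($hashMatches -and $signerOk) {
    'Verdict: same file the console flagged, validly signed by Microsoft Windows; a version change after the update is the likely trigger.'
} else {
    'Verdict: do not safe-list yet; the hash or the signature does not check out.'
}
```

If the on-disk hash does not match the portal value, the file has changed again since the alert (another update, or a rollback), and the comparison has to be redone against the current console entry.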

oldschool

I don't have Cylance set to advanced UI, but my portal shows it listed as a Windows update file with a hash of
SHA256: dcb4a4a4ff4691695e9d7992cd05969c211704b22f976b83b82a27c762c1e19c

I did a web search and VT search for that hash and came up with nothing. I submitted this to the Cylance forum but from what I see there, hardly any posts get answered.

You submit it right through the portal via a pop-up when you allow a file. Isn't that what you experienced?

Edit: I had a couple of blocks yesterday and I'm now coming to wonder about quarantined files. There is allow, and you can mark an allowed file as safe - but does allowing as safe mean it gets sent to Cylance? Of the two blocks I had yesterday (neither of which was allowed as Safe), one was abnormal and was analyzed as safe and one was not, so I emailed support to find out how to submit, etc.
 

ForgottenSeer 69673

Thread author
OK, today I got another Insider update. This time Cylance flagged a file as suspicious but did not quarantine it. My portal now says at risk. The file is
dnsapi.dll
 