Cylance Articles & thoughts

[Brie]

if cylance is so good, why does it do so poorly in the hub? syshardener and smartscreen alone, did far better.

cylance was infected in 3 out of 3 tests.

the 1st test ended as infected.
---------------------------------------------------------------------------------------------------------------------------------
RoboMan
Level 25Content CreatorVerified
Aug 13, 2018
Add bookmark
#8
Containment: VirtualBox-5.2.16
Guest/OS: Windows 10 x64 build 1803
Product: Cylance Smart Antivirus (default settings)
Static (On-demand scan): n/a (it automatically scanned the folder, no option to manually scan)
Dynamic (On execution): 0/1
Total: 0/1
SUD: Yes
VPN: Windscribe Free
System Status: Infected
Files encrypted: No
Second Opinion Scanners: Infected
-----------------------------------------------------------------------------------------------------------------------------------
RoboMan
Level 25Content CreatorVerified
Aug 10, 2018
Add bookmark
#5
Containment: VirtualBox-5.2.16
Guest/OS: Windows 10 x64 build 1803
Product: Cylance Smart Antivirus (default settings)
Static (On-demand scan): 8/17 (it automatically scanned the folder, no option to manually scan)
Dynamic (On execution): 7/9
Total: 15/17
SUD: Yes
VPN: Windscribe Free
System Status: Infected
Files encrypted: No
Second Opinion Scanners: Infected
-------------------------------------------------------------------------------------------------------------------------------

 

[ForgottenSeer 58943]

Based on my employer, Cylance comped me 10-licenses. So I've offered invitations.

I do see in the portal that 4 people I sent licenses are still running Cylance, and two have abandoned it.

Now that I fully understand the limitations of it.... I'll stop offering them.

Same in that I have 20 comped licenses. But unfortunately they are all tied to my dashboard. I still give them to friends and family and I just managed them. I check them every week for FP's, or they text me if there is one. It doesn't happen much so it hasn't been a big deal. Cylance is reserved for very close family/friends.

They get Cylance+VS+Syshardener (and Emsisoft browser extension w/uBlock).. While everyone else (extended family) gets Panda Advanced w/SG Settings and Syshardener. The ones that get Cylance also all have Gryphon's on their network purchased through the refurbished or family/friends discount program at Gryphon. The reality is - Gryphon+Cylance+VS+Syshardener is going to be protection from even the most aggressive threats and intrusion attempts.

 

[oldschool]

Same in that I have 20 comped licenses. But unfortunately they are all tied to my dashboard. I still give them to friends and family and I just managed them. I check them every week for FP's, or they text me if there is one. It doesn't happen much so it hasn't been a big deal. Cylance is reserved for very close family/friends.

They get Cylance+VS+Syshardener (and Emsisoft browser extension w/uBlock).. While everyone else (extended family) gets Panda Advanced w/SG Settings and Syshardener. The ones that get Cylance also all have Gryphon's on their network purchased through the refurbished or family/friends discount program at Gryphon. The reality is - Gryphon+Cylance+VS+Syshardener is going to be protection from even the most aggressive threats and intrusion attempts.

Ft. Knox!

 

[artek]

if cylance is so good, why does it do so poorly in the hub? syshardener and smartscreen alone, did far better.

cylance was infected in 3 out of 3 tests.

the 1st test ended as infected.
---------------------------------------------------------------------------------------------------------------------------------
RoboMan
Level 25Content CreatorVerified
Aug 13, 2018
Add bookmark
#8
Containment: VirtualBox-5.2.16
Guest/OS: Windows 10 x64 build 1803
Product: Cylance Smart Antivirus (default settings)
Static (On-demand scan): n/a (it automatically scanned the folder, no option to manually scan)
Dynamic (On execution): 0/1
Total: 0/1
SUD: Yes
VPN: Windscribe Free
System Status: Infected
Files encrypted: No
Second Opinion Scanners: Infected
-----------------------------------------------------------------------------------------------------------------------------------
RoboMan
Level 25Content CreatorVerified
Aug 10, 2018
Add bookmark
#5
Containment: VirtualBox-5.2.16
Guest/OS: Windows 10 x64 build 1803
Product: Cylance Smart Antivirus (default settings)
Static (On-demand scan): 8/17 (it automatically scanned the folder, no option to manually scan)
Dynamic (On execution): 7/9
Total: 15/17
SUD: Yes
VPN: Windscribe Free
System Status: Infected
Files encrypted: No
Second Opinion Scanners: Infected
-------------------------------------------------------------------------------------------------------------------------------

That's a fun way to cherry pick results. Smartscreen/systhardener did well on those particular tests. But you forget the one where (Cylance tested) Defender and smartscreen missed 17 samples which is a tad worse than missing 3 silly little samples:

Containment: VMware Workstation 14.1.1 build-7528167
Guest/OS: Windows 10 Pro N 1803 x86
Product: Windows Defender (Default settings + PUP protection) + Smartscreen
VPN: Windscribe
Static: 2/19
Dynamic: 0 -> the system was dead after the 1 sample (0.14.0.js), couldn't test anymore
Total: 2/19
SUD: 17
Files encrypted: Yes
Second opinion scanner: No need -> heavily infected
System Final Status: Infected (everything was encrypted, ransomware disabled WD completely) -> useless without tweaks

Lets talk about syshardener for a minute. I'm looking at the feature set and it seems to indicate that it can disassociate files like JS, JSE, VBS, VBE, WSH, WSF, PIF, SCR, BAT, JAR, PS1. I'm assuming that this means that the files won't be able to run which is a peculiar way to test the effectiveness of an anti-malware solution's script blocking capabilities unless of course you were trying to bolster one vendors scores at the expense of the others. If you want an accurate test, I would think that you need to run all vendors under the same conditions. Cylance should also get the benefit of syshardener just like avast, and other vendors did during some of those tests.

 

[oldschool]

That's a fun way to cherry pick results. Smartscreen/systhardener did well on those particular tests. But you forget the one where (Cylance tested) Defender and smartscreen missed 15 samples which is a tad worse than missing 3 silly little samples:

Containment: VMware Workstation 14.1.1 build-7528167
Guest/OS: Windows 10 Pro N 1803 x86
Product: Windows Defender (Default settings + PUP protection) + Smartscreen
VPN: Windscribe
Static: 2/19
Dynamic: 0 -> the system was dead after the 1 sample (0.14.0.js), couldn't test anymore
Total: 2/19
SUD: 17
Files encrypted: Yes
Second opinion scanner: No need -> heavily infected
System Final Status: Infected (everything was encrypted, ransomware disabled WD completely) -> useless without tweaks

Lets talk about syshardener for a minute. I'm looking at the feature set and it seems to indicate that it can disassociate files like JS, JSE, VBS, VBE, WSH, WSF, PIF, SCR, BAT, JAR, PS1. I'm assuming that this means that the files won't be able to run which is a peculiar way to test the effectiveness of an anti-malware solution's script blocking capabilities unless of course you were trying to bolster one vendors scores at the expense of the others. If you want an accurate test, I would think that you need to run all vendors under the same conditions. Cylance should also get the benefit of syshardener just like avast, and other vendors did during some of those tests.

Dare I say, valid point? Touche! Was Cylance tested with SysHardener? I doubt it.

 

[artek]

Dare I say, valid point? Touche! Was Cylance tested with SysHardener? I doubt it.

Well you know, the best way to show that Cylance has a gap in script blocking capabilities is to run a test with a bunch of scripts in it. And then give some of the other vendors a script blocker just to drive the point home.

 

[Brie]

i did not cherry pick results. it is about Cylance. the 1st 3 tests of cylance that i found were all infected.

only avast and smartscreen were tested with syshardener sometimes and some members complained about it.

 

[artek]

i did not cherry pick results. it is about Cylance. the 1st 3 tests of cylance that i found were all infected.

only avast and smartscreen were tested with syshardener sometimes and some members complained about it.

And Sophos. And I seem to remember windows defender on one of the tests but I'm too lazy to go dig that up. There's also some with windows defender and configure defender. I think a lot of those tests Cylance did pretty well versus other vendors even though they were using stuff like configure defender and syshardner but you somehow picked two of the results where it didn't do as well. Weird huh.

 

[Brie]

it is not about syshardener. i was trying to say that non-AV scored better than cylance on the same test.

top tier AV are infected only 1 out of 4 times.

i looked at the 1st 3 tests that came up on a search for cylance. cylance failed them all. i saw no point to look further.

just asking why so much love for cylance.

 

[Deckard]

There is no question of love concerning Cylance. Personally, I don't put any affect on softwares.
Cylance consumes nothing or almost nothing on the CPU.
About the latency added on softs, It takes near nothing on my system.
Cylance takes some MB, right.
False positives are quite rare since I test this AV, since 19 days.

So
What are the disadvantages apart from a the RAM used ? I don't see.
What are the benefits? The ability to detect what might escape my main AV, eventually. A kind of finer mesh.


PDF-XChange Editor Plus X64, version 7.0
test done with PassMark AppTimer

-- Cylance Smart A. only, without WindowsDefender
C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe - 4 executions
1.0460 (cold start - scan)
0.4992
0.4836
0.4990

-- SpyShelter Firewall 11.4 only, without WD
C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe - 4 executions
0.5002
0.5044
0.5002
0.5000

-- Sophos Home Premium without WD
C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe - 4 executions
0.5937
0.5804
0.5773
0.5773

-- DrWeb full (real time + A-exploit + folders security + firewall) with Cylance
C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe - 4 executions
0.5320
0.5338
0.5316
0.5536


As you see on my test, for my config

• Cylance is lighter than a HIPS soft like SpyShelter F.
• With my current config (two AV together, DrWeb+Cylance), I still have a very responsive OS, faster than with a Sophos AV.

The responsiveness of the OS is a priority for me. Not loosing my time to tweak Windows also

 

[Burrito]

it is not about syshardener. i was trying to say that non-AV scored better than cylance on the same test.

top tier AV are infected only 1 out of 4 times.

i looked at the 1st 3 tests that came up on a search for cylance. cylance failed them all. i saw no point to look further.

just asking why so much love for cylance.

Brie,

From a different angle. I think you need to take the Malware Hub with a grain of salt. Certainly what is tested and the results of those tests are interesting, and could be considered when evaluating a product. But those tests are very limited.

It is possibly better to rely on AMTSO approved testing. Look at the AMTSO website for additional information.

As Fabian from Emsisoft once remarked… you can’t run a test with malware “just appearing.” There is an attack chain with malware. This is also a point that MBAM always raises with testing. You have to introduce the malware as it would be introduced in the real-world. Most products have multiple layers of defense that can catch and flag malware, from the point of malware introduction, to the employment of the payload.

With Cylance in particular, the introduction of malware to a system and its actions is how the malware is identified. If you go and read a little about Cylance, or read the articles I linked in the original post, you’ll see what I mean. Cylance is built partly on recognizing patterns of malware. So malware might enter a machine, attempts to turn off a Windows protect element, self-replicate, launch a payload…. And the Cylance model is good at recognizing malware behavior signatures. Most products now have multiple layers… but many still fall back on the signature model. Cylance abandoned the malware signature model. Cylance has built a better algorithm to recognize malware by what the malware is doing. Lots of companies are now building machine learning (ML) capability, but none has matched what Cylance has accomplished (yet). Tests bear this out. Yes, eventually other companies will catch up… and then some other product will be ‘the thing.’

This is from iT-CUBE, a German test organization.

Your Best Buddy,

-Burrito

 

[Cortex]

A quick question: Is it possible to remove quarantined threats, I don't mind them being on my PC but a list remains on my task-bar, they could be embarrassing (they aren't). I deleted Sophos for a similar reason a while back. There are a few pages on the Cylance dashboard but seemingly no way to delete these items.

 

[eonline]

Brie,

From a different angle. I think you need to take the Malware Hub with a grain of salt. Certainly what is tested and the results of those tests are interesting, and could be considered when evaluating a product. But those tests are very limited.

It is possibly better to rely on AMTSO approved testing. Look at the AMTSO website for additional information.

As Fabian from Emsisoft once remarked… you can’t run a test with malware “just appearing.” There is an attack chain with malware. This is also a point that MBAM always raises with testing. You have to introduce the malware as it would be introduced in the real-world. Most products have multiple layers of defense that can catch and flag malware, from the point of malware introduction, to the employment of the payload.

With Cylance in particular, the introduction of malware to a system and its actions is how the malware is identified. If you go and read a little about Cylance, or read the articles I linked in the original post, you’ll see what I mean. Cylance is built partly on recognizing patterns of malware. So malware might enter a machine, attempts to turn off a Windows protect element, self-replicate, launch a payload…. And the Cylance model is good at recognizing malware behavior signatures. Most products now have multiple layers… but many still fall back on the signature model. Cylance abandoned the malware signature model. Cylance has built a better algorithm to recognize malware by what the malware is doing. Lots of companies are now building machine learning (ML) capability, but none has matched what Cylance has accomplished (yet). Tests bear this out. Yes, eventually other companies will catch up… and then some other product will be ‘the thing.’

This is from iT-CUBE, a German test organization.

View attachment 209250


Your Best Buddy,

-Burrito

Cylance Protect is different from cylance smart. Greetings.

 

[ForgottenSeer 69673]

Cylance Protect is different from cylance smart. Greetings.

I have used both and unless you are using a comped Lic, You will be able to log into your portal and deal with the files.

 

[Nightwalker]

Cylance Protect is different from cylance smart. Greetings.

It is different, but the engine is the same, so for PE files the detection/protection should be equal.

The home version (Smart Antivirus) doesnt have the Script Management and Memory Exploitation Detection/Prevention modules, thats why people recommend SysHarderner and OSArmor to complement Cylance.

 

[Burrito]

A quick question: Is it possible to remove quarantined threats, I don't mind them being on my PC but a list remains on my task-bar, they could be embarrassing (they aren't). I deleted Sophos for a similar reason a while back. There are a few pages on the Cylance dashboard but seemingly no way to delete these items.

Hmmm.... good question.

There must be a way to delete those... the ones I had, they just seem to have gone away... maybe. I don't remember actively deleting them.

I'll ask the Cylance rep I've dealt with... although, he's a sales rep rather than a tech rep... but he'll probably know.

 

[Cortex]

Hmmm.... good question.

There must be a way to delete those... the ones I had, they just seem to have gone away... maybe. I don't remember actively deleting them.

I'll ask the Cylance rep I've dealt with... although, he's a sales rep rather than a tech rep... but he'll probably know.

Thanks for that whatever the outcome, I can remove them from the tray but they remain in the program & in a file in C:\ protected, the files it's found are mainly old apps I have & a few FP's which are OK

 

[oldschool]

@Music4Ever @Burrito - you must enable the advanced UI. There are (or were?) instructions @ Cylance site to do this, or you may find them in a post by @ForgottenSeer 58943 in one of the more recent C threads. I believe this will take care of your issue.

 

[outlawxtorn]

A quick question: Is it possible to remove quarantined threats, I don't mind them being on my PC but a list remains on my task-bar, they could be embarrassing (they aren't). I deleted Sophos for a similar reason a while back. There are a few pages on the Cylance dashboard but seemingly no way to delete these items.

Yes, you can by running Cylance in advanced mode.
Cylance Agent - Advanced UI Mode

 

[oldschool]

Thanks @outlawxtorn - I'm too sleepy to be searching quite yet!