Cylance Articles & thoughts

Brie

Level 10
Verified
Well-known
Jan 1, 2018
488
if cylance is so good, why does it do so poorly in the hub? syshardener and smartscreen alone, did far better.

cylance was infected in 3 out of 3 tests.

the 1st test ended as infected.
---------------------------------------------------------------------------------------------------------------------------------
RoboMan
Level 25Content CreatorVerified
Aug 13, 2018
Add bookmark
#8
Containment: VirtualBox-5.2.16
Guest/OS: Windows 10 x64 build 1803
Product: Cylance Smart Antivirus (default settings)
Static (On-demand scan): n/a (it automatically scanned the folder, no option to manually scan)
Dynamic (On execution): 0/1
Total: 0/1
SUD: Yes
VPN: Windscribe Free
System Status: Infected
Files encrypted: No
Second Opinion Scanners: Infected
-----------------------------------------------------------------------------------------------------------------------------------
RoboMan
Level 25Content CreatorVerified
Aug 10, 2018
Add bookmark
#5
Containment: VirtualBox-5.2.16
Guest/OS: Windows 10 x64 build 1803
Product: Cylance Smart Antivirus (default settings)
Static (On-demand scan): 8/17 (it automatically scanned the folder, no option to manually scan)
Dynamic (On execution): 7/9
Total: 15/17
SUD: Yes
VPN: Windscribe Free
System Status: Infected
Files encrypted: No
Second Opinion Scanners: Infected
-------------------------------------------------------------------------------------------------------------------------------
 
F

ForgottenSeer 58943

Based on my employer, Cylance comped me 10-licenses. So I've offered invitations.

I do see in the portal that 4 people I sent licenses are still running Cylance, and two have abandoned it.

Now that I fully understand the limitations of it.... I'll stop offering them.

Same in that I have 20 comped licenses. But unfortunately they are all tied to my dashboard. I still give them to friends and family and I just managed them. I check them every week for FP's, or they text me if there is one. It doesn't happen much so it hasn't been a big deal. Cylance is reserved for very close family/friends.

They get Cylance+VS+Syshardener (and Emsisoft browser extension w/uBlock).. While everyone else (extended family) gets Panda Advanced w/SG Settings and Syshardener. The ones that get Cylance also all have Gryphon's on their network purchased through the refurbished or family/friends discount program at Gryphon. The reality is - Gryphon+Cylance+VS+Syshardener is going to be protection from even the most aggressive threats and intrusion attempts.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,012
Same in that I have 20 comped licenses. But unfortunately they are all tied to my dashboard. I still give them to friends and family and I just managed them. I check them every week for FP's, or they text me if there is one. It doesn't happen much so it hasn't been a big deal. Cylance is reserved for very close family/friends.

They get Cylance+VS+Syshardener (and Emsisoft browser extension w/uBlock).. While everyone else (extended family) gets Panda Advanced w/SG Settings and Syshardener. The ones that get Cylance also all have Gryphon's on their network purchased through the refurbished or family/friends discount program at Gryphon. The reality is - Gryphon+Cylance+VS+Syshardener is going to be protection from even the most aggressive threats and intrusion attempts.

Ft. Knox!
 

artek

Level 5
Verified
May 23, 2014
236
if cylance is so good, why does it do so poorly in the hub? syshardener and smartscreen alone, did far better.

cylance was infected in 3 out of 3 tests.

the 1st test ended as infected.
---------------------------------------------------------------------------------------------------------------------------------
RoboMan
Level 25Content CreatorVerified
Aug 13, 2018
Add bookmark
#8
Containment: VirtualBox-5.2.16
Guest/OS: Windows 10 x64 build 1803
Product: Cylance Smart Antivirus (default settings)
Static (On-demand scan): n/a (it automatically scanned the folder, no option to manually scan)
Dynamic (On execution): 0/1
Total: 0/1
SUD: Yes
VPN: Windscribe Free
System Status: Infected
Files encrypted: No
Second Opinion Scanners: Infected
-----------------------------------------------------------------------------------------------------------------------------------
RoboMan
Level 25Content CreatorVerified
Aug 10, 2018
Add bookmark
#5
Containment: VirtualBox-5.2.16
Guest/OS: Windows 10 x64 build 1803
Product: Cylance Smart Antivirus (default settings)
Static (On-demand scan): 8/17 (it automatically scanned the folder, no option to manually scan)
Dynamic (On execution): 7/9
Total: 15/17
SUD: Yes
VPN: Windscribe Free
System Status: Infected
Files encrypted: No
Second Opinion Scanners: Infected
-------------------------------------------------------------------------------------------------------------------------------

That's a fun way to cherry pick results. Smartscreen/systhardener did well on those particular tests. But you forget the one where (Cylance tested) Defender and smartscreen missed 17 samples which is a tad worse than missing 3 silly little samples:

Containment: VMware Workstation 14.1.1 build-7528167
Guest/OS: Windows 10 Pro N 1803 x86
Product: Windows Defender (Default settings + PUP protection) + Smartscreen
VPN: Windscribe
Static: 2/19
Dynamic: 0 -> the system was dead after the 1 sample (0.14.0.js), couldn't test anymore
Total: 2/19
SUD: 17
Files encrypted: Yes
Second opinion scanner: No need -> heavily infected
System Final Status: Infected (everything was encrypted, ransomware disabled WD completely) -> useless without tweaks


Lets talk about syshardener for a minute. I'm looking at the feature set and it seems to indicate that it can disassociate files like JS, JSE, VBS, VBE, WSH, WSF, PIF, SCR, BAT, JAR, PS1. I'm assuming that this means that the files won't be able to run which is a peculiar way to test the effectiveness of an anti-malware solution's script blocking capabilities unless of course you were trying to bolster one vendors scores at the expense of the others. If you want an accurate test, I would think that you need to run all vendors under the same conditions. Cylance should also get the benefit of syshardener just like avast, and other vendors did during some of those tests.
 
Last edited:

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,012
That's a fun way to cherry pick results. Smartscreen/systhardener did well on those particular tests. But you forget the one where (Cylance tested) Defender and smartscreen missed 15 samples which is a tad worse than missing 3 silly little samples:

Containment: VMware Workstation 14.1.1 build-7528167
Guest/OS: Windows 10 Pro N 1803 x86
Product: Windows Defender (Default settings + PUP protection) + Smartscreen
VPN: Windscribe
Static: 2/19
Dynamic: 0 -> the system was dead after the 1 sample (0.14.0.js), couldn't test anymore
Total: 2/19
SUD: 17
Files encrypted: Yes
Second opinion scanner: No need -> heavily infected
System Final Status: Infected (everything was encrypted, ransomware disabled WD completely) -> useless without tweaks


Lets talk about syshardener for a minute. I'm looking at the feature set and it seems to indicate that it can disassociate files like JS, JSE, VBS, VBE, WSH, WSF, PIF, SCR, BAT, JAR, PS1. I'm assuming that this means that the files won't be able to run which is a peculiar way to test the effectiveness of an anti-malware solution's script blocking capabilities unless of course you were trying to bolster one vendors scores at the expense of the others. If you want an accurate test, I would think that you need to run all vendors under the same conditions. Cylance should also get the benefit of syshardener just like avast, and other vendors did during some of those tests.

Dare I say, valid point? Touche! Was Cylance tested with SysHardener? I doubt it.
 

Brie

Level 10
Verified
Well-known
Jan 1, 2018
488
i did not cherry pick results. it is about Cylance. the 1st 3 tests of cylance that i found were all infected.

only avast and smartscreen were tested with syshardener sometimes and some members complained about it.
 

artek

Level 5
Verified
May 23, 2014
236
i did not cherry pick results. it is about Cylance. the 1st 3 tests of cylance that i found were all infected.

only avast and smartscreen were tested with syshardener sometimes and some members complained about it.

And Sophos. And I seem to remember windows defender on one of the tests but I'm too lazy to go dig that up. There's also some with windows defender and configure defender. I think a lot of those tests Cylance did pretty well versus other vendors even though they were using stuff like configure defender and syshardner but you somehow picked two of the results where it didn't do as well. Weird huh.
 
Last edited:

Brie

Level 10
Verified
Well-known
Jan 1, 2018
488
it is not about syshardener. i was trying to say that non-AV scored better than cylance on the same test.

top tier AV are infected only 1 out of 4 times.

i looked at the 1st 3 tests that came up on a search for cylance. cylance failed them all. i saw no point to look further.

just asking why so much love for cylance.
 

Deckard

Level 1
Verified
Feb 20, 2019
41
There is no question of love concerning Cylance. Personally, I don't put any affect on softwares.
Cylance consumes nothing or almost nothing on the CPU.
About the latency added on softs, It takes near nothing on my system.
Cylance takes some MB, right.
False positives are quite rare since I test this AV, since 19 days.

So
What are the disadvantages apart from a the RAM used ? I don't see.
What are the benefits? The ability to detect what might escape my main AV, eventually. A kind of finer mesh.


PDF-XChange Editor Plus X64, version 7.0
test done with PassMark AppTimer

-- Cylance Smart A. only, without WindowsDefender
C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe - 4 executions
1.0460 (cold start - scan)
0.4992
0.4836
0.4990

-- SpyShelter Firewall 11.4 only, without WD
C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe - 4 executions
0.5002
0.5044
0.5002
0.5000

-- Sophos Home Premium without WD
C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe - 4 executions
0.5937
0.5804
0.5773
0.5773

-- DrWeb full (real time + A-exploit + folders security + firewall) with Cylance
C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe - 4 executions
0.5320
0.5338
0.5316
0.5536


As you see on my test, for my config
  • Cylance is lighter than a HIPS soft like SpyShelter F.
  • With my current config (two AV together, DrWeb+Cylance), I still have a very responsive OS, faster than with a Sophos AV.
The responsiveness of the OS is a priority for me. Not loosing my time to tweak Windows also :)
 

Burrito

Level 24
Thread author
Verified
Top Poster
Well-known
May 16, 2018
1,363
it is not about syshardener. i was trying to say that non-AV scored better than cylance on the same test.

top tier AV are infected only 1 out of 4 times.

i looked at the 1st 3 tests that came up on a search for cylance. cylance failed them all. i saw no point to look further.

just asking why so much love for cylance.


Brie,

From a different angle. I think you need to take the Malware Hub with a grain of salt. Certainly what is tested and the results of those tests are interesting, and could be considered when evaluating a product. But those tests are very limited.

It is possibly better to rely on AMTSO approved testing. Look at the AMTSO website for additional information.

As Fabian from Emsisoft once remarked… you can’t run a test with malware “just appearing.” There is an attack chain with malware. This is also a point that MBAM always raises with testing. You have to introduce the malware as it would be introduced in the real-world. Most products have multiple layers of defense that can catch and flag malware, from the point of malware introduction, to the employment of the payload.

With Cylance in particular, the introduction of malware to a system and its actions is how the malware is identified. If you go and read a little about Cylance, or read the articles I linked in the original post, you’ll see what I mean. Cylance is built partly on recognizing patterns of malware. So malware might enter a machine, attempts to turn off a Windows protect element, self-replicate, launch a payload…. And the Cylance model is good at recognizing malware behavior signatures. Most products now have multiple layers… but many still fall back on the signature model. Cylance abandoned the malware signature model. Cylance has built a better algorithm to recognize malware by what the malware is doing. Lots of companies are now building machine learning (ML) capability, but none has matched what Cylance has accomplished (yet). Tests bear this out. Yes, eventually other companies will catch up… and then some other product will be ‘the thing.’

This is from iT-CUBE, a German test organization.

209250



Your Best Buddy,

-Burrito
 

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
A quick question: Is it possible to remove quarantined threats, I don't mind them being on my PC but a list remains on my task-bar, they could be embarrassing (they aren't). I deleted Sophos for a similar reason a while back. There are a few pages on the Cylance dashboard but seemingly no way to delete these items. :)
 

Attachments

  • Cylance.jpg
    Cylance.jpg
    110.8 KB · Views: 427
Last edited:

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,064
Brie,

From a different angle. I think you need to take the Malware Hub with a grain of salt. Certainly what is tested and the results of those tests are interesting, and could be considered when evaluating a product. But those tests are very limited.

It is possibly better to rely on AMTSO approved testing. Look at the AMTSO website for additional information.

As Fabian from Emsisoft once remarked… you can’t run a test with malware “just appearing.” There is an attack chain with malware. This is also a point that MBAM always raises with testing. You have to introduce the malware as it would be introduced in the real-world. Most products have multiple layers of defense that can catch and flag malware, from the point of malware introduction, to the employment of the payload.

With Cylance in particular, the introduction of malware to a system and its actions is how the malware is identified. If you go and read a little about Cylance, or read the articles I linked in the original post, you’ll see what I mean. Cylance is built partly on recognizing patterns of malware. So malware might enter a machine, attempts to turn off a Windows protect element, self-replicate, launch a payload…. And the Cylance model is good at recognizing malware behavior signatures. Most products now have multiple layers… but many still fall back on the signature model. Cylance abandoned the malware signature model. Cylance has built a better algorithm to recognize malware by what the malware is doing. Lots of companies are now building machine learning (ML) capability, but none has matched what Cylance has accomplished (yet). Tests bear this out. Yes, eventually other companies will catch up… and then some other product will be ‘the thing.’

This is from iT-CUBE, a German test organization.

View attachment 209250


Your Best Buddy,

-Burrito
Cylance Protect is different from cylance smart. Greetings.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Cylance Protect is different from cylance smart. Greetings.

It is different, but the engine is the same, so for PE files the detection/protection should be equal.

The home version (Smart Antivirus) doesnt have the Script Management and Memory Exploitation Detection/Prevention modules, thats why people recommend SysHarderner and OSArmor to complement Cylance.
 

Burrito

Level 24
Thread author
Verified
Top Poster
Well-known
May 16, 2018
1,363
A quick question: Is it possible to remove quarantined threats, I don't mind them being on my PC but a list remains on my task-bar, they could be embarrassing (they aren't). I deleted Sophos for a similar reason a while back. There are a few pages on the Cylance dashboard but seemingly no way to delete these items. :)

Hmmm.... good question.

There must be a way to delete those... the ones I had, they just seem to have gone away... maybe. I don't remember actively deleting them.

I'll ask the Cylance rep I've dealt with... although, he's a sales rep rather than a tech rep... but he'll probably know.
 
  • Like
Reactions: oldschool

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
Hmmm.... good question.

There must be a way to delete those... the ones I had, they just seem to have gone away... maybe. I don't remember actively deleting them.

I'll ask the Cylance rep I've dealt with... although, he's a sales rep rather than a tech rep... but he'll probably know.
Thanks for that whatever the outcome, I can remove them from the tray but they remain in the program & in a file in C:\ protected, the files it's found are mainly old apps I have & a few FP's which are OK :)
 

outlawxtorn

Level 6
Verified
Content Creator
May 29, 2017
264
A quick question: Is it possible to remove quarantined threats, I don't mind them being on my PC but a list remains on my task-bar, they could be embarrassing (they aren't). I deleted Sophos for a similar reason a while back. There are a few pages on the Cylance dashboard but seemingly no way to delete these items. :)
Yes, you can by running Cylance in advanced mode.
Cylance Agent - Advanced UI Mode
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top