Wave
Thread author
The other concern I have is regarding false positive detections; there are so many pieces of GENUINE software which rely on device drivers to function properly... One would be other anti-malware products, another would be simple development tools like DebugView (for kernel-mode output)... How would CylancePROTECT react to CreateServiceA and StartServiceA being used to load a device driver? You can't just flag every program which uses those APIs; you should alert the user to decide whether it should be allowed or not, or perform a scan of the device driver being loaded.
In that scenario, if they don't flag and block that, then the device driver will be loaded... Guess what? Call PsLookupProcessByProcessId, then ObOpenObjectByPointer, then NtTerminateProcess -> bye bye CylancePROTECT. If they hook them on x86, then unhook them.
Unless they bypass PatchGuard on x64 (which would be unethical and highly unstable, because MS will patch it through an update; they don't like kernel-mode patching) or block all device drivers from being loaded, there's nothing they can do IMO.
Plus attacks which patch Windows device drivers: if those aren't prevented, they can be used to bypass the product too!
.... Or let's say they have a great white-listing system. OK, great! Sounds amazing, right? Now find a trusted piece of software which uses device drivers -> hack the network to replace the device driver files and publish your own malicious update from the company's own server -> now the software on the target machine which is white-listed by CylancePROTECT is updated, and your own malicious code is being executed from a trusted program, on God knows how many systems.
There are limitless things which can be done to try and bypass the product and eventually one of them will work.
---------------------------------------------------------------
The other concern I have is their shitty advertising; check this, from the official website (front page):
Boost the efficiency of IT resources and reduce user impact throughout your organization with endpoint security products that use very little memory, less than 1% of CPU and require no Internet connection or signature updates.
Urm ok kiddo... Less than 1% CPU? Haha. I am sure it uses more than 1% CPU, and it will also use additional memory... Why? Because the CPU will be performing more instructions for the logging (e.g. if it injects into processes, then when the hooked APIs are called, more CPU is used to execute their own instructions before the action is completed for the program which originally called the API, plus more RAM in the other running programs to store the logging code). Or, if they work with device drivers for real virtualization like a hypervisor, then that's still more RAM/CPU.
There's more to system resource usage than a damn GUI.
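An added example (not from the original post, and not Cylance's or any vendor's code) of the check the post asks for before a driver is let through: inspect the image, pin its signer, log its hash, and only then create and start the kernel service. sc.exe is used here because it wraps the service-control APIs the post names (CreateService/StartService); the driver path, service name and pinned thumbprint are placeholders the operator supplies from a known-good copy of the driver.

```powershell
# Added example: gate a kernel-driver load on signature, pinned signer and hash.
# Run from an elevated PowerShell prompt. All parameter values are assumptions.
param(
    [Parameter(Mandatory)] [string] $DriverPath,      # e.g. a DebugView-style .sys file
    [Parameter(Mandatory)] [string] $ServiceName,     # name for the driver service
    [string] $ExpectedThumbprint = 'REPLACE_WITH_PINNED_SIGNER_THUMBPRINT'  # pinned from a trusted copy
)

function Test-DriverBeforeLoad {
    param([string] $Path, [string] $PinnedThumbprint)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return @{ Allow = $false; Reason = "file not found: $Path" }
    }

    # Authenticode check: unsigned or tampered images are refused outright.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return @{ Allow = $false; Reason = "signature status $($sig.Status)" }
    }

    # Pin the signer. A valid signature alone is not enough for the post's
    # supply-chain case: a re-signed or differently signed replacement is
    # caught here, but an update signed with the vendor's own stolen key is not.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($thumb -ne $PinnedThumbprint) {
        return @{ Allow = $false; Reason = "unexpected signer $thumb ($($sig.SignerCertificate.Subject))" }
    }

    # Record the image hash so the loaded driver can be matched against later alerts.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return @{ Allow = $true; Reason = "signed by $($sig.SignerCertificate.Subject)"; Sha256 = $hash }
}

$verdict = Test-DriverBeforeLoad -Path $DriverPath -PinnedThumbprint $ExpectedThumbprint
Write-Host "[$ServiceName] $($verdict.Reason)"

if (-not $verdict.Allow) {
    Write-Warning "Refusing to load $DriverPath"
    exit 1
}

Write-Host "[$ServiceName] SHA256 $($verdict.Sha256)"

# sc.exe create/start call the service-control APIs; 'type= kernel' makes it a
# driver service. On x64 the OS still enforces kernel-mode code signing at load
# time, independently of this script's checks.
& sc.exe create $ServiceName type= kernel start= demand binPath= $DriverPath
if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
& sc.exe start $ServiceName
exit $LASTEXITCODE
```

The point of the pinned thumbprint is that "signed" is too weak a whitelist on its own; the script refuses anything whose signer differs from the copy you vetted, which is the distinction the post draws between flagging every CreateService caller and actually looking at the driver about to be loaded.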