App Review Cylance (old and new) vs. Signature-based AV (in an offline test) with fresh malware and ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Mahesh Sudula



They should provide a free trial so that the product can be effectively tested. Money back is a scam seen with many vendors in this era.
But the product did a fine job.
Important points:
NO security product would ever, ever achieve a 100% clean sheet at any instance. SOS results don't mean the system is infection free. There may be a bunch of non-active remnants.

My personal Opinion on any security products: -_/\_ _/\_ _/\_
 

SHvFl

How is money back a scam? Pay by credit card and if they don't give you the money back when you are not satisfied, chargeback with your cc. P.S. They will give it back. Your $25 is not worth bad publicity on a million dollar business.
This method of no trial reduces the load from people that are just testing a new software each week and making support tickets. Don't agree but I see the reason behind it.
 

Mahesh Sudula

How is money back a scam? Pay by credit card and if they don't give you the money back when you are not satisfied, chargeback with your cc. P.S. They will give it back. Your $25 is not worth bad publicity on a million dollar business.
This method of no trial reduces the load from people that are just testing a new software each week and making support tickets. Don't agree but I see the reason behind it.
Why shouldn't they provide a free trial? What does that mean? Every software vendor provides at least a 15-day trial.
The user should like it, right? He may test it > the amount of burden it raises on the system.
A user may test in several ways. It's finally them who pay them, so that's the minimum criteria.
Cylance >>> Back to the drawing board
I hate such vendors who do not provide any trial or want you to pay beforehand. McAfee is one such bizarre software that auto-renews.
Already had enough with it 🙏
 
ForgottenSeer 58943

30 Day refund policy is your trial. It's just a pay-wall from abusers that create fake accounts and reuse a trial every 30 days. Yes - sleazeballs do this. I've seen people use a tool to refresh the trial every 30 days on Kaspersky and other products. So you put a paywall up and eliminate the nonsense, then provide a 100% refund guarantee.
 

Mahesh Sudula

But vendors like Norton, G Data and many others... leave a deep trace that is undeletable to prevent frequent 30-day trial installations.
>How could CYLANCE miss this simple logic<.. owing to their AI/ML and 2nd generation technologies
It's so simple..)
 
509322

But vendors like Norton, G Data and many others... leave a deep trace that is undeletable to prevent frequent 30-day trial installations.
>How could CYLANCE miss this simple logic<.. owing to their AI/ML and 2nd generation technologies
It's so simple..)

Because Cylance's AI/ML has nothing to do with what you're talking about. One would assume that the mathematics that it uses is advanced, but it uses the same technology and functionality as that of other security softs. You're assuming, based upon marketing, that Cylance is better than other security softs in every way simply because it is so-called "Next Gen." It just ain't true. It's marketing. And that marketing worked because you wondered why Cylance "misses the [activation issue]?"
 

cruelsister

With things like packers, it's not a big thing to detect files that are so packed, but instead to differentiate between UPX packed malware and UPX packed legitimate files.

For instance, here is a VT result for a legitimate calc.exe file: Antivirus scan for 7f8aa55beae4aee0da0f32b8d67b3d600103fedd99c6e114625f82de8d14d5c7 at 2018-08-14 23:04:07 UTC - VirusTotal

And here is the VT result for the legitimate calc.exe with UPX packing: Antivirus scan for f35843d8b34d5c3bbf96571a62291484edc18a2829234370f580c3ecbc33cb66 at 2018-08-14 23:01:24 UTC - VirusTotal

So exactly how meaningful is Zoltan's statement?
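
Added example, not part of the original thread: a short Python sketch of the point in the post above that spotting UPX packing is the easy part. It reads the PE section table and applies a common heuristic (UPX's default section names, with the first section empty on disk); the three sample images are constructed header-only stand-ins, not real files.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _m, nsec, _ts, _sym, _nsym, opt_size, _ch = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # section table follows optional header
    out = []
    for i in range(nsec):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return out

def looks_upx_packed(data: bytes) -> bool:
    """Heuristic only: default UPX section names, first section has no bytes on disk."""
    secs = pe_sections(data)
    names = [n for n, _, _ in secs]
    empty_first = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0
    return "UPX0" in names and "UPX1" in names and empty_first

def fake_pe(sections):
    """Constructed header-only PE for this demo (no code, not loadable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIII", n, v, 0x1000 * (i + 1), r) + b"\0" * 20
        for i, (n, v, r) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table

# Constructed samples: an unpacked tool, a packed legitimate tool, a packed unknown file.
PLAIN = fake_pe([(b".text", 0x5000, 0x5000), (b".rsrc", 0x1000, 0x1000)])
PACKED_LEGIT = fake_pe([(b"UPX0", 0x8000, 0), (b"UPX1", 0x4000, 0x3E00), (b".rsrc", 0x1000, 0x1000)])
PACKED_UNKNOWN = fake_pe([(b"UPX0", 0xC000, 0), (b"UPX1", 0x6000, 0x5A00), (b".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for label, img in [("plain", PLAIN), ("packed legit", PACKED_LEGIT),
                       ("packed unknown", PACKED_UNKNOWN)]:
        print(f"{label:15} packed={looks_upx_packed(img)} sections={pe_sections(img)}")
```

Both packed samples get the same answer, so the packing check alone carries no information about whether a file is malicious; a verdict has to come from something else (unpacked content, signer, behaviour).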
 

Nightwalker

With things like packers, it's not a big thing to detect files that are so packed, but instead to differentiate between UPX packed malware and UPX packed legitimate files.

For instance, here is a VT result for a legitimate calc.exe file: Antivirus scan for 7f8aa55beae4aee0da0f32b8d67b3d600103fedd99c6e114625f82de8d14d5c7 at 2018-08-14 23:04:07 UTC - VirusTotal

And here is the VT result for the legitimate calc.exe with UPX packing: Antivirus scan for f35843d8b34d5c3bbf96571a62291484edc18a2829234370f580c3ecbc33cb66 at 2018-08-14 23:01:24 UTC - VirusTotal

So exactly how meaningful is Zoltan's statement?

I guess Cylance doesn't like calculators:

Antivirus scan for 5ea9149172c664515bc424c81509fb0f83da7e2d8481c0d596dd52387a2145f3 at 2018-08-14 20:46:46 UTC - VirusTotal (Windows 10 "normal" calculator software)
 
Deleted Member 3a5v73x

Console Windows Host, according to VT, Cylance determines it as "Unsafe"

Antivirus scan for 04b6a35bc504401989b9e674c57c9e84d0cbdbbd9d8ce0ce83d7ceca0b7175ed at 2018-08-15 08:43:28 UTC - VirusTotal

But no alert/fp triggered on the system where Cylance Smart Antivirus is installed.

[Attachment: 1.PNG]


If something in VT is detected by Cylance, it doesn't exactly mean it will be detected on your system where Cylance is installed.
 
ForgottenSeer 58943

I was always amazed by the things Cylance detected as "Unsafe".

Rule of thumb in Security- That which detects everything actually detects nothing.

But what about CFW with CS settings that basically detects everything? If I recall reading into the Snowden and Vault7 dumps, the CIA and NSA were 'frustrated' by security solutions that would detect tampered signed windows files themselves. I'd have to look up the exact paragraph where they complained about the difficulty of bypassing solutions that did this.

Both work fine here, Cylance doesn't trigger any FP's regarding Windows apps on my side.

If Cylance gets a hit, you should take notice. There is most likely a reason for it, and false positive wouldn't be my first assumption.
 
Deleted Member 3a5v73x

I'd like to see a real system where calculator, Movies & TV, Groove or any other Win 10 app is triggered by Cylance. Not these VT results. Just for the proof that Cylance AI is dumb black and white, and can't differentiate and find anomalies between legitimate files and altered ones.
 

AtlBo

Hashing through the details of this and a couple of things come to my mind:

1. Does Cylance's "Unsafe" designation reflect only a general concern on the part of Cylance that it may be possible to abuse the application? Is this designation different in more than semantical terms from designating a file or application malicious? In other words, maybe the "Unsafe" designation is intentionally not meant to be any reason to look for a block of the app from the program, rather Cylance's point of order and statement that it may be possible to abuse the app. Maybe it's Cylance's way of giving customers a slight peek into the scope of the monitoring. I could see why they would want their customers to know.
2. I have noticed with Comodo firewall that safe Windows applications are found as contacting the internet, etc., even calc.exe (also other behaviors at times). Yes, I have seen this a few times. I chalked it up to MS attempting to collect data or whatever as the IP was always MS. O/C with Comodo, Explorer.exe for example will trigger HIPS and the firewall modules when it is used to open something (under certain settings).

Just wondering if Cylance's designation is some kind of a designation on principle, i.e. this file or application can be abused. In the example of Explorer.exe, of course there are shellcode injections and context menu changes and so on that are possible...
 