App Review Cylance (old and new) vs. Signature-based AV (in an offline test) with fresh malware and ransomware


DeepWeb
VT really really needs to boot Cylance off their list. Ever since they got added, perfectly harmless programs are now flagged. Cylance is the new king of false positives and their team does not seem to care to whitelist these programs any time soon because they think they know better than any other AV vendor.
 

simmerskool
I was always amazed by the things Cylance detected as "Unsafe".

Rule of thumb in Security- That which detects everything actually detects nothing.

yes, but my experience with CylanceProtect for 8+ months... at first scan after install it found a few questionable files that I was not surprised it considered malware or to be quarantined, and then it ran every day for 8 months with no detections, and then last week it caught a trojan that somehow snuck past cf@cs (& other gateway defenders), probably due to the encrypted VPN connection (still have not fully tracked that "intrusion" down -- but gee, sometimes I venture into some dark places).
 

Hector1
Maybe a good sample for the HUB ;D
 

simmerskool
nah, because Cylance lets the user scan it at VT from quarantine and most everyone IDs it as a trojan. I'd like to track down how it got in here, but since Cylance apparently immediately caught it, I've been too busy with other stuff to track it down and not sure I could at this point.
 

509322

Yeah... Cylance got it right. Windows = UNSAFE. Might as well quarantine all of C:\Windows, smash the system, and keep people from ever using it. Brilliant idea actually. A better deterrent would be to electrocute anyone that puts their paws on a Windows system.
 

Deleted Member 3a5v73x

@Azure Phoenix's post in Update - Cylance Smart Antivirus and Cylance's response in the article Here's why the scanners on VirusTotal flagged Hello World as harmful explain in short why some files are being classified as "Unsafe":
Ryan Permeh, Cylance:
"The Cylance engine is not an antivirus engine. Unlike AV, it doesn't have a bias toward letting everything run. The technology doesn't assume a file is good until it's evaluated. Our approach is to measure and decide on each and every file individually, and if it doesn't fit into our model of good, it leans towards bad.
"Without a bunch of data to base a decision on, and without any real patterns of goodness to identify it as such, the engine leaned heavily on the structural bits that are odd and drew a line towards bad in this case.
"When we train models, we train on hundreds of millions of good and hundreds of millions of bad files (samples). We look at several million potential data points (features) in each file...
"...In general, a piece of code can become "bad" by doing things that lean towards bad. But it can also lean towards bad by not doing things that lean towards good. So in the most basic example provided (hello world in debug build):
"The sample was small. It didn't show any bad, but it didn't show any good either; one-function programs are almost always malware; debug builds are statistically weird; using mingw rather than Visual Studio is statistically weird. The output binary is 'odd.'"
 

simmerskool
I would love to have the SHA-256 on that one.
No way that would be the cause.

no time right now, but will see if I can dig up the hash tonight. Thanks for the feedback re VPN; that was meant for the defenders ahead of Cylance, but compared to you I'm clueless in understanding how the trojan got past cf@cs. More later.

EDIT: CS, this is the file CylanceProtect quarantined on 06 Aug at 12:21am.
SHA-256: a4167795e3b650ec398554144b9911ebc5aa8d2ec6530da33543d4cca7f63b59
File name: svchost.exe
File size: 166 KB
Last analysis: 2018-08-09 00:24:01 UTC
Detection ratio: 51/68

I have no immediate recollection of what I was doing at 12:21am on 06 Aug, but this file got past Meraki ATP and cf@cs before it was q'd by Cylance. I must have DL'd it with something else or it was disguised as something else. I typically manually check the hash of every file I DL. Just checked cf and not finding anything in its logs.
 
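The manual check simmerskool describes above (hashing every download and keeping an eye out for system-process names turning up where they should not), as an added example in Python that is not code from this thread or from any of the products discussed in it. It hashes a download, compares the digest in constant time against the SHA-256 posted above, and flags a binary that is named like a Windows system process but sits outside the directories that process normally runs from. The directory allowlist is an assumption made for the example and the sample paths and bytes are constructed.

```python
import hashlib
import hmac
from pathlib import PureWindowsPath

# SHA-256 simmerskool posted for the quarantined file (svchost.exe, 166 KB).
QUARANTINED_SHA256 = "a4167795e3b650ec398554144b9911ebc5aa8d2ec6530da33543d4cca7f63b59"

# Assumption for this example: the genuine Windows binaries of these names live only
# in these directories. A dropper calling itself svchost.exe in Downloads is not one.
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "csrss.exe": {r"c:\windows\system32"},
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large download never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison; case-insensitive because VT and vendors differ on hex case."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def is_masquerading(image_path: str) -> bool:
    """True when the file name is a Windows system binary but its directory is not one it runs from."""
    p = PureWindowsPath(image_path)
    allowed = SYSTEM_BINARY_DIRS.get(p.name.lower())
    if allowed is None:
        return False
    return str(p.parent).lower() not in allowed


def triage_download(image_path: str, data: bytes, known_bad_hex: str = QUARANTINED_SHA256) -> dict:
    """What a manual check of one downloaded file would report."""
    digest = sha256_bytes(data)
    return {
        "sha256": digest,
        "known_bad": hash_matches(digest, known_bad_hex),
        "masquerading": is_masquerading(image_path),
    }


if __name__ == "__main__":
    # Constructed sample: the bytes stand in for a file pulled from the net.
    print(triage_download(r"C:\Users\simmer\Downloads\svchost.exe", b"not the real file"))
```

The hash comparison only tells you whether the file is the one already known bad; the path check is what would have raised an eyebrow at a 166 KB svchost.exe that did not come from System32, whatever its hash.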

cruelsister
Hi Simmer! Thanks for the file ID- that was sweet of you!

I just checked that file with Cruel CF. First off, I did shut off both the AV module as well as the Cloud Lookup option in File Rating. With these on the file would have just been deleted on run. That being said:
1). With Containment on Restricted- the file was allowed to drop the Twin Sister, but this was also contained (in App Data/Local/Temp). Nothing more happened with it, and it eventually died in despair.
2). I then dumbed things down by resetting Containment to default PL setting- once again the Sister was contained, but here it was able to attempt to connect to the Network. These attempts were rejected by my Firewall setting. Other than that nothing, and I just flushed out this crap without system changes.

Please note that in both of the cases above the forking of csrss.exe as well as the keylogging mechanism of the malware was prevented.

But anyway, so as not to hijack this thread I decided to do a Cylance Smart AV quickie, to be released before I go out this evening. As I have been talking in the Cylance threads I felt that it was only appropriate to do one (using a couple of my Beloved Worms and a Zombie Bot).

Thank you again for the file Simmerskool!
 

ForgottenSeer 58943

I have no immediate recollection of what I was doing at 1221am on 06aug, but this file got passed meraki atp and cf@cs before it was q'd by cylance.

If your ATP logs showed it getting past, then it wasn't contained. I personally feel like a SIEM should be pointed at a test machine so you can be sure something didn't exfiltrate for reasons such as this. Often it will appear containment has taken place, when in actuality, it didn't. You can only be sure if you have a logging appliance or application pointed 'externally' to that endpoint.

Nice job.
 
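The check the post above describes, as an added example rather than anything from the thread: route the test box's egress through a logging point it cannot tamper with, then go through those logs afterwards instead of trusting the sandbox's own verdict. The log format, the test host address and its egress allowlist are all assumptions for this example, and the four log lines are constructed. A "contained" sample that still moved bytes to an address outside the allowlist is exactly the finding the post warns about.

```python
import ipaddress
import re

# Assumptions for the example: the endpoint under test and the only destinations it
# is expected to reach (its own LAN and, say, the vendor's cloud lookup range).
TEST_HOST = ipaddress.ip_address("192.168.10.50")
EGRESS_ALLOWLIST = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed key=value firewall log lines, the kind an external appliance keeps.
SAMPLE_LOG = """\
2018-08-06T00:20:58Z fw action=allow src=192.168.10.50 dst=203.0.113.9 dport=443 bytes_out=1820
2018-08-06T00:21:03Z fw action=allow src=192.168.10.50 dst=198.51.100.77 dport=443 bytes_out=40960
2018-08-06T00:21:07Z fw action=deny src=192.168.10.50 dst=198.51.100.77 dport=8443 bytes_out=0
2018-08-06T00:21:09Z fw action=allow src=192.168.10.12 dst=198.51.100.5 dport=80 bytes_out=512
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict, or None if it has none."""
    fields = dict(FIELD_RE.findall(line))
    return fields or None


def is_allowed_destination(dst, allowlist=EGRESS_ALLOWLIST):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowlist)


def egress_review(log_text, host=TEST_HOST, allowlist=EGRESS_ALLOWLIST):
    """Split the test host's off-allowlist traffic into data that actually left
    and attempts the firewall stopped. Only the first list contradicts 'contained'."""
    leaked, blocked = [], []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or ipaddress.ip_address(f["src"]) != host:
            continue
        if is_allowed_destination(f["dst"], allowlist):
            continue
        record = (f["dst"], int(f["dport"]), int(f["bytes_out"]))
        if f["action"] == "allow" and record[2] > 0:
            leaked.append(record)
        else:
            blocked.append(record)
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    result = egress_review(SAMPLE_LOG)
    for dst, port, nbytes in result["leaked"]:
        print(f"EXFIL? {nbytes} bytes to {dst}:{port} despite 'containment'")
    for dst, port, _ in result["blocked"]:
        print(f"blocked attempt to {dst}:{port}")
```

The distinction between "leaked" and "blocked" matters when reading a test like cruelsister's: a contained sample whose connection attempts the firewall rejected is a different result from one whose bytes went out, and only logs taken off the endpoint can tell you which you have.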

509322

David- calc.exe itself was not detected by Cylance, but calc.exe packed will be.

Fun Fact- I initially wanted to use the Microsoft Solitaire application to pack, but when I ran it I saw this:

Antivirus scan for c38338fba450b9b471146b421a9d8402142bc4c94b676b69d252cc1e7325a7ca at 2018-08-15 17:23:02 UTC - VirusTotal

As you already know, Cylance misinforms the local residents that this happens because PROTECT and Smart AV are not really default-allow solutions. Instead, if its algorithms cannot definitively rate as SAFE, then they rate as UNSAFE. I can pick apart their marketing, but you know... here a logical, well-laid argument isn't going to work nor matter because there are those that are gunning for it to be proven here as something that it isn't. In any case, there is massive user confusion because user-land is reliant upon the soft to tell them what is safe and what isn't. This is an ongoing issue from Cylance's beginning.

A little bit of knowledge and a default-deny solution will be much, much more efficient, effective and safer. There is a reason that Microsoft keeps pushing their best practices built upon their (atrociously documented) default-deny solutions to IT Pros - even with the "new" Ai\ML Windows Defender. And that is that Microsoft knows all these default-solutions, including its own, will never keep the systems clean in and of itself.

Most people want the easier, softer way. And, consequently, they get what they get. That isn't a mocking statement. It is just the facts... that people are the ones who make choices for themselves - mostly choices based upon ignorance - willful or otherwise - and, consequently, people are responsible.
 

ForgottenSeer 69673

So now my eyes are opened to who all the Cylance critics are. It appears they are trying to get this thread closed too. This is getting ridiculous.
As Lockdown mentioned in the other thread, they always get locked because narrow-minded people click report. Please, if you have nothing good to say about a product, don't post. That is pretty simple. As sluguy mentioned ironically in the other thread, the CIA sees another sucker installed Cylance, but guess what, they are not watching the people that installed Cylance but instead the always-on people that bash it.
 

509322

On all forums, there is a hive mentality. And if the hive doesn't get its way on a thread, some in the hive start to report posts. They want a thread to be biased - all one-sided in favor of their point of view or whatever it is that they want. This has always been the case with these AV threads.

What I have posted about Cylance is factual and provable. It's out there on the web for anyone who bothers to look. And I have openly stated that I do not oppose the product. Everyone should use whatever works best for them. However, there are greater issues being debated here. What is happening isn't Cylance bashing - as some people claim - so as to provoke people to report posts and shutdown the thread. If people cannot handle open and healthy debate, then they have no business being here. Period. If people don't like what I just posted, then that's too bad. No one is forced to read a post. People can just ignore posts. But instead they want to cause a ruckus.

I know all too well that there are those that want these Cylance threads to be 100 % one-sided in favor of the product. That's not a problem. The problem is the people who run Cylance, the company... - and all the underhanded stuff that they have done over the past years. So there is backlash. And it will continue. My opposition to Cylance, the company - which includes its products - is one based upon principles. The company is unpopular within the industry not because it is so innovative and doing everything better than everyone else. It is unpopular because of the underhanded tactics that it has used - primarily against Sophos. And I don't care one bit about Cylance versus Sophos products. However, I do side wholly with Sophos (and others) against Cylance management - what they have done and continue to do.

The problem is not those who make opposition posts. The problem is those who are too emotionally involved, easily offended, and want to manipulate the outcome of the thread by constantly reporting opposition posts - and ultimately have the thread shut down. It's a recurring pattern in all these AV threads. Because there are those that want no debate. And when they cannot prevent it, they turn the thread into acrimony... they lash out and make personal attacks.

If open debate is no longer permitted here, then we should all close-up shop and go home forever.
 

ForgottenSeer 58943

Most AV's suck in one way or another.. Pick from the list..

-Bugs, bugs and more bugs
-System Slowdowns
-Instability
-Inconvenience
-Bad updates
-Junk GUI
-Slow Web Surfing
-Weak protection with X threat (you pick)
-Crappy support
-Slower network performance (Lan->Wan, Wan->Lan, Lan->Lan, whatever)
-Slower directory populating
-Ruin gaming
-Telemetry Monsters (or Datamining Tools in the case of Avast hehe)
-on and on and on and on (and yes, WD isn't immune)

The reason people play musical AV is because SOMETHING always angers them.. (I bet the average person around here has 2, 3, even 6-10 AV licenses) They have doubts about this or that. Whatever. But customer satisfaction of AV's is rock bottom. If there is one BIG thing I can say for Cylance.. It really doesn't suffer from 99% of those issues. So it makes a great part of a modular protection system without causing you headaches or hassles IMO. BTW: Modular systems are often more effective because of the additional protection layers providing barriers to threat actors.

Try this -> Cylance+OSArmor+Heimdal, also run Syshardener before doing all of this. Then let me know how magical your system feels. Also, if you are feeling cheeky, run that combo through your best 'pack' or real world testing and report back if you wish. I promise that combo won't anger you, make your system feel like a 486sx, cause instabilities, etc. But it will protect you. (if it doesn't, come back and shame me.)
 

509322

Exactly. Bingo.

All softs have bugs. Crossing the street... the grass isn't greener, it's just a different kind of grass. And security softs have among the highest rate of customer dissatisfaction and complaints of all products in the U.S. A lot of that has to do with user ignorance and unrealistic expectations. So, once again, it all goes back to user knowledge and experience. That's not to say that security softs aren't part of the problem, because they certainly are.

I swim in green, nasty bug soup.
 

cruelsister

Please, if you have nothing good to say about a product, don't post.

Tickle- You know I love you but I have to disagree with you on this. Not everything is Rainbows and Unicorns; as long as a poster has knowledge of the inadequacies of a product I feel they have an obligation to bring this up. Otherwise some innocent may be deceived by Corporate Marketing.

And trust me on this- it is not easy being a dissenting view.
 

Deleted Member 3a5v73x

It's obvious who is the core problem why Cylance threads are locked up. Self-righteous cancer.
 