Cylance Predictive Malware Response Test - March 2018


Hawaii007

Thread author
Interesting

Source: SE Labs
Download PDF: https://selabs.uk/download/enterprise/march-2018-pmr.pdf

This test was designed to examine Cylance's claim that the Artificial Intelligence (AI) technology at the heart of its endpoint protection product is self-contained, in terms of being effective without relying on regular updates or cloud queries. It was also intended to determine whether or not an AI model created some months and even years in the past could identify and handle threats that subsequently attacked systems on the internet.

Predictive Advantage (PA) is the time difference between the creation of the model and the first time a threat is seen by victims and security companies protecting those victims. Out of 45 threats, 43 were detected and prevented from compromising the system with an average PA of 25 months. The threats used in the test were discovered in the wild at dates ranging from 11 months to two years and nine months (33 months) after the creation of the AI model.

Not only does the data demonstrate that CylancePROTECT (agent v1300, model May 2015) was capable of preventing threats that did not exist at the time the AI model was 'trained', but it provides an insight into how far ahead in time it could be effective without new knowledge. In practical terms, this indicates that regular updates to the product are not always needed, although we would expect Cylance to develop and deploy newly-trained models over time, simply because product development is an ongoing process and machine learning continues to take into account new threats to predict future ones.

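The quoted summary defines Predictive Advantage as the gap between the model's creation date and each threat's first-seen date, averaged over the threats the model stopped. The script below is an added illustration of how that metric is computed; it is not SE Labs' tooling and the sample records in it are constructed, not the 45 real samples from the report. Only the May 2015 model date is taken from the quoted text.

```python
"""Predictive Advantage (PA) calculator.

Added example illustrating the metric described in the SE Labs summary quoted
above. Not SE Labs' code; SAMPLES below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Sample:
    name: str          # constructed label, not a real hash or family name
    first_seen: date   # first date the threat was observed in the wild
    prevented: bool    # did the (never-updated) model stop it?


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`, rounded down."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return max(months, 0)


def predictive_advantage(model_date: date, samples):
    """Return (prevented, total, mean_pa_months, min_pa, max_pa).

    PA is measured from the model's creation date to each threat's first-seen
    date, not to the date the test was run, and only threats the model
    prevented contribute to the average; misses count against the detection
    rate but have no PA.
    """
    pa = [months_between(model_date, s.first_seen) for s in samples if s.prevented]
    if not pa:
        return 0, len(samples), 0.0, 0, 0
    return len(pa), len(samples), mean(pa), min(pa), max(pa)


MODEL_DATE = date(2015, 5, 1)   # "model May 2015", per the quoted summary

# Constructed records (assumption: dates chosen to fall inside the 11..33
# month window the summary reports). Not the report's real samples.
SAMPLES = [
    Sample("sample-A", date(2016, 4, 15), True),   # 11 months after the model
    Sample("sample-B", date(2017, 2, 1), True),    # 21 months
    Sample("sample-C", date(2017, 10, 20), True),  # 29 months
    Sample("sample-D", date(2018, 2, 1), True),    # 33 months
    Sample("sample-E", date(2016, 9, 9), False),   # missed: excluded from PA
]

if __name__ == "__main__":
    n, total, avg, lo, hi = predictive_advantage(MODEL_DATE, SAMPLES)
    print(f"{n}/{total} prevented; mean PA {avg:.1f} months (range {lo}-{hi})")
```

The one caveat worth keeping in mind when reading a PA figure is the first-seen date itself: it is whatever date the tester's telemetry or VirusTotal first recorded the sample, so a threat that circulated quietly before being uploaded anywhere will look "newer" than it was and inflate the advantage.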
Deleted member 65228

The person quoted from the SE Labs' test results.
Hadn't checked it out yet so didn't realize, thanks for letting me know. I don't understand why people don't just use QUOTE tags... Would be easier to understand IMO.
 

simmerskool


Thanks for those links (y). mekelek mentions both manual scans and scanning on execution. My Cylance does not have any control of on-demand manual scans, but it does do a very deep background scan when installed; after that, my understanding is that it only scans on execution. Maybe he got access as some sort of super_user? Maybe he will clarify for me / us.

Bleak

Personally I've never seen a security product produce such weird & stupid false positives as this one does. For one example, it detects anything compiled with a certain C compiler (Pelles C, which is based on LCC); I even tried ones as simple as a one-line 'Hello world' program and it still detects them the same way, and if I remember correctly it does the same with MinGW executables.

I understand that a product can catch these types of files based on their date and being unknown, but I believe this kind of detection should not be caught by signatures.

Hawaii007

Thread author
Personally I've never seen a security product produce such weird & stupid false positives as this one does. For one example, it detects anything compiled with a certain C compiler (Pelles C, which is based on LCC); I even tried ones as simple as a one-line 'Hello world' program and it still detects them the same way, and if I remember correctly it does the same with MinGW executables.

I understand that a product can catch these types of files based on their date and being unknown, but I believe this kind of detection should not be caught by signatures.

mekelek

Thanks for those links (y). mekelek mentions both manual scans and scanning on execution. My Cylance does not have any control of on-demand manual scans, but it does do a very deep background scan when installed; after that, my understanding is that it only scans on execution. Maybe he got access as some sort of super_user? Maybe he will clarify for me / us.
You can do on-demand manual scans without having admin access on the panel.
It's at the same place where you can stop and start the background scan.
Maybe your policy set by the admin isn't allowing you to change these settings? If so, ask support; they will change the policy.

I'm not gonna lie, it is on par with the fastest signatures from Kaspersky/Norton/ESET, and if you set up a ruthless policy, you will be secured.
Time will tell; I need to test it more, but as others mentioned, it's very, very light on the system.

mekelek

Personally I've never seen a security product produce such weird & stupid false positives as this one does. For one example, it detects anything compiled with a certain C compiler (Pelles C, which is based on LCC); I even tried ones as simple as a one-line 'Hello world' program and it still detects them the same way, and if I remember correctly it does the same with MinGW executables.

I understand that a product can catch these types of files based on their date and being unknown, but I believe this kind of detection should not be caught by signatures.
Cylance isn't using signatures, it's using AI, hence the FPs.
ForgottenSeer 69673

I used it for a few years and then just didn't want to pay 60 bucks a year to renew. With my version, I had a login portal.
From there I was able to do a VirusTotal scan and remove those FPs. I can't remember if the files were inspected as they came onto my machine or just when I tried to execute them. Also not sure how it will handle fileless malware.

DeepWeb

For all I care, Cylance is a stubborn company that refuses to whitelist perfectly normal programs. It's poisoning the results in VirusTotal with its ridiculous false positives.
 
509322

Cylance isn't using signatures, it's using AI, hence the FPs.

They are using file hash lookups. Just because Cylance is reporting something falsely does not mean that Cylance has not used a VT lookup itself. ;) Such are the shenanigans. See through it. Do an in-depth web search and study of CYLANCE and you will locate prior employee revelations of CYLANCE shenanigans - or "tips & tricks" as they call it internally.
 