Cylance Smart Antivirus PC MAG Review

[Digmor Crusher]

Everybody will eventually be breached, Google, Amazon, your bank , everyone. The only thing the common guy has going for us is that if they breach someone with 100 million users the chances of us being affected is very low. So my mantra is, dont worry be happy, they may have our info but chances are will never be used against us.

 

[ForgottenSeer 58943]

They couldn't make a proper software firewall back in 2014 and you trust them to make secure router firmware?

What the hell are you talking about? Please re-read what I said and apply comprehension to it. I wasn't talking about Cylance having a firewall.

 

[artek]

What the hell are you talking about? Please re-read what I said and apply comprehension to it. I wasn't talking about Cylance having a firewall.

I didn't think you were. What I was saying, and lets just pick one of those vendors you listed at random, say Norton Sphere. Back in 2014 their firewall was failing to prevent remote desktop connections and file sharing connections. Do you really trust them to design and secure a router?

 

[ForgottenSeer 58943]

I didn't think you were. What I was saying, and lets just pick one of those vendors you listed at random, say Norton Sphere. Back in 2014 their firewall was failing to prevent remote desktop connections and file sharing connections. Do you really trust them to design and secure a router?

Norton has a well regarded firewall among software firewalls. However I was simply listing a few random UTM type appliances without regard to individual merits. (or lack of) The fact is, Norton Sphere functions like a UTM and has web filtration. That was the point being made. Cylance has some pretty big limitations for handling anything other than file execution malware.

But paired with a UTM, it's probably quite nice as Umbra points out - in corporate environments it's probably great behind some nice gateway gear, tools, and a locked down AD environment with directory security managed properly.

 

[askmark]

As someone who has evaluated the corporate version of Cylance in my organisation I can tell you the only impressive thing i found was the agent's small footprint and low resource usage.

One of the test PC's during the POC (proof of concept) actually became infected with malware and Cylance was totally oblivious to its existence. It was only the user reporting odd behaviour of their PC that alerted us to their being something wrong. A scan with an on demand scanner confirmed a known trojan was persistent and active in memory.

Then their was the cost. At the time we were using Panda on all of our endpoints as it was 50% cheaper than Sophos (our previous solution). Cylance however worked out to be twice as expensive as Sophos!

Needless to say we went with Sophos as it proved more effective, due to its multilayer protection and also better value at half the cost of Cylance.

I so very nearly fell for all the flash marketing BS. If I had I don't think I'd still be in a job.

 

[ForgottenSeer 58943]

As someone who has evaluated the corporate version of Cylance in my organisation I can tell you the only impressive thing i found was the agent's small footprint and low resource usage.

One of the test PC's during the POC (proof of concept) actually became infected with malware and Cylance was totally oblivious to its existence. It was only the user reporting odd behaviour of their PC that alerted us to their being something wrong. A scan with an on demand scanner confirmed a known trojan was persistent and active in memory.

Then their was the cost. At the time we were using Panda on all of our endpoints as it was 50% cheaper than Sophos (our previous solution). Cylance however worked out to be twice as expensive as Sophos!

Needless to say we went with Sophos as it proved more effective, due to its multilayer protection and also better value at half the cost of Cylance.

I so very nearly fell for all the flash marketing BS. If I had I don't think I'd still be in a job.

Very interesting. Thank you for sharing your experiences.

 

[Kubla]

Cylance talks about the PCMag review:

Cylance News

 

[509322]

Cylance is big on the bitching and moaning that it isn't getting any fairness within the industry. That it has been wrongly characterized and insidiously persecuted. And it accuses others of non-existent wrong-doing - making it up as they go along. Threatens law suits and then balks when confronted with legal action.

Sound familiar ?

 

[ForgottenSeer 58943]

Cylance talks about the PCMag review:

Cylance News

"In an industry dominated by companies making empty promises using broken, outdated technology, It’s good to be different."

Shots fired!

 

[509322]

"In an industry dominated by companies making empty promises using broken, outdated technology, It’s good to be different."

Shots fired!

It's the same marketing mantra used by everyone. The problem is that some are much, much more sensitive to it than others. They cannot help themselves.

No security software can function as a replacement for knowledge and experience.

Actually security softs create more questions for users than they ever answer.

 

[ForgottenSeer 58943]

It's been 3 days since I opened a ticket and provided logs. Not even a 'Great, we got your ticket and will get back to you' response..

 

[ForgottenSeer 58943]

Bugs/anomalies noted so far with Cylance.

1) .net crash errors on some clients. (logs provided to Cylance, but it's a rare event)
2) No notification of threats. Similar to what Neil experienced.
3) Possible corruption of core windows DLL on one machine. (logs submitted but could be something other than Cylance)

4) Sometimes it actually does scan files that aren't executed contrary to their operational statements and stated lack of interest in stagnant files doing nothing.. We've noticed that contrary to what they claim, it does scan non-executed files. Our logging clearly shows this activity. We we seeded 5 pieces of malware on a drive to see if it is scanning anytime other than execution. It does, these 5 threats were buried on a drive where there was no execution of any program. So it does scan folders under some conditions.

5) Aggressive quarantine of newer non-malware files as malware is fairly routine. Also, they seem to examine hashes of known files and any variance of the hash from known file triggers it. Without regard to the actual malware validity at the time.

6) Aggressive quarantine of OLDER files without respect to their validity. For example I was able to go way back to a sample of a legitimate program, but dated, Cylance immediately quarantined and removed it because it simply wasn't in their database yet. Without any respect to it's threat validity.

7) Support may lack. I haven't gotten a response in 3 days. <sniff>

More soon.

 

[rsonic]

Here's a screen grab of the 5 hidden malware samples

For an AV that prides itself on "pretty", that screen is pretty basic; looks the same as the dry enterprise screen on the endpoints.

I'm commenting on that because that's all I'm qualified for.

 

[509322]

For an AV that prides itself on "pretty", that screen is pretty basic; looks the same as the dry enterprise screen on the endpoints.

I'm commenting on that because that's all I'm qualified for.

Yeah, well... you'd be surprised how many people use a security soft because the graphics are the most important thing to them. That's as about as idiotic as it gets.

 

[artek]

Bugs/anomalies noted so far with Cylance.

1) .net crash errors on some clients. (logs provided to Cylance)
2) No notification of threats. Similar to what Neil experienced.
3) Possible corruption of core windows DLL on one machine. (logs submitted)

4) Sometimes it actually does scan files that aren't executed contrary to their operational statements and stated lack of interest in stagnant files doing nothing.. We've noticed that contrary to what they claim, it does scan non-executed files. Our logging clearly shows this activity, in fact in one logging session it scanned every single file in an encrypted directory that we 'staged' to test this. We we seeded 5 pieces of malware on the encrypted drive to see if it is looking for encrypted files and snooping around around. Well, those encrypted directories and malware were NEVER executed but the threats were found. That seems to be the opposite of their claims, why was it scanning an encrypted folder on a data drive without user activity? Here's a screen grab of the 5 hidden malware samples I put in the encrypted directory before installation of Cylance.

View attachment 193898

5) Aggressive quarantine of newer non-malware files as malware is fairly routine. Also, they seem to examine hashes of known files and any variance of the hash from known file triggers it. Without regard to the actual malware validity at the time.

6) Aggressive quarantine of OLDER files without respect to their validity. For example I was able to go way back to a sample of a legitimate program, but dated, Cylance immediately quarantined and removed it because it simply wasn't in their database yet. Without any respect to it's threat validity.

7) Support blows. You'll be ignored. If you want a refund, you might be waiting 30 days to get the 30 day refund honored.

That's all I have for today. It's a decent basic antivirus IMO. Nothing more. I don't see any magical unicorn activity in it, but that's just me. Sure it's tiny, and doesn't use much CPU. But why do I care about that? I have 16 cores sitting here idle most of the time. I'd put OSArmor/VS and Heimdal next to it or I wouldn't run it. OSArmor/VS is going to give you exploit protection and alternative vector protection. Heimdal will protect your DNS and give you robust URL filtering. This combo 'should' be incredibly lightweight and highly effective. Or put Cylance behind a UTM-Like router along with OSArmor/VS and call it a day. You won't get infected.

I had the problem with notifications too, and I just noticed this today. Not sure if you had that ticked, but it's off by default.

Show Notifications

I've seen it scan folders too, but I'm not sure exactly what triggers it, because I've also pointed explorer to other folders, and it doesn't scan them at all. I think it might be some other process touching the files which triggers a Cylance scan, but don't quote me on that.

 

[artek]

That's all I have for today. It's a decent basic antivirus IMO. Nothing more. I don't see any magical unicorn activity in it, but that's just me. Sure it's tiny, and doesn't use much CPU. But why do I care about that? I have 16 cores sitting here idle most of the time. I'd put OSArmor/VS and Heimdal next to it or I wouldn't run it.

That's the unicorn. Look at this test: Advanced Endpoint Protection Test | AV-Comparatives It's providing the same, and in some cases better, protection than more bloated alternatives. Bitdefender, Kasperksy, Sophos, my system was crawling. You're telling me with this tiny, nimble, next-gen product I can get a similar level of protection without my system slowing down? Where do I sign up?

Real-world protection test, no url filtering, other products have URL filtering, what kind of detection rate advantage do they have versus Cylance? Bitdefender had a 100 percent detection rate, the next top products, including Cylance, all had 99.7. You mean I can get a comparable detection rate absent net slowdowns? Absent a security suite hooking into my browser and downgrading my SSL/TLS connections?

 

[ForgottenSeer 58943]

That's the unicorn. Look at this test: Advanced Endpoint Protection Test | AV-Comparatives It's providing the same, and in some cases better, protection than more bloated alternatives. Bitdefender, Kasperksy, Sophos, my system was crawling. You're telling me with this tiny, nimble, next-gen product I can get a similar level of protection without my system slowing down? Where do I sign up?

Don't get me wrong, I love how lightweight it is. More specifically, how it 'feels' on your system, it really does feel like there isn't any AV running at all which is exceedingly nice. I'm pretty much recommending Cylance to people with caveats.

I believe Cylance should be more than enough (with the caveats below noted) to provide a near zero weight/impact and solid protection. Barring a UTM/NGFW on the gateway, I would pair up Cylance with OSArmor and Heimdal. That's just my opinion, I probably wouldn't run Cylance vanilla with nothing else and would choose one or the other.

With all of the negatives and/or questions, I will post what I like (love?) about Cylance;

1) Administration Panel - I like web panels for my security. Force of habit from the corporate world. While short on settings, Cylance has a speedy, attractive panel where you can quickly get a sight on your devices and see what is going on, and whitelist/etc. Very nice.
2) Weight and Speed - systems feel FAST with Cylance on them. No mistaking that! Impressively light..
3) Strong Awareness of application integrity and anomalies. I'm picky, I want to know if any application, module or update diverges from the norm. Cylance provides that awareness by alerting to anomalies. I have confidence if anything gets hijacked, altered/tampered, or something with an application update channel gets replaced with a subverted module Cylance WILL find it and alert.,
4) Spartan interface - love it! I'm tired of bloat, like you. Give me the data I need and stop giving me flashy whistles and lights.
5) Enthusiasm - let's face it, there is a lot of enthusiasm around Cylance. It's contagious. You know the people there probably love the product and it shows. Nobody gets excited (or cares) about Avast anymore. Cylance is doing cool things and has an edgy feel to it. ;-)

So would I recommend Cylance? After 2 weeks of toying with it, I am shifting it to my recommendation category with caveats*

1) You probably need a router/firewall with some UTM features w/Cylance. (pick a brand)
and/or
2) You probably should pair it up with Heimdal and/or OSArmor.

Cylance+Gryphon is so good, I think it's my recommended combo for anyone looking to get a couple different artificially intelligent technologies working on their network and systems that totally compliment each other. Since both of them use ML/AI, and both would totally compliment each other, it's like the perfect combo IMO. Gryphon is going to seal right up any potential areas Cylance might falter.

Here's my 15 second marketing graphic for this combo;

 

[rsonic]

Here's my 15 second marketing graphic for this combo;

View attachment 193905

Oh God, they should hire you to design their material.

I'm looking for a solution that I can put on friends' and relatives' machines and manage through a web interface if they aren't blocking their updates and letting the malware run amok; perhaps Cylance isn't what I need, then.

 

[509322]

You're telling me with this tiny, nimble, next-gen product I can get a similar level of protection without my system slowing down? Where do I sign up?

You can get an almost identical detection rate, but at the same time a whole lot less protection against the stuff that isn't detected.

LOL...

And unless you are using obsolete\insufficient hardware and\or Windows or have your system loaded down with softs and a taxing configuration, then there shouldn't be system slowdowns.

 

[artek]

You can get an almost identical detection rate, but at the same time a whole lot less protection against the stuff that isn't detected.

LOL...

And unless you are using obsolete\insufficient hardware and\or Windows or have your system loaded down with softs and a taxing configuration, then there shouldn't be system slowdowns.

Test Bitdefender Internet Security 22.0 for Windows 10 (181491)

On a high-end system, like you said, 23% slower launching of popular webpages by bitdefender. A significant slowdown if I don't say so myself.

Norton slows down the browsing of web-pages on a high end PC by 14%
Test Norton Norton Security 22.12 for Windows 10 (181416)

Avira seems fairly fast here with only 6% slower launching of popular webpages: Test Avira Antivirus Pro 15.0 for Windows 10 (181480)
However Av-Comparatives indicates that Avira has a significant performance impact when downloading files: Performance Test April 2018 | AV-Comparatives
Which is odd, because AV-Test shows that Avira is relatively quick at this, and probably indicative that the performance impact differs from system to system. But this begs the question. If Cylance can match and beat the detection rate of these products without this kind of negative performance impact why use this type of protection at all.

People with high-end PCs, particularly in the enthusiast markets are paying several hundreds of dollars for 10%+ performance. How do you think they feel about losing 14% of that to their anti-malware?

Protecting against undetected malware sounds like the webroot approach. It's not without merit, but I'd much prefer something with a high initial detection rate because I feel like remiditation is a fools game at best. I would much rather be notified post-infection and start over fresh.