Cylance Smart Antivirus

  • Thread starter Deleted Member 3a5v73x
Status
Not open for further replies.

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Marketing and commercialization of own products is nothing new, as AVs in the past used the good old line "100% detection", and they kinda didn't lie, as the product catches 2 malware out of 2 samples, but it's not the truth either, as it was said in the obvious context that the average user may think and/or can be fooled to think that this product will protect it 100% of the time.

Many companies use some kind of Machine Learning and call it Artificial Intelligence as it sounds cooler, and unfortunately, it sounds like you don't have to have intelligence or brains, as there is an artificial one that will make decisions for you. As far as I can tell, only a few big companies like Microsoft, Google (Alpha Lella Chess Zero), IBM can do a real business with this, as they have enough power to do it and enough data to feed the monster.

It's easy (it's not really easy, but extremely hard) to make an AI that will play chess, you teach it with rules, teach it basic and advanced reward/punishment motivation systems and let it play with itself to infinity.

Malware doesn't play by the rules, so using AI against it, is or will be our big achievement.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
Sentinel one is good for scripts where Cylance is not but costs twice as much.
Not exactly. One has a home version and the other is the enterprise version. When Cylance didn't have a home version, as a home user you could buy it at the same price as SentinelOne now. The Cylance home version is not really comparable with the enterprise one, as you don't have access to most settings to tighten security.
P.S. SentinelOne claims they are good with scripts, but that is yet to be seen. They have other interesting stuff though and cover more attack vectors. Anyway, this is a different product topic and I don't want to mess it up, so I will stop here.
 

ForgottenSeer 58943

Thread author
I'm starting to believe I lost those 10 bucks to Umbra when I claimed that Cylance was gonna perform great. Let's stay tuned to @askalan's reports, who will take the lead on Cylance and luckily will prove my tests garbage.

Your tests are great, and we appreciate it. This is precisely why I offered testers Cylance (on my dime) because we need to get to the bottom of things. I think this thread, and your testing, illustrates the great value of this forum. Our discourse on Cylance is proving valuable, and none of us are 'wedded' to any particular solution and really just want to get past the marketing hype and FUD with each product/service.
 

509322

Thread author
Marketing and commercialization of own products is nothing new, as AVs in the past used the good old line "100% detection", and they kinda didn't lie, as the product catches 2 malware out of 2 samples, but it's not the truth either, as it was said in the obvious context that the average user may think and/or can be fooled to think that this product will protect it 100% of the time.

Many companies use some kind of Machine Learning and call it Artificial Intelligence as it sounds cooler, and unfortunately, it sounds like you don't have to have intelligence or brains, as there is an artificial one that will make decisions for you. As far as I can tell, only a few big companies like Microsoft, Google (Alpha Lella Chess Zero), IBM can do a real business with this, as they have enough power to do it and enough data to feed the monster.

It's easy (it's not really easy, but extremely hard) to make an AI that will play chess, you teach it with rules, teach it basic and advanced reward/punishment motivation systems and let it play with itself to infinity.

Malware doesn't play by the rules, so using AI against it, is or will be our big achievement.

There is no such thing as "Truth in Advertising." Unfortunately. Almost everything is an embellishment. I am a harsh critic of our own marketing materials. I see statements, while technically true, but there are exceptions and the exceptions aren't mentioned. And I don't like grey language that has layers of meaning... that can be interpreted in different ways by different people. I suppose it would be too much to hand a person a 10 page marketing brochure that lists all the caveats, corner cases to what is promoted, and describes stuff in detail... instead of a single page one. The thing about the one page is that it works, but for the 10 pager by the beginning of the second page you've lost the person. Anyway, that's just a few issues with marketing that most people don't stop to think about.

However, the thing that is pertinent here is that Cylance has been both extremely aggressive and defensive of their marketing. Its tour and the methods used in it were, well, how is a diplomatic way to put it... underhanded? Sophos is on record as just calling Cylance a pack of liars. There's a lot of folks in the industry that agree with Sophos. Its points were valid. And then during the tour and afterwards, making extraordinary efforts to quash objections about the exceptions that weren't mentioned - such as disabling competitor settings or using non-malicious malware as samples - or, more often, arguing that the industry and testing is flawed, that Cylance is unfairly persecuted because there are those set against it, that it is being violated because people just don't understand or are creating falsehoods about the product. Everything and everyone is the problem except Cylance. Sounds just like Webroot (mostly fanboys) and some other products that I know of (mostly developers). And that is where I think people, like myself, have problems with Cylance - problems with the organization... or more specifically, the people running it - as opposed to the product itself.
 

artek

Level 5
Verified
May 23, 2014
236
There is no such thing as "Truth in Advertising." Unfortunately. Almost everything is an embellishment. I am a harsh critic of our own marketing materials. I see statements, while technically true, but there are exceptions and the exceptions aren't mentioned. And I don't like grey language that has layers of meaning... that can be interpreted in different ways by different people. I suppose it would be too much to hand a person a 10 page marketing brochure that lists all the caveats, corner cases to what is promoted, and describes stuff in detail... instead of a single page one. The thing about the one page is that it works, but for the 10 pager by the beginning of the second page you've lost the person. Anyway, that's just a few issues with marketing that most people don't stop to think about.

However, the thing that is pertinent here is that Cylance has been both extremely aggressive and defensive of their marketing. Its tour and the methods used in it were, well, how is a diplomatic way to put it... underhanded? Sophos is on record as just calling Cylance a pack of liars. There's a lot of folks in the industry that agree with Sophos. Its points were valid. And then during the tour and afterwards, making extraordinary efforts to quash objections about the exceptions that weren't mentioned - such as disabling competitor settings or using non-malicious malware as samples - or, more often, arguing that the industry and testing is flawed, that Cylance is unfairly persecuted because there are those set against it, that it is being violated because people just don't understand or are creating falsehoods about the product. Everything and everyone is the problem except Cylance. Sounds just like Webroot (mostly fanboys) and some other products that I know of (mostly developers). And that is where I think people, like myself, have problems with Cylance - problems with the organization... or more specifically, the people running it - as opposed to the product itself.

I sympathize with them a bit. If you're an infosec startup - they've moved far beyond that point by now - and someone puts out one of those gamed comparatives from an AV-Testing site, there's not a lot of information out there about your product. It could lead to the death of a company. I would be telling people the same thing: test the product yourself. Not that the unbelievable tour wasn't a tad shady. But I also feel that putting your product out there for people in the crowd to bring samples to try and bypass is a bit better than paying for one of those biased product comparison pieces on major testing sites.
 

509322

Thread author
I sympathize with them a bit. If you're an infosec startup - they've moved far beyond that point by now - and someone puts out one of those gamed comparatives from an AV-Testing site, there's not a lot of information out there about your product. It could lead to the death of a company. I would be telling people the same thing: test the product yourself. Not that the unbelievable tour wasn't a tad shady. But I also feel that putting your product out there for people in the crowd to bring samples to try and bypass is a bit better than paying for one of those biased product comparison pieces on major testing sites.

"Poor" or "Bad" test performance has never led to the demise of a company. Not that I know of. There are products out there that always perform poorly, but organizations and the buying public keep on purchasing the product(s). Not to mention that there are products out there that have little to no documented test history and the same applies - organizations and people keep buying the product.

Sure, AV test lab results are marketing, but they don't have the kind of influence to bring down a company's house. After all, the company can simply stop participating - and still - their product will sell. Webroot and G DATA are examples.

Their tour was a lot more than just shady. And therefore, the backlash position that some take against it is not a technical one, but instead one based upon principle.
 

artek

Level 5
Verified
May 23, 2014
236
"Poor" or "Bad" test performance has never led to the demise of a company. Not that I know of. There are products out there that always perform poorly, but organizations and the buying public keep on purchasing the product(s). Not to mention that there are products out there that have little to no documented test history and the same applies - organizations and people keep buying the product.

Sure, AV test lab results are marketing, but they don't have the kind of influence to bring down a company's house. After all, the company can simply stop participating - and still - their product will sell. Webroot and G DATA are examples.

Their tour was a lot more than just shady. And therefore, the backlash position that some take against it is not a technical one, but instead one based upon principle.


Maybe death of a company is a little extreme. But Webroot and GDATA weren't brand new, and I think that a poorly designed comparative could really hurt a new company.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
off-topic
people criticize me testing products with syshardener
here is an example of Sophos Home premium with fully tweaked syshardener (almost everything was checked, identical to avast)
syshardener couldn't save sophos from an infected status because it missed 1 malware (.exe)

https://malwaretips.com/threads/13-08-2018-19.85938/post-756902
 

Deleted Member 3a5v73x

Thread author
Well.. I won't give any spoilers for the recently posted pack (thanks to @silversurfer), and let's wait for official MH tester results, but imo it's a ride to death to use just Cylance Smart AV alone.. the system will most likely end up infected after every test, and it's understandable that they protect only from PEs, but today's @RoboMan's test is simple proof that it can't protect against all PEs. I vote for SysHardener to be added together with it in MH tests.
 

ForgottenSeer 58943

Thread author
off-topic
people criticize me testing products with syshardener
here is an example of Sophos Home premium with fully tweaked syshardener (almost everything was checked, identical to avast)
syshardener couldn't save sophos from an infected status because it missed 1 malware (.exe)

https://malwaretips.com/threads/13-08-2018-19.85938/post-756902

That pack is brutalizing everything. But it's time sensitive as the pack is being submitted so any results after a couple hours are probably jaded due to submissions. I'd remind people - some of SHP's stronger assets aren't utilized in the test. I suspect it likely SHP would snag that with their web filtration, heuristic traffic evaluation and new file reputation on download. (My favorite protection category)

As I said day one - Cylance alone as the sole solution is probably not all that good of an idea. I believe it's a nice solution but only when paired up. What is surprising is it's missing EXEs it should clearly have known as modified/untrusted. I am reaching out to a well known and trusted expert in that field and getting his thoughts on that. (non-Cylance guy) I have a suspicion as to why it missed something, and it's NOT flawed testing.
 

artek

Level 5
Verified
May 23, 2014
236
"(I could test only seven because of the restart)"

Wait, so static scan detects 7/19, which leaves 12 files left. And out of those 12 files you were only able to test 7 further. So there are 5 more files that could have potentially been detected, but are still being counted as misses in your results?

Am I reading this wrong?
 