Cylance Smart Antivirus

[Moonhorse]

he doesn't have the samples so he couldn't test it. He just assumed after the VM resource is corrected, cylance would get 100% => which is completely wrong
cylance smart AV doesn't support fileless malware protection (as tests have shown so far, not sure how it will change) so it is impossible for it to get 100%

off topic:
By the way, keep those windows defender tests coming

 

[Deleted Member 3a5v73x]

he doesn't have the samples so he couldn't test it. He just assumed after the VM resource is corrected, cylance would get 100% => which is completely wrong
cylance smart AV doesn't support fileless malware protection (as tests have shown so far, not sure how it will change) so it is impossible for it to get 100%

He does. Do you really think he blow out off @ss he's results?

 

[Evjl's Rain]

He does. Do you really think he blow out off @ss he's results?

but did he actually test it or just make assumption? I don't see any information regarding his test for cylance. Screenshots? Description?

 

[artek]

but did he actually test it or just make assumption? I don't see any information regarding his test for cylance. Screenshots? Description?

He says he tested it. The only other minor criticism I have for the test is calling files misses after the system is locked up. I know you guys probably have other things to do than restore a VM every time some ransomware gets through, but if you're not sure, I don't think you should label it as a miss.

 

[Evjl's Rain]

He says he tested it. The only other minor criticism I have for the test is calling files misses after the system is locked up. I know you guys probably have other things to do than restore a VM every time some ransomware gets through, but if you're not sure, I don't think you should label it as a miss.

I never labeled it as a ransomware infection. I said that attack was as bad as a ransomware attack because you no longer have access to your PC unless you restore from your image backup. No matter what you call it, it must be called a miss because you can't use your PC, an obvious indicator of infection

here is the test of the new samples, poor as expected 6/15 in overall . It missed 3 exe malwares. 1 of them actively closed process explorer and autoruns
https://malwaretips.com/threads/17-08-2018-15.86079/post-757906

 

[ForgottenSeer 69673]

Cylance seems to hide+lock threats until full qualification is made. Once it's determined (fully) to be malicious, then it's purged. If it is determined safe, or you allow it, then the flags are removed and Cylance unlocks the file right back where it was. This is also why testing must be carefully conducted as many on-demand scanners will detect those benign hidden+locked files as being actual malware sitting there. You can demonstrate this for yourself, download malware, wait for Cylance to lock it for qualification, then scan the folder with HMP or Zemana, the malware will show up as being there. Don't trust secondary scans without manually inspecting the folder each time (AND the temp folders, etc) to make sure the file is actually there, in many cases, it won't be but those scans make make you think the machine isn't clean. I've noticed on 'tests' that secondary scans showing an unclean machine are actually files that are contained but have flags, and still show up on secondary scans. A hit and quarantine, reported as a miss.



View attachment 196009

I used the paid version of Cylance Protect and though the web portal is different to navigate, options are still there. Just like the past, this version leaves the files in their folder not accessible. A rescan of the folder with Kaspersky with update defs found noting with those files.

 

[artek]

I never labeled it as a ransomware infection. I said that attack was as bad as a ransomware attack because you no longer have access to your PC unless you restore from your image backup. No matter what you call it, it must be called a miss because you can't use your PC, an obvious indicator of infection

here is the test of the new samples, poor as expected 6/15 in overall . It missed 3 exe malwares. 1 of them actively closed process explorer and autoruns
https://malwaretips.com/threads/17-08-2018-15.86079/post-757906

I agree with you, but the files that you were not able to run after the system was locked shouldn't be labelled as misses unless you ran them.

 

[Evjl's Rain]

I agree with you, but the files that you were not able to run after the system was locked shouldn't be labelled as misses unless you ran them.

I did run them after I restored my VM. All were missed because they are fileless malwares

 

[ForgottenSeer 69673]

Ok I just uploaded the files still in my folder and 40 of the scan engines on VT flag them and Kaspersky still says they are clean, even on VT. These are the 6 files Cylance quarantined. And so ForgottenSeer 58943 you are right about other av's detecting them even if they are locked, In my case, it was Kaspersky not detecting them.

 

[ForgottenSeer 58943]

I agree with you, but the files that you were not able to run after the system was locked shouldn't be labelled as misses unless you ran them.

Every car accident we investigate there are skid marks, so therefore, it is quite likely that skid marks cause accidents - said the neophyte accident investigator.

Nevertheless, anyone arguing that Cylance Smart Antivirus will protect you from all manner of threats and vectors is predisposing themselves to lose the argument. It won't. I said it won't. But don't believe me, see for yourself. It will protect you from a lot, especially some pretty targeted stuff, and very clearly from unknown things in many cases, including update channel compromises. But it is by no means comprehensive and I would not treat it as such.

Maybe some savvy folks here can find combos where it's bulletproof with zero system weight. Didn't someone here proclaim CF w/CS and Cylance to be a magical combo? Maybe pay attention to them. Or maybe look into the zero-weight setup of Cylance+OSArmor+SysHardener and Heimdal, which may or may not be 'almost' impenetrable. (test it if you want then let us know)

Ok I just uploaded the files still in my folder and 40 of the scan engines on VT flag them and Kaspersky still says they are clean, even on VT. These are the 6 files Cylance quarantined. And so ForgottenSeer 58943 you are right about other av's detecting them even if they are locked, In my case, it was Kaspersky not detecting them.

Indeed. Illustrating how important it is to know how something works first, and to perhaps study it.. (attempting VERY HARD to avoid sounding like Triple Hernia and WTFroot).

 

[artek]

I did run them after I restored my VM. All were missed because they are fileless malwares

I'm still puzzled that we have two different results for people running the same test set. I can't imagine both outcomes having veracity.

 

[Evjl's Rain]

I'm still puzzled that we have two different results for people running the same test set. I can't imagine both outcomes having veracity.

askalan, roboman and me have the same results with proof, it should tell you something, who you should believe
in theory, cylance is unable to achieve 100% result hence any claim of it having 100% result is lying

I can make cylance having 100% result with ease but it's disallowed in MT hub comparative tests

 

[ForgottenSeer 69673]

OK I just ran today's samples by Cylance along with Kaspersky Cloud Personal. 157 samples of mostly Ransome ware. Kaspersky flagged all but 8, Cylance flagged zero. Next, I ran the ones missed through VirusTotal and at least 30 to 40 engines flagged those 8. Both Kaspersky and Cylance said they were clean. Might have to switch my AV from Kaspersky in my VM. I did not do a dynamic scan of those 8 files. Did not feel the need.

 

[rsonic]

OK I just ran today's samples by Cylance along with Kaspersky Cloud Personal. 157 samples of mostly Ransome ware. Kaspersky flagged all but 8, Cylance flagged zero. Next, I ran the ones missed through VirusTotal and at least 30 to 40 engines flagged those 8. Both Kaspersky and Cylance said they were clean. Might have to switch my AV from Kaspersky in my VM. I did not do a dynamic scan of those 8 files. Did not feel the need.

.... Zero?

 

[ForgottenSeer 58943]

I'll ask quickly and directly: does anyone have the installation file for Cylance and can send it to me privately? I have the installation token, but unfortunately no installation file and no access to the cloud.

I just sent it to you. Godspeed.

 

[AlanOstaszewski]

see it

 

[ForgottenSeer 69673]

.... Zero?

Yes because Kaspersky gets them first. I will try the test with just Cylance later.

 

[ForgottenSeer 69673]

OK, I just ran all the same files with only Cylance active and it caught all the same ones Kaspersky did except for those same eight files neither Cylance nor Kaspersky flag. Still, a pretty darn good percentage rate if you ask me. 157 samples. Guessing a better AV would catch them all instead of Kaspersky.
How do you send those files to Cylance again?

 

[DeepWeb]

View attachment 196009

LMAO. There's some truth in everything. If anything this is a great public beta for Cylance.

 

[ForgottenSeer 58943]

I recommend combining solutions. So you don't run into things like this; but in cases like this, you might be pretty glad Cylance was around to back you up when the vast majority of other solutions will fail you. I suppose. I don't believe any single solution is going to provide magical results - except Chromebooks I guess. Maybe a full VDI environment, but not much else.