Cylance Smart Antivirus

  • Thread starter Deleted Member 3a5v73x

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
He doesn't have the samples, so he couldn't test it. He just assumed that after the VM resource is corrected, Cylance would get 100%, which is completely wrong.
Cylance Smart AV doesn't support fileless malware protection (as tests have shown so far; not sure how it will change), so it is impossible for it to get 100%.
Off topic:
By the way, keep those Windows Defender tests coming (y)
 
Deleted Member 3a5v73x

Thread author
He doesn't have the samples, so he couldn't test it. He just assumed that after the VM resource is corrected, Cylance would get 100%, which is completely wrong.
Cylance Smart AV doesn't support fileless malware protection (as tests have shown so far; not sure how it will change), so it is impossible for it to get 100%.
He does. Do you really think he blows his results out of his @ss? :D
 
  • Like
Reactions: vtqhtr413

artek

Level 5
Verified
May 23, 2014
236
But did he actually test it or just make an assumption? I don't see any information regarding his test for Cylance. Screenshots? Description?

He says he tested it. The only other minor criticism I have for the test is calling files misses after the system is locked up. I know you guys probably have other things to do than restore a VM every time some ransomware gets through, but if you're not sure, I don't think you should label it as a miss.
 
  • Like
Reactions: vtqhtr413

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
He says he tested it. The only other minor criticism I have for the test is calling files misses after the system is locked up. I know you guys probably have other things to do than restore a VM every time some ransomware gets through, but if you're not sure, I don't think you should label it as a miss.
I never labeled it as a ransomware infection. I said that attack was as bad as a ransomware attack because you no longer have access to your PC unless you restore from your image backup. No matter what you call it, it must be called a miss, because you can't use your PC, an obvious indicator of infection.

Here is the test of the new samples, poor as expected: 6/15 overall. It missed 3 exe malwares; 1 of them actively closed Process Explorer and Autoruns.
https://malwaretips.com/threads/17-08-2018-15.86079/post-757906
 
ForgottenSeer 69673

Thread author
Cylance seems to hide+lock threats until full qualification is made. Once it's determined (fully) to be malicious, then it's purged. If it is determined safe, or you allow it, then the flags are removed and Cylance unlocks the file right back where it was. This is also why testing must be carefully conducted, as many on-demand scanners will detect those benign hidden+locked files as being actual malware sitting there. You can demonstrate this for yourself: download malware, wait for Cylance to lock it for qualification, then scan the folder with HMP or Zemana; the malware will show up as being there. Don't trust secondary scans without manually inspecting the folder each time (AND the temp folders, etc.) to make sure the file is actually there; in many cases it won't be, but those scans may make you think the machine isn't clean. I've noticed on 'tests' that secondary scans showing an unclean machine are actually files that are contained but have flags, and still show up on secondary scans. A hit and quarantine, reported as a miss.

I used the paid version of Cylance Protect, and though the web portal is different to navigate, the options are still there. Just like in the past, this version leaves the files in their folder, not accessible. A rescan of the folder with Kaspersky with updated defs found nothing with those files.
 

artek

Level 5
Verified
May 23, 2014
236
I never labeled it as a ransomware infection. I said that attack was as bad as a ransomware attack because you no longer have access to your PC unless you restore from your image backup. No matter what you call it, it must be called a miss, because you can't use your PC, an obvious indicator of infection.

Here is the test of the new samples, poor as expected: 6/15 overall. It missed 3 exe malwares; 1 of them actively closed Process Explorer and Autoruns.
https://malwaretips.com/threads/17-08-2018-15.86079/post-757906

I agree with you, but the files that you were not able to run after the system was locked shouldn't be labelled as misses unless you ran them.
 
ForgottenSeer 69673

Thread author
OK, I just uploaded the files still in my folder, and 40 of the scan engines on VT flag them, while Kaspersky still says they are clean, even on VT. These are the 6 files Cylance quarantined. And so, ForgottenSeer 58943, you are right about other AVs detecting them even if they are locked. In my case, it was Kaspersky not detecting them.
 
ForgottenSeer 58943

Thread author
I agree with you, but the files that you were not able to run after the system was locked shouldn't be labelled as misses unless you ran them.

At every car accident we investigate there are skid marks, so therefore it is quite likely that skid marks cause accidents, said the neophyte accident investigator. :giggle:

Nevertheless, anyone arguing that Cylance Smart Antivirus will protect you from all manner of threats and vectors is predisposing themselves to lose the argument. It won't. I said it won't. But don't believe me, see for yourself. It will protect you from a lot, especially some pretty targeted stuff, and very clearly from unknown things in many cases, including update channel compromises. But it is by no means comprehensive and I would not treat it as such.

Maybe some savvy folks here can find combos where it's bulletproof with zero system weight. Didn't someone here proclaim CF w/CS and Cylance to be a magical combo? Maybe pay attention to them. Or maybe look into the zero-weight setup of Cylance+OSArmor+SysHardener and Heimdal, which may or may not be 'almost' impenetrable. (test it if you want then let us know)

OK, I just uploaded the files still in my folder, and 40 of the scan engines on VT flag them, while Kaspersky still says they are clean, even on VT. These are the 6 files Cylance quarantined. And so, ForgottenSeer 58943, you are right about other AVs detecting them even if they are locked. In my case, it was Kaspersky not detecting them.

Indeed. Illustrating how important it is to know how something works first, and to perhaps study it. (Attempting VERY HARD to avoid sounding like Triple Hernia and WTFroot.)
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I'm still puzzled that we have two different results for people running the same test set. I can't imagine both outcomes having veracity.
askalan, roboman and I have the same results with proof; it should tell you something about who you should believe.
In theory, Cylance is unable to achieve a 100% result, hence any claim of it having a 100% result is lying.

I can make Cylance have a 100% result with ease, but it's disallowed in MT Hub comparative tests.
 
ForgottenSeer 69673

Thread author
OK, I just ran today's samples by Cylance along with Kaspersky Cloud Personal. 157 samples, mostly ransomware. Kaspersky flagged all but 8; Cylance flagged zero. Next, I ran the ones missed through VirusTotal, and at least 30 to 40 engines flagged those 8. Both Kaspersky and Cylance said they were clean. Might have to switch my AV from Kaspersky in my VM. I did not do a dynamic scan of those 8 files. Did not feel the need.
 

rsonic

Level 2
Verified
Jul 25, 2018
74
OK, I just ran today's samples by Cylance along with Kaspersky Cloud Personal. 157 samples, mostly ransomware. Kaspersky flagged all but 8; Cylance flagged zero. Next, I ran the ones missed through VirusTotal, and at least 30 to 40 engines flagged those 8. Both Kaspersky and Cylance said they were clean. Might have to switch my AV from Kaspersky in my VM. I did not do a dynamic scan of those 8 files. Did not feel the need.

.... Zero?
 
  • Like
Reactions: vtqhtr413 and AtlBo
ForgottenSeer 58943

Thread author
I'll ask quickly and directly: does anyone have the installation file for Cylance and can send it to me privately? I have the installation token but, unfortunately, no installation file and no access to the cloud.

I just sent it to you. Godspeed.
 
  • Like
Reactions: vtqhtr413 and AtlBo
ForgottenSeer 69673

Thread author
OK, I just ran all the same files with only Cylance active, and it caught all the same ones Kaspersky did, except for those same eight files neither Cylance nor Kaspersky flagged. Still a pretty darn good percentage rate if you ask me. 157 samples. Guessing a better AV would catch them all, instead of Kaspersky.
How do you send those files to Cylance again?
 
ForgottenSeer 58943

Thread author
I recommend combining solutions, so you don't run into things like this; but in cases like this, you might be pretty glad Cylance was around to back you up when the vast majority of other solutions will fail you. I suppose. I don't believe any single solution is going to provide magical results, except Chromebooks, I guess. :love: Maybe a full VDI environment, but not much else.
