ticklemefeet

Level 22
Verified
OK, I just installed Intercept X from Sophos and the first thing it did was find all the files quarantined by Cylance. Funny thing is they were all on my C drive in the ProgramData folder, and so I am guessing that if you have Cylance installed on a VM and your host, the portal somehow also stores the quarantined files on the host? There were 99 to be exact. I think that a bit odd. I also got an e-mail saying there was an outbreak on my network lol. I have not looked over the portal all that much yet. And so even though those files were from testmyav, even this detects them as malware/PUPs.
 

509322

If you copy-pasted the malicious files in the VM, then the files get saved to the host by VMWare. VMWare writes them to ProgramData if I recall correctly.

The Cylance portal is not writing malicious files from your VM Guest to the Host system.
 

Libera Milanesi

Level 2
Pre-moderated
I think Cylance could prevent this from happening if they were to encrypt the quarantined files. It would be a handy improvement for them but I do not think they would add this even if it was requested... they are probably focusing on other things right now.
 

ticklemefeet

Level 22
Verified
I use VirtualBox. Not sure VMware works. No copy and paste. Files were downloaded directly to the Downloads folder in the guest.
Before installing Intercept, Cylance had quarantined them. I then disabled Cylance and installed Intercept. Intercept began quarantining the files Cylance had already quarantined. I watched as Intercept was doing each one and the path was to C:/programdata/etc. As I said, I didn't see how they could get there. I never copied any of the test files to my host.
 

509322

There are reports that Cylance auto-move to quarantine does not function properly. You cannot go by what is listed in Cylance's quarantine list; you have to inspect the original and quarantine locations on the system. Did you check that the files were actually removed by Cylance quarantine?
 

ticklemefeet

Level 22
Verified
Yes, then removed from Cylance quarantine by Intercept.
 

Slyguy

Level 41
Is this related to what I reported, that secondary scans will often detect files quarantined or under qualification by Cylance as malware? Those files, before/during qualification, are flagged as hidden/locked. But often other products pick them up as active malware when in fact they are harmless files.

Or is this something different?
 

ticklemefeet

Level 22
Verified
You are right about the secondary scan picking up already quarantined files. The problem was user error on my part. I thought Intercept was picking those off from my host because it showed program data folder and then a bell went off on my last grey matter brain cell. I had not enabled hidden files on my VM and of course program data is a hidden folder. So after enabling hidden folders, sure enough, the two files that were left were in there.
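The check suggested earlier in the thread (inspect the original and quarantine locations yourself rather than trusting the quarantine list) and the hidden-folder pitfall described in this post can be scripted. This is an added example, not code from the thread or from Cylance/Sophos; the sample download paths are constructed and the quarantine folder is a placeholder, since the thread does not give the vendor's actual quarantine path.

```powershell
# Added example: confirm that files an AV reports as quarantined are really
# gone from where they were downloaded, and list what sits in the quarantine
# folder (which is what a second scanner such as Intercept X will see).
# -Force is essential: without it Get-Item/Get-ChildItem skip hidden items,
# so a hidden folder like C:\ProgramData appears to be empty.

function Test-QuarantineMoved {
    param(
        [Parameter(Mandatory)] [string[]] $OriginalPaths,
        [string] $QuarantineDir   # assumed/placeholder; not given in the thread
    )

    # 1. Does each original file still exist? (hidden files included)
    foreach ($p in $OriginalPaths) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        $hidden = $null
        if ($item) {
            $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        }
        [pscustomobject]@{
            Path        = $p
            StillExists = [bool]$item
            Hidden      = $hidden
        }
    }

    # 2. What is actually held in the quarantine location?
    if ($QuarantineDir -and (Test-Path -LiteralPath $QuarantineDir)) {
        Get-ChildItem -LiteralPath $QuarantineDir -Force -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, Attributes, LastWriteTime
    }
}

# Constructed sample input: where the test files were downloaded in the guest.
$samples = @(
    'C:\Users\tester\Downloads\sample1.exe',
    'C:\Users\tester\Downloads\sample2.exe'
)

Test-QuarantineMoved -OriginalPaths $samples `
    -QuarantineDir 'C:\ProgramData\<vendor-quarantine-folder>' |
    Format-Table -AutoSize
```

A file that shows StillExists = True was never moved, whatever the console says; entries listed under the quarantine folder are the ones a secondary scan will flag again.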
 

cruelsister

Level 36
Verified
Trusted
Content Creator
It is important to note that Intercept X is not intended as a Standalone Desktop product for home users. Just like Symantec Endpoint (which is horrible in the Unmanaged setup, but not so as a centrally managed application), Intercept will lose quite a bit if installed in a vacuum. So if you see any testing done on it, keep this in mind.

But some fun facts:
1). Intercept will turn on (assuming the user has it off) UAC on install; not that this is an issue, but it does show how simply the UAC settings can be changed without user input. This is still better than Trend Micro, which will actually LOWER the UAC setting to what they think is proper.
2). Intercept certainly will install a bunch of stuff- all the services listed in Post 12 above (I actually counted 16), and about 20 actively running files.
3). Make sure you have an Admin Password set up before installation- you will need it to shut off Tamper Protection for an uninstall.
4). Just one thing specific to Intercept X detection routine- it will, like Cylance, arbitrarily mark packed files as malware.
 

cruelsister

Level 36
Verified
Trusted
Content Creator
As long as your firm has some other Endpoint protection to cover Network connections, Intercept X is indeed fine- but only to augment an already preexisting Security setup- it is NOT a stand-alone. And hope that IT monitors and understands Firewall alerts.