/tech/ - Technology
File: 1458263415315.jpg (7.36 KB, 400x400, 1:1, cylance.jpg)

 No.545426

What does /tech/ think of the Cylance antivirus stuff? I was reading through the white paper and it seems pretty interesting in how it operates.

As far as I can tell, it seems to operate by searching for discrepancies between the way a specific file is structured, how the average file of the type the file purports to be is structured, and how the average piece of malware is structured (i.e. a pdf shouldn't have an executable header etc).

Apparently it uses "over 6.2 million" metrics to attempt to differentiate between malware and legitimate files.

From http://www.eweek.com/security/cylance-delivers-the-anti-malware-product-of-the-future.html :

"The software works by examining anything that tries to run on the computer, regardless of whether it's running directly or being loaded from the Web. The software analyzes the internal workings and checks to see what it's presenting itself as. This means, according to CMO Greg Fitzgerald, that a Word document shouldn't contain executable code, code that's presenting itself as an application should have a user interface, and drivers shouldn't be executables. "If it has an icon saying it's a Word file, it should be a Word file," he said."

What does /tech/ think? It seems like traditional antivirus software is essentially useless against any malware that tries to keep from being detected; will Cylance do any better, or is it all marketing hype?

Also, does anyone have a more detailed knowledge about how Cylance works?

From https://community.spiceworks.com/topic/833551-does-anyone-actually-use-cylance :

"On more than one occasion it has stopped a zero-day threat that none of the other engines (including the one used by one of our billion-dollar multi-national vendors) were detecting"

"So we took it a step further and did some proof of concept testing. Loaded AVG on a test machine worked with a Cylance engineer to get the virus samples directly from Virus Total, that way we knew they were live samples and not something they could have prepared their systems for. Ran the test vs. AVG and out of 100 samples it only picked up 7. We ran the same test vs. Cylance and it picked up all 100."

>inb4 it's not free software

>inb4 it's currently only supported on Windows

>inb4 you're triggering my hyper autism shitlord

I don't care. I'm not a massive autist; I don't give a flying fuck about how it's licensed or if Richard Stallman is going to throw a shitfit about it. I want to talk about how it works and if it's going to have an impact.

And besides, they're apparently working on a Linux version.

>inb4 I use Common Sense Current Year Premium Edition and I don't need antivirus.

I don't use antivirus software either. And besides, it's currently only available to enterprises for Windows, and I'm an individual Linux user.

But I'm still interested in learning about how it works and if it's an important development in antivirus software.

Will Cylance be able to detect "stealth" malware, and will it be capable of improving detection rates putting the "defense" ahead of the "offense" in terms of computer security? And how will malware writers respond to keep their viruses from being detected?
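The OP's summary of the approach (a file's claimed type versus what its bytes actually are, "a pdf shouldn't have an executable header") can be sketched in a few dozen lines. The block below is an added example written for this thread, not Cylance's code and not anything from the white paper; it only checks container magic bytes and looks for an MZ/PE header either at offset 0 or embedded inside a non-executable container. The magic table, the extension map and the sample inputs are all constructed for the example, and a real engine would look at far more than this.

```python
import struct

# Magic bytes for a handful of common container formats. Constructed table for
# this example; a real engine would have far more and would go much deeper.
MAGICS = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",                              # docx/xlsx/pptx are zip containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",        # legacy .doc/.xls (OLE2 compound file)
}

# What the file name claims to be, normalised to the container type above.
EXT_TO_TYPE = {"pdf": "pdf", "png": "png", "jpg": "jpg", "jpeg": "jpg",
               "docx": "zip", "xlsx": "zip", "pptx": "zip", "doc": "ole", "xls": "ole",
               "exe": "pe", "dll": "pe", "sys": "pe", "scr": "pe"}


def is_pe_at(data, off):
    """True if an MZ header at `off` has an e_lfanew pointing at a 'PE\\0\\0' signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    # e_lfanew is the offset of the PE header relative to the MZ header.
    if not 0x40 <= e_lfanew < 0x1000:
        return False
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Identify the container by content, ignoring the file name entirely."""
    if is_pe_at(data, 0):
        return "pe"
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def embedded_pe_offsets(data):
    """Offsets (past 0) of every MZ header that points at a valid PE signature."""
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if is_pe_at(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def assess(filename, data):
    """Compare what the name claims with what the bytes are, and look for a
    Windows executable hiding inside a non-executable container."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff(data)
    findings = []
    if claimed != "unknown" and actual != claimed:
        findings.append(f"extension claims {claimed} but content is {actual}")
    if actual != "pe":
        for off in embedded_pe_offsets(data):
            findings.append(f"embedded PE image at offset {off:#x}")
    return {"claimed": claimed, "actual": actual, "findings": findings}


def make_pe_stub():
    """A bare MZ header plus PE signature: enough to satisfy is_pe_at().
    Constructed for the example; it is not a runnable executable."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed sample inputs (not real files).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "invoice.pdf": b"%PDF-1.4\n/EmbeddedFile " + make_pe_stub() + b"\n%%EOF\n",
    "memo.docx": make_pe_stub(),          # an executable renamed to look like Word
    "setup.exe": make_pe_stub(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, assess(name, blob))
```

The two cheap evasions the thread goes on to discuss are visible here too: the check is purely structural, so a malicious PDF that carries no PE image at all (e.g. one that exploits the reader) passes it, and a genuine .exe with a Word icon is only caught if something else compares the icon with the header.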

 No.545430


 No.545434

Over 6.2 million code branches heating your CPU because you wouldn't use an OS with pledge() or seccomp()


 No.545442

>>545434

>Autism: the post

I didn't say I wanted to fucking use the damn thing, or that it was the best solution; I said I wanted to get more information on how it works and whether or not it will be able to improve malware detection capabilities.

feel free to ignore this thread and go back to fellating Theo the Rat and bitching about muh freedumbs if that's what you'd prefer, though.

I was interested in this, seeing as it's a new technology and all, but apparently /tech/ is all about endless "which Linux distro is the most autistic guise?," "install Gentoo!" and facebook bitching threads and not actual technical discussion.


 No.545536

>>545442

Calm the fuck down OP


 No.545538

>>545442

Then you should know most of /tech/ doesn't give a shit about proprietary products or Windows antiviruses. Your post is like throwing yourself in the fire for anyone to eat you alive. Common sense is a lot better than "Brand new $thing that protects you from yourself!!"


 No.545557

>>545538

>common sense

What are drive by downloads?

What is rfi?

What is having stupid employees who didn't buy Common Sense Current Year Platinum Edition.

Maybe you don't have a reason for caring about malware, but there's plenty of reasons for people with control over data more important than frog maymays to worry, and so there is a reason for antivirus software to exist.

So I find it prudent to know about how different products work and how effective they may be.


 No.545581

Until we get a bunch of unbiased tests, it looks like marketing garbage to me. The Spiceworks link reeks of shilling; there are way too many posts from Cylance staff and happy customers in the thread and I'm having a hard time finding any negative replies there.

There is some random test that shows it's still not 100% reliable and has a lot more false positives than any other AV

https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2015/cylance-protect-1.2-154676/

Just stick to stricter policies, use MAC, etc.


 No.545587

>>545557

>proprietary antivirus

That's retarded. How can you know it's not malicious by itself?


 No.545596

SAGE YO


 No.545597

>>545581

I'm not personally considering using it at the moment, since it's only available for enterprises running Windows and I'm a single user running Linux.

I know the Spiceworks link has a lot of posts that sound like shilling, and I'm well aware that the company is investing heavily in advertisement (there's a bunch of ads for Cylance literally all over the place where I live; first time I've ever seen ads for antivirus products tbh). That's why I decided to ask here -- because the huge number of ads I've seen piqued my interest and I was wondering if Cylance is really worth it or as big of a deal as people are making over it.

What made me consider that it may be effective was the Virus Total test where Cylance detected all the malware whereas AVG only got seven. That would appear to be a pretty good test to me, since the malware samples were both new and random, so they couldn't have tampered with the detection rules to improve the chance that Cylance would detect it.

Still not sure it's as effective as they claim, though. Since it checks for discrepancies between reported file types and the actual data regarding similar files, couldn't virus authors simply modify their malware to look more like the files they're purporting to be -- i.e. not trying to pass off a kernel driver as an .exe file, or passing off malware as a service instead of a user executable so Cylance doesn't check if it has a UI? How effective would you think Cylance would be against malware like that?


 No.545599

deep neural networks used to detect malware

next up

deep neural networks used to hide malware from the deep neural network used to detect it


 No.545608

>>545599

Yes, but which side has the upper hand?

I've heard before that the people writing malware have the upper hand over antivirus providers, but what evidence backs that up (especially given the 97+% detection rate for zero day threats (i.e. not old cataloged malware)), and why is it the case?

You'd think that antivirus vendors, with all the resources at their disposal, would be able to get ahead of the malware producers -- why isn't that the case?

I could see antivirus vendors being easily overwhelmed back in the days when all AV did was signature checking that had to be updated manually, but you'd think that today with heuristics, neural networks, sandbox execution, inter-group collaboration, mathematical based discrepancy detection, and automated file analysis, it would be possible for antivirus vendors to keep up with the threat and find ways to defeat it.


 No.545616

>>545597

>>545608

I wouldn't speculate on how Cylance actually works because it's obviously their trade secret, but yeah, there is no 100% way to tell if the software is actual malware or not.

Malware does what the end user does not want the software to do, but since the end user is not part of the system, AVs can only speculate whether the program is malicious or not by detecting shady behavior. A simple program that deletes files on disk can be a program that cleans cache or a program that tries to cause system malfunction. Don't know about 7-8-10, but XP allowed any random application to exhaust the window handle pool, rendering the UI unusable. A program that allows remote access to a user's PC may be set up by the user himself or may be an actual backdoor. Notice how Cylance detects 0-days better but gives a lot more false positives.

If you need protection you need actual access control, not analysis.


 No.546086

>>545616

But can't you use fine details about what a program is doing to tell if it's malware? For example, how common is it for a non-malicious program to inject itself into a browser? How common is it for a cache-cleaning program to not delete just a few files, but everything in your documents folder?

It seems like if you go for more fine-grained analysis, it should be easy to tell malware from normal software. Why isn't it that easy in reality?

And how feasible would it be for an antivirus to actually disassemble an executable and analyze the actual machine instructions? That would seem to be able to provide a very detailed analysis of how it operates, which could be useful.


 No.546275

It's just that. The only people who'd benefit are run of the mill windows users who otherwise still buy norton and mcafee. If it works better, then good, though wait to hear about false positives first.

But everyone who's serious about their security is already doing something stronger and this is just a novelty.


 No.546283

>>545557

>What are drive by downloads? What is rfi?

What is ublock, requestpolicy, noscript, chocolatey for winfags, wget, or curl?

Browsers are for browsing, package managers are for downloading/installing programs, and everything else that "needs" to be downloaded is best left to wget/curl

>What is having stupid employees

Try not encouraging them

>but there's plenty of reasons for people with control over data more important than frog maymays to worry

Desktop viruses are 99% PEBKAC. Antiviruses are redundant when the user is in complete control.

>and so there is a reason for antivirus software to exist.

...no there really isn't. That's the same as saying "there should always be someone holding your hand before you walk across the street"


 No.547117

>>545426

What interests me more is how malware authors will subvert this method.

Computer security is an endless cat and mouse game and these faggots are selling their product as a final answer. Let it prove itself and we'll see how well it works in the real world.


 No.547197

>>545557

most viruses are obtained via the browser or an executable. to make firefox a lot more secure, change its default settings to sane ones (some good suggestions here: https://gist.github.com/haasn/69e19fc2fe0e25f3cff5), install ublock origin, request policy continued or umatrix or policeman, noscript, self destructing cookies, betterprivacy (if you use flash), https everywhere, and refcontrol. some of these require a little setup to use properly.

as for executables, the sane OSes have package managers and security software that's worth using, plus most viruses aren't made for them. on windows you're limited to chocolatey and common sense.


 No.547204

>>545426

>I don't give a flying fuck about how it's licensed or if Richard Stallman is going to throw a shitfit about it. I want to talk about how it works and if it's going to have an impact.

Sorry, but that's just dumb. I can accept that you're interested in it and willing to use it even though it's proprietary, but if you want to talk about how it works, you should at least care about whether or not you're allowed to study it.


 No.547295

>>545426

is no one going to point out that drivers are executables, but are linked to different libraries, at least on windows
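The point above (a driver is a PE image like any other; what differs is the subsystem field and which libraries it links against) and the earlier question about using "fine details" such as browser injection can both be shown with a small header parser. This is an added example for the thread, not Cylance's method and not from any vendor: it reads the COFF Characteristics and optional-header Subsystem fields, classifies the image, and then does a crude raw-string scan for the library and API names a real import directory would contain. The constants are the documented PE values; the sample images, the file names and the API list are constructed for the example.

```python
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
SUBSYSTEM = {1: "native", 2: "windows_gui", 3: "windows_cui"}

# Library names and API names looked for as plain strings. Import-directory names
# are stored as ASCII in the file, so a raw scan is a crude but real heuristic.
KERNEL_LIBS = (b"ntoskrnl.exe", b"hal.dll")
INJECTION_APIS = (b"WriteProcessMemory", b"CreateRemoteThread",
                  b"NtMapViewOfSection", b"SetWindowsHookExW")


def parse_pe(data):
    """Pull the fields this check needs out of the COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _sym, _nsym, _optsize, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10b PE32, 0x20b PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]    # same offset in PE32 and PE32+
    return {"machine": machine, "characteristics": chars, "magic": magic, "subsystem": subsystem}


def assess(filename, data):
    """Classify the image from its headers, then flag name/content mismatches
    and user-mode injection APIs."""
    hdr = parse_pe(data)
    sub = hdr["subsystem"]
    kind = "unknown"
    if hdr["characteristics"] & IMAGE_FILE_DLL:
        kind = "dll"
    elif sub == 1 and any(lib in data for lib in KERNEL_LIBS):
        kind = "kernel driver"
    elif sub == 1:
        kind = "native executable"
    elif sub == 2:
        kind = "gui application"
    elif sub == 3:
        kind = "console application"

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    flags = []
    if kind == "kernel driver" and ext != "sys":
        flags.append(f"kernel driver image with .{ext} extension")
    if kind == "gui application" and b"user32.dll" not in data:
        flags.append("GUI subsystem but no user32.dll reference")
    if kind != "kernel driver":
        apis = [a.decode() for a in INJECTION_APIS if a in data]
        if apis:
            flags.append("injection APIs: " + ", ".join(apis))
    return {"kind": kind, "subsystem": SUBSYSTEM.get(sub, f"other({sub})"), "flags": flags}


def build_image(subsystem, characteristics, strings, pe32plus=True):
    """Constructed minimal PE: MZ stub, PE signature, COFF header, optional header
    with only Magic and Subsystem filled in, followed by the ASCII names a real
    import directory would contain. Not a loadable executable."""
    opt_size = 240 if pe32plus else 224
    e_lfanew = 0x40
    img = bytearray(e_lfanew + 4 + 20 + opt_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", img, coff, 0x8664 if pe32plus else 0x14C,
                     0, 0, 0, 0, opt_size, characteristics)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, opt + 68, subsystem)
    return bytes(img) + b"\x00".join(strings) + b"\x00"


# Constructed samples (not real binaries).
SAMPLES = {
    "disk.sys": build_image(1, IMAGE_FILE_EXECUTABLE_IMAGE, KERNEL_LIBS),
    "update.exe": build_image(1, IMAGE_FILE_EXECUTABLE_IMAGE, KERNEL_LIBS),
    "notepad.exe": build_image(2, IMAGE_FILE_EXECUTABLE_IMAGE, (b"kernel32.dll", b"user32.dll")),
    "helper.exe": build_image(2, IMAGE_FILE_EXECUTABLE_IMAGE,
                              (b"kernel32.dll", b"WriteProcessMemory", b"CreateRemoteThread")),
    "plugin.dll": build_image(2, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, (b"kernel32.dll",)),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, assess(name, blob))
```

The string scan is where this kind of check is weakest, and it is exactly the evasion the thread predicts: resolving the injection APIs at runtime (by hash, or through GetProcAddress) removes the names from the file, and a driver packaged as a .sys with the expected subsystem raises nothing here. Proper import parsing (walking the section table to translate RVAs) catches a little more but has the same limit.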



