Slashdot Mirror


Cylance Accused of Distributing Fake Malware Samples To Customers To Close Deals (arstechnica.com)

New submitter nyman19 writes: Ars Technica reports how security vendor Cylance has been distributing non-functioning malware samples to prospective customers in order to "close the sale[s] by providing files that other products wouldn't detect." According to the report: "A systems engineer at a large company was evaluating security software products when he discovered something suspicious. One of the vendors [Cylance] had provided a set of malware samples to test -- 48 files in an archive stored in the vendor's Box cloud storage account. The vendor providing those samples was Cylance, the information security company behind Protect, a 'next generation' endpoint protection system built on machine learning. In testing, Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. Curious, the engineer took a closer look at the files in question -- and found that seven weren't malware at all."

32 comments

  1. sorry by Anonymous Coward · · Score: 1

    wish there was a cylance stand alone product so we could test it ourselves.

    i don't get why cylance (we are so good even without access to updates) can't make a home/end user product and put the money where the mouth is.

  2. Fraud by mfh · · Score: 4, Insightful

    Jail time for anyone involved, or we will keep seeing frauds like this in the IT safety community. I have no tolerance for unethical people in this business and neither should you!

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Fraud by zlives · · Score: 3, Informative

      i don't buy your argument as clearly you are senile (56) :)

      on the other hand, i watched their demo at RSA and it looks really good right up to the point that you start asking questions like rate of false positives, and links and scripts that are legit use, and the ability to test the environment without their mandatory supervision. it's definitely intriguing but they are way too cryptic about their product. and that does not leave a good taste considering today's lack of vendor trust environment.

    2. Re:Fraud by chispito · · Score: 1

      Jail time for anyone involved, or we will keep seeing frauds like this in the IT safety community. I have no tolerance for unethical people in this business and neither should you!

      I really doubt this is a conspiracy. It was probably just an engineer phoning it in when they download stuff from VT and repack them to change the file signatures. I don't fully trust Cylance but this would be a pretty stupid way to try to game the system if it's on purpose. Obviously you'd want to test the files that your current AV isn't catching to see what they do.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  3. Same here by Anonymous Coward · · Score: 2, Informative

    Happened to us too in the EU, but by the time we got to test the samples we were fed up with how bad Cylance was. When we saw that it detected all malicious files from their team but not ours, and all other vendors didn't manage to detect their files as malicious, we just burst into laughter and closed all relations. i think any team with common sense will spot and differentiate bad solutions and frauds from good ones.

  4. Re:Happy Monday from The Golden Girls! by Anonymous Coward · · Score: 1

    how's that hook taste buddy?

  5. Weird Feeling When Attended by Anonymous Coward · · Score: 3, Informative

    I had a really weird vibe from them when I attended a seminar. Then when they basically said they could detect all the malware they had on a disk... well I rolled my eyes, naturally they can detect all the malware they brought with them.

    And when I tried to get the difference between what they were selling and the common heuristics that other AV vendors used... well I never got a satisfactory answer. Sounds like the same thing to me.

    1. Re:Weird Feeling When Attended by Anonymous Coward · · Score: 1

      Disclosure - I work for a company that sells Cylance and I have run this demo myself.

      The real reason that they couldn't be specific about what heuristic they use is that they honestly don't know. The 'risk factors' are documented and publicly available, but how they are combined to make a 'safe/suspicious' decision is based on a machine-developed algorithm.

      This is what the whole Machine Learning/AI buzzword is about. It's not that the agent is an AI, but the heuristics that it implements are developed by a machine learning system.

  6. Loss of Trust in a Company We are supposed to trust by Anonymous Coward · · Score: 2, Interesting

    Of all the assets a security company possesses, customer trust in the firm's integrity is the most valuable. They were once a close competitor for Sophos Security and Palo Alto Networks, but now Cylance is only a sad historic attempt by tricksters to steal our money.

  7. Fireeye is no different ! by Anonymous Coward · · Score: 1

    Fireeye is not different in their tactics. They have always bullshitted their customers to close deals.

  8. Not surprising at all... by Midnight_Falcon · · Score: 4, Interesting

    I was looking at next-gen AV solutions and came across Cylance. I saw a demo of their software -- which consisted of two VMs, one running AVG and another Cylance. The AVG one only got about 20% of samples picked by the sales person from VirusTotal. Cylance got 100%.

    Why?

    Because Cylance uses the VirusTotal API! So, of course it would get all these samples... using simple SHA1 hash checksums.

    Their sales team seems to focus on low-skill (read: fix the copier, what's devops?) IT departments with smoke and mirrors tactics like this. I called it out right away, and went with a competing product. But based on that scammy behavior, this doesn't seem far off.

    1. Re:Not surprising at all... by The+MAZZTer · · Score: 1

      Wait, it uses an online API? So if my computer is infected and I take it offline to disinfect and I use their product, what happens? Doesn't sound promising.

    2. Re:Not surprising at all... by Midnight_Falcon · · Score: 1

      I'm not sure how exactly they use the VirusTotal data, as Google did disable API access for startups to VirusTotal, but I believe they aggregate that data on their own backend as an 'intelligence source' -- same difference to me!

    3. Re: Not surprising at all... by Anonymous Coward · · Score: 0

      You can buy private api access for a bunch of money. If you contribute your scan results, you also get access to other vendor reports.

    4. Re:Not surprising at all... by Anonymous Coward · · Score: 0

      Too much false info in these threads. Cylance can run in both cloud connected and disconnected modes. In disconnected, the agent works solely based on the machine learning alg and also whatever white list you have developed.

      I have tested it with 0-day from Malwr.com, etc in DISCONNECTED / TOTALLY ISOLATED mode and it did a good job of stopping most threats. (VirusTotal not needed)
      The issue is tuning this product to have fewer false positives can be challenging, especially if you have it configured to aggressively block threats. If the agent is disconnected, then it can only send syslogs to a collector, but no centralized control/action can be taken.

      Comodo white/black/grey "sandbox" methodology works better IMHO, because it is easier to tune and the 0-days are caught.
      The issue is that Comodo ITSM has a heavier footprint than Cylance, which is very lean and not CPU resource intensive.

  9. Cylance protects IT like secret agencies democracy by ffkom · · Score: 2

    They are both thriving on your fear and money while pretending to protect something they are actually the worst enemies of.

  10. Re:Loss of Trust in a Company We are supposed to tr by chispito · · Score: 2

    Um... nobody trusts AV companies. It's all smoke and mirrors to sell to grandma and appease regulators.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  11. Only antivirus that makes you faster... by Anonymous Coward · · Score: 0

    See subject: ... & is lighter on resources + prevents infection blocking its source = APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script & malware rob speed/security/privacy

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

    * Via what u NATIVELY have (IP stack) in FASTER kernelmode!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

  12. Hard problem, made worse by Anonymous Coward · · Score: 0

    The challenge of simulating the real world has been around for over a decade. It's really, really hard to simulate accurately, even for a company that's trying to do the best they can.

    What cylance is doing seems to be going well beyond, and is poisoning the well for the av industry overall though.

  13. Anyone... by Anonymous Coward · · Score: 0

    ...who trusts anything whatsoever that a security vendor says beyond "we want your money. Money. Now. Gimme." doesn't belong in the security field.

    You test it. And you test it again. And you test it some more.

    That said, I test these things. For a living. All day. If someone said to me "can you guarantee that every single test file you have is malicious or I'll cut your balls off" I would quit on the spot. There are millions of samples and some are the end result of a long chain of false positives that no human ever reverse engineered.

  14. Re:Happy Monday from The Golden Girls! by Anonymous Coward · · Score: 0

    Bea Arthur has a massive cock so it's worth it.

  15. In defense of Cylance by Anonymous Coward · · Score: 0

    Posting AC for obvious reasons...
    I'm in charge of security at a Fortune 500 company. We were an (apparently very) early adopter of Cylance because, as we know, AV has been worthless for 10 years. I can simply say, in the 3 years since our deployment, we've not had a single malware outbreak. I'll look around again when we get close to renewal -- I'm not married to it. But for all the nay-sayers and jumpers-upon; there you are. -T

    1. Re: In defense of Cylance by Anonymous Coward · · Score: 0

      Are you only worried about malware? According to the latest Verizon breach survey, only 40% of breaches were a result of malware. What about the other 60%?

  16. Fake news by Anonymous Coward · · Score: 0

    Well, this is clearly Fake News.

  17. Not surprised by negev · · Score: 2

    Not surprised really, I tried Cylance for MacOS twice recently and found it quite ineffective against malware samples that were hashed by VirusTotal 3 months prior to when I tested it. Their support people just apologised and said they "took the issue very seriously". I tested it again when a major release came out and found little improvement (the undetected samples were hashed but still not detected by the ML-derived algorithm).

  18. I am the Chief Research Officer of Cylance by humperdink · · Score: 1

    Let me start with a clear statement. Cylance is not distributing broken samples to game the system. We are trying to help security professionals to test for themselves, in their real-world environments. Let me explain how this particular instance of malware was distributed and how we had fixed this issue months ago.

    We had an internal process that would download via an API known samples of malware from a well-known virus aggregation site, based on 10+ AV detections (I can't mention their name), and then send them through an automated packing system to alter the hash of the malware ("creating a new piece of malware from an AV perspective") so we could test the efficacy of our own product as well as others against 'unknown samples', as well as the un-mutated original sample. The goal here is to help us stop future attacks, as well as previous attacks.

    After a couple of months of being operational, samples, both un-mutated and mutated, began to get shared with partners and prospects, because it's almost impossible to test the efficacy of a security product with known malware, so our "unknown malware" eventually got handed out.

    Once malware reaches the aggregation site that we were pulling from, the API lookups allow each Tier 1 AV to crowdsource their detection, and by pulling "known malware" the AVs would already stop it due to the cryptographic hash. Since attackers are constantly crypting or packing their malware to evade hash-based detection, you have to do the same to test real-world efficacy. It's the reason that you see Tier 1 AVs getting 100% in antivirus tests, but you still get infected by malware when running it. Everyone does; it's not a secret that AV is dead, and every day enterprises with fully patched and cloud-connected AVs are getting owned by malware left and right. The problem is everyone is testing with malware that they sourced by an antivirus program calling it malware.

    Once the samples were shared externally we realized that there were issues where broken pieces of malware were getting distributed. Automatically UPX packing or MPRESS packing a potentially already packed piece of malware sometimes caused an issue where the malware would not execute, or the packing process would corrupt the sample in a way that prevented execution.

    In response we built a new process: start with a known working piece of malware, then crypt it with the same underground tools that are being used right now to evade AV, and test it for function before we share it. This ensures that we get a unique sample that would evade signature AV the exact same way the underground attackers are doing it.

    When testing malware samples you have to run them on an unprotected system to figure out what works and what doesn't. Many pieces of malware have protection to keep them from being emulated or run in a virtual machine; it means they won't run, but they are still active malware. Take those samples that ran, then alter them and test again for a product's ability to detect a net new sample.

    In conclusion, have we distributed samples that were broken? Yes, but only by accident, and any testing or analysis would show they are broken; if the sample doesn't run, you can't use it to test efficacy. We have built automation to ensure that it doesn't happen anymore, but you must always test for yourself using some form of the scientific process. Source samples from all different places, make sure they run, and test them in a lab. That's exactly what we are trying to get customers to do at Cylance: test for yourself, and make your own opinion.

    If anyone would like to see a live test and have the ability to ask questions check Cylance.com for our upcoming 'Underworld Tour Demo', coming to cities in over 60 international destinations. We will do a live demo right in front of you, and if you bring a flash drive we'll even let the malware go home with you for your own analysis.

    We aren't trying to hide anything, but we are disrupting the industry in a majo
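The check a practitioner would want to run on a vendor-supplied sample archive before using it in a bake-off, as an added example that is not Cylance's tooling and not the engineer's script from the Ars report. It is a pure-Python PE header walker: every byte string in it is constructed inline (a minimal PE32 builder is included as a test fixture; nothing here is real malware), and the packer section names are the well-known UPX/MPRESS defaults, assumed here rather than taken from the page. It flags the two failure modes the thread describes: a "sample" that is not a loadable PE at all, and a re-packed file whose section data runs past end-of-file, which is what an automated UPX/MPRESS pass over an already-packed binary can leave behind. It also shows why a trivial header change defeats hash-based lookups: the same code with one timestamp field altered gets a different SHA-256.

```python
"""Pre-flight check for a vendor-supplied 'malware sample' archive.

Added example (not Cylance tooling, not the engineer's script from the Ars
report). Pure-Python PE header walker; every byte string below is constructed
inline and contains no real malware.
"""
import hashlib
import struct

# Default section names stamped by UPX and MPRESS (well-known defaults, assumed here).
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pe(data: bytes) -> dict:
    """Return machine, timestamp and section table, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        off = sect_off + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def check_sample(data: bytes) -> dict:
    """Hash one sample, name its packer if recognised, list reasons to reject it."""
    result = {"sha256": sha256_hex(data), "packer": None, "findings": []}
    try:
        pe = parse_pe(data)
    except ValueError as exc:
        result["findings"].append(f"not_pe: {exc}")
        return result
    for s in pe["sections"]:
        result["packer"] = result["packer"] or PACKER_SECTION_NAMES.get(s["name"])
        # Raw data that extends past EOF can never be mapped: a corrupt pack job.
        if s["raw_size"] and s["raw_ptr"] + s["raw_size"] > len(data):
            label = s["name"].decode(errors="replace")
            result["findings"].append(f"truncated_section: {label} ends past EOF")
    if not pe["sections"]:
        result["findings"].append("no_sections")
    return result


def build_pe(sections, timestamp=0) -> bytes:
    """Construct a minimal PE32 image (test fixture only; not a runnable program)."""
    align, opt_size, nsec = 0x200, 0xE0, len(sections)
    first_raw = -(-(0x40 + 24 + opt_size + 40 * nsec) // align) * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, bodies, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, body in sections:
        raw_size = -(-len(body) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), max(len(body), 1), vaddr,
                             raw_size, raw_ptr if body else 0, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += 0x1000
    return (dos + coff + opt + table).ljust(first_raw, b"\0") + bodies


# Constructed fixtures standing in for a vendor archive (no real malware here).
PAYLOAD = b"\x90" * 16 + b"\xc3"
ORIGINAL = build_pe([(b".text", PAYLOAD), (b".data", b"A" * 8)], timestamp=0x5A000000)
# Identical code, one header field changed: every hash lookup now misses it.
RESTAMPED = build_pe([(b".text", PAYLOAD), (b".data", b"A" * 8)], timestamp=0x5A000001)
# Section layout a UPX pack leaves behind (names only; no compression is done here).
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", PAYLOAD), (b".rsrc", b"R" * 4)])
BROKEN = PACKED[:-0x100]                  # pack job that lost the tail of the file
NOT_PE = b"#!/bin/sh\necho not-a-pe\n"    # wrong file type shipped as a 'sample'


def audit(samples: dict) -> list:
    """Names of samples that must not be used in an efficacy test."""
    return [name for name, data in samples.items() if check_sample(data)["findings"]]


if __name__ == "__main__":
    batch = {"original": ORIGINAL, "restamped": RESTAMPED, "packed": PACKED,
             "broken": BROKEN, "not_pe": NOT_PE}
    for name, data in batch.items():
        print(name, check_sample(data))
    print("reject:", audit(batch))
```

Run it over the real archive by replacing the fixture dict with files read from disk on an isolated analysis host; anything `audit` returns should be dropped from the test set before any vendor's detection rate is scored, since a sample that cannot load tells you nothing about efficacy. The structural checks are necessary, not sufficient: a file that parses cleanly still has to be detonated in a lab to confirm it actually runs, which is the step the thread says was skipped.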

    1. Re:I am the Chief Research Officer of Cylance by Anonymous Coward · · Score: 0

      Your last paragraph, in particular:
      "using a machine learning AI to analyze each file and determine its statistical probability of being malicious"

      So the traditional players AREN'T using machine learning AI to analyze files and determine its statistical probability of being malicious.

      Ah, so theirs is an artisanal method of classifying malware. I see what you're saying.

      The difference between Cylance and the traditional players in the space is simply where you apply the predictive model. They do it in a datacenter, you do it on an endpoint.

      That is why Cylance is no more effective than traditional Anti-Virus.

    2. Re:I am the Chief Research Officer of Cylance by humperdink · · Score: 1

      AV companies actually use ML to identify trends and then use that information to build heuristic signatures. You are correct we do use it on the endpoint where they use ML on the back end in their clouds, but the difference is, when a file runs or is blocked from execution, it's due to the score that the ML generates when the file is going to execute. Whether you are on the internet or not, you get the same level of protection, and aren't forced to update signatures two times a day, and it doesn't matter if it's a new variant of an existing piece of malware or something brand new that you wrote yourself; we are analyzing the binary itself, rather than searching it for static indicators, then saying "yup, this matches one, it must be malware". We actually extract over 4.5 million features from every file to feed the ML, and every decision relies on a combination of hundreds or thousands of features, before we call it malicious.

      I don't know if it's artisanal, but its certainly farm to table and fair trade.

      Cylance and traditional AV work differently and inherently have different strengths and weaknesses. As I said in my post, test for yourself; you can't just assume that something is the same, or different, or better, or worse. We are new and different, and I would strongly recommend reaching out to someone that's running our product and asking them their experience over a month or six months or a year. I think you'll be surprised at how happy people are with our tech, or reach out, get a copy for yourself and go to town testing it.

      I will say this, I had the opportunity to test Cylance almost 4 years ago, prior to commercial release, and I was so impressed I asked them for a job, it was easy to see that the approach Cylance was using was going to be the winner. If you want to stop malware you have to do it pre-execution, otherwise you open yourself up to way too many attacks that can subvert your protections, Cylance is the only tech that focuses on not letting malware run.