Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cylance Accused of Distributing Fake Malware Samples To Customers To Close Deals (arstechnica.com)

Posted by BeauHD on from the art-of-the-deal dept.

New submitter nyman19 writes: Ars Technica reports how security vendor Cylance has been distributing non-functioning malware samples to prospective customers in order to "close the sale[s] by providing files that other products wouldn't detect" According to the report: "A systems engineer at a large company was evaluating security software products when he discovered something suspicious. One of the vendors [Cylance] had provided a set of malware samples to test -- 48 files in an archive stored in the vendor's Box cloud storage account. The vendor providing those samples was Cylance, the information security company behind Protect, a 'next generation' endpoint protection system built on machine learning. In testing, Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. Curious, the engineer took a closer look at the files in question -- and found that seven weren't malware at all."

18 of 32 comments (clear)

  1. sorry by Anonymous Coward · · Score: 1

    wish there was a cylance stand alone product so we could test it ourselves.

    i don't get why cylance (we are so good even without access to updates) can't make a home/end user product and put the money where the mouth is.

  2. Fraud by mfh · · Score: 4, Insightful

    Jail time for anyone involved, or we will keep seeing fauds like this in the IT safety community. I have no tolerance for unethical people in this business and neither should you!

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Fraud by zlives · · Score: 3, Informative

      i don't buy your argument as clearly you are senile (56) :)

      on the other hand, i watched their demo at RSA and it looks really good right upto the point that you start asking questions like rate of false positives, and links and scripts that are legit use, and the ability to test the environment without their mandatory supervision. its definitely intriguing but they are way too cryptic about their product. and that does not leave a good taste considering today's lack of vendor trust environment.

    2. Re:Fraud by chispito · · Score: 1

      Jail time for anyone involved, or we will keep seeing fauds like this in the IT safety community. I have no tolerance for unethical people in this business and neither should you!

      I really doubt this is a conspiracy. It was probably just an engineer phoning it in when they download stuff from VT and repack them to change the file signatures. I don't fully trust Cylance but this would be a pretty stupid way to try to game the system if it's on purpose. Obviously you'd want to test the files that your current AV isn't catching to see what they do.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  3. Same here by Anonymous Coward · · Score: 2, Informative

    Happened to us too in EU, but by the time we got to test the samples we were fed up with how bad Cylance was. When we saw that it detected all malicious files from their team but not ours and all other vendors didn't manage to detect their files as malicious we just burst in to laughter and closed all relations, i think any team with common sense will spot and differentiate bad solutions and frauds from good ones.

  4. Re:Happy Monday from The Golden Girls! by Anonymous Coward · · Score: 1

    how's that hook taste buddy?

  5. Weird Feeling When Attended by Anonymous Coward · · Score: 3, Informative

    I had a really weird vibe from them when I attended a seminar. Then when they basically said they could detect all the malware they had on a disk... well I rolled my eyes, naturally they can detect all the malware they brought with them.

    And when I tried to get the difference between what they were selling and the common heuristics that other AV vendors used... well I never got a satisfactory answer. Sounds like the same thing to me.

    1. Re:Weird Feeling When Attended by Anonymous Coward · · Score: 1

      Disclosure - I work form a company that sells cylance and I have run this demo myself.

      The real reason that the couldn't be specific about what heuristic they use is that they honestly don't know. The 'risk factors' are documented and publicly available, but how they are combined to made a 'safe/suspicious" decision is based on a machine developed algorithm.

      This is what the whole Machine Learning/AI buzzword is about. Its not that the agent is an AI, but the heuristics that it implements are developed by a machine learning system

  6. Loss of Trust in a Company We are suposed to trust by Anonymous Coward · · Score: 2, Interesting

    Of all the assets a security company possess, customer trust in the firm's integrity is the most valuable. They were once a close competitor for Sophos Security, and Palo Alto Networks, but now Cylance is only a sad historic attempt by tricksters to steal our money.

  7. Fireeye is no different ! by Anonymous Coward · · Score: 1

    Fireeye is not different in their tactics. They have always bullshit their customers to close deals

  8. Not surprising at all... by Midnight_Falcon · · Score: 4, Interesting
    I was looking at next-gen AV solutions and came across Cylance. I saw a demo of their software -- which consisted of two VMs, one running AVG and another Cylance. The AVG one only got about 20% of samples picked by the sales peson from VirusTotal. Cylance got 100%.

    Why?

    Because Cylance uses the VirusTotal API! So, of course it would get all these samples..using simple SHA1 hash checksums.

    Their sales team seems to focus on low-skill (read: fix the copier, what's devops?) IT departments with smoke and mirrors tactics like this. I called it out right away, and went with a competing product. But based on that scammy behavior, this doesn't seem far off.

    1. Re:Not surprising at all... by The+MAZZTer · · Score: 1

      Wait, it uses an online API? So if my computer is infected and I take it offline to disinfect and I use their product, what happens? Doesn't sound promising.

    2. Re:Not surprising at all... by Midnight_Falcon · · Score: 1

      I'm not sure how they exactly use the VirusTotal data as google did disable API access for startups to VirusTotal, but I believe they aggregate that data on their own backend as an 'intelligence source' -- same difference to me!

  9. Cylance protects IT like secret agencies democracy by ffkom · · Score: 2

    They are both thriving on your fear and money while pretending to protect something they are actually the worst enemies of.

  10. Re:Loss of Trust in a Company We are suposed to tr by chispito · · Score: 2

    Um... nobody trusts AV companies. It's all smoke and mirrors to sell to grandma and appease regulators.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  11. Not surprised by negev · · Score: 2

    Not surprised really, I tried Cylance for MacOS twice recently and found it quite ineffective against malware samples that were hashed by VirusTotal 3 months prior to when I tested it. Their support people just apologised and said they "took the issue very seriously". I tested it again when a major release came out and found little improvement (the undetected samples were hashed but still not detected by the ML-derived algorithm).

  12. I am the Chief Research Officer of Cylance by humperdink · · Score: 1

    Let me start with a clear statement. Cylance is not distributing broken samples to game the system. We are trying to help security professionals to test for themselves, in their real-world environments. Let me explain how this this particular instance of malware was distributed and how we had fixed this issue months ago.

    We had an internal process that would download via an API known samples of malware from a well known virus aggregation site, based on 10+ AV detections, (I can't mention their name) and then send them thru an automated packing system to alter the hash of the malware ("creating a new piece of malware from an AV perspective") so we could test efficacy of our own product as well as others, against 'unknown samples', as well as the un-mutated original sample. The goal here is to help us stop future attacks, as well as previous attacks.

    After a couple months of being operational samples both un-mutated and mutated began to get shared with partners and prospects because its almost impossible to test the efficacy of a security product with known malware, so our "unknown malware" eventually got handed out.

    Once malware reaches the aggregation site that we were pulling from, the API lookups allow each Tier1 AV to crowdsource their detection, and by pulling "known malware" the AVs would already stop it due to the cryptographic hash. Since attackers are constantly crypting or packing their malware to evade hash based detection, you have to do the same, to test real world efficacy. It's the reason that you see Tier 1 AVs getting 100% in antivirus tests, but you still get infected by malware when running it, everyone does, it's not a secret that AV is dead, and every day enterprises with fully patched and cloud connected AV's are getting owned by malware left and right. The problem is everyone is testing with malware that they sourced by an antivirus program calling it malware.

    Once the samples were shared externally we realized that there were issues where broken pieces of malware were getting distributed. Automatically UPX packing or MPRESS packing a potentially already packed piece of malware sometimes caused an issue where the malware would not execute, or the packing process would corrupt the sample in a way that prevented execution.

    In response we built a new process, by starting with a known working piece of malware, then crypting it with the same underground tools that are being used right now to evade AV, and testing it for function before we share it, ensures that we get a unique sample that would evade signature AV the exact same way the underground attackers are doing it.

    When testing malware samples you have to run them on an unprotected system to figure out what works and what doesn't, many pieces of malware have protection to protect them from being emulated or run in a virtual machine, it means they won't run, but are still active malware. Take those samples that ran, and then alter them and test again for a products ability to detect a net new sample.

    In conclusion, have we distributed samples that were broken, yes, but only by accident, and any testing or analysis would show they are broken, if the sample doesn't run, you can’t use it to test efficacy. We have built automation to ensure that it doesn't happen anymore, but you must always test for yourself using some from of the scientific process. Source samples from all different places, make sure they run, and test them in a lab. That's exactly what we are trying to get customers to do at Cylance, test for yourself, and make your own opinion.

    If anyone would like to see a live test and have the ability to ask questions check Cylance.com for our upcoming 'Underworld Tour Demo', coming to cities in over 60 international destinations. We will do a live demo right in front of you, and if you bring a flash drive we'll even let the malware go home with you for your own analysis.

    We aren't trying to hide anything, but we are disrupting the industry in a majo

    1. Re:I am the Chief Research Officer of Cylance by humperdink · · Score: 1

      AV companies actually use ML to identify trends and then use that information to build heuristic signatures. You are correct we do use it on the endpoint where they use ML on the back end in their clouds, but the difference is, when a files runs or is blocked from execution, it's due to the score that the ML generates when the file is going to execute, if you are on the internet or not, you get the same level of protection, and aren't forced to update signatures two times a day, and it doesn't matter if it's a new variant of an existing piece of malware or something brand new that you wrote yourself, we are analyzing the binary itself, rather than searching it for static indicators, then saying "yup, this matches one, it must be malware". We actually extract over 4.5 million features from every file to feed the ML, and every decision relies on a combination of hundreds or thousands of features, before we call it malicious.

      I don't know if it's artisanal, but its certainly farm to table and fair trade.

      Cylance and traditional AV work differently and inherently have different strengths and weaknesses. As I said in my post, test for yourself, you can't just assume that something is the same, or different, or better, or worse. We are new and different, and I would strongly recommend reaching out to someone thats running our product and asking them their experience over a month or six months or a year. I think you'll be surprised at how happy people are with our tech, or reach out get a copy for yourself and goto town testing it.

      I will say this, I had the opportunity to test Cylance almost 4 years ago, prior to commercial release, and I was so impressed I asked them for a job, it was easy to see that the approach Cylance was using was going to be the winner. If you want to stop malware you have to do it pre-execution, otherwise you open yourself up to way too many attacks that can subvert your protections, Cylance is the only tech that focuses on not letting malware run.