AV companies actually use ML to identify trends and then use that information to build heuristic signatures. You are correct we do use it on the endpoint where they use ML on the back end in their clouds, but the difference is, when a files runs or is blocked from execution, it's due to the score that the ML generates when the file is going to execute, if you are on the internet or not, you get the same level of protection, and aren't forced to update signatures two times a day, and it doesn't matter if it's a new variant of an existing piece of malware or something brand new that you wrote yourself, we are analyzing the binary itself, rather than searching it for static indicators, then saying "yup, this matches one, it must be malware". We actually extract over 4.5 million features from every file to feed the ML, and every decision relies on a combination of hundreds or thousands of features, before we call it malicious.
I don't know if it's artisanal, but its certainly farm to table and fair trade.
Cylance and traditional AV work differently and inherently have different strengths and weaknesses. As I said in my post, test for yourself, you can't just assume that something is the same, or different, or better, or worse. We are new and different, and I would strongly recommend reaching out to someone thats running our product and asking them their experience over a month or six months or a year. I think you'll be surprised at how happy people are with our tech, or reach out get a copy for yourself and goto town testing it.
I will say this, I had the opportunity to test Cylance almost 4 years ago, prior to commercial release, and I was so impressed I asked them for a job, it was easy to see that the approach Cylance was using was going to be the winner. If you want to stop malware you have to do it pre-execution, otherwise you open yourself up to way too many attacks that can subvert your protections, Cylance is the only tech that focuses on not letting malware run.
Let me start with a clear statement. Cylance is not distributing broken samples to game the system. We are trying to help security professionals to test for themselves, in their real-world environments. Let me explain how this this particular instance of malware was distributed and how we had fixed this issue months ago.
We had an internal process that would download via an API known samples of malware from a well known virus aggregation site, based on 10+ AV detections, (I can't mention their name) and then send them thru an automated packing system to alter the hash of the malware ("creating a new piece of malware from an AV perspective") so we could test efficacy of our own product as well as others, against 'unknown samples', as well as the un-mutated original sample. The goal here is to help us stop future attacks, as well as previous attacks.
After a couple months of being operational samples both un-mutated and mutated began to get shared with partners and prospects because its almost impossible to test the efficacy of a security product with known malware, so our "unknown malware" eventually got handed out.
Once malware reaches the aggregation site that we were pulling from, the API lookups allow each Tier1 AV to crowdsource their detection, and by pulling "known malware" the AVs would already stop it due to the cryptographic hash. Since attackers are constantly crypting or packing their malware to evade hash based detection, you have to do the same, to test real world efficacy. It's the reason that you see Tier 1 AVs getting 100% in antivirus tests, but you still get infected by malware when running it, everyone does, it's not a secret that AV is dead, and every day enterprises with fully patched and cloud connected AV's are getting owned by malware left and right. The problem is everyone is testing with malware that they sourced by an antivirus program calling it malware.
Once the samples were shared externally we realized that there were issues where broken pieces of malware were getting distributed. Automatically UPX packing or MPRESS packing a potentially already packed piece of malware sometimes caused an issue where the malware would not execute, or the packing process would corrupt the sample in a way that prevented execution.
In response we built a new process, by starting with a known working piece of malware, then crypting it with the same underground tools that are being used right now to evade AV, and testing it for function before we share it, ensures that we get a unique sample that would evade signature AV the exact same way the underground attackers are doing it.
When testing malware samples you have to run them on an unprotected system to figure out what works and what doesn't, many pieces of malware have protection to protect them from being emulated or run in a virtual machine, it means they won't run, but are still active malware. Take those samples that ran, and then alter them and test again for a products ability to detect a net new sample.
In conclusion, have we distributed samples that were broken, yes, but only by accident, and any testing or analysis would show they are broken, if the sample doesn't run, you can’t use it to test efficacy. We have built automation to ensure that it doesn't happen anymore, but you must always test for yourself using some from of the scientific process. Source samples from all different places, make sure they run, and test them in a lab. That's exactly what we are trying to get customers to do at Cylance, test for yourself, and make your own opinion.
If anyone would like to see a live test and have the ability to ask questions check Cylance.com for our upcoming 'Underworld Tour Demo', coming to cities in over 60 international destinations. We will do a live demo right in front of you, and if you bring a flash drive we'll even let the malware go home with you for your own analysis.
We aren't trying to hide anything, but we are disrupting the industry in a majo
Slashdot Mirror
AV companies actually use ML to identify trends and then use that information to build heuristic signatures. You are correct we do use it on the endpoint where they use ML on the back end in their clouds, but the difference is, when a files runs or is blocked from execution, it's due to the score that the ML generates when the file is going to execute, if you are on the internet or not, you get the same level of protection, and aren't forced to update signatures two times a day, and it doesn't matter if it's a new variant of an existing piece of malware or something brand new that you wrote yourself, we are analyzing the binary itself, rather than searching it for static indicators, then saying "yup, this matches one, it must be malware". We actually extract over 4.5 million features from every file to feed the ML, and every decision relies on a combination of hundreds or thousands of features, before we call it malicious.
I don't know if it's artisanal, but its certainly farm to table and fair trade.
Cylance and traditional AV work differently and inherently have different strengths and weaknesses. As I said in my post, test for yourself, you can't just assume that something is the same, or different, or better, or worse. We are new and different, and I would strongly recommend reaching out to someone thats running our product and asking them their experience over a month or six months or a year. I think you'll be surprised at how happy people are with our tech, or reach out get a copy for yourself and goto town testing it.
I will say this, I had the opportunity to test Cylance almost 4 years ago, prior to commercial release, and I was so impressed I asked them for a job, it was easy to see that the approach Cylance was using was going to be the winner. If you want to stop malware you have to do it pre-execution, otherwise you open yourself up to way too many attacks that can subvert your protections, Cylance is the only tech that focuses on not letting malware run.
Let me start with a clear statement. Cylance is not distributing broken samples to game the system. We are trying to help security professionals to test for themselves, in their real-world environments. Let me explain how this this particular instance of malware was distributed and how we had fixed this issue months ago.
We had an internal process that would download via an API known samples of malware from a well known virus aggregation site, based on 10+ AV detections, (I can't mention their name) and then send them thru an automated packing system to alter the hash of the malware ("creating a new piece of malware from an AV perspective") so we could test efficacy of our own product as well as others, against 'unknown samples', as well as the un-mutated original sample. The goal here is to help us stop future attacks, as well as previous attacks.
After a couple months of being operational samples both un-mutated and mutated began to get shared with partners and prospects because its almost impossible to test the efficacy of a security product with known malware, so our "unknown malware" eventually got handed out.
Once malware reaches the aggregation site that we were pulling from, the API lookups allow each Tier1 AV to crowdsource their detection, and by pulling "known malware" the AVs would already stop it due to the cryptographic hash. Since attackers are constantly crypting or packing their malware to evade hash based detection, you have to do the same, to test real world efficacy. It's the reason that you see Tier 1 AVs getting 100% in antivirus tests, but you still get infected by malware when running it, everyone does, it's not a secret that AV is dead, and every day enterprises with fully patched and cloud connected AV's are getting owned by malware left and right. The problem is everyone is testing with malware that they sourced by an antivirus program calling it malware.
Once the samples were shared externally we realized that there were issues where broken pieces of malware were getting distributed. Automatically UPX packing or MPRESS packing a potentially already packed piece of malware sometimes caused an issue where the malware would not execute, or the packing process would corrupt the sample in a way that prevented execution.
In response we built a new process, by starting with a known working piece of malware, then crypting it with the same underground tools that are being used right now to evade AV, and testing it for function before we share it, ensures that we get a unique sample that would evade signature AV the exact same way the underground attackers are doing it.
When testing malware samples you have to run them on an unprotected system to figure out what works and what doesn't, many pieces of malware have protection to protect them from being emulated or run in a virtual machine, it means they won't run, but are still active malware. Take those samples that ran, and then alter them and test again for a products ability to detect a net new sample.
In conclusion, have we distributed samples that were broken, yes, but only by accident, and any testing or analysis would show they are broken, if the sample doesn't run, you can’t use it to test efficacy. We have built automation to ensure that it doesn't happen anymore, but you must always test for yourself using some from of the scientific process. Source samples from all different places, make sure they run, and test them in a lab. That's exactly what we are trying to get customers to do at Cylance, test for yourself, and make your own opinion.
If anyone would like to see a live test and have the ability to ask questions check Cylance.com for our upcoming 'Underworld Tour Demo', coming to cities in over 60 international destinations. We will do a live demo right in front of you, and if you bring a flash drive we'll even let the malware go home with you for your own analysis.
We aren't trying to hide anything, but we are disrupting the industry in a majo