Enjoy the Cylance

11 May 2017 22:08 | security | macOS

I blogged about Cylance a couple of times earlier this year after testing their
endpoint security product CylancePROTECT on MacOS.  I ended up deleting both
blog posts shortly after posting them because I was concerned about
inaccuracies in the original post and wanted to give Cylance a chance to
respond to the issues I raised.

Having now tested it for a good few months I think I'm in a good position to
give a fair and honest review of the product.  This post is 100% related to the
MacOS version of CylancePROTECT - I have never tested the Windows version in
any way.

My original post about Cylance highlighted the fact that after installing it I
was able to find some OSX malware samples with a quick Google search for "OSX
malware samples" which were not detected by Cylance.  The first result for my
Google search was objective-see.com, run by the very awesome Patrick Wardle, an
independent security researcher.  These samples included OSX.Mokes, which was
described in a blog post in September 2016 as a "sophisticated MacOS backdoor":

https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os.../

Despite being blogged about publicly in early September and known to VirusTotal
not long afterwards, the current release of CylancePROTECT I was using in
February 2017 did not detect OSX.Mokes, along with a couple of other OSX
samples.

I reported this issue to them and was told a couple of weeks later that they had
"taken the issue very seriously", "escalated it internally" and had "updated
their math model" to deal with it.

So again I tested Cylance with the malware and found that it did now
detect it, but only the exact OSX.Mokes binary that I had reported.  If I
changed a single byte (such as a character in one of the c&c domains listed in
the binary) Cylance would no longer detect it.  I again reported this issue to
Cylance and it turned out that although they had updated their math model, the
new model had not been released yet.  As an interim measure Cylance had added the
sha256 hash of the binary to a global quarantine list, but this would only work
if the file was an exact match.

To be clear on the timeframes here:

- The malware samples in question were known to VirusTotal in the latter part of
  2016.

- The missed detections were reported to Cylance in early February 2017, when
  the samples were still undetected despite being in VirusTotal for at least 3 months.

Around April 20th 2017 the InfinityEngine (Cylance's cloud service) was updated
with the new math model.  Unfortunately this doesn't really provide much
protection - if a modified version of OSX.Mokes is scanned by Cylance it will
initially not detect it, even if the modification is only a single byte.  If the
policy on the endpoint has auto-upload enabled it will upload previously unseen
binaries to Infinity.  Some time later the Infinity Engine, with its new math
model, will classify the binary as bad and this will get picked up by the local
user's Cylance agent.  However the time for this to occur is such that a user
could easily have executed the binary and become compromised in the meantime.

At the time of writing, 11th May 2017 9pm BST, I still don't have the updated
math model that detects OSX.Mokes other than via a static sha256 hash.
Modified versions of it will eventually get picked up and blacklisted by the
InfinityEngine but this is a fairly weak defence.  Even free signature scanners
like ClamAV are able to detect modified versions of Mokes that still contain
the same signature.
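The two detection styles contrasted above (an exact sha256 quarantine entry versus a content signature that survives a one-byte edit) can be demonstrated offline.  The following is an added example written for this post, not Cylance or ClamAV code: the "binary" is a constructed byte string with an invented C&C URL (the `.invalid` TLD is reserved), the signature format is a toy imitation of ClamAV-style hex strings with `??` wildcards, and the function names are mine.

```python
"""Exact-hash quarantine vs. content signature: which one survives a one-byte edit.

Added illustration for this post; not Cylance or ClamAV code. Every input below
is a constructed stand-in, not real malware.
"""
import hashlib
import re

# Constructed stand-in for a detected binary. Only the Mach-O magic is real;
# the embedded C&C URL is an invented placeholder (.invalid is a reserved TLD).
SAMPLE = (
    b"\xcf\xfa\xed\xfe"                      # Mach-O 64-bit magic number
    + b"\x00" * 28                           # fake header padding
    + b"http://c2.example.invalid/ping\x00"  # embedded C&C URL (constructed)
    + b"\x90" * 16                           # filler bytes
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The interim control described in the post: quarantine keyed on the exact SHA-256.
HASH_BLOCKLIST = {sha256_hex(SAMPLE)}

# A ClamAV-style hex signature (toy matcher, not the ClamAV engine): the bytes of
# "http://", then two wildcard bytes (??), then ".example.invalid". The wildcards
# let the subdomain prefix change without defeating the match.
SIGNATURES = {
    "Toy.Backdoor.C2": "687474703a2f2f" + "????" + "2e6578616d706c652e696e76616c6964",
}


def compile_signature(hexsig: str) -> re.Pattern:
    """Translate a hex string with '??' wildcards into a bytes regex."""
    if len(hexsig) % 2:
        raise ValueError("hex signature needs an even number of digits")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def hash_match(data: bytes) -> bool:
    """Exact-hash check: changing any single byte defeats it."""
    return sha256_hex(data) in HASH_BLOCKLIST


def signature_match(data: bytes) -> list:
    """Content check: names of every signature whose pattern occurs in the data."""
    return [name for name, pat in COMPILED.items() if pat.search(data)]


def classify(data: bytes) -> dict:
    """Run both checks so the two detection styles can be compared side by side."""
    return {"hash": hash_match(data), "signatures": signature_match(data)}


# Variants a tester would try: one byte changed inside the wildcard region of the
# signature, and one byte changed inside its fixed region. Both change the hash.
VARIANT_IN_WILDCARD = SAMPLE.replace(b"c2.example", b"c3.example")
VARIANT_IN_FIXED = SAMPLE.replace(b"example.invalid", b"exampl3.invalid")

if __name__ == "__main__":
    for label, blob in [("original", SAMPLE),
                        ("one byte changed, wildcard region", VARIANT_IN_WILDCARD),
                        ("one byte changed, fixed region", VARIANT_IN_FIXED)]:
        print(f"{label:36s} {classify(blob)}")
```

The first variant is the case the post describes: the hash entry no longer fires, the content signature still does.  The second variant shows the caveat that applies to signatures too: a one-byte change inside the fixed part of the pattern defeats it, which is exactly the gap a learned model is supposed to close and why neither control is a substitute for the other.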

More recently the handbrake.fr website was hacked and the application was
implanted with a malware called Proton.B.  I tested the sample with the local
agent I have and found that Cylance did not detect it.  Additionally, uploading
it to the Infinity Engine also did not result in detection, so the new math
model that is pending release to local agents still doesn't pick it up.
Admittedly, at the time I tested this the traditional signature scanners weren't
detecting it either, but this is where Cylance is meant to be superior.

This is Patrick Wardle's post about this attack:

https://objective-see.com/blog/blog_0x1D.html

At least this time Cylance were aware of the issue internally and are working to
resolve it.

Another recent MacOS malware development is a new variant of the Dok malware.
Dok.A is detected by Cylance but Dok.B is not.  Cylance sells itself exactly on
this kind of detection - variants and mutations of pre-existing malware - but
here it is failing to do exactly what it is marketed to do.

ref: https://twitter.com/objective_see/status/859240059471638528

Another instance of Cylance failing to do its job was when I recently discovered
an RCE vulnerability in a popular virtualisation product.  I can't give details
yet because the vendor hasn't patched it but essentially it allows a vector for
injecting a malicious dylib.  I quickly knocked up a dylib that had no actual
library code but just a constructor that initiates a reverse tcp shell
connection to the attacker on a pre-determined IP address.  When compiled this
was not detected by Cylance as malicious at all, despite it being a library with
a) no library code and b) an obviously malicious constructor.  The reason for
putting the payload in the constructor is that this gets called as soon as the
library is loaded into the parent process so there's no need to wait for it to
actually call a specific function in the library.

So, all this negativity and failure.  At this point, if you're still reading, you
probably think I don't think very highly of Cylance or their product.
Surprisingly, that's not the case.  I actually think CylancePROTECT is a pretty
cool product despite its apparent ineffectiveness as an antivirus solution.

In the media and even in Cylance's own marketing the focus is on AV, and
understandably so, but it does more than just AV.  As well as the
machine-learning AV engine, CylancePROTECT also provides memory exploit
protection and is able to stop a long list of memory exploitation techniques.
It's simple to test the effectiveness of these - grab Metasploit and try running
some MacOS memory corruption exploits.  I quickly found that Cylance blocked
them purely based on behaviour rather than by statically analysing the binary.

It's worth mentioning as well that, for the malware binaries that Cylance did
detect, I was able to modify them extensively without breaking the detection.

I'm a pretty competent computer user and don't really need antivirus in any
form; the only reason I ever run it is because it's required by the corporate
policies of clients I work with when I'm on site.  I know what malware
looks like and what not to open, so regardless of the effectiveness of the AV
I'm probably not going to get owned like that (although handbrake.fr getting
owned is a potential and worrying vector!).  0day exploits however are a
different thing entirely, and having something that can actually defend against
this kind of attack is pretty cool.  Some of the incumbent AV products claim
to defend against this but as far as I can tell it's all just based on
reacting to known threats and releasing signatures as fast as possible.
Technologies like Bromium look like a really cool way to defend against exploits
but they're not available to end users or even SMBs running MacOS yet.

Cylance also has some pretty clever and well thought out protection against a
local user disabling or bypassing the agent.  With a "completely locked down"
policy I have been unable to disable the agent even as root - despite a lot of
effort spent trying.  The kernel driver disallows access to pretty much every
file related to Cylance and blocks all signals to its processes.

To summarise I think Cylance is cool tech and I hope that it gets better on
MacOS over the next year or two.  Given how much Cylance is valued at I'm
willing to believe that the Windows version is way more effective at AV than the
Mac version but I don't really care enough about Windows to test it.  It would
stand to reason though - there's likely much more Windows malware to train the
ML algorithm with and a much bigger market to motivate the company.

I'd like to see Apple implement some of Cylance's memory protection techniques
into the kernel but I'm not holding my breath as they're clearly not very
focused on security.

If you know what you're doing with computers, are unlikely to click on a dodgy
attachment and work in industries that could be deliberately targeted by
attackers, you might want to add CylancePROTECT to your defences.

I would also highly recommend BlockBlock by Patrick Wardle for Mac users looking
for additional protection.  BlockBlock was able to detect and block Proton.B
from persisting itself when none of the traditional AV or CylancePROTECT was
able to.  And it's free!