Enjoy the Cylance

11 May 2017 22:08 | security | macOS

I blogged about Cylance a couple of times earlier this year after testing their endpoint security product CylancePROTECT on MacOS. I ended up deleting both blog posts shortly after posting them because I was concerned about inaccuracies in the original post and wanted to give Cylance a chance to respond to the issues I raised.

Having now tested it for a good few months I think I’m in a good position to give a fair and honest review of the product. This post is 100% related to the MacOS version of CylancePROTECT - I have never tested the Windows version in any way.

My original post about Cylance highlighted the fact that after installing it I was able to find some OSX malware samples with a quick google search for “OSX malware samples” which were not detected by Cylance. The first result to my google search was objectivesee.com run by the very awesome Patrick Wardle, an independent security researcher. These samples included OSX.Mokes which was described in a blog post in September 2016 as a “sophisticated MacOS backdoor”:

https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/

Despite being blogged about publicly in early September and known to VirusTotal not long afterwards, the current release of CylancePROTECT I was using in February 2017 did not detect OSX.Mokes, along with a couple of other OSX samples.

I reported this issue to them and was told a couple of weeks later that they had “taken the issue very seriously”, “escalated it internally” and had “updated their math model” to deal with it.

So again I tested Cylance with the new malware and found that it did now detect it, but only the exact OSX.Mokes binary that I had reported. If I changed a single byte (such as a character in one of the c&c domains listed in the binary) Cylance would no longer detect it. I again reported this issue to Cylance and it turned out that although they had updated their math model, the new model hasn’t been released yet. As an interim measure Cylance had added the sha256 hash of the binary to a global quarantine list but this would only work if it was an exact match.

To be clear on the timeframes here:

  • The malware samples in question were known to VirusTotal in the latter part of 2016.

  • The undetected samples (false negatives) were reported to Cylance in early February 2017 - still undetected despite being in VirusTotal for at least 3 months

Around April 20th 2017 the InfinityEngine (Cylance’s cloud service) was updated with the new math model. Unfortunately this doesn’t really provide much protection - if a modified version of OSX.Mokes is scanned by Cylance it will initially not detect it, even if the modification is only a single byte. If the policy on the endpoint has auto-upload enabled it will upload previously unseen binaries to Infinity. Some time later the Infinity Engine, with its new math model, will classify the binary as bad and this will get picked up in the local user’s Cylance agent. However the time for this to occur is such that a user could easily have executed the binary and become compromised in the meantime.

At the time of writing, 11th May 2017 9pm BST, I still don’t have the updated math model that detects OSX.Mokes other than via a static sha256 hash. Modified versions of it will eventually get picked up and blacklisted by the InfinityEngine but this is a fairly weak defence. Even free signature scanners like ClamAV are able to detect modified versions of Mokes that still contain the same signature.
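The gap between the two detection approaches described above (an exact sha256 quarantine entry versus a content signature of the kind ClamAV uses) is easy to reproduce. The following is an added illustration, not code from the post or from Cylance: it builds a constructed stand-in "sample" with placeholder C2 hostnames (no real indicators), registers its sha256 in a hash blocklist, then changes one character of an embedded domain and shows that the hash lookup stops matching while a pattern-based signature still fires.

```python
import hashlib
import re

# Constructed stand-in for a malware sample (not a real binary, not a real IoC):
# filler bytes with two embedded placeholder C2 hostnames.
ORIGINAL_SAMPLE = (
    b"\x7fBIN" + b"\x00" * 16
    + b"connect to c2-one.example.invalid:4444\x00"
    + b"fallback c2-two.example.invalid:8080\x00"
    + b"\x90" * 32
)


def sha256_hex(data: bytes) -> str:
    """Exact-match file identity, as used by a hash quarantine list."""
    return hashlib.sha256(data).hexdigest()


# Hash-based global quarantine list: only the exact reported sample is listed.
HASH_BLOCKLIST = {sha256_hex(ORIGINAL_SAMPLE)}


def hash_blocklist_hit(data: bytes) -> bool:
    """True only when the file is byte-for-byte identical to a listed sample."""
    return sha256_hex(data) in HASH_BLOCKLIST


# Content signature in the style of a ClamAV/YARA rule: several byte patterns
# that characterise the family; any two of them suffice for a detection.
SIGNATURE_PATTERNS = [
    re.compile(rb"c2-\w+\.example\.invalid:\d{2,5}"),  # C2 host:port string
    re.compile(rb"connect to "),                        # protocol string
    re.compile(rb"\x90{16,}"),                          # long filler run
]
SIGNATURE_MIN_MATCHES = 2


def signature_hit(data: bytes) -> bool:
    """True when at least SIGNATURE_MIN_MATCHES patterns are present."""
    matches = sum(1 for pattern in SIGNATURE_PATTERNS if pattern.search(data))
    return matches >= SIGNATURE_MIN_MATCHES


def mutate_one_domain_char(data: bytes) -> bytes:
    """Change a single character of the first C2 domain ('o' -> '0'), the kind
    of one-byte edit the post describes; length and all other bytes stay equal."""
    mutated = data.replace(b"c2-one.", b"c2-0ne.", 1)
    assert mutated != data, "expected the placeholder domain to be present"
    return mutated


def bytes_differing(a: bytes, b: bytes) -> int:
    """Count byte positions at which two equal-length blobs differ."""
    assert len(a) == len(b)
    return sum(1 for x, y in zip(a, b) if x != y)


def classify(data: bytes) -> dict:
    """Run both detection approaches and report each verdict."""
    return {
        "sha256": sha256_hex(data),
        "hash_blocklist": hash_blocklist_hit(data),
        "content_signature": signature_hit(data),
    }


if __name__ == "__main__":
    mutated = mutate_one_domain_char(ORIGINAL_SAMPLE)
    print("bytes changed:", bytes_differing(ORIGINAL_SAMPLE, mutated))
    for name, blob in (("original", ORIGINAL_SAMPLE), ("mutated", mutated)):
        print(name, classify(blob))
```

The signature rule deliberately matches on more than one artefact and tolerates variation inside the hostname, which is why a single-character edit to one domain leaves it intact; a hash entry has no such tolerance and covers exactly one file.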

More recently the handbrake.fr website was hacked and the application was implanted with a malware called Proton.B. I tested the sample with the local agent I have and found that Cylance did not detect it. Additionally, uploading it to the Infinity Engine also did not result in detection, so the new math model that is pending release to local agents still doesn’t pick it up. Admittedly at the time I tested this the traditional signature scanners weren’t detecting it either but this is where Cylance is meant to be superior.

This is Patrick Wardle’s post about this attack:

https://objective-see.com/blog/blog_0x1D.html

At least this time Cylance were aware of the issue internally and are working to resolve it.

Another recent MacOS malware development is a new variant of the Dok malware. Dok.A is detected by Cylance but Dok.B is not. Cylance sells itself exactly on this kind of detection - variants and mutations of pre-existing malware - but here it is failing to do exactly what it is marketed to do.

ref: https://twitter.com/objective_see/status/859240059471638528

Another instance of Cylance failing to do its job was when I recently discovered an RCE vulnerability in a popular virtualisation product. I can’t give details yet because the vendor hasn’t patched it but essentially it allows a vector for injecting a malicious dylib. I quickly knocked up a dylib that had no actual library code but just a constructor that initiates a reverse tcp shell connection to the attacker on a pre-determined IP address. When compiled this was not detected by Cylance as malicious at all, despite it being a library with a) no library code and b) an obviously malicious constructor. The reason for putting the payload in the constructor is that this gets called as soon as the library is loaded into the parent process so there’s no need to wait for it to actually call a specific function in the library.

So, all this negativity and failure... at this point if you’re still reading you probably think I don’t think very highly of Cylance or their product. Surprisingly, that’s not the case. I actually think CylancePROTECT is a pretty cool product despite its apparent ineffectiveness as an antivirus solution.

In the media and even in Cylance’s own marketing the focus is on AV, and understandably so, but it does more than just AV. As well as the machine-learning AV engine CylancePROTECT also provides memory exploit protection and is able to stop a long list of memory exploitation techniques. It’s simple to test the effectiveness of these - grab Metasploit and try running some MacOS memory corruption exploits. I quickly found that Cylance blocked them purely based on behaviour rather than statically analysing the binary.

It’s worth mentioning as well that of the malware binaries that Cylance did detect, I was able to modify them extensively without breaking the detection.

I’m a pretty competent computer user and don’t really need antivirus in any form; the only reason I ever run it is because it’s required by the corporate policies of clients that I work with when I’m on site. I know what malware looks like and what not to open so regardless of the effectiveness of the AV I’m probably not going to get owned like that (although handbrake.fr getting owned is a potential and worrying vector!). 0day exploits however are a different thing entirely and having something that can actually defend against this kind of attack is pretty cool. Some of the incumbent AV products claim to defend against this but as far as I can tell it’s all just based on reacting to known threats and releasing signatures as fast as possible. Technologies like Bromium look like a really cool way to defend against exploits but it’s not available to end users or even SMBs running MacOS yet.

Cylance also has some pretty clever and well thought out protection against a local user disabling or bypassing the agent. With a “completely locked down” policy I have been unable to disable the agent even as root - despite a lot of effort spent trying. The kernel driver disallows access to pretty much every file related to Cylance and blocks all signals to its processes.

To summarise I think Cylance is cool tech and I hope that it gets better on MacOS over the next year or two. Given how much Cylance is valued at I’m willing to believe that the Windows version is way more effective at AV than the Mac version but I don’t really care enough about Windows to test it. It would stand to reason though - there’s likely much more Windows malware to train the ML algorithm with and a much bigger market to motivate the company.

I’d like to see Apple implement some of Cylance’s memory protection techniques into the kernel but I’m not holding my breath as they’re clearly not very focused on security.

If you know what you’re doing with computers, are unlikely to click on a dodgy attachment, and work in industries that could be deliberately targeted by attackers, you might want to add CylancePROTECT to your defences.

I would also highly recommend BlockBlock by Patrick Wardle for Mac users looking for additional protection. BlockBlock was able to detect and block Proton.B from persisting itself when none of the traditional AV products or CylancePROTECT was able to. And it’s free!