Follow Slashdot stories on Twitter


Forgot your password?
Businesses Security Software Technology

Cylance Accused of Distributing Fake Malware Samples To Customers To Close Deals ( 32

New submitter nyman19 writes: Ars Technica reports how security vendor Cylance has been distributing non-functioning malware samples to prospective customers in order to "close the sale[s] by providing files that other products wouldn't detect" According to the report: "A systems engineer at a large company was evaluating security software products when he discovered something suspicious. One of the vendors [Cylance] had provided a set of malware samples to test -- 48 files in an archive stored in the vendor's Box cloud storage account. The vendor providing those samples was Cylance, the information security company behind Protect, a 'next generation' endpoint protection system built on machine learning. In testing, Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. Curious, the engineer took a closer look at the files in question -- and found that seven weren't malware at all."
This discussion has been archived. No new comments can be posted.

Cylance Accused of Distributing Fake Malware Samples To Customers To Close Deals

Comments Filter:
  • by Anonymous Coward

    wish there was a cylance stand alone product so we could test it ourselves.

    i don't get why cylance (we are so good even without access to updates) can't make a home/end user product and put the money where the mouth is.

  • Fraud (Score:5, Insightful)

    by mfh ( 56 ) on Monday April 17, 2017 @05:27PM (#54252325) Homepage Journal

    Jail time for anyone involved, or we will keep seeing fauds like this in the IT safety community. I have no tolerance for unethical people in this business and neither should you!

    • Re:Fraud (Score:4, Informative)

      by zlives ( 2009072 ) on Monday April 17, 2017 @05:34PM (#54252375)

      i don't buy your argument as clearly you are senile (56) :)

      on the other hand, i watched their demo at RSA and it looks really good right upto the point that you start asking questions like rate of false positives, and links and scripts that are legit use, and the ability to test the environment without their mandatory supervision. its definitely intriguing but they are way too cryptic about their product. and that does not leave a good taste considering today's lack of vendor trust environment.

    • Jail time for anyone involved, or we will keep seeing fauds like this in the IT safety community. I have no tolerance for unethical people in this business and neither should you!

      I really doubt this is a conspiracy. It was probably just an engineer phoning it in when they download stuff from VT and repack them to change the file signatures. I don't fully trust Cylance but this would be a pretty stupid way to try to game the system if it's on purpose. Obviously you'd want to test the files that your current AV isn't catching to see what they do.

  • Same here (Score:2, Informative)

    by Anonymous Coward

    Happened to us too in EU, but by the time we got to test the samples we were fed up with how bad Cylance was. When we saw that it detected all malicious files from their team but not ours and all other vendors didn't manage to detect their files as malicious we just burst in to laughter and closed all relations, i think any team with common sense will spot and differentiate bad solutions and frauds from good ones.

  • by Anonymous Coward on Monday April 17, 2017 @05:55PM (#54252487)

    I had a really weird vibe from them when I attended a seminar. Then when they basically said they could detect all the malware they had on a disk... well I rolled my eyes, naturally they can detect all the malware they brought with them.

    And when I tried to get the difference between what they were selling and the common heuristics that other AV vendors used... well I never got a satisfactory answer. Sounds like the same thing to me.

    • by Anonymous Coward

      Disclosure - I work form a company that sells cylance and I have run this demo myself.

      The real reason that the couldn't be specific about what heuristic they use is that they honestly don't know. The 'risk factors' are documented and publicly available, but how they are combined to made a 'safe/suspicious" decision is based on a machine developed algorithm.

      This is what the whole Machine Learning/AI buzzword is about. Its not that the agent is an AI, but the heuristics that it implements are developed by

  • by Anonymous Coward

    Of all the assets a security company possess, customer trust in the firm's integrity is the most valuable. They were once a close competitor for Sophos Security, and Palo Alto Networks, but now Cylance is only a sad historic attempt by tricksters to steal our money.

    • Um... nobody trusts AV companies. It's all smoke and mirrors to sell to grandma and appease regulators.
  • by Anonymous Coward

    Fireeye is not different in their tactics. They have always bullshit their customers to close deals

  • by Midnight_Falcon ( 2432802 ) on Monday April 17, 2017 @06:39PM (#54252751)
    I was looking at next-gen AV solutions and came across Cylance. I saw a demo of their software -- which consisted of two VMs, one running AVG and another Cylance. The AVG one only got about 20% of samples picked by the sales peson from VirusTotal. Cylance got 100%.


    Because Cylance uses the VirusTotal API! So, of course it would get all these samples..using simple SHA1 hash checksums.

    Their sales team seems to focus on low-skill (read: fix the copier, what's devops?) IT departments with smoke and mirrors tactics like this. I called it out right away, and went with a competing product. But based on that scammy behavior, this doesn't seem far off.

    • Wait, it uses an online API? So if my computer is infected and I take it offline to disinfect and I use their product, what happens? Doesn't sound promising.
      • I'm not sure how they exactly use the VirusTotal data as google did disable API access for startups to VirusTotal, but I believe they aggregate that data on their own backend as an 'intelligence source' -- same difference to me!
  • by ffkom ( 3519199 ) on Monday April 17, 2017 @06:55PM (#54252835)
    They are both thriving on your fear and money while pretending to protect something they are actually the worst enemies of.
  • Not surprised really, I tried Cylance for MacOS twice recently and found it quite ineffective against malware samples that were hashed by VirusTotal 3 months prior to when I tested it. Their support people just apologised and said they "took the issue very seriously". I tested it again when a major release came out and found little improvement (the undetected samples were hashed but still not detected by the ML-derived algorithm).
  • Let me start with a clear statement. Cylance is not distributing broken samples to game the system. We are trying to help security professionals to test for themselves, in their real-world environments. Let me explain how this this particular instance of malware was distributed and how we had fixed this issue months ago.

    We had an internal process that would download via an API known samples of malware from a well known virus aggregation site, based on 10+ AV detections, (I can't mention their name) and t

I THINK MAN INVENTED THE CAR by instinct. -- Jack Handley, The New Mexican, 1988.