Next Gen: Cylance Antivirus Review

About two years ago, I stumbled upon Cylance. They marketed their product, CylancePROTECT, as being ‘next generation’ security software, utilising artificial intelligence and machine learning to beat malware and other online threats. Instantly I was intrigued. Wanting to know more, I started looking online for community reviews and/or downloadable trials. Unfortunately neither seemed to exist, so I put a bookmark in my browser and decided to return again another day.

Fast forward to today, and things have changed. There’s been a public AMA on Reddit, NSS Labs and AV-TEST have tested the product, and best of all, it can now be purchased for use on individual PCs via MalwareManaged.

In this blog post I’m going to be testing the security effectiveness of Cylance PROTECT, and putting it head to head with other competing products from TrendMicro, ESET, Sophos, Webroot and Malwarebytes.

What is ‘next gen’?

Almost all of today’s traditional antivirus programs rely on the basic premise of blacklisting known malicious files. For example, a virus is released, picked up by a security company, and a short while thereafter, a ‘definition’ or ‘signature’ file is ready for download by antivirus clients. The antivirus clients compare files on computers against the downloaded definition ‘blacklist’ file. If something matches, the antivirus programme will attempt to remove the offending file or software.

Most antivirus vendors have now started to build in heuristics, which look for suspicious behaviour in order to block unknown threats.

Next generation antivirus products are departing from the blacklisting approach, and instead rely upon algorithms and machine learning to look for the indicators of an attack. For example, does this executable file try to encrypt files on the hard drive in quick succession?

This new method is a great step in the right direction, as there is no longer a gap between an exploit or malware being released (0-day) and an appropriate patch or definition update being engineered, released, and then downloaded to antivirus clients.
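To make the difference concrete, here is an added illustration (not Cylance’s code or any vendor’s detection logic) of the two approaches side by side on constructed data: a hash blacklist that stops matching after a single changed byte, and a behavioural indicator of the ‘encrypts many files in quick succession’ kind run over a constructed file-write log. The window and threshold values are assumptions chosen for the example.

```python
import hashlib
from collections import defaultdict

# Constructed 'known bad' sample and the hash-based definition file built
# from it (stands in for yesterday's signature update).
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-sample-v1"
BLACKLIST = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}
# The same sample with its last byte changed: what a trivially repacked
# variant looks like to a hash blacklist.
REPACKED_SAMPLE = KNOWN_BAD_SAMPLE[:-1] + b"2"

def signature_match(file_bytes: bytes) -> bool:
    """Traditional check: is the exact hash in the downloaded definitions?"""
    return hashlib.sha256(file_bytes).hexdigest() in BLACKLIST

def rapid_encryption_indicator(events, window_s=1.0, threshold=20):
    """Behavioural check from the text: flag any process that rewrites
    more than `threshold` distinct files inside any `window_s` window.
    `events` are (timestamp_s, pid, path) file-write records.
    Window and threshold are assumed values for this example."""
    by_pid = defaultdict(list)
    for ts, pid, path in events:
        by_pid[pid].append((ts, path))
    flagged = set()
    for pid, writes in by_pid.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            # Distinct paths written within window_s of this write.
            paths = {p for t, p in writes[i:] if t - t0 <= window_s}
            if len(paths) > threshold:
                flagged.add(pid)
                break
    return flagged

# Constructed file-write log: pid 4100 is an editor saving three documents
# over ten seconds; pid 6666 rewrites 40 files in well under a second.
EVENTS = [(0.0, 4100, "C:/Users/u/Documents/notes.docx"),
          (4.2, 4100, "C:/Users/u/Documents/notes.docx"),
          (9.8, 4100, "C:/Users/u/Documents/budget.xlsx")]
EVENTS += [(12.0 + i * 0.02, 6666, f"C:/Users/u/Documents/file{i}.pdf")
           for i in range(40)]

if __name__ == "__main__":
    print("known sample blacklisted:", signature_match(KNOWN_BAD_SAMPLE))    # True
    print("repacked sample blacklisted:", signature_match(REPACKED_SAMPLE))  # False
    print("pids flagged by behaviour:", rapid_encryption_indicator(EVENTS))  # {6666}
```

The repacked variant passes the signature check untouched until a new definition ships, which is exactly the gap the paragraph describes; the behavioural indicator needs no update to flag it.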

Setup and Installation

I headed over to MalwareManaged’s website and purchased myself a license. Unfortunately they now seem to have discontinued selling licenses for home use, so it looks like I got mine just in time.

After purchasing, I was sent a download link to the installer, which is a 150MB .exe file.

Cylance PROTECT Installer

The installer asks for a password (provided after purchase), and is then literally a next > next > finish install.

Once up and running, the PROTECT logo sits in the system tray, and provides a few options for starting manual scans or checking for updates. The local agent has no controls or configuration options; instead, these are set and managed remotely via the Cylance online console.

CylancePROTECT System Tray Icon

The main interface is very basic, showing only blocked exploits/scripts/malware and a brief status of what the program is currently doing.

CylancePROTECT Windows Client

Mac users haven’t been left out of the action either, as there is a separate client for Mac OS.

CylancePROTECT Mac OS Client

Management

Monitoring and management are conducted via the Cylance console. Upon logging in, you are greeted with recent threat information, files scanned, and threat severity.

Cylance Console

Under the ‘protection’ tab we can see files which have recently been quarantined, and the various threat indicators which led Cylance to believe the software was malicious.

Cylance Console

For each detected threat, we can see the various ‘threat indicators’ used by Cylance to determine if a file is safe or malicious.

As my access to Cylance and this console was provided through MalwareManaged, a managed security services provider, the console was locked down so I wasn’t able to configure anything.

In a real world deployment of Cylance, you would of course be able to make full use of the console, organise devices, and deploy custom settings. For the purposes of this review however, I’m going to proceed straight to testing with MalwareManaged’s default policies.

Testing Methodology

The products I’m putting head-to-head today are:

  • CylancePROTECT version 1.2.1418
  • TrendMicro Maximum Security 11
  • ESET NOD32 Antivirus 10.0.390
  • Sophos Endpoint 11.5.4 (with InterceptX)
  • Malwarebytes Premium 3.0.6
  • Webroot SecureAnywhere

My testing will be done in two stages:

Stage one

  1. Create multiple identical Hyper-V Virtual Machines.
  2. Install each product into its own VM and fully update.
  3. Create a Hyper-V Checkpoint.
  4. Drop malware onto the machine’s desktop.
  5. Allow the AV to scan the files, then execute any files left over.

Stage two

  1. Where AV products were successful, revert the VM back to the Hyper-V checkpoint.
  2. Remove internet access.
  3. Leave the machine idle for three days.
  4. Introduce new malware, three days newer than the AV’s definition files.

My testing methodology is hardly scientific or a true example of real world use, but it is a level playing field. I feel my results will provide a decent indication of how products may perform in production.

In order to obtain samples of malware, I’ve been using TestMyAV.com. Each day various ZIP archives are uploaded containing a treasure trove of new malware. I’d highly recommend this to anyone looking to test their current or new security solutions.

Testing – Stage 1

CylancePROTECT

It took Cylance approximately 2 minutes to scan all of the files in my malware folder and clear up, removing all but one file. When I tried to execute the remaining file, it failed with an error. The machine was fully usable whilst scanning, with the CPU utilisation reaching a maximum of approximately 50%.

Time to scan: 2 minutes
CPU Use: 30-50% (Usable)
Files remaining: 1

Result: PASS – No infection

TrendMicro Maximum Security

TrendMicro was able to detect almost all of the malware, leaving only 17 samples behind. When I attempted to run the remaining files, they would either fail, or Trend would display a warning advising me not to run the file. The CPU was hit quite a bit, but the machine was still responsive.

Time to scan: 3 minutes, 45 seconds
CPU Use: 70-99%
Files remaining: 17

Result: PASS – No infection

ESET NOD32 Antivirus

Like the previous two, ESET completed the scan in reasonable time, detecting most of the malware samples. I was unable to execute the files that remained on the machine. Although slow, the system was usable whilst the detection took place.

Time to scan: 2 minutes
CPU Use: 70-99%
Files remaining: 10

Result: PASS – No infection

Sophos Endpoint (with InterceptX)

After releasing my malware samples upon the system, Sophos pegged the CPU at 100%. The system was totally unusable. After 10 minutes of waiting, Sophos still hadn’t finished its detection. I therefore decided to start executing the samples remaining on the system.

Time to scan: 10 minutes +
CPU Use: 100%
Files remaining: Many

Result: FAIL – System infected

Sophos Endpoint Infected

Task Manager on infected Sophos Endpoint VM

Malwarebytes Premium 3

Malwarebytes was really hot off the mark, completing its folder scan in 50 seconds whilst utilising relatively little CPU. Unfortunately, this seems to be at the expense of protection, as the machine was quickly infected.

Time to scan: 50 seconds
CPU Use: 50%
Files remaining: Many

Result: FAIL – System infected

Malwarebytes Premium 3 Infected

Webroot SecureAnywhere

Webroot markets its security product as ‘next generation’ just like Cylance. I was looking forward to testing this product, expecting a strong performance. The scan time was incredibly fast, and the client very lightweight with a simple and intuitive interface; however, the protection leaves much to be desired.

Time to scan: 13 seconds
CPU Use: 20-30%
Files remaining: Many

Result: FAIL – System infected

Webroot SecureAnywhere Client

Webroot SecureAnywhere Infected

Summary

CylancePROTECT – PASS
TrendMicro Maximum Security – PASS
ESET NOD32 Antivirus – PASS
Sophos Endpoint (with InterceptX) – FAIL
Malwarebytes Premium 3 – FAIL
Webroot SecureAnywhere – FAIL

Testing – Stage 2

Now down to three products, I restored each virtual machine back to its original state, disconnected its network connection and waited for three days.

On day 3, I downloaded the latest samples I could find from testmyav.com, and went to work on each VM.

The security products installed on each VM are still using the older antivirus signatures from three days ago, so this should be a good simulation of ‘0-day’ or in-the-wild malware.

CylancePROTECT

CylancePROTECT Client Quarantine

On this occasion Cylance detected every piece of malware in the folder. The above screenshot shows the main Cylance client populated with quarantined threats.

Result: PASS – No infection

TrendMicro Maximum Security

Trend put up a good fight against the new samples, and I really did think that it was going to protect my machine. It used up a lot more processing power against the new malware than it had done in my previous test, but I didn’t mind as long as the machine was protected.

TrendMicro Maximum Security CPU Usage

After the initial scan was completed, a few files remained which I executed. And then this happened…

TrendMicro Maximum Security Infected

Result: FAIL – Infected

ESET NOD32 Antivirus

Like Trend, ESET was seriously hitting my VM’s CPU during its scan of the new malware. I waited a few minutes for the machine to become responsive and found that ESET had left a few files behind. I executed each of the files and watched.

Initially, quite a few alerts were shown as the files ran.

And then… nothing.

It looked like NOD32 had done it! To make sure, I fired up the Windows Task Manager to check for any running processes.

What’s this?

One of the files was running in the background. I then noticed my system tray, and rather creepily, location services had suddenly turned on.

The time and date on this screenshot are slightly after my main test, as I forgot to take screenshots. 🙂

For a second opinion, I copied the file to another VM via the magic of Hyper-V and uploaded it to VirusTotal.

Here are the results:

Upon reboot, the running processes were nowhere to be seen so the infection was not persistent. However, ESET had allowed a malicious programme to run on my VM.

Result: FAIL – Infected

Summary

CylancePROTECT – PASS
TrendMicro Maximum Security – FAIL
ESET NOD32 – FAIL

Closing Thoughts

Overall I am extremely impressed with Cylance’s protection capabilities. So much so that I actually purchased an additional license to protect my personal MacBook.

The PROTECT client was very light on system resources, and even when under attack, kept CPU usage low so as not to render the machine useless.

As we can see from my test results, the other ‘top tier’ antivirus vendors do offer good levels of protection, but only when they are able to continually update themselves with the latest definition files.

In this review, I’ve focused solely on the security effectiveness of each product, and not the encompassing suite of management tools, deployment, etc. Hopefully this is something Cylance or MalwareManaged might be able to provide me with access to in the future.

If you’re looking for the best antivirus going, I’d recommend Cylance.

Overall verdict: 5/5