Anti-virus outfit Cylance appears to have been caught out trying to create false positives in clients machines as part of a sales gimmick.
According to Ars Technica the scheme was rumbled when a systems engineer at a large company was evaluating security software products when he discovered something suspicious.
Cylance had provided him with 48 malware files in an archive stored in the vendor’s Box cloud storage account. The idea was to show the company how good its Protect, a “next generation” endpoint protection system built on machine learning really was.
Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. But when the engineer took a closer look at the malware files in question—and found that seven were not malware.
He reasoned that Cylance was using the test to close the sale by providing files that other products wouldn’t detect—that is, bogus malware only Protect would catch. Cylance claims Protect uses AI to train itself using “the DNA markers of 1 billion known bad and 1 billion known good files.”
But over the past year, competitors and testing companies have accused Cylance of using product tests that favour the company. These critics have also accused Cylance of using legal threats to block independent, competitive testing.
Cylance executives reply accuses testing companies of running tests that inaccurately represent performance.
Ars says that the Cylance appears to be “re-packing” existing malware samples and turning them into “fresh” malware mostly using packers to convert executable files into self-extracting archives or otherwise obscure their executable code.
Cylance executives said there is no foul in that, because that is exactly what hackers do – share malware and repackage that malware to evade signature-based detection. The files that only Cylance caught in the test were all repacked in some way; five of the files were processed with MPRESS and the remainder were packed with other tools, including what appears to be a custom packer.
Of the nine files in question, testing by the customer, by Ars, and by other independent researchers showed that only two actually contained malware. One of the MPRESS-packed samples appeared to contain a copy of the MPRESS packer itself. The remainder of the MPRESS files contained either “husks”—essentially empty files—or samples that had been corrupted in packing. Two others crashed on execution, after opening a bunch of Windows resources without using them.