BlackBerry Cylance addresses AI-based antivirus engine bypass

Pierluigi Paganini July 22, 2019

BlackBerry Cylance has addressed a bypass recently discovered in the AI-based antivirus engine of its CylancePROTECT product.

Experts at cybersecurity firm Skylight announced last week that they had devised a method to bypass BlackBerry Cylance’s AI-based antivirus engine. The company has now addressed the issue with an update, while downplaying its impact.

They discovered that the AI-based engine appeared to give special treatment to files associated with a popular, unnamed videogame.

The researchers extracted specific strings from the game’s executable and appended them to known malicious files, so that the engine would score the modified files as benign.

“We chose Cylance for practical reasons, namely, it is publicly available and widely regarded as a leading vendor in the field,” reads a post published by Skylight. “However, we believe that the process presented in this post can be translated to other pure AI products as well.”

Skylight tested the technique, which they describe as a universal bypass, against popular hacking tools such as Mimikatz, ProcessHacker and Meterpreter, and against well-known malware families such as CoinMiner, Dridex, Emotet, Gh0stRAT, Kovter, Nanobot, Qakbot, Trickbot, and Zeus. The results were disconcerting: across 384 malicious files, the technique bypassed the Cylance engine in over 83% of cases, and in most of those cases the files were rated as harmless.

Skylight publicly disclosed the issue without giving BlackBerry Cylance time to address the flaw with a security patch; Cylance nonetheless investigated the problem over the weekend.

The vendor explained that the technique could not be classified as a universal bypass.

“On July 18th, researchers publicly disclosed a specific bypass of CylancePROTECT®.” reads the post published by Cylance. “We verified the issue was not a universal bypass as reported, but rather a technique that allowed for one of the anti-malware components of the product to be bypassed in certain circumstances. The issue has been resolved for cloud-based scoring and a new agent will be rolled out to endpoints in the next few days.”

The vendor added that, in limited circumstances, the issue could be used to manipulate a specific type of feature analyzed by the engine.

“Features can be any aspect of a file which can be interpreted or measured. These features are then passed to a mathematical algorithm for analysis.” continues Cylance.

“This vulnerability allows the manipulation of a specific type of feature analyzed by the algorithm that in limited circumstances will cause the model to reach an incorrect conclusion.”

BlackBerry Cylance has implemented changes to the algorithm that should detect this kind of feature manipulation. The update has already been pushed to cloud-based scoring, and the company plans to release a new agent to its endpoints over the next few days.



(SecurityAffairs – Cylance AI-based antivirus engine, hacking)
