Connect with us

Hi, what are you looking for?


Application Security

BlackBerry Cylance Downplays, Patches Antivirus Bypass

BlackBerry Cylance has prepared an update for its CylancePROTECT product to address a recently disclosed bypass method, but the company has downplayed the impact of the issue.

BlackBerry Cylance has prepared an update for its CylancePROTECT product to address a recently disclosed bypass method, but the company has downplayed the impact of the issue.

Australia-based cybersecurity firm Skylight reported last week that its researchers had found a way to trick Cylance’s AI-based antivirus engine into classifying malicious files as benign.

They discovered what they described as a universal bypass method that involved taking strings from a certain video game — Cylance products appeared to give special treatment to files associated with this game — and appending them to known malware.

The researchers claimed they had achieved a success rate of over 83% in tests covering 384 malicious files, including hacking tools such as Mimikatz, ProcessHacker and Meterpreter, and malware such as CoinMiner, Dridex, Emotet, Gh0stRAT, Kovter, Nanobot, Qakbot, Trickbot and Zeus.

Skylight disclosed its findings — some details were not made public to prevent abuse — without giving BlackBerry Cylance the chance to release a patch. The vendor immediately launched an investigation and by Sunday it determined that “the issue was not a universal bypass as reported, but rather a technique that allowed for one of the anti-malware components of the product to be bypassed in certain circumstances.”

“Analyzing a file with machine learning is a multi-stage process. During this process a file is first examined by a parser which extracts artifacts from the file known as features. Features can be any aspect of a file which can be interpreted or measured. These features are then passed to a mathematical algorithm for analysis,” the company explained. “This vulnerability allows the manipulation of a specific type of feature analyzed by the algorithm that in limited circumstances will cause the model to reach an incorrect conclusion.”

In response to the issue, BlackBerry Cylance has made some changes that should detect feature manipulation and tampering attempts. An update has already been made to cloud-based systems and a new agent will be rolled out to customer endpoints over the next few days.

Advertisement. Scroll to continue reading.

SecurityWeek has reached out to Skylight to see if it has any comments on Cylance’s assessment.

Skylight noted that it chose Cylance for practical reasons, but believes other AI-based products are also susceptible to these types of attacks.

Related: Remote Code Execution Flaw Found in Kaspersky Products

Related: Check Point ZoneAlarm Flaw Allows Privilege Escalation

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...