The Truth on Broken Samples

Let me start with a clear statement. Cylance is not distributing broken samples to game the system. We are trying to help security professionals test for themselves, in their real-world environments. Let me explain how this particular piece of malware was distributed and how we fixed the issue months ago.

We had an internal process that downloaded, via an API, known malware samples from a well-known virus aggregation site (I can't mention their name), selecting samples with 10+ antivirus detections. It then ran them through an automated packing system to alter each sample's hash, in effect "creating a new piece of malware from an AV perspective." This let us test the efficacy of our own product, as well as others, against both the "unknown" mutated samples and the un-mutated originals. The goal is to help us stop future attacks as well as previous ones.

After a couple of months of operation, samples, both un-mutated and mutated, began to be shared with partners and prospects, because it's almost impossible to test the efficacy of a security product with known malware. So our "unknown malware" eventually got handed out.

Once malware reaches the aggregation site we were pulling from, the API lookups let each Tier 1 AV crowdsource its detections, so by the time you pull "known malware" the AVs already stop it by its cryptographic hash. Since attackers constantly crypt or pack their malware to evade hash-based detection, you have to do the same to test real-world efficacy. That is why you see Tier 1 AVs scoring 100% in antivirus tests while you still get infected by malware when running it. Everyone does; it's no secret that AV is dead, and every day enterprises with fully patched, cloud-connected AVs are getting…
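The testing approach described above, reduced to a small harness, as an added example that is not Cylance's own code: constructed random-byte stand-ins play the role of samples, a hypothetical aggregator report with a `positives` field supplies the "10+ detections" filter, and a constructed 8-byte trailer stands in for the packing step. It shows why a hash-only detector scores 100% on the known set and 0% on the mutated set, and why efficacy must be reported on both.

```python
import hashlib
import random

# Constructed stand-ins for malware samples: random bytes, not real malware.
_rng = random.Random(1)
SAMPLES = [bytes(_rng.getrandbits(8) for _ in range(64)) for _ in range(6)]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed aggregator-style report keyed by hash; "positives" is a hypothetical field.
REPORT = {sha256(s): {"positives": n} for s, n in zip(SAMPLES, (14, 23, 3, 11, 0, 10))}

def select_known_bad(report, samples, min_detections=10):
    """Keep samples detected by at least `min_detections` engines (the 10+ rule)."""
    return [s for s in samples if report[sha256(s)]["positives"] >= min_detections]

def mutate(sample: bytes, seed: int) -> bytes:
    """Stand-in for the packing step: any byte-level change yields a new hash.
    A constructed trailer is appended here; a real packer rewrites the whole file."""
    return sample + bytes([seed & 0xFF]) * 8

def hash_detector(blocklist):
    """Detector that only knows malware by cryptographic hash (crowd-sourced lookups)."""
    return lambda data: sha256(data) in blocklist

def content_detector(signatures):
    """Detector matching a byte pattern from the original; it survives the trivial
    trailer above but would not survive a real packer that rewrites the file."""
    return lambda data: any(sig in data for sig in signatures)

def efficacy(detector, samples) -> float:
    """Fraction of samples the detector flags, 0.0 to 1.0."""
    return sum(1 for s in samples if detector(s)) / len(samples)

def run_efficacy_test() -> dict:
    known = select_known_bad(REPORT, SAMPLES)          # 4 of 6 pass the 10+ rule
    mutated = [mutate(s, i) for i, s in enumerate(known)]
    blocklist = {sha256(s) for s in known}            # what a hash-only AV "knows"
    signatures = [s[:16] for s in known]              # crude content signature
    return {
        "selected": len(known),
        "hash_known": efficacy(hash_detector(blocklist), known),
        "hash_mutated": efficacy(hash_detector(blocklist), mutated),
        "content_known": efficacy(content_detector(signatures), known),
        "content_mutated": efficacy(content_detector(signatures), mutated),
    }
```

Report the known and mutated scores side by side; a detector that only shows the first number has not been tested against anything an attacker would actually deliver.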

This is a Security Bloggers Network syndicated blog post authored by Jon Miller. Read the original post at: Cylance Blog