On July 18th, researchers publicly disclosed a specific bypass of CylancePROTECT®. We verified that the issue was not a universal bypass, as reported, but a technique that allowed one of the product's anti-malware components to be bypassed in certain circumstances. The issue has been resolved for cloud-based scoring, and a new agent will be rolled out to endpoints in the next few days.
What is the Vulnerability?
Analyzing a file with machine learning is a multi-stage process. The file is first examined by a parser, which extracts artifacts from it known as features. A feature can be any aspect of a file that can be interpreted or measured. The extracted features are then passed to a mathematical model for scoring.
This vulnerability allows an attacker to manipulate one specific type of feature before it reaches the model. Because the file is entirely under the attacker's control, any feature the parser derives from its bytes is, in principle, something the attacker can influence; in limited circumstances the manipulated feature causes the model to reach an incorrect conclusion.
What is the Solution?
Our response to this vulnerability is three-fold. First, we have added anti-tampering controls to the parser to detect feature manipulation and prevent it from affecting the model score. Second, we have strengthened the model itself to detect when certain features become proportionally overweight, that is, when a single feature contributes far more to the score than it plausibly should. Lastly, we have removed from the model the features that were most susceptible to tampering.
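To make the two preceding sections concrete, here is an added toy example; it is not Cylance code, and the file format, the two features, the hand-set weights, the contribution caps and the sample files are all constructed assumptions. It shows a parser turning bytes into features, a linear model scoring them, an overlay appended past the declared body that swings one feature and flips the verdict, and the three mitigations described above switched on one at a time.

```python
"""
Added toy example: a feature-extracting parser, a linear scoring model, an
overlay that manipulates one feature, and the three mitigations switched on
one at a time.  The file format, features, weights, caps and sample files are
all constructed assumptions for illustration, not CylancePROTECT internals.
"""
import math
import struct
from collections import Counter
from typing import Optional

MAGIC = b"TOY"                        # assumed 3-byte magic of a made-up format
HEADER_LEN = len(MAGIC) + 4           # magic + big-endian u32 declared body length
PRINTABLE = frozenset(range(0x20, 0x7F))

WEIGHTS = {"entropy": 1.5, "string_runs": -0.05}     # assumed hand-set linear model
BIAS = -8.0
CONTRIB_CAP = {"entropy": 12.5, "string_runs": 2.0}  # assumed plausible bound per feature


def build_file(body: bytes) -> bytes:
    return MAGIC + struct.pack(">I", len(body)) + body


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_runs(data: bytes, min_len: int = 4) -> int:
    """Count runs of at least min_len printable ASCII bytes, like `strings`."""
    runs, cur = 0, 0
    for b in data:
        if b in PRINTABLE:
            cur += 1
        else:
            runs += int(cur >= min_len)
            cur = 0
    return runs + int(cur >= min_len)


def parse(blob: bytes, anti_tamper: bool = False) -> dict:
    """Parser stage: raw bytes -> features.

    Naive mode: entropy is read from the body the header declares, but the
    string scanner walks the raw file end to end, so bytes appended past the
    declared body still feed one feature.  Anti-tamper mode: detect trailing
    data and confine every feature to the declared structure.
    """
    if len(blob) < HEADER_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a TOY file")
    (declared,) = struct.unpack(">I", blob[len(MAGIC):HEADER_LEN])
    end = HEADER_LEN + declared
    if len(blob) < end:
        raise ValueError("truncated body")
    body = blob[HEADER_LEN:end]
    tampered = anti_tamper and len(blob) > end
    string_region = blob[:end] if anti_tamper else blob
    return {
        "entropy": entropy(body),
        "string_runs": printable_runs(string_region),
        "tampered": tampered,
    }


def analyze(blob: bytes, fix: Optional[str] = None) -> dict:
    """Score a file.  fix selects one mitigation: None (unpatched),
    'parser' (anti-tamper parser), 'model' (cap overweight contributions),
    'drop' (remove the susceptible feature from the model)."""
    feats = parse(blob, anti_tamper=(fix == "parser"))
    total, overweight = BIAS, []
    for name, w in WEIGHTS.items():
        if fix == "drop" and name == "string_runs":
            continue
        contrib = w * feats[name]
        if fix == "model" and abs(contrib) > CONTRIB_CAP[name]:
            overweight.append(name)       # feature is proportionally overweight: clip it
            contrib = math.copysign(CONTRIB_CAP[name], contrib)
        total += contrib
    return {
        "score": total,
        "label": "malicious" if total > 0 else "benign",
        "tampered": feats["tampered"],
        "overweight": overweight,
    }


# Constructed samples (not real malware or real benign files).
MALICIOUS_BODY = bytes(range(256)) * 4   # uniform bytes: entropy 8.0, few strings
BENIGN_BODY = b"Hello, this is a normal text document. " * 20
MALICIOUS = build_file(MALICIOUS_BODY)
BENIGN = build_file(BENIGN_BODY)
# Manipulation: append many benign-looking strings past the declared body so
# the string feature swings the score while the declared body is untouched.
OVERLAY = b"\x00".join(b"benignword%d" % i for i in range(200))
MANIPULATED = MALICIOUS + OVERLAY

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS), ("manipulated", MANIPULATED)):
        for fix in (None, "parser", "model", "drop"):
            r = analyze(blob, fix)
            print(f"{name:12s} fix={str(fix):7s} score={r['score']:7.2f}  {r['label']}")
```

Run unpatched, the manipulated file scores benign even though its declared body is byte-for-byte the malicious sample; each of the three fixes returns it to malicious without changing the benign file's verdict. In a real product the overlay check comes from the file format's own structure and the contribution caps from the training distribution, not from hand-set constants as here.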
Our cloud architecture lets us deploy these enhancements automatically, with minimal impact on our customers.
Comprehensive Offering
Machine learning remains the most effective approach to anti-malware, but it is not the only aspect of our solution, which includes memory defense, script control, and device control with CylancePROTECT®. Our comprehensive platform includes instrumentation and interdiction capabilities with our endpoint detection and response (EDR) product CylanceOPTICS™ and our Managed Detection and Response (MDR) solution CylanceGUARD™.
Looking Ahead
AI and machine learning models are, by nature, living models. They are designed to evolve and do require periodic retraining and field servicing when appropriate. As we raise the bar against threats, those seeking to bypass these models will continue to search for new vulnerabilities.
Nonetheless, machine learning remains the most effective tool in combating malware, which is why the technique has been nearly universally adopted by security vendors. The BlackBerry Cylance platform is designed to be agile and to easily support updates. We are on our 6th generation of machine learning models and the advancements we have made allow us to quickly adapt as the industry evolves.
A Note on Coordinated Disclosure
We appreciate the efforts of security researchers who responsibly disclose vulnerabilities and move the industry forward. BlackBerry Cylance takes all vulnerabilities seriously and encourages researchers to engage with us directly. Our unwavering commitment to our customers drives us to work tirelessly to remediate any and all vulnerabilities in BlackBerry Cylance products.