We had the honour to present our findings in today’s BSides Sydney (Slides). We took this opportunity to make some of the yet unpublished materials public. We can now reveal that the undisclosed game we’ve used is “Rocket League”, but many others work just as well (we’ve tried Fortnite, for example). Some more goodies include the “special sauce” - the list of strings that appear in Rocket League’s executable and are part of Cylance’s model. Just append these into any malicious executable to make Cylance believe it’s benign.

As of today, the bypass is still exploitable on the home edition (Cylance SmartAV). The vendor has told us the enterprise edition (CylancePROTECT) has been fixed, but we were unable to verify that. If you have access to the enterprise edition and can confirm the fix, please let us know in the comments box at the bottom of the page.

TL;DR

AI applications in security are clear and potentially useful; however, AI based products offer a new and unique attack surface. Namely, if you could truly understand how a certain model works, and the type of features it uses to reach a decision, you would have the potential to fool it consistently, creating a universal bypass.

By carefully analyzing the engine and model of Cylance’s AI based antivirus product, we identify a peculiar bias towards a specific game. Combining an analysis of the feature extraction process, its heavy reliance on strings, and its strong bias for this specific game, we are capable of crafting a simple and rather amusing bypass. Namely, by appending a selected list of strings to a malicious file, we are capable of changing its score significantly, avoiding detection.
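As an added example (not part of the original post or of Skylight's materials), here is a defender-side triage check for the technique described above: it parses a PE file's section table, isolates whatever sits after the last section's raw data (the overlay, which is where appended strings land under the assumption that they are simply appended to the end of the file), and reports how much of that overlay is printable text. The minimal PE skeleton and the "benign-looking-token" strings are constructed here purely for the demonstration; they are not the strings from the post.

```python
import re
import struct

def overlay_offset(pe: bytes) -> int:
    """Offset where the overlay starts: the end of the last section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size        # section table follows the optional header
    end = 0
    for i in range(num_sections):               # SizeOfRawData, PointerToRawData per entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))

def overlay_strings(pe: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs (>= min_len bytes) found in the overlay only."""
    tail = pe[overlay_offset(pe):]
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, tail)]

def overlay_report(pe: bytes) -> dict:
    """Summarise the overlay so a triage rule can flag string-stuffed files."""
    tail = pe[overlay_offset(pe):]
    strings = overlay_strings(pe)
    text_bytes = sum(len(s) for s in strings)
    return {
        "overlay_size": len(tail),
        "string_count": len(strings),
        "text_ratio": text_bytes / len(tail) if tail else 0.0,
    }

def build_sample(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE skeleton (one section, no optional header); not a real program."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    headers = dos + coff + section
    headers += bytes(0x200 - len(headers))                                # pad to first raw section
    return headers + b"\xCC" * 0x200 + overlay

# Constructed samples: a clean file, and one with a block of tokens appended after the last section.
CLEAN = build_sample()
STUFFED = build_sample(b"\0".join(b"benign-looking-token-%02d" % i for i in range(30)))
```

A large, almost entirely printable overlay on a file that otherwise needs no overlay is a cheap signal worth surfacing alongside the model's score; on the model side, the same parser lets a feature extractor restrict string features to mapped section data so appended bytes carry no weight.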