BlackBerry Cylance Resolution on Bypass Disclosure
On July 18, 2019, independent researchers publicly disclosed a specific bypass of CylancePROTECT®. BlackBerry Cylance verified the issue was not a universal bypass as reported, but a technique that allowed for one of the anti-malware components to be bypassed in certain circumstances. The issue has been resolved for cloud-based scoring, customers have been notified, and a new agent will be rolled out to endpoints imminently.
Analyzing a file with machine learning (ML) is a multi-stage process. A file is first examined by a parser, which extracts artifacts known as features. A feature can be any aspect of a file that can be interpreted or measured. These features are then passed to a mathematical algorithm for analysis. The vulnerability allows manipulation of a specific type of feature analyzed by the algorithm, which, in limited circumstances, will cause the model to reach an incorrect conclusion.
BlackBerry Cylance’s response to this vulnerability is three-fold:
- Anti-tampering controls have been added to the parser to detect feature manipulation and prevent it from impacting the model score.
- The model has been strengthened to detect when certain features become proportionally overweight.
- Features in the model that were the most susceptible to tampering have been removed.
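To make the parser-and-model pipeline and the "proportionally overweight feature" check concrete, here is an added toy example. It is not BlackBerry Cylance's code, does not reflect their feature set or model, and uses hypothetical feature names (`printable_ratio`, `entropy`, `null_ratio`), a hand-picked linear weight vector and a fixed share cap purely for illustration. The two input "files" are constructed byte strings, not real samples.

```python
"""Toy ML file-analysis pipeline: parser -> feature integrity check -> model.

Illustrates the mitigation pattern from the advisory: a feature family that
has become proportionally overweight is flagged by the parser and kept from
driving the model score. All names, weights and thresholds are hypothetical.
"""
from collections import Counter
import math

# Constructed sample inputs (not real files):
# - BALANCED_FILE: every byte value equally represented (dense, mixed content).
# - DOMINATED_FILE: the same 256 bytes followed by a large run of printable
#   text, so one feature family makes up almost the whole file.
BALANCED_FILE = bytes(range(256)) * 4
DOMINATED_FILE = bytes(range(256)) + b"The quick brown fox " * 100

# Hypothetical linear model weights; positive contributions push the score
# toward "suspicious". Chosen for illustration only.
WEIGHTS = {"printable_ratio": -1.0, "entropy": 0.5, "null_ratio": 0.3}

# Feature families whose share of the file is checked against a cap.
RATIO_FEATURES = ("printable_ratio", "null_ratio")
SHARE_CAP = 0.85  # hypothetical: above this share a family is "overweight"


def extract_features(data: bytes) -> dict:
    """Parser stage: measure a few simple properties of the raw bytes."""
    n = max(len(data), 1)
    printable = sum(1 for b in data if 32 <= b < 127)
    counts = Counter(data)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {
        "size": len(data),
        "printable_ratio": printable / n,
        "entropy": entropy,
        "null_ratio": data.count(0) / n,
    }


def feature_integrity_check(feats: dict, cap: float = SHARE_CAP) -> list:
    """Anti-tampering stage: return the feature families that dominate the file.

    A family whose share exceeds `cap` is treated as proportionally overweight
    and should not be allowed to dominate the score.
    """
    return [name for name in RATIO_FEATURES if feats[name] > cap]


def score_raw(feats: dict, weights: dict = WEIGHTS) -> float:
    """Model stage without the integrity check: plain weighted sum."""
    return sum(weights[k] * feats[k] for k in weights)


def score_guarded(feats: dict, weights: dict = WEIGHTS) -> float:
    """Model stage with the integrity check: flagged features are excluded
    from the weighted sum so they cannot move the score."""
    flagged = set(feature_integrity_check(feats))
    return sum(weights[k] * feats[k] for k in weights if k not in flagged)


if __name__ == "__main__":
    for label, blob in (("balanced", BALANCED_FILE), ("dominated", DOMINATED_FILE)):
        f = extract_features(blob)
        print(label, "flags:", feature_integrity_check(f),
              "raw:", round(score_raw(f), 3),
              "guarded:", round(score_guarded(f), 3))
```

The balanced input passes the integrity check untouched, so both scores agree; for the dominated input the parser flags `printable_ratio` as overweight and the guarded score ignores that family, which is the behaviour the advisory's first two mitigations aim for. A production system would derive the cap from a baseline distribution rather than a constant, but the structure (parser, integrity check, model) is the same.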
Actions / Next Steps for Channel Partners
Partners and customers are encouraged to take the following steps to ensure security best practices:
- Follow the least privilege model; control privileged account elevation
- Ensure the latest versions of BlackBerry-Cylance-related products are installed
- Enable CylancePROTECT Memory Protection and Script Control in Block/Terminate mode
Partners may learn more by accessing the Threat Vector blog.