BlackBerry Cylance Resolution on Bypass Disclosure

On July 18, 2019, independent researchers publicly disclosed a specific bypass of CylancePROTECT®. BlackBerry Cylance verified the issue was not a universal bypass as reported, but a technique that allowed for one of the anti-malware components to be bypassed in certain circumstances. The issue has been resolved for cloud-based scoring, customers have been notified, and a new agent will be rolled out to endpoints imminently.

The Vulnerability

Analyzing a file with machine learning (ML) is a multi-stage process. A file is first examined by a parser, which extracts artifacts known as features. A feature can be any aspect of a file that can be interpreted or measured. These features are then passed to a mathematical algorithm for analysis. The vulnerability allows manipulation of a specific type of feature analyzed by the algorithm, which, in limited circumstances, causes the model to reach an incorrect conclusion.

The Solution

BlackBerry Cylance’s response to this vulnerability is three-fold:

  • Anti-tampering controls have been added to the parser to detect feature manipulation and prevent it from impacting the model score.
  • The model has been strengthened to detect when certain features become proportionally overweight.
  • Features in the model that were the most susceptible to tampering have been removed.
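The two-stage pipeline described under "The Vulnerability" and the overweight-feature guard described in the first two points above, as an added illustration that is not BlackBerry Cylance's code: the feature names, model weights, reference ceilings and sample parser outputs are all constructed for this example and do not describe the real product or the disclosed bypass.

```python
from math import exp

# Added example: a toy two-stage ML file scorer with a "proportionally
# overweight feature" guard. Feature names, weights, ceilings and samples are
# constructed for illustration; none of them come from the CylancePROTECT model.

# Stage 2: a logistic model over the counts the parser stage extracted.
WEIGHTS = {"imports": 0.02, "sections": 0.30, "resources": -0.05, "relocations": -0.04}
BIAS = -1.0

# Reference ceilings on each feature's proportion of file size (count per KB),
# set by hand here; in practice they would be derived from a known-good corpus.
MAX_PER_KB = {"imports": 2.0, "sections": 0.5, "resources": 1.0, "relocations": 0.5}


def raw_score(features):
    """Unguarded maliciousness probability: every feature counts as extracted."""
    z = BIAS + sum(WEIGHTS[name] * value for name, value in features.items())
    return 1.0 / (1.0 + exp(-z))


def overweight_features(features, size_kb):
    """Stage 1 anti-tampering check: report features whose share of the file
    exceeds the reference ceiling instead of trusting them."""
    return {name for name, value in features.items()
            if value / size_kb > MAX_PER_KB[name]}


def guarded_score(features, size_kb):
    """Score with overweight features neutralised so they cannot move the
    result. Returns (probability, set of flagged feature names)."""
    flagged = overweight_features(features, size_kb)
    trusted = {name: (0.0 if name in flagged else value)
               for name, value in features.items()}
    return raw_score(trusted), flagged


# Constructed parser outputs: a 100 KB file with typical proportions, and the
# same file with one feature inflated far beyond the reference ceiling.
TYPICAL = {"imports": 40, "sections": 5, "resources": 10, "relocations": 2}
SKEWED = dict(TYPICAL, resources=150)
SIZE_KB = 100

if __name__ == "__main__":
    for label, feats in (("typical", TYPICAL), ("skewed", SKEWED)):
        prob, flagged = guarded_score(feats, SIZE_KB)
        print(f"{label}: raw={raw_score(feats):.2f} guarded={prob:.2f} "
              f"flagged={sorted(flagged)}")
```

The unguarded score of the skewed sample falls below 0.5 purely because one feature was inflated, while the guarded score ignores that feature and stays above 0.5; a ratio check like this belongs beside parser-level tamper detection, since the ceilings are only as good as the reference data they come from.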

Actions / Next Steps for Channel Partners

Partners and customers are encouraged to take the following steps to follow security best practices:

  1. Follow the least privilege model; control privileged account elevation
  2. Ensure the latest versions of BlackBerry-Cylance-related products are installed
  3. Enable CylancePROTECT Memory Protection and Script Control in Block/Terminate mode

More Information

Partners may learn more by accessing the Threat Vector blog.