Cylance

A Silent Antivirus, A Smart Antivirus?

When asking around about the Cylance antivirus, hearing crickets chirping is not unusual. And the silence doesn’t just have to do with its name… A relatively young company, it entered the market in 2012. From the very beginning, its endpoint protection products were aimed at businesses and enterprises. Now, contrary to that general direction, the Cylance Smart Antivirus actually caters to home users.

So, why would household users look for protection from a company that has focused on business solutions for most of its existence? For starters, because the Cylance antivirus claims to deliver the same sophisticated technology. At an affordable cost!

Does artificial-intelligence-based malware protection sound like something you want to try? Join us in this review and decide if it looks like the right product for your personal needs.

Image of Cylance Protect

To begin with, who’s behind Cylance, anyway?

Is this your first encounter with the company and its products? Let’s shed some light on its profile first.

This is an American company specializing in cybersecurity technology. Founded in the summer of 2012, BlackBerry Cylance won the 2013 GTM Smart Grid Innovators award. Since then, it has won a couple of other awards and mentions, as shown on its official website:

  • The SC Media Innovator Hall of Fame 2018
  • The MSPAlliance MSPWorld Cup Award™ in 2018
  • A mention in the LinkedIn Top Companies / Startups in 2017
  • A mention in the CDM Cyber Security Leaders 2017

Speaking of their official website… One look and it becomes obvious that they are trying to set themselves apart from the pack. The design is unique, and so is the copy of their website content. Their tone is witty and the message is focused on three key words: AI, prevention, and automation. In other words, they promise:

  • Artificial intelligence solutions…
  • For threat prevention and detection…
  • That take place automatically, with minimum intervention from the end user.

From threat prevention to detection and, equally important, response capabilities, the company swears by a cybersecurity suite that does things automatically. Their main product is the Cylance AI Platform, a cybersecurity suite that provides AI endpoint protection for business and enterprise clients. A small fraction of their offer, however, consists of the Cylance Smart Antivirus. This is the security solution dedicated to home digital devices, and it is the one we are going to focus on.

The company sells the message that its products are fundamentally different from traditional antivirus software. More on how and why, coming up next in our Cylance antivirus review.

The antivirus offer & system requirements

In a nutshell, Cylance is selling an antivirus with AI-powered malware protection. It takes pride in its bloat-free offer, saying that it doesn’t include unnecessary features just to raise the price tag. And it promises easy installation, with no need to tweak settings or configure software.

There are currently three different packages available. They all offer the same technical features; they differ only in the subscription term and the number of licenses.

Buyers can choose to:

  • Subscribe for 1 month, 1 year, or 2 years;
  • Benefit from Windows or Mac support;
  • Get licenses for 1 device, for 5 devices, or for 10 devices.

Regardless of the chosen package, the system requirements can be summed up as:

  • Windows operating system from Windows 7 to Windows 10 or Mac;
  • 500MB of free disk space;
  • 2GB of free memory;
  • Microsoft .NET framework 3.5 SP1;
  • Internet connection, for download and registration.

Image of Add Devices section

As mentioned, with every package they promote, the message is clear. They provide a powerful virus scanner, initially conceived for the enterprise and now revamped for the home environment. The antivirus relies on AI-based advanced threat prevention. And it should be easy to use and almost undetectable in terms of system performance impact.

Purchase and download happen online, where users must create an account with BlackBerry Cylance. From that online account they will also be able to view the analysis and performance reports supplied later. But what happens after downloading the Cylance Smart Antivirus?

Essential product features

So, you have paid for a package, downloaded and installed the software. You are probably expecting to see a traditional antivirus program, right? However, Cylance is an endpoint security tool, so it lacks any kind of traditional user interface. This may come as a surprise, but after clicking its icon to launch the antivirus, you will see nothing on your desktop. Where did it go, you wonder?

The only way to tell whether it’s working or not is to look in the notification area (system tray). You should spot its icon there.

The only available action is a right-click on that icon, which opens a context menu. At a glance, it shows:

  • How many files it analyzed so far;
  • How many events it logged.

Want to get into the details of what files it analyzed and what threats it stopped? You would have to go to the online dashboard. In there, you will also find a list of all the devices associated with that account. For each device, you have:

  • Connectivity status (online/offline)
  • Technical details (IP and MAC addresses)
  • The list of detected threats

Want to see the quarantine folder and release certain files from there? That’s where things might get a little complicated… You would have to navigate to a particular folder on disk and remove the .quarantine extension that was appended to the file. After you do that, you can move the file back to its initial location.

While conducting our own Cylance antivirus review, we couldn’t help but notice that:

  • The product is very easy to install;
  • Requires no special configuration;
  • Uses a tiny amount of the system’s resources;
  • Runs silently in the background, without throwing pop-ups at you;
  • Requires no constant signature updates;
  • Self-updates, just as silently as it scans for threats.

Less technical users will probably find a lot of comfort in this set-it-and-forget-it type of protection. One doesn’t need to worry about deciding what to do with the threats the antivirus finds. If and when it spots something, it automatically moves it to quarantine.

As it doesn’t fight in-progress attacks but rather prevents them, the software doesn’t need to scan all the files, all the time. This helps preserve system resources and allows a smooth user experience while using other software and apps. Still, none of this answers the ultimate question…

What is so different about it?

Practice has taught us that developers will say many things to sell their products. That is why the simple promise of a unique artificial intelligence technology isn’t enough to convince us. So, we had to review what Cylance promises against what the lab tests and our own tests showed. Here’s what we found…

As mentioned, Cylance Smart Antivirus claims to be different from traditional AV software. For this reason, it also dismisses the effectiveness of a wide range of threat investigation mechanisms, as follows:

  • Signature pattern matching – far more inflexible than pattern recognition, this type of matching can be easily bypassed by attackers. All it takes is small changes in the parts of the malware that the signature covers.
  • Heuristic investigations – the set of properties an antivirus looks at when running heuristic investigations is also quite inflexible. For an attacker to make their malware unrecognizable, it suffices to change as little as one property from the set the scanner investigates.
  • Behavioral analysis – the actions flagged as dangerous through behavioral analysis are only detected after the malware has entered the system. Since it requires letting the threat in before fighting it, Cylance would, again, disregard this option.
  • Hash-based approaches – just like signature pattern matching; if the attacker changes one bit of the file, the resulting hash no longer matches, and there’s a high chance the scan won’t raise any flag.
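To make the brittleness described in the list concrete from a detection-engineering angle, here is an added illustration (not Cylance’s code, and not a description of its actual model): an exact SHA-256 check against a known-bad list beside a toy score that aggregates several weak indicators. The sample bytes, the feature weights and the entropy threshold are all constructed for this example.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a suspicious executable: fake header, zero padding,
# a few API-name strings a detector might weight, and a high-entropy blob.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"CreateRemoteThread\x00VirtualAllocEx\x00WriteProcessMemory\x00"
    + b"http://example.invalid/update\x00"
    + bytes(range(256)) * 2
)

# Hash-based detection: an exact SHA-256 match against a known-bad list.
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}


def hash_detect(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads tend to score high."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Hypothetical feature weights standing in for a trained model's many features.
FEATURE_WEIGHTS = {
    b"CreateRemoteThread": 0.25,
    b"VirtualAllocEx": 0.2,
    b"WriteProcessMemory": 0.2,
    b"http://": 0.1,
}


def confidence_score(sample: bytes) -> float:
    """Aggregate many weak indicators into one confidence score in [0, 1]."""
    score = sum(w for feat, w in FEATURE_WEIGHTS.items() if feat in sample)
    if shannon_entropy(sample) > 6.0:  # constructed threshold
        score += 0.2
    return min(score, 1.0)


def flip_one_byte(sample: bytes, index: int) -> bytes:
    """Constructed variant: a single byte changed inside the padding region."""
    patched = bytearray(sample)
    patched[index] ^= 0x01
    return bytes(patched)


VARIANT = flip_one_byte(ORIGINAL, 5)  # index 5 lies inside the zero padding
```

Running `hash_detect` on `ORIGINAL` and `VARIANT` returns True and then False, while `confidence_score` returns the same 0.95 for both, because the indicators it aggregates survive the one-byte change.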

Image of Windows Toolbar

To sum up, Cylance insists on the idea that traditional AV would often let the virus run before acting against it. And that attackers can easily make changes in the malware’s code, leaving the AV powerless to identify the threat.

Consequently, their antivirus will not scan static files, but only files that are about to be launched. Thanks to this mode of operation, Cylance:

  • Doesn’t need to scan the disk regularly;
  • Uses significantly less aggregate CPU and memory while it runs;
  • Uses significantly less network bandwidth;
  • Hence the feeling that the system works so smoothly that there is no antivirus running in the background.

How does it really work?

Cylance promotes a signatureless approach based on a combination of artificial intelligence and machine learning, all in an attempt to block malicious code from executing. But AI and ML have been tackled by other brands of antivirus software as well. So, again, we have to ask… How does it recognize malicious code while rejecting all the well-known methods mentioned above?

Sure, the algorithm that the Cylance Smart Antivirus relies on also looks at virus-specific features. But they claim that they don’t work with a simple step-based process, and that they are not looking at a very specific (and small) number of suspicious behaviors. Instead, they look at no less than 1.4 million features. All of these feed into a neural network that is almost impossible (for attackers) to untangle.

The purpose of this heavy system is to make its virus-recognition patterns very complex. So complex that attackers will not be able to identify them. And when they can’t tell what exposes their malware code, they cannot really fight to keep disguising it.

This neural network, which they also call a branched structure, generates confidence scores. The more layers of potentially threatening behaviors and characteristics it spots, the higher the confidence score, and the more certain the antivirus is that it has identified a malicious sample. And all this should be possible even for samples that Cylance has never seen before.

On one hand, the Cylance Smart Antivirus uses huge amounts of data collected in the past to build a predictive model. It relies on this continuously evolving, maze-like predictive model, and with it it can identify threats that it has never encountered before.

On the other hand, attackers who want to work out why Cylance detected their malware face great difficulty. As suggested, they would have to know exactly which elements the antivirus used when it identified their malware. And since there are so many factors taken into account, their odds diminish significantly.

So far, so good…

Are there any drawbacks of the Cylance operation mode?

We’ve made it clear in the introduction of this review that Cylance is well-known in the field of business endpoint security. Yet the Cylance Smart Antivirus is their first consumer-level product. So, we might need more time to draw a fair conclusion on its effectiveness.

  • In fact, the antivirus is not just the first of its kind in the company’s portfolio. It is also so new that independent testing labs haven’t included it in their testing yet. This probably has to do with the fact that its complicated detection methodology is hard to test. Or with the fact that the company has accused these labs of bad practices…
  • For now, we know that the company commissioned a test with the AV-Test institute and one with SE Labs. The second test is particularly interesting. It involved putting a three-year-old version face to face with the WannaCry, Petya and BadRabbit malware strains. The findings?
  • Even though all software updates were blocked, the three-year-old version successfully passed the test. The conclusion was that it managed to spot threats released up to two years after the release of the tested antivirus version.

The Cylance course of action is clear: it sits and waits for files that are about to be launched. Only then does it put its huge network of data into action and analyse them. While the strategy is good for system resources, it shows some significant flaws…

  • For starters, it doesn’t care where the malware came from. This means it won’t try to identify malware-hosting websites. In other words, it has no URL monitoring and no protection against phishing sites.
  • Also, it lacks features found in other antivirus products, namely features designed to minimize the damage in the unfortunate event that it misses a ransomware attack. For sure, it could have used a bit more ransomware protection.
  • Last but not least, it is not clear whether it offers any kind of spyware protection.

On top of all that, we might also argue that:

  • The feature list is quite limited and looking at the basic status information won’t help much;
  • For the more experienced users, the difficulty of investigating whatever Cylance moved to quarantine is not pleasant at all;
  • If you’re used to tweaking your antivirus, you might not like the lack of local settings or of the traditional Scan button.

Image of Cylance Antivirus Software Device Protection Section

Of course, if the Cylance Smart Antivirus really offered the kind of protection it swears by, none of the drawbacks mentioned above would matter. The antivirus should block any threat before it reaches the system, making this discussion entirely irrelevant. To answer whether it really does so or not, we would need to see some independent lab tests, which we currently don’t have. Or sit around and wait for the next big security threat and see how it handles it. Or what happens to our personal data…

Bottom line: only time will tell how effective Cylance really is. In the meantime, we can all agree that it promises pretty amazing things. And that the price tag (along with the number of licenses) is convincing enough for us to keep testing it.