New (Again) user - 3 versions = Cylance Failure

New (Again) user - 3 versions = Cylance Failure

Postby dnewman » 23.04.2019, 15:54

For the last 3 versions have failed Cylance yet the AV page shows it as clean (most recent). I don't know what to do as our Security people don't like me running what they call as "bad programming". I personally love it and the functionality. Symantec doesn't have an issue. I can't understand why the difference with WSUS "detection" and what we are actually using. \Setup.exe, \654da12d-f652-4ca8-97b2-6910df9eaceb, UpdateInstaller.exe were all immediately quarantined during download! UpdateInstaller.exe was marked as UNSAFE. This makes no senses. Any ideas what's going on? Is this really being tested it sure doesn't appear it's actually being tested against the programs (at Cylance). Is there different versions of Cylance or maybe we have our settings cranked up. I don't have any exposure to that side - I just see it fails and I can't use it. It a real disappointment.
dnewman
 
Posts: 2
Joined: 23.04.2019, 14:45
Location: Circleville, OH

Re: New (Again) user - 3 versions = Cylance Failure

Postby Denniss » 23.04.2019, 20:04

our executables are created with AutoIT but many malware programmers seem to use that too so many security engines are alerted once they detect traces from AutoIT
Denniss
 
Posts: 869
Joined: 01.08.2009, 10:51

Re: New (Again) user - 3 versions = Cylance Failure

Postby Dalai » 24.04.2019, 18:26

Well, I've made the experience that VirusTotal scans don't paint the full picture. Local scanners can yield different results.

There's not much that could be done on our end. However, there's a couple of things you can do: Whitelist the download and/or archive and/or directory you use WSUS Offline from. Send the archive and/or EXEs to the anti-virus vendor to re-check their classification so that false positives don't happen anymore in the future (or at least reduce the chance for it). If your security people don't allow it, well, you either have to convince them or live with it. Note that it's not a good idea to work against company security policy, because (security) rules are there for a reason.

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Re: New (Again) user - 3 versions = Cylance Failure

Postby dnewman » 27.04.2019, 21:29

I very much appreciate the response. After doing some additional research, AutoIT has been recently updated to include 2019 C++ includes (I may be mistaken on the details). Locally, they have white listed for use on my PC for previous versions, but getting white listing for all PCs is a completely different animal. Cylance preventing the downloads of the new version changed everything from my perspective. I guess I was hoping for a work-around. Will WSUSOffline work OK if compiled with a previous version of AutoIT? It seemed to help when I recompiled locally and brought the files in from another PC. I will try this unless you say there will be issues with previous version of AutoIT. I will see if I can submit to Cylance too. I also greatly appreciate the advice on not pushing for white listing too much - I think that's very sound advice - I considered it but completely agree. This is one envelope best not tested - one of those - "not career enhancing" moves. Again, thank you very much!
dnewman
 
Posts: 2
Joined: 23.04.2019, 14:45
Location: Circleville, OH

Re: New (Again) user - 3 versions = Cylance Failure

Postby Dalai » 27.04.2019, 21:46

dnewman wrote:After doing some additional research, AutoIT has been recently updated to include 2019 C++ includes

Visual C++ 2019 has nothing to do with AutoIT. And although AutoIT itself is likely compiled with Visual C++, its linker version is 12.0 which is VC++ 2013, not 2019. The fact that WSUS Offline now downloads VC++ 2019 is completely independent from how UpdateGenerator/UpdateInstaller are compiled.

Will WSUSOffline work OK if compiled with a previous version of AutoIT?

Probably yes, but keep in mind that the compiler and the "scripting engine" AutoIT hasn't changed in over a year. In March 2018 AutoIT 3.3.14.5 was released and WSUS Offline updated to this version. Also keep in mind that different compiler/linker settings might yield different results, namely compression and packing (UPX).

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Re: New (Again) user - 3 versions = Cylance Failure

Postby mattrix007 » 08.05.2019, 23:06

Hi....

So my company is also using Cylance and also having problems. I downloaded 11.6.2, and while the zip doesn't hiccup VirusTotal, the UpdateGenerator.exe and UpdateInstaller.exe do.

UpdateGenerator.exe flags "Acronis" as "suspicious" and "Rising" as "Trojan.Win32.Agent_.rm (CLASSIC)"
https://www.virustotal.com/#/file/d577b ... ee/details

UpdateInstaller.exe just flags "Acronis" as "suspicious".

And Cylance hates both.
mattrix007
 
Posts: 2
Joined: 08.05.2019, 22:57

Re: New (Again) user - 3 versions = Cylance Failure

Postby mattrix007 » 08.05.2019, 23:14

I just downloaded https://www.autoitscript.com/cgi-bin/ge ... -setup.exe and figured to run that past VirusTotal to see what that does... and AutoIT3.exe flags as:
https://www.virustotal.com/#/file/237d1 ... /detection

Jiangmin gives the <!> "Trojan.Miner.ffr" and Webroot <!> Pua.Riskware.Autoit
mattrix007
 
Posts: 2
Joined: 08.05.2019, 22:57


Return to Installation / Updating

Who is online

Users browsing this forum: No registered users and 68 guests

cron