This product is the poster child for next-generation anti-malware. The administrative console is cloud based, but all the analysis and decisions are made on the endpoint taking an average of 16 milliseconds. We watched while Cylance technologists ran it against a completely random sample of malware pulled down from VirusTotal. The sample had only malware that had been uploaded that day and included some ransomware. The demonstrators had no idea what they were getting. When the tool was run against the 100 samples, it caught 99 of them and the 100th was a damaged file. We never have seen anything like that.
The approach also is like nothing we've yet seen. For starters, it treats every sample as if it were a zero-day. It uses no signatures and no traditional heuristics. What Cylance has done is break down what malware does into 6.2 million indicators. It then scans every sample looking for those indicators and scores the sample based on its findings. Cylance told us that they achieve a typical 99 percent catch rate, even including zero-days.
Installation of CylancePROTECT on the endpoint is trivial. All of the heavy lifting is done on the endpoint. This becomes very important when the device is off the network or unable to connect to the cloud. The opening dashboard is deceptively simple, but under the pretty skin the drill-downs are impressive.
Installation takes a matter of minutes. All a user needs to do is log into the cloud-based system and enter a token supplied by the administrator. Once you're up and running, as administrator you can get a global list of the malware seen on your enterprise. Drilling down from there gets you a threat details screen that has a lot to say about the sample. Cylance has scored the sample and that score is on the threat details screen, as well as various confidence levels that indicate that the sample really is what Cylance says it is. Should you have a sample that was not picked up by Cylance for whatever reason - perhaps it is on a computer that is not part of the network - you can upload it directly to the cloud for analysis.
The product is policy-driven and building policies and models is very easy. Another feature we were taken with is that the administrator can build whitelists of applications that are allowed to run on the endpoint. If your app is not on the list it won't run.
Also, the endpoint does not have to be connected to the internet. The agent will keep the computer safe until it returns to a point where it can communicate and then it updates if necessary. The only changes it would see are product updates. There never are any new signature files since it does not use them. So the updating, when the computer returns to the web, simply involves those changes in the product that occurred while the computer was disconnected.
Documentation is complete and has the requisite hyperlinks and screenshots, so anything that seems necessary to use or administer the tool is at your fingertips. Pricing is reasonable, if a tad high, for this coverage. However, for a 99 percent catch rate on random samples we may be forgiven if we remind you that you get what you pay for. We know of no other anti-malware product that achieves 99 percent as an average.
The website has a lot of resources, and eight-hours-a-day/five-days-a-week support is part of the offering. Fee-based support packages also are available. Overall, we really like this product. It may set a trend for next-generation anti-malware, a term we took, initially, as marketing speak. Looking at how Cylance achieves its objectives, however, convinced us that this is definitely not the case. In addition to its anti-malware capabilities, it has intrusion prevention for the endpoint, and application whitelisting also is available. Memory inspection and monitoring for exploitation attempts is, as one would expect, part of the package.