Probably the best Anti-Virus in the world? (But not for smaller companies)
I was recently invited to the Cylance Unbelievable Tour (Cylance being a new breed of anti-virus vendor) by Rob Russell (Armadillo) and was completely blown away by the effectiveness of their solution when compared to three leading vendors who, to save their blushes, shall remain anonymous.
They describe their solution as “Advanced Threat Prevention Built on Artificial Intelligence and Machine Learning”, and to say I was impressed is the understatement of the year.
Why Are They Different?
Most AV solutions require one or more “patient zeros”: an unfortunate company or individual who gets infected first, so that the vendor can capture a sample, write a signature for it and push it out to protect the rest of their users. Until that sample exists there is nothing in the database to match. It is directly comparable to how doctors have to identify a new illness before they can develop a vaccine against it.
When you sit back and think about the implications, it’s not great: a fee-paying client of these companies will be infected before the rest of their clients can be protected. I was sat next to an IT manager at a 200-strong firm who had been infected with a new piece of ransomware and had 70% of a shared drive encrypted before they realised. On contacting their AV supplier, it was a further 36 hours before the supplier updated their systems to protect the rest of their clients. The source of the original infection was a trusted website that had been hacked and seeded with malware.
The Cylance way
Cylance uses a model that decides in under 100 ms whether an executable is safe to run. If it is blocked, the file can be pushed to a sandbox in the “cloud” and detonated to see what the outcome would have been, so a bona fide application can be whitelisted if the alert turns out to be a false positive.
Does it Work?
It really does. In a live test with 200 fresh (less than 24 hours old) malware samples, Cylance identified every single one, while the other vendors missed a large number. The samples were then modified so that they still worked but had a different signature; Cylance still had a 100% hit rate, and the other solutions missed even more than in the first test.
How Do They Do It?
A large team of very clever people has developed a classification model that runs locally on the endpoint, so it keeps working even when the machine is offline. It’s also incredibly fast and less processor-intensive than traditional solutions, a big plus for users who get frustrated when an AV product slows down their machine and workflow.
It is available for PCs and Macs, and is soon to be released for Linux-based machines.
The Scary Stuff about Viruses and Malware
It’s a huge business: there are now software houses that do nothing but create new malware and ransomware, as they can earn a substantial income, with ransomware returning between $250 and $1,000 per paid ransom.
It’s also easier than ever to “genetically” engineer malware so that it looks different from existing threats. Readily available repacking tools change the file’s bytes, and therefore its hash and signature, without changing what the code does, rendering traditional signature-based AV far less effective against the result.
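The point made above (and in the test results earlier, where trivially modified samples slipped past signature-based products) is easy to show in code. The following is an added example, not Cylance’s model or any vendor’s code: it builds a toy “signature database” of exact SHA-256 hashes, “repacks” a constructed sample so that it keeps all of its functional content but has a different hash, and compares the verdicts of the hash lookup against a simple static-feature check. The sample files, the header layout and the indicator list are all constructed for illustration and contain no real malware.

```python
import hashlib

# Constructed toy "executables": byte strings standing in for real files.
# Nothing here is real malware; the suspicious strings are just the kind of
# static indicator a feature-based engine might key on (assumed list).
HEADER = b"MZ\x90\x00" + b"\x00" * 12          # 16-byte fake header; bytes 8..11 = "build id"
KNOWN_SAMPLE = (
    HEADER
    + b"CryptEncrypt\x00vssadmin delete shadows\x00http://pay.example/decrypt\x00"
    + b"\x00" * 32
)
BENIGN_FILE = HEADER + b"Hello, world!\x00CreateWindowExW\x00" + b"\x00" * 32

# Assumed indicator list for the toy heuristic engine.
INDICATORS = (b"CryptEncrypt", b"vssadmin delete shadows", b"pay.example", b"bitcoin")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Traditional signature database: exact hashes of samples the vendor has already
# seen. Only a "patient zero" submission gets KNOWN_SAMPLE into this set.
SIGNATURE_DB = {sha256_hex(KNOWN_SAMPLE)}


def signature_match(data: bytes, db=SIGNATURE_DB) -> bool:
    """Hash-based detection: flags the file only if this exact byte string is known."""
    return sha256_hex(data) in db


def repack(data: bytes, build_id: int) -> bytes:
    """Produce a functionally identical variant of a sample.

    Patches the 4-byte 'build id' field in the fake header and appends a few
    padding bytes. Real repackers and crypters do far more than this, but even
    a change this trivial is enough to defeat an exact-hash signature.
    """
    patched = bytearray(data)
    patched[8:12] = build_id.to_bytes(4, "little")
    return bytes(patched) + b"\x90" * (1 + build_id % 37)


def indicator_score(data: bytes) -> int:
    """Count how many static indicators appear in the file content."""
    return sum(1 for ind in INDICATORS if ind in data)


def heuristic_match(data: bytes, threshold: int = 2) -> bool:
    """Feature-based detection: flags the file if enough indicators are present,
    regardless of its hash. (A stand-in for a real classifier, not one itself.)"""
    return indicator_score(data) >= threshold


def evaluate(samples: dict) -> dict:
    """Return both verdicts for every sample, keyed by sample name."""
    return {
        name: {"signature": signature_match(d), "heuristic": heuristic_match(d)}
        for name, d in samples.items()
    }


if __name__ == "__main__":
    variants = {"known": KNOWN_SAMPLE, "benign": BENIGN_FILE}
    for i in range(1, 4):
        variants[f"repacked-{i}"] = repack(KNOWN_SAMPLE, i * 1000)
    for name, verdict in evaluate(variants).items():
        print(f"{name:12} signature={verdict['signature']!s:5} heuristic={verdict['heuristic']}")
```

Running it shows the known sample caught by both checks, the benign file caught by neither, and every repacked variant missed by the hash lookup but still caught by the indicator check. The toy heuristic is itself easy to evade (obfuscate the strings and the score drops to zero), which is exactly why the vendors discussed here moved to models trained on many file features rather than a handful of fixed indicators; the example only illustrates the gap between “have I seen these exact bytes before” and “does this file look like malware”.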
The software houses are also getting more cunning about how they package ransomware. One infamous infection required you to click an “Allow” button so that it could gain admin rights over your files. As most people clicked Cancel to deny this, the authors added a second program so that clicking Cancel encrypted your hard disk anyway!
The proof of the pudding…..
Thirty minutes after getting back to the office I emailed to place an order, as I was so convinced that we needed this solution. This is where the only negative I could find reared its head. Cylance had just upped their minimum number of licences from 10 to 50, effectively putting this amazing and, some could argue, essential tool outside the budgets of exactly the small and medium-sized companies who could probably use it the most.
I am sure there is an overhead which makes selling low numbers of licences less profitable, but it is a real shame. We now need to decide whether the advantage is worth the vastly increased annual fee we would need to invest, as we would have a large number of unused licences.