Buzzwords against viruses: How Cylance is revolutionising the antivirus industry
Most modern virus scanners use reactive and proactive methods to protect against malware. In the reactive method, the "fingerprint" of a suspicious file is compared, when the file is executed, with a database of fingerprints of known viruses, a so-called signature database. If there is a match, the virus is recognised as such and neutralised before it can cause any damage. The disadvantage is obvious: if there is no match but the file is still malware, the user only notices this when it is already too late. In addition, every new virus sample must be analysed "by hand" by specialists in a time-consuming process before it can be added to the signature database and thus become available to all other instances of the antivirus programme.
Many modern computer viruses have mechanisms to circumvent this method of detection. As with their biological counterparts, this is called "mutation": the structure of the virus is automatically changed in such a way that even virus protection programmes that have already indexed an older version of the same malware do not recognise the new mutation.
Therefore, virus protection often uses additional proactive methods such as behavioural analyses or heuristics. This is to ensure that even unknown computer viruses are quickly detected and automatically indexed. The antivirus software monitors and checks the behaviour of all running programmes in real time. This happens either during active operation or in a sandbox, a sealed-off area within the system. If characteristics of known viruses are identified in unknown programmes or if a certain threshold of suspicious actions is exceeded by a seemingly harmless programme, an alarm is sounded.
Although these methods are much more successful at detecting unknown malware, they also bring disadvantages for the end user: in both cases, the malware must first be executed before it can be recognised as such. In a sandbox this is much safer, but often very time- and resource-intensive. User-friendliness must inevitably give way to security.
Where other providers continue to rely on daily updates of signature databases, the trained eye of specialists and the execution of potentially dangerous programmes, Cylance, founded in 2012, takes a fundamentally different approach. It relies on prevention: its antivirus product CylancePROTECT uses a mixture of artificial intelligence, machine learning and the cloud to stop known as well as unknown malware before it can even be executed. What sounds like buzzword bingo and "Minority Report" at first glance is astonishingly effective in practice: in independent virus protection tests by MRG Effitas and AV-Comparatives, CylancePROTECT achieved detection rates of 91.6 % and 92 % respectively for in-the-wild malware, and that entirely without traditional methods such as a signature database or heuristics. And the trend is upwards.
But how?
According to Cylance, which is currently one of the fastest-growing security start-ups in the world, CylancePROTECT breaks each file down into its basic components in order to analyse individual characteristics. To do this, the artificial intelligence at the core of CylancePROTECT uses a mixture of applied mathematics and machine learning based on a dataset of both benign and malicious files. This allows it to decide in a split second whether an unknown file is a threat or not. It does not rely on an internet or cloud connection to do this: all analysis is performed locally. This unusual approach even enables CylancePROTECT's AI to protect against zero-day exploits across platforms.
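The contrast drawn above, between a signature database that a mutated sample slips past and a static feature analysis that classifies a file without executing it, as an added toy illustration (this is not Cylance's code or model, and the sample bytes, the mutation scheme, the byte-histogram feature and the 0.85 threshold are all constructed for the demonstration):

```python
import hashlib
import math
from collections import Counter

# Constructed, harmless stand-ins: an arbitrary "known sample" and a benign text
# document. Nothing here is real malware; the byte patterns carry no payload.
KNOWN_SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10" * 8
    + b"CreateRemoteThread\x00WriteProcessMemory\x00" * 2
    + b"\x33\xc0\x5d\xc3" * 8
)
BENIGN_SAMPLE = b"Quarterly report: revenue grew 4% year over year.\n" * 3

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def mutate(data: bytes, stride: int = 12) -> bytes:
    """Toy 'mutation': reorder fixed-size blocks and pad them with NOP-like junk.
    The content is the same, but every hash-based fingerprint changes."""
    blocks = [data[i:i + stride] for i in range(0, len(data), stride)]
    blocks.reverse()
    return b"\x90".join(blocks)

def byte_histogram(data: bytes) -> list:
    """Static feature vector (relative frequency of each byte value), computed
    from the file alone, without executing it or running it in a sandbox."""
    counts = Counter(data)
    return [counts.get(b, 0) / len(data) for b in range(256)]

def cosine(a: list, b: list) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

# The reactive approach stores exact fingerprints; the feature-based approach
# stores a profile (here one histogram, a stand-in for a trained model).
SIGNATURE_DB = {sha256(KNOWN_SAMPLE)}
FEATURE_MODEL = byte_histogram(KNOWN_SAMPLE)
THRESHOLD = 0.85  # constructed cut-off; a real model learns its decision boundary

def signature_match(data: bytes) -> bool:
    return sha256(data) in SIGNATURE_DB

def feature_score(data: bytes) -> float:
    return cosine(byte_histogram(data), FEATURE_MODEL)

def feature_match(data: bytes) -> bool:
    return feature_score(data) >= THRESHOLD

if __name__ == "__main__":
    for name, blob in [("known", KNOWN_SAMPLE), ("mutated", mutate(KNOWN_SAMPLE)),
                       ("benign", BENIGN_SAMPLE)]:
        print(f"{name:8} signature={signature_match(blob)!s:5} "
              f"features={feature_match(blob)!s:5} score={feature_score(blob):.3f}")
```

The junk-padding mutation defeats the hash but barely moves the histogram, while the benign document scores well below the threshold; a packed or encrypted variant would move the histogram too, which is why a real static model relies on far more features than one byte distribution.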
However, when analysing unfamiliar files, the software often proceeds very aggressively at first, which can lead to false alarms under certain circumstances. Behind this is another feature of CylancePROTECT: after manual tuning, the adaptive AI quickly adjusts to the circumstances of a new environment and can thus protect against threats even more effectively.
CylanceHYBRID allows CylancePROTECT instances to be set up without connecting every endpoint to the cloud. This means that internal networks, or networks holding sensitive data without a direct internet connection, can also be protected efficiently and safely. Through the CylanceAPI, the antivirus software can be integrated easily into existing security solutions. The package is rounded off by CylanceOPTICS, a comprehensive Endpoint Detection and Response (EDR) tool, which helps to analyse and display the causes of a block by CylancePROTECT.