Julia blocked by CylanceUI

I’m trying to use Julia for a work project and have installed it through brew cask install julia. I can launch the REPL but anytime I try to run any code, Julia gets killed by zsh. I then get a notification from CylanceUI (I suppose my work’s virus protector) saying that it blocked Julia.

I opened up the details pane of CylanceUI and get this:

I know this is probably more of a question for IT, but would there be any reason Julia is blocked? I have no problems running other REPL’s like R and Python.

UPDATE: It looks like it’s being shutdown because of a StackPivot which is a known vulnerability.

I am running with Cylance protection and have no issue running Julia. Cylance does use AI based algorithms so maybe it thinks your usage pattern changed unexpectedly.

I imagine that your IT department should be able to whitelist it then (usually, these tools provide limited, if any, controls to the end user, but YMMV).

Would it be possible for you to share some information Cylance surely is providing about the reason Julia has been terminated? If possible, versioninfo() from the REPL (or, alternatively, julia version) would be nice.

“Stack pivoting” is a technique used in exploit development to gain control of the control flow of a vulnerable program, so if that indeed is the reason Cyclance terminates Julia that’s an issue that should be fixed.

I’m currently running Julia 1.2.0. Here is a screen shot of what exactly is happening when I try to run Julia. The REPL will actually launch, but the first command will kill the program.

My computer is running Cylance 2.0.1530.505

Looks like I can only share one image per post as a new user:

Here is another screenshot of Cylance showing the details behind killing Julia:

Does this also happen when you put

using InteractiveUtils

println(versioninfo())

in a file (e.g. tmp.jl) and run the file via the commandline (with julia tmp.jl)?

IIRC folks have worked around this false positive in the past by getting their IT to whitelist Julia. It’d be great to report this directly to Cylance themselves, but I think you — as a Cylance customer — need to be the one to do that.

4 Likes

It seems to work when I run it through a file on the command line, although I’m getting an error, not sure if’s related to Cylance:

$> julia tmp.jl
Julia Version 1.2.0
Commit c6da87ff4b (2019-08-20 00:03 UTC)
Platform Info:
  OS: macOS (x86_64-apple-darwin18.6.0)
  CPU: Intel(R) Xeon(R) CPU           X5670  @ 2.93GHz
  WORD_SIZE: 64
  LIBM: libopenlibm
  LLVM: libLLVM-6.0.1 (ORCJIT, westmere)
ERROR: LoadError: ArgumentError: `nothing` should not be printed; use `show`, `repr`, or custom output instead.
Stacktrace:
 [1] print(::Base.TTY, ::Nothing) at ./show.jl:587
 [2] print(::Base.TTY, ::Nothing, ::Char) at ./strings/io.jl:48
 [3] println(::Base.TTY, ::Nothing) at ./strings/io.jl:75
 [4] println(::Nothing) at ./coreio.jl:4
 [5] top-level scope at /Users/mcdodj/tmp.jl:4
 [6] include at ./boot.jl:328 [inlined]
 [7] include_relative(::Module, ::String) at ./loading.jl:1094
 [8] include(::Module, ::String) at ./Base.jl:31
 [9] exec_options(::Base.JLOptions) at ./client.jl:295
 [10] _start() at ./client.jl:464
in expression starting at /Users/mcdodj/tmp.jl:4

Ok, that’s good - I get the same error and I’m not running Cylance, so that’s unrelated (but should probably be fixed nonetheless). That at least rules out core julia (well, and InteractiveUtils) and localizes the problem to the REPL, if I’m not mistaken.

Julia uses multiple stacks to implement coroutines (aka tasks), which is a fundamental feature of the language. If Cylance thinks that what Julia does is an attack that’s somewhat understandable, but it’s perfecrly legitimate for programs to have multiple stacks. You can try the JULIA_COPY_STACKS environment variable in the upcoming Julia 1.3 release to avoid actually jumping to any stacks but the main one at the cost of reduced performance of task switching. The real solution here is for Cylance to have better precision when detecting what is an attack and what isn’t.

5 Likes

Ah, gotcha!

1 Like

I have a stack of filed issues with my IT department for this. I still have to get each release of Julia whitelisted. I haven’t been able to file a complaint directly to Cylance because I’m technically not the customer so I cant file a log through their official channels

2 Likes

Even though you can’t officially file a complaint, you can submit a case at https://support.cylance.com/s/?language=en_US. Perhaps if enough folks do that, they’ll take notice even if we’re not Cylance administrators.

2 Likes

This may be useful, but I still think that the best way to solve this is people affected by this asking their IT to open a ticket a Cyclance. They are, after all, paying for a product, for which they should get support.

Has anyone here done this?

So I’ve been going back and forth higher and higher in the IT department. I finally caught someone from our department IT team in a lecture hall and sent him an email while sitting next to him and said “I’m sending you an email about this issue so you have another official ticket but here are the problems…”.

I was sent an email that my IT issue ticked had been closed and that the downloads of Julia needed to be a signed binary or we would have to manually whitelist each release. So I sent him this link (which was sent to IT in the 3rd iteration of me trying to get this fixed in May).

My IT issue ticket has now been updated to “waiting for support”. Meanwhile, I’ve been updated to exasperated.

4 Likes

I’m in the same boat as you. I emailed Cylance and CC’d the head of our IT, I attached this thread to my IT request. I got a guy to supposedly unblock it, but when I went to update my Cylance policy nothing happened.

What does it take to make it a signed binary? I’m just curious why I don’t have this problem with every other language I can freely download.

If you follow the link above it takes you to where I was kindly shown that it is a signed binary. I don’t know if this has different meanings though. I’m pretty skeptical of Cylance as a whole though and read something a while ago that seemed like a pretty poor way automating what gets whitelisted.

Finally got a response last night from IT and they claim Julia is now white listed by Cylance. I was able to get the latest release candidate running on my laptop. I’ll try it on my work desktop today to see if they actually fixed it or just white listed it for my computer (which is what they did before for individual releases).

If anyone has the time and opportunity it would be nice to see if they could build Julia on a Cylance monitored machine. This was also impossible to do without the operation being aborted prematurely by Cylance.

3 Likes

Also, anyone ever noticed the similarity between Cylance and Cylon?