Time to say goodbye to Xcitium

I thought i will share our experience and why he have decided to move on. We have been using Xcitium for about 8 yrs now. For us it has always been a love/hate relationship. The problems of late have just pushed us over the edge and decided to look at other products on the market. After a couple of months, we have made our decision. We need an all-around great solutions covering all attack vectors, platforms etc.

Our conclusion still is, when it comes to unknown threats executing on endpoints, xcitium is the best but other vendors are very very close with protection and everyone is improving their tech. The issue for us is xcitium is one of the few endpoints on the market with now antispam, has web protection but we found this to almost never work and cannot manage it from the dashboard. You then have to use XEG and XIG to make up for this shortfall. They have very outdated dashboard and feels old. On this same note, there are settings on the endpoint you cannot manage from the dashboard, this is bad development. With the auto containment being so good but the av lacking in other security aspects and features, many bugs, it’s just not worth staying just for the containment.

With XIG there is still no way to easily upgrade the agent from the XIG portal. We have to battle with procedures, and they never work. We then have to uninstall this manually and install again on every endpoint. The reporting on XIG is not user friendly, unusable and all over the place. This is not productive for an “Enterprise” solution. Found also pages to be blocked randomly and in the most ridiculous category that is not remotely close the real category.

This is very sad for us, but we had to make a decision that was best for our business and customers. It’s a big task to change vendors and inform customers but it had to be done. Xctium has alot to do to grow as they can’t just relay on their containment tech to attract and keep customers. Now with the annual increase, the SOCaaP from $3.25 jumping to $12 is just crazy. How do we justify a x3 price increase to customers and still have to add profit on top of this, we are a non-US based company and have to take exchange rate into account. Strangely the SOCaaP is cheaper on the iTarian platform as well as XCS…

For most of you here, you might not have any real issues or complaints about Xcitium but this is unfortunately not the case for us. We had to log tickets for issues every month, most tickets stay open for weeks and even months. There were times support was waiting for us, but this is very little in comparison where have to follow up on tickets and what is happening. We can’t work like this anymore and there is always something up with the software an causing some sort of issues and generating alot of unnecessary support calls for us.

The other issue we have is with malware rating. We submit alot of malware on a monthly basis to help xcitium and possibly help our customers. There were many times we had to object to the rating, the very same VT button in Valkyrie takes you to the score, then for example 50 vendors will rate this a malware but xcitium does not. So, who is correct here? Or Valkyrie will show it’s clean, then on on VT xcitium is one of the vendors that rate it as malware. Very confusing. I can understand if Valkyrie shows malware and on VT not as there is a bit of a delay to update but not this way around.

We are moving to itarain as we will still use it for the remote support etc. This platform is also not very great for patch management as you have to jump through hoops to stop updates from installing automatically. Itarain is much better at the msp aspects than xcitium but that is what it was designed for. We are using another RMM just because we couldn’t really use it, but we have kept some less essential endpoint on it and will move them to itarain.

I do hope they improve and wish them nothing but the best, but we have to part ways.

@ilgaz can you please fix this?

@nivedithab please fix Xcitium

hi @QuickSilverST

Regret the inconveniences caused to you. I have forwarded your feedback regarding the XCS and other features which needs improvement and fix to the product management team to ensure the best service to be provided. I hope you could stay as a part of Xcitium and allow us serve you with our best service.

@melih you might want to have a read?

Hello QuickSilverST,
Reading your post, made me think that you stold my notes that I was keeping for my exit letter. I hate to see you go because you had great responses to some of the many questions that I had that others had asked. I knew something was up when I did not see your handle show up on the forum as frequently as it used to. What you posted was eligantly said. I am experiencing everything that you had written. At first I thought it was because I was new to Xcitium. I am sure I don’t manage near the clients that you do but it became a fulltime job fielding calls about things that work one month and the next month they don’t. I have a client that has nearly 2 million notifications on his profile. I can’t read them all ten lines at a time. I am thinking deleting all them if I can in a mass delete and starting over. I have lines in logs over and over that a procedure or a function was blocked then deemed safe. The stupid question from me is if it was rated safe once why the hell are we blocking over and over and rating safe over and over. Performance and network traffic has to suffer by this behaviour.

Yes the big frustration is that there are tabs on each Asset\Endpoint labeled Antivirus, HIPS, Firewall ect. You click on them and they are empty most of the time. Instead you have to go to Security and look under there in the pool of 50 or 100 machines and all of the messages generated by their presence. And decipher what the messages mean and hope that the machien you are working on is one of the number of endpoints the message is for…

Do I think this product can be good? Probably. I have to think it won’t let anything nefarious run, because much of the safe files don’t run either without the file being added to the list of safe programs, it seems. And this behaviour changes witht the wind. I don’t know how many One Drive notifications I received in the past but I am sure it was a bunch. So we have to manually exclude a Microsoft Signed application?

Again it seems to be a full time job and that is not what people need. The software has to do a little bit of thinking for itself. Evidence of things going bad, is when you log into the portal and it times out with a message that an internal error has occurred try again later.

My customers are frustrated with me and my choice to move them off of Symantec, but I already have dealt with a RYUK breach with one of my clients which was “protected” with Symantec. The threat actor was undetected for as long as eight months. Symantec was quiet the whole time. I was not going through that experience again. I must say that the Xcitium has become the extreme the other direction.

I field a lot of calls now with angry clients and software vendors trying to figure out why their apps don’t work. If I am at my desk and have the computer on you may or may not see the layer of Xcitium acting on the program or app. Sometimes it takes twelve hours for it to show on the portal. I am still on 12.10 because of the other version problems that I had. So what does one do down the road? Upgrade and fight problems or find some thing that works a little more hands off.

I wish you well on your next adventure QuickSilverST.

@dickk_MpA Thank you for posting your problems. Really felt it’s just us and other people only have minor problems. I feel your pain of endless troubleshooting and figuring out why things are block, sometime there is no real why to immediately say it’s xcs, but i know in my gut it is and was right 90% of the time. Performance is a problem; clients have many times complained about this and will give us screenshots of task manager and you can see high usage from comodo. Sure, they did give us the performance feature which did help. Even with the basic level 1 profile we saw no real improvement when it comes to performance. The issues we have is full scans/quicks scans are either running hours/days or fail. This is not the first time this has happening and was fixed many times in previous releases. The issue of upgrading xcitium software stuck with “command in que”. Sending commands, procedures take forever to reach machines. Even with fast networks, internet and proper equipment and makes no difference.

We have a ticket open for months now, we can’t see HIPS events in the dashboard, firewall works fine but can’t see HIPS. Still no fix. We sometimes forget our own tickets and what we have open as we have so many at one stage. Many of our problems we don’t even log. We had clients where they refuse to have any xcitium software on their machines and had to remove them. We ran out of excuses, and they were tired of hearing them.

We had many machines just randomly on startup can’t load user profiles, then we know it’s HIPS due to experience with this, it’s a mission to get the endpoint removed. Once removed the machine is perfectly fine. Also, the remote control is very slow even on endpoints with other av solutions. Not sure if it is our country/region maybe but we will use comodo remote control, lags heavy take forever to do something remotely, then on that same machine we stay connected, then run TeamViewer/anydesk and it’s a night/day deference. Sure, these companies have been doing this for much longer and better but again not something that is very reliable. Now we still have this bug when comodo remote control is open, the shift, crtl etc buttons don’t work and battle to enter passwords. We have to wait of close/reconnect for it to work.

For us still the chat function does not work, we tried the isolate endpoint, doesn’t work. Loaded malware on it as it might only work once detection is detected, nope still does not isolate endpoint. Tried on many endpoints.

For use there are features still lacking, when we get them, they don’t work or get quietly deployed.

I can go on and on but i think the message is clear and tried to put everything of importance on this forum.

Fellow vendor, so, not going to bust XCITIUM’s balls here. May I offer technically-spoken light to the team, however.

At a technological level, XCITIUM has high effectiveness at containing threats, and helping protect users from a myriad of threats. XCITIUM is one of the few platforms that when I hold it in my digital hand, I feel I’m wielding something more powerful than most.

However, we’ve personally spotted these behaviors which we considered “out of bounds”:

• shortcuts self-hiding/self-evicting (XCS)
• profile de-syncing (XCS)
• procedures fail consistantly/constantly (XCS + RMM)
• manual verdicts not syncing (XCS)
• remote updates just…don’t work. Initially, chalked it up to “our DNS isn’t playing nice with XCITIUM servers and we need to fix that”, but, seeing this thread, I recant that assumption (XCS, CC)

When folks present bugs as such, we get told “run this file then create a ticket somewhere else”. If this is the required level to troubleshoot even very simple bugs, patching all of these is going to be a long haul. A few weeks/months ago, we reported an issue with Bulk Installers being unavailable. I still couldn’t grab one a few days ago. I still can’t now.

Absolutely no logs coming from my end could fix this; but a peek @ your web server logs might.

I…know no other way to say it than somebody at XCITIUM needs to bring some stronger coffee down to the developers, and we need a bug smashing week or something. Either that, OR see, bug frequency becomes easier to forgive with a rapid, effective update lifecycle.

Do not let poor inter-connectivity and poor inter-operability be the “thing” that makes XCITIUM unbearable to consumers, because what are the grand alternatives out there, honestly. CrowdStrike, where we flag everything, analyze nothing, pray to our AI gods? Symantec? (Don’t choose Symantec, if you’re reading this, medusa will pop your EP’s). Trellix or FireEye or whatever the hell, which is just re-skinned McAfee roots? I mean, Okta just recently showed us that I guess “In MalwareBytes Free we Trust” is the move in 2024, so hell, MalwareBytes? None of these are practical answers compared to what XCITIUM clients, customers, and shoppers require.

I feel some of the assessments of XCITIUM on this post come across extremely critical. Equally, it’s important that criticality here translates into frustration - as amazing as XCITIUM’s toolkit is, you’ve frustrated a consumer into being THAT professionally critical of you. That’s an achievement amongst us.

I would like to see a response to this en-masse out-cry that indicates a roadmap for getting this platform where all of us need it to function to perform our individual tasks with technical responsiveness and utility.

@QuickSilverST best of luck if you do transition to another vendor. I wish you equal luck with their own strokes and oddities; they’re prevalent no matter what direction you turn.

@BeeHiveCyberSecurity Howdy, thank you for your input. I think this thread was a good idea to maybe air the problems other customers have. As you say not to dunk on xcitium but maybe bring these issues to light from this angle. No one wants to change their vendor, it’s a hassle. But we had to do this as we can’t wait one day for things to be better or swing in our favor, we have a business to run and clients to keep happy. We are fatigued as it is. It’s a busy year and a lot of responsibilities to keeps systems running don’t want to troubleshoot constantly and fix issues in the software that is supposed to make this easier.

We did see in the itarain platform it has the containment profile only and the pricing it think you can just take that but will find out from our account manager; we will look into this to see if we can run this alongside our new solutions and any problems, but this will be later. Fur us to be honest it’s only the containment that made us stay this long. Yes, the other modules are good as well, but better than the big players, i don’t really think so. As you mentioned the other vendors, we won’t touch any of them with a 10 foot pole. The vendor we chose is a very good all-rounder, every vendor has pro’s and cons, and obviously our new vendor has less cons as we know this vendor also for a very long time.

We also had xcitium not stop phishing websites and alot of non-malware types of threats, then MS365 defender came in for the rescue. Xcitium is good for when things try to run on the machine, other than that not so great.

a lot to unpack here. I asked product management team to take all the feedback and push it into our development roadmap.

but let me shed some light to few misconceptions…

The enemy is the “Payload”… and as you noticed Xcitium does that really well.
Protecting the System vs Protecting the Data are two different things.
https://www.youtube.com/watch?v=Frx52YMHZ24 Xcitium does the protection of the system (and data if these payloads result in data exfiltration)

There is a simple trick Cybersecurity pros use against phishing…“they never enter any details from clicking on a link on email”… a very simple and extremely effective strategy against phishing

There is an active work on bringing some cool DLP capabilities to the platform for “Data Protection”…watch this space…

Bottom line, we are extremely grateful for your feedback and we take it very seriously. @ilgaz heads up our product management and he will work with you guys and identify any issues anyone has one by one, take it…create a ticket (that’s how we feed the devs ) push it into their sprints, feed them a lot of pizza and coffee…free massage…more pizza and coffee…and deliver what you guys want.
Again, thank you for your patience and participation! We want to protect you!

@BeeHiveCyberSecurity these are great insights/bugs, please keep’em coming, THANK YOU!!!

@ilgaz pls create tickets for these and report back when we could provide a solution to these.

hi @BeeHiveCyberSecurity , we have put all those on our roadmap.

• CS-49708: shortcuts self-hiding/self-evicting (XCS)
• CS-49709: profile de-syncing (XCS)
• CS-49710: procedures fail consistantly/constantly (XCS + RMM)
• CS-49275: manual verdicts not syncing (XCS)
• CS-49711: remote updates just…don’t work. Initially, chalked it up to “our DNS isn’t playing nice with XCITIUM servers and we need to fix that”, but, seeing this thread, I recant that assumption (XCS, CC)

We will work with engineering on all issues, and we will provide delivery dates for each of them as soon as possible.

Thank you very much for your participation! All the feedback is invaluable to us!

QuickSilverST
This thread is a good idea! I would like to see what is already released fixed and working before any new features are added to the software. It might be lack of experience on my part but it seems to me that some parts of this system which should be intuitive to run are not easy to work with. An example would be a client calling me stating that their software vendor has been remoted into their machine for two hours trying to fix a problem that out of the blue showed up and they are not getting anywhere with it. I would like to bring the machine in question up in the portal go to the tabs called HIPS, or Containment or whatever and open that section up to see if there is an entry in there for the software that is misbehaving. I dont see the trouble there. I have to go to Security and dig for issues there. Many times there is nothing to look for. The next day while working on a different problem the software pops up as being flagged in Containment or maybe it is a part of a HIPS event. When the customer is on the phone with their software vendor it looks better if I can see a problem quickly, respond to it and move on. Only in a perfect world i guess.

I appreciate XCITIUM staff and users unilaterally speaking out here and responding. It’s good to see initiative of awareness.

What we do is already just like…hellacious enough, in any unique regard. SOC work depending on the angle yknow, it can be tedious, boring, just ick. Couple years ago yknow, weren’t we reducing alert fatigue n all of that crap and now we’re using AI to replace the alerts we reduced The larger thing though is the investment, I feel that many folks felt provoked to indeed add their input here, because they did not feel an informational investment from the XCITIUM team. This is not to point the finger at XCITIUM’s entire team and say “bad dog”, but, we have a common enemy, a common goal, and it’s so god mf damn frustrating when we’re working to reach it at different paces, some unsupporting of business operations as normal as has become evident in QuickSilver’s case.

@ilgaz took the time to chat with us earlier regarding ease of reporting. I feel that with more enabled options to report issues that don’t directly involve de-routing a human to follow a specific guide, overall bugs and issues will be more forgivable by being easier to report and communicate about. I look forward to seeing these updates uber-specifically.

I feel that all of us unilaterally, regardless of who or what we’re protecting or utilizing XCITIUM for, we want to feel that the development of the platform, is invested in the enablement of it’s users, to execute the operations of our requirement, and I feel the lack of that inspired much of the “scrappery” to create this post.

TY all for taking this seriously <3

@dickk_MpA Yes, i had that many times. They will phone and say your antivirus is blocking us. Then i see stuff running in containment. This was 2nd nature for me to see where HIPS/containment was interfering and i fixed it. Sometimes i had an issue witht the firewall but not as much as the other 2 modules. Because of so much interfering’s etc over years one tends to pick up the issues quickly but is still a bit of the pain when you have the other tech guy on the phone and try to explain how containment work, after years i gave up on that and just said i will fix it hehe

Good use case for us to solve.
Can you please tell us exactly where you want to see and what you want to see, perhaps you can do a screenshot of the UI and tell us exactly what you would like.
these are all great and important ideas, we want to make sure we understand it fully so that we can build it for you asap!
thank you again!

this is hillarious but true!

@dickk_MpA , this is great feedback! I would love to fully understand the exact use case, and what would you like to see and where. Even a very basic mockup would help a lot. The key here is full alignment… so that we can give you exactly what you want. Thank you very much!

I will try to prepare some screen shots and events for you. I used one of my clients licenses and enrolled one of my laptops in their portal. I put in its own group and began using the laptop for various things last night. I also wear the hat of a commercial broadcast engineer. I launched a program used in one of my stations that is an automation program that handles the audio that gets aired day by day. I launch the program from a batch file that has several lines in it. It maps drive letters to specific network shares and local directoriess are substituted to drive letters. And finally calls the exe to start the program. The batch file was contained, as the green boarded was a tell tale sign. This is the part that is frustrating to me and which causes me trouble with my clients. So I know what is going on, the batch file is running in containment. I go to the machine in question on the assets tab and choose it. This is where it seems logical to go when something is being blocked to find it and make the corrections. I choose the containment tab and the screen is blank… No results. Parallel this scenario with my clients software vendor remoted in at $300 per hour troubleshooting a quirk issue. He grabs an update trys to run it. It gets contained. After about an hour of screwing around they call me. I see the problem after going to Security and digging through the entries. I mark the file as trusted. Doesnt help. Then exclude it doesnt help. If you wait long enough and the syntax was correct enough and general enough the software vendor can finish his update. More times than not I have to finish the update because the mitigation of the problem does not work right away. I blame myself for not knowing how to simply let a program through that is trusted. With the laptop now with a program that I see gets contained, I can run through trying to make the thing run and I time myself. It is not pretty and in my opinion should not be that hard to do. If containment blocks it then exclude it in containment. If it is a HIPS issue one should be able to go there and fix it with ease. I am sorry but it is not happening in my world.

Hi @dickk_MpA , thank you very much for the detailed explanation! I extracted 3 issues out of what you wrote:

1- Containment Logs are absent on device details: CS-49789
2- Trusted file gets contained: CS-49791
3- File gets contained even if it is excluded: CS-49792

Our support team started investigation and will contact you as needed.