Fileless Malware, the Achilles' Heel of Traditional Antivirus Software
Typical antivirus products and endpoint services today generally come with two ways of detecting malware:
Signature-based antivirus has evolved since the days of the earliest MS-DOS malware, but still follows the tried-and-tested formula of using a sample of the malware's code to identify an infection on the computer. MSAV, the antivirus built into MS-DOS 6.0, followed that formula in the same way that Microsoft's current antimalware for Windows, Defender, does today.
Heuristics requires intensive antimalware processes to be installed deep in the Windows operating system, hooking its functionality in order to "monitor" the computer's activity at a granular level and detect "suspicious behaviors" similar to what malware does. This is more potent than the signature-based method, but highly prone to false positives.
However, even with the combined strength of signature checking and heuristics, they have a hard time detecting one type of malware: the type that does not need a file stored on the storage device in order to operate, known as fileless malware. McAfee, a mainstream antimalware vendor, has emphasized how hard it is to find malware that resides in memory only, with no file on the disk hosting it. Because of this, it is fairly difficult to monitor the malware's operations.
“Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove,” explained a McAfee representative.
The problem is that these fileless viruses use regular Windows APIs to perform the actual operations, such as deleting a file, instead of the virus authors programming that functionality into the virus itself.
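To make the contrast between the two detection methods concrete, the following added example (not code from the original article, from McAfee, or from any antivirus product) implements a toy signature scan over an in-memory "disk" and a weighted behavior check over constructed process-creation log lines. The file contents, the log lines, the `key=value` log format, the `Demo.Dropper.A` signature, the rule names and the weights are all constructed assumptions for the demo; real engines consume Sysmon/ETW/EDR telemetry and carry far larger rule and signature sets. The point it demonstrates is the one the text makes: a payload that exists only in memory and drives a legitimate script host leaves nothing for the signature scan to match, so only the behavior rules (parent/child relationship, encoded and hidden-window invocation) can raise an alert, while a threshold keeps a single weak signal from a legitimate scheduled script below the alert line.

```python
"""Signature scan vs. behavior-based detection on constructed sample data (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# --- Signature-based detection ---------------------------------------------
# Constructed signature database: one byte pattern attributed to a hypothetical
# known sample. Real engines use many patterns, hashes and wildcards.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Dropper.A": rb"DEMO_DROPPER_MARKER_[0-9]{4}",
}


def signature_scan(files_on_disk: Dict[str, bytes]) -> Dict[str, str]:
    """Return {path: signature_name} for every file whose bytes match a known signature."""
    hits: Dict[str, str] = {}
    for path, data in files_on_disk.items():
        for sig_name, pattern in SIGNATURES.items():
            if re.search(pattern, data):
                hits[path] = sig_name
    return hits


# --- Behavior-based detection ----------------------------------------------
# Assumed log format for this example: one process-creation event per line,
# carrying pid, parent image, child image and the quoted command line.
EVENT_RE = re.compile(
    r'pid=(?P<pid>\d+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"'
)


@dataclass
class ProcessEvent:
    pid: int
    parent: str
    image: str
    cmdline: str


def parse_events(log_text: str) -> List[ProcessEvent]:
    """Parse the constructed key=value log lines; image names are lower-cased for matching."""
    events: List[ProcessEvent] = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(ProcessEvent(int(m["pid"]), m["parent"].lower(), m["image"].lower(), m["cmdline"]))
    return events


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Each rule is (name, weight, predicate). Weights are constructed for the demo;
# requiring a combined score lets one weak signal stay below the alert line,
# which is how behavior engines keep false positives down.
RULES: List[Tuple[str, int, Callable[[ProcessEvent], bool]]] = [
    ("office-spawns-script-host", 60, lambda e: e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS),
    ("encoded-command", 30, lambda e: e.image in SCRIPT_HOSTS
        and re.search(r"-e(?:nc|ncodedcommand)?\s", e.cmdline, re.I) is not None),
    ("hidden-window", 20, lambda e: re.search(r"-w(?:indowstyle)?\s+hidden", e.cmdline, re.I) is not None),
]
ALERT_THRESHOLD = 50


def behavior_scan(events: List[ProcessEvent]) -> Dict[int, dict]:
    """Score each event against RULES; return {pid: {"score", "rules"}} for events at or above the threshold."""
    alerts: Dict[int, dict] = {}
    for e in events:
        matched = [name for name, _, pred in RULES if pred(e)]
        score = sum(w for name, w, _ in RULES if name in matched)
        if score >= ALERT_THRESHOLD:
            alerts[e.pid] = {"score": score, "rules": matched}
    return alerts


# --- Constructed sample data -------------------------------------------------
# The disk holds a benign document and a known dropper; the fileless run (pid 4188)
# writes nothing to disk, so it appears only as process activity.
DISK: Dict[str, bytes] = {
    r"C:\Users\alice\Documents\report.docx": b"PK\x03\x04 benign office document bytes",
    r"C:\Users\alice\Downloads\setup.exe": b"MZ\x90\x00 DEMO_DROPPER_MARKER_2024 more bytes",
}

PROCESS_LOG = (
    '2024-05-01T10:00:01Z pid=4120 parent=explorer.exe image=winword.exe cmdline="winword.exe report.docx"\n'
    '2024-05-01T10:00:07Z pid=4188 parent=winword.exe image=powershell.exe '
    'cmdline="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QUJDRA=="\n'  # placeholder base64
    '2024-05-01T10:05:00Z pid=5010 parent=explorer.exe image=powershell.exe '
    'cmdline="powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"\n'
    '2024-05-01T10:06:00Z pid=5022 parent=svchost.exe image=powershell.exe '
    'cmdline="powershell.exe -WindowStyle Hidden -File C:\\ProgramData\\agent\\inventory.ps1"\n'
)


def analyze(disk: Dict[str, bytes], log_text: str) -> dict:
    """Run both detection methods and return their findings side by side."""
    return {"signature_hits": signature_scan(disk), "behavior_alerts": behavior_scan(parse_events(log_text))}


if __name__ == "__main__":
    print(analyze(DISK, PROCESS_LOG))
```

Running it shows the signature scan catching only the on-disk dropper, while the behavior scan alerts on pid 4188 (Office parent, encoded command, hidden window: score 110) and stays silent on the two administrator scripts, including the one that uses a hidden window alone (score 20). Tuning the weights and threshold is exactly the trade-off between detection and false positives that the text attributes to heuristics.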
To protect against fileless malware, organizations need to adopt an approach to cybersecurity that combines user behavior, processes, and technology:
- Educate users not to click suspicious links or open suspicious attachments
- Keep all endpoint software up to date
- Enforce strong passwords or multi-factor authentication
- Introduce a behavior detection tool that can detect threats in real time
- Implement remote browser separation (Web separation) for all Web browsing