Fileless Malware, The Archilles Hill Of Traditional Antivirus Software
A typical antivirus products and End Point services today generally speaking comes with two ways of detecting malware:
- Signature-based
- Heuristics
The signature-based antivirus has evolved since the days of the earliest MS-DOS malware, but still follows the tried-and-tested formula of using sample part of the malware code in order to identify malware infection in the computer. MSAV, the built-in antivirus of MS-DOS 6.0 followed that formula the same way that the latest Microsoft-created antimalware for Windows, Defender is today.
Heuristics requires intensive antimalware processes to be installed deep into Windows operating system, installing hooks into its functionalities in order to “monitor” the activities of the computer in a granular level to detect “suspicious behaviors” similar to what a malware does. More potent than signature-based antimalware method, but highly prone to false positives.
However, even with the combined strength of signature-checking and heuristics, they have a hard time detecting one-type of malware, the type that does not use a file stored on the storage device for it to operate: fileless malware. McAfee, a mainstream antimalware vendor has emphasized how hard to find malware that resides in memory only, no file on the disk hosting it. With this, it is fairly difficult to monitor the operations of the malware.
“Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove,” explained McAfee representative.
The problem is these fileless viruses use regular Windows APIs in order to perform the actual operations like deleting a file instead of the virus authors programming the functionality in the virus itself.
To protect against fileless malware, organizations need to adopt an approach to cybersecurity that combines user behavior, processes, and technology.
- Conduct user education not to execute suspicious link clicks and attachments
- Keep all endpoint software up to date
- Introduce strong password enforcement or multi-factor authentication
- Introduce a behavior detection tool that can detect threats in real time
- Implement remote browser separation (Web separation) for all Web browsing
If remote browser separation is introduced, it adds more layer of defense even if the user is attacked by a malware email campaign (or other fileless malware), the JavaScript downloaded from the malicious website will be on the remote server isolated from the endpoint as it runs on a disposable container. The virtual browser remotely renders web content and streams harmless web screens to endpoints. Active code and scripts never reach the endpoint, and the endpoint and internal network are secure. This will be new hope for countermeasures against fileless malware. Paired with user education, the computer infected by fileless malware will be quickly be removed from the network. This in order to take-out the possibility of it being continuously used for distributing more infection to the rest of the network. The end-users (employees in the enterprise environment) are the primary defense frontliners for cybersecurity, they require to have enough knowledge to determine if something wrong is already happening in their computers.
Related Resources:
Best free antivirus for android
What’s New With Separ Malware Family in 2019
0 Comments