Malware is (potentially) well-written software, indistinguishable from any other piece of code, until it performs a malicious act.
All malware starts its life unidentified as malware (i.e. unknown), and only gets classed as malware once it has performed a malicious act and has been identified, which is, by definition, too late.
What is the malware problem?
Allowing files with an unknown security profile to run on a system with unfettered, uncontrolled access.
If a file has already been identified as malware it will be blacklisted by the multitude of available scanners, and blocked and erased at every opportunity, providing easily 95%+ protection against “known” malware. The more advanced detection systems will be able to identify known malware even when it is disguised, but the key point is that detection systems rely on already knowing that a file is bad.
But a file that is not already known as malware should not automatically be considered good until its intent can be proven to be good, both now and through any future event. That is not a simple undertaking, but one that demands the highest levels of careful evaluation by both automated systems and humans, to ensure that the unknown file is not going to perform a malicious act when some future event takes place. Once this validation has been completed a verdict can be issued, identifying the file either as good or as bad, and future copies of this exact file can then be treated accordingly.
While the unknown file is being evaluated (ideally in a cloud-based environment, to minimize any consumption of system performance), the original copy of the unknown file can be executed in a controlled, virtualized environment, both to allow normal use and access to continue and to ensure that no malicious act can actually impact the host machine.
The virtualized environment “contains” the execution of the unknown file, limiting its ability to access system resources to only those that are safe. Any writes to the hard disk, COM interfaces or registry are diverted to their virtual equivalents, ensuring that no data can be changed in the physical environment or sent out of the virtual environment. In this way, any potentially malicious action can be averted.
The copy of the file being evaluated in the cloud environment is also subjected to human review, to ensure that malicious activity designed to be hidden from even the most advanced AI evaluation can be identified. Once a verdict from this evaluation has been reached, it is used to update the blacklists and whitelists, ensuring that other copies of this same file can be quickly filtered out in future detections and minimizing the resource requirement on the cloud and host environments.
Using this mix of detection and virtualized, containment-based prevention of infection provides the highest levels of security with minimal user interaction. Even when users are coerced into engaging with malware through social engineering techniques, this model will still stop infections.
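The policy described above (block what is known-bad, run what is known-good, contain the unknown while a copy is analysed, then feed the verdict back into the lists) can be sketched as a small simulation. This is an added example written for this page, not the vendor's product code; the VerdictStore and ContainedRuntime classes, the operation tuples, the toy_cloud_analysis stand-in and the sample file contents are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def file_hash(data: bytes) -> str:
    """Identity used by the blacklist/whitelist: SHA-256 of the file bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class VerdictStore:
    """Whitelist and blacklist keyed by file hash, fed by analysis verdicts."""
    good: set = field(default_factory=set)
    bad: set = field(default_factory=set)

    def classify(self, h: str) -> str:
        if h in self.bad:
            return "known-bad"
        if h in self.good:
            return "known-good"
        return "unknown"

    def record_verdict(self, h: str, verdict: str) -> None:
        # Later copies of the same file are then filtered by hash lookup alone.
        if verdict == "bad":
            self.bad.add(h)
            self.good.discard(h)
        elif verdict == "good":
            self.good.add(h)
            self.bad.discard(h)
        else:
            raise ValueError(f"unexpected verdict {verdict!r}")


@dataclass
class ContainedRuntime:
    """Simulated container: disk and registry writes land in throw-away overlays
    and anything the program tries to send out is dropped (constructed model)."""
    virtual_disk: dict = field(default_factory=dict)
    virtual_registry: dict = field(default_factory=dict)
    dropped_egress: list = field(default_factory=list)

    def apply(self, op: tuple) -> None:
        kind, key, value = op
        if kind == "write":
            self.virtual_disk[key] = value            # diverted from the real disk
        elif kind == "reg":
            self.virtual_registry[key] = value        # diverted from the real registry
        elif kind == "send":
            self.dropped_egress.append((key, value))  # never leaves the container
        else:
            raise ValueError(f"unknown operation {kind!r}")


def apply_on_host(op: tuple, host_disk: dict, host_registry: dict, sent: list) -> None:
    """Unrestricted execution: the same operations hit the real host state."""
    kind, key, value = op
    if kind == "write":
        host_disk[key] = value
    elif kind == "reg":
        host_registry[key] = value
    elif kind == "send":
        sent.append((key, value))
    else:
        raise ValueError(f"unknown operation {kind!r}")


def handle_file(name, data, ops, store, host_disk, host_registry, sent, cloud_analysis):
    """Block known-bad, run known-good on the host, contain the unknown while a
    copy is analysed, then record the verdict so future copies are filtered."""
    h = file_hash(data)
    status = store.classify(h)
    if status == "known-bad":
        return {"file": name, "action": "blocked", "verdict": "bad"}
    if status == "known-good":
        for op in ops:
            apply_on_host(op, host_disk, host_registry, sent)
        return {"file": name, "action": "ran-on-host", "verdict": "good"}
    runtime = ContainedRuntime()
    for op in ops:                  # the user keeps working, inside the container
        runtime.apply(op)
    verdict = cloud_analysis(data)  # meanwhile a copy is evaluated out of band
    store.record_verdict(h, verdict)
    return {"file": name, "action": "ran-contained", "verdict": verdict,
            "virtual_writes": len(runtime.virtual_disk) + len(runtime.virtual_registry),
            "dropped_egress": len(runtime.dropped_egress)}


def toy_cloud_analysis(data: bytes) -> str:
    """Constructed stand-in for the automated plus human evaluation: a file is
    'bad' if its bytes contain the marker 'evil'. Real evaluation is far richer."""
    return "bad" if b"evil" in data else "good"


def demo():
    """Runs two constructed unknown files twice each; returns the outcomes and
    the final host state so the effect of containment is visible."""
    host_disk = {"C:/docs/report.txt": b"quarterly numbers"}
    host_registry, sent, store = {}, [], VerdictStore()
    dropper = b"MZ evil dropper (constructed sample)"
    tool = b"MZ harmless tool (constructed sample)"
    dropper_ops = [("write", "C:/Windows/evil.dll", b"payload"),
                   ("reg", "HKCU/Run/evil", "evil.dll"),
                   ("send", "collector.example", host_disk["C:/docs/report.txt"])]
    tool_ops = [("write", "C:/docs/notes.txt", b"hello")]
    results = [handle_file(n, d, o, store, host_disk, host_registry, sent, toy_cloud_analysis)
               for n, d, o in [("dropper.exe", dropper, dropper_ops), ("dropper.exe", dropper, dropper_ops),
                               ("tool.exe", tool, tool_ops), ("tool.exe", tool, tool_ops)]]
    return results, host_disk, host_registry, sent
```

Running demo() shows the first copy of each unknown file executing inside the container (the dropper's disk and registry writes stay in the overlays and its outbound send is dropped), while the second copy is handled by hash lookup alone: the dropper is blocked outright and the benign tool runs on the host, where its write finally lands.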
Even in the most rigorously managed secure environments, each endpoint will receive at least one unknown file approximately once every three weeks. And when you consider that the data we have collected from billions of unknown files indicates that approximately 10% of unknown files contain some level of malware, the risk can be calculated simply for any size of environment.
For example, if you manage just 1000 endpoints, you can expect over 30 of them to be infected with some form of malware each month. While not all malware is serious (adding menus to web browsers and monitoring access to specific websites), some clearly is (key-loggers, worms, ransomware, viruses etc.), and the chances are that with just 1000 active endpoints you will be hurt by at least one serious malware infection every few weeks if you rely on detection of “known” malware only.
Every day new malware is issued by those with malevolent intentions, specifically because they recognize the strategic weakness in purely detection-based security systems.
Detection alone cannot protect you from all malware, only from known malware. You need detection along with prevention of infection to be as secure as possible.