Using URLs to malicious sites instead of file attachments
Using “fileless” attacks that run through Windows PowerShell instead of dropping an executable on disk
Continuously producing new malware variants so fresh that no signature exists for them yet (so-called zero-day malware)
Sending malicious commands to trusted, already-installed programs (“living off the land”)
Hiding malicious code in MS Office documents

Because the threat landscape has changed so completely over the last 10-15 years, signature-based antivirus/anti-malware products are no longer the best protection available, and relying on them alone can leave your network open to a breach. For the best network support and security, you need next-generation, behavior-based protection, and we highly recommend it to all of our clients.
How Do Behavior-Based Antivirus/Anti-Malware Products Work?
How do you catch a new ransomware strain that is in no known threat database, or that arrives as a link rather than a malicious attachment? The answer is to judge code by what it does rather than by what it is: monitor for suspicious behavior, use application whitelisting, and detonate unknown files in a sandbox.
In one study, 25% of phishing emails made it past Microsoft Exchange Online Protection. Many of them used URLs to dangerous sites or spoofed sign-in forms rather than a file attachment.
We work with products like SentinelOne and Huntress, next-generation security products designed to protect against even sophisticated threats. They employ several safeguards that do not require a threat to already be known in order to stop it.
Suspicious Behavior Monitoring
One way to catch a virus or other malware is to observe how applications and the system itself behave. The behavior-monitoring engines in next-gen security products keep learning, through machine learning models, which kinds of activity indicate that an unwanted program is running on your system.
For example, if a malicious command is fed to Windows PowerShell (a legitimate program built into Windows 10) and causes it to rewrite access permissions on many files in quick succession, a next-gen security tool flags it, because that sudden burst of changes is not normal for a user session. The tool then acts to stop the process and alerts the user or admin so they can respond.
This is how these tools catch zero-day threats and fileless attacks: they are not looking for a particular piece of malicious code or a specific command, they are looking for the behavior it causes. Because the detection fires once the behavior has started, the tool also needs to be able to kill the process quickly and, ideally, roll back the changes it already made.
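As an added example (not code from the original page, and not from SentinelOne or Huntress), here is the kind of rule a behavior monitor applies to the PowerShell case above: a burst of permission-changing commands from one process inside a short window. The log lines are constructed for the example, and the line layout, the 60-second window and the three-command threshold are assumptions; a real product would read the same signal from process and script-block telemetry.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of PowerShell command log entries (not real telemetry).
# Assumed layout per line: "<ISO timestamp> <user> <pid> <command line>"
SAMPLE_LOG = r"""
2024-03-04T09:12:01 alice 4120 Get-ChildItem C:\Reports
2024-03-04T09:12:05 alice 4120 icacls C:\Reports\Q1 /grant alice:F
2024-03-04T10:40:02 alice 5588 icacls C:\Users\alice\Documents /grant Everyone:F /T
2024-03-04T10:40:03 alice 5588 icacls C:\Users\alice\Pictures /grant Everyone:F /T
2024-03-04T10:40:03 alice 5588 Set-Acl -Path C:\Users\alice\Desktop -AclObject $acl
2024-03-04T10:40:04 alice 5588 takeown /F C:\Users\Public /R
2024-03-04T10:40:05 alice 5588 icacls C:\Users\Public /grant Everyone:F /T
2024-03-04T11:02:11 bob 7012 Get-Process
"""

# Commands that rewrite ownership or ACLs on Windows.
ACL_CHANGE = re.compile(r"^(icacls|cacls|takeown|set-acl)\b", re.IGNORECASE)
# The first drive-letter path on the command line is treated as the target.
TARGET_PATH = re.compile(r"[A-Za-z]:\\\S*")
WINDOW = timedelta(seconds=60)   # assumed: look-back window
THRESHOLD = 3                    # assumed: ACL changes per window that raise an alert


def parse_line(line):
    ts, user, pid, cmd = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, int(pid), cmd


def find_acl_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Alert on any process that issues >= threshold ACL/ownership changes within window."""
    recent = {}        # pid -> deque of (timestamp, target path) still inside the window
    alerted = set()    # alert once per process, on the event that crosses the threshold
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, pid, cmd = parse_line(raw)
        if not ACL_CHANGE.match(cmd):
            continue   # ordinary commands are not tracked at all
        m = TARGET_PATH.search(cmd)
        target = m.group(0) if m else "<unknown>"
        q = recent.setdefault(pid, deque())
        q.append((ts, target))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({
                "pid": pid,
                "user": user,
                "count": len(q),
                "targets": sorted({t for _, t in q}),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_acl_bursts(SAMPLE_LOG):
        print(f"ALERT pid={alert['pid']} user={alert['user']}: "
              f"{alert['count']} ACL changes between {alert['first']} and {alert['last']} on "
              f"{', '.join(alert['targets'])}")
```

Run as-is, it is silent for alice's single `icacls` in the morning and for bob's `Get-Process`, and raises one alert for process 5588 the moment its third permission change lands within a second of the first. Nothing in the rule names a piece of malware; a legitimate admin script doing the same thing would trip it too, which is why such alerts are tuned per environment rather than shipped as fixed signatures.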
Application Whitelisting
When you blacklist an application, you tell the operating system that it is not allowed to run. The catch is that you can only blacklist threats you already know about; a new or repackaged one is simply not on the list.
Whitelisting takes the opposite approach. Instead of blocking specific programs, you allow specific programs. A whitelisted program is trusted and may execute; everything else is denied by default.
This lets next-gen security software block unknown threats: if a program is not on the whitelist, it is blocked automatically, and the user is notified of its presence and its attempt to run. The price is maintenance, since every legitimate update or new tool has to be approved, which is why production whitelists are usually built on publisher signatures and trusted paths rather than on individual file hashes.
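To make the difference concrete, here is an added example (not the page's own code, nor any vendor's) that evaluates the same set of programs under a hash-based blacklist and a hash-based whitelist. The "executables" are constructed byte strings standing in for PE files, and the contents of both lists are assumptions; the point it shows is that a never-seen binary and a trivially repacked known-bad binary both sail past the blacklist and both stop at the whitelist.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables; on a real endpoint these would be the
# bytes of PE files on disk, identified by their SHA-256.
PROGRAMS = {
    "notepad.exe":        b"MZ\x90\x00 notepad build 1.0",
    "outlook.exe":        b"MZ\x90\x00 outlook build 16.0",
    "mimikatz.exe":       b"MZ\x90\x00 credential dumper",   # known bad
    "invoice_viewer.exe": b"MZ\x90\x00 never seen before",   # brand new, no signature yet
}
# The same known-bad binary with one byte appended: a trivial repack changes the hash.
PROGRAMS["mimikatz_repacked.exe"] = PROGRAMS["mimikatz.exe"] + b"\x00"

# Blacklist: hashes of malware we already know about (assumed contents).
KNOWN_BAD = {sha256(PROGRAMS["mimikatz.exe"])}
# Whitelist: hashes of the programs this workstation is allowed to run (assumed contents).
ALLOWED = {sha256(PROGRAMS["notepad.exe"]), sha256(PROGRAMS["outlook.exe"])}


def blacklist_policy(data: bytes) -> str:
    """Default allow: only stop what is on the known-bad list."""
    return "block" if sha256(data) in KNOWN_BAD else "allow"


def whitelist_policy(data: bytes) -> str:
    """Default deny: only run what is explicitly trusted."""
    return "allow" if sha256(data) in ALLOWED else "block"


def evaluate(policy):
    """Decision for every program under the given policy, keyed by file name."""
    return {name: policy(data) for name, data in PROGRAMS.items()}


def blacklist_misses():
    """Programs the blacklist lets run that the whitelist would have stopped."""
    bl, wl = evaluate(blacklist_policy), evaluate(whitelist_policy)
    return sorted(n for n in PROGRAMS if bl[n] == "allow" and wl[n] == "block")


if __name__ == "__main__":
    for name, data in PROGRAMS.items():
        print(f"{name:24} blacklist={blacklist_policy(data):5} "
              f"whitelist={whitelist_policy(data)}")
    print("missed by the blacklist:", blacklist_misses())
```

`blacklist_misses()` returns `invoice_viewer.exe` and `mimikatz_repacked.exe`: the first because nobody has catalogued it yet, the second because one extra byte is enough to defeat a hash lookup. The whitelist never had to know about either. The same default-deny logic is what makes a hash-only whitelist painful in practice, since the next `notepad.exe` update would be blocked too until its new hash is approved.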
Sandboxing
Some malicious programs are “sleepers.” They are designed to look innocent when they first land on your system and to do nothing suspicious until they are past your defenses; only then do they execute their malicious commands.
Sandboxing takes files that arrive by email, for example, and opens them in an isolated environment that simulates your computer. This “sandbox” gives them a place to run safely, away from your real systems.
The sandbox is designed to trick the file into thinking it is safely past your defenses and inside a normal operating system, so that it reveals its true intent. Once it starts showing malicious behavior, it is caught and dealt with. Well-written sleepers try to wait the sandbox out, so a good sandbox also fakes the passage of time rather than letting a long delay run down its observation period.
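The sleeper-versus-sandbox exchange above, as an added example that is not part of the original page and not any product's implementation. A real sandbox runs the file in a throwaway virtual machine and hooks the operating system; here the "sample" is a constructed Python function that can only act through a `Sandbox` object, so the idea runs offline. The observation budget, the sleep-skipping trick, and the verdict rules (an outbound connection or a batch of `.locked` writes counts as malicious) are all assumptions made for the example.

```python
# Constructed model of a detonation sandbox: records every action the sample
# attempts and serves it a virtual clock so a sleeper cannot wait us out.

class ObservationBudgetExceeded(Exception):
    """Raised when the sample would keep us waiting longer than we are willing to."""


class Sandbox:
    def __init__(self, budget_seconds=120, skip_sleeps=True):
        self.budget = budget_seconds    # assumed: how long we will really wait
        self.skip_sleeps = skip_sleeps  # fake the passage of time instead of waiting
        self.clock = 0.0                # time as the sample sees it
        self.waited = 0.0               # time we actually spent waiting
        self.actions = []               # everything the sample tried to do

    # --- the only interface the sample gets ---
    def now(self):
        return self.clock

    def sleep(self, seconds):
        self.actions.append(("sleep", seconds))
        self.clock += seconds           # the sample always believes the time passed
        if not self.skip_sleeps:
            self.waited += seconds      # ...but we only really wait when not skipping
            if self.waited > self.budget:
                raise ObservationBudgetExceeded(self.waited)

    def read_file(self, path):
        self.actions.append(("read", path))
        return b"<contents of %s>" % path.encode()

    def write_file(self, path, data):
        self.actions.append(("write", path))

    def connect(self, host, port):
        self.actions.append(("connect", f"{host}:{port}"))


def verdict(actions, completed):
    """Assumed rules: any outbound connect, or >= 3 '.locked' writes, is malicious."""
    locked = sum(1 for kind, what in actions if kind == "write" and what.endswith(".locked"))
    connects = sum(1 for kind, _ in actions if kind == "connect")
    if locked >= 3 or connects:
        return "malicious"
    return "clean" if completed else "inconclusive"


def detonate(sample, skip_sleeps=True, budget_seconds=120):
    """Run one sample to completion (or until the budget runs out) and judge it."""
    sb = Sandbox(budget_seconds, skip_sleeps)
    completed = True
    try:
        sample(sb)
    except ObservationBudgetExceeded:
        completed = False
    return {"completed": completed,
            "verdict": verdict(sb.actions, completed),
            "actions": sb.actions}


# --- constructed samples ---
DOCS = r"C:\Users\alice\Documents"


def sleeper_sample(env):
    """Looks harmless for an hour, then encrypts documents and phones home."""
    start = env.now()
    env.read_file(DOCS + "\\budget.xlsx")
    while env.now() - start < 3600:
        env.sleep(600)
    for doc in ("budget.xlsx", "contracts.docx", "payroll.csv"):
        env.write_file(DOCS + "\\" + doc + ".locked", b"...")
    env.connect("203.0.113.9", 443)


def benign_sample(env):
    env.read_file(DOCS + "\\budget.xlsx")
    env.write_file(r"C:\Users\alice\AppData\Local\Temp\report.tmp", b"...")


if __name__ == "__main__":
    for name, sample in (("sleeper", sleeper_sample), ("benign", benign_sample)):
        for skip in (False, True):
            r = detonate(sample, skip_sleeps=skip)
            print(f"{name:8} skip_sleeps={skip!s:5} completed={r['completed']!s:5} "
                  f"verdict={r['verdict']}")
```

With `skip_sleeps=False` the sleeper's first ten-minute nap blows the two-minute budget and the run ends with only a file read on record, so the verdict is "inconclusive", which is exactly the outcome a sleeper is counting on. With `skip_sleeps=True` the sandbox answers each sleep by advancing the sample's clock instantly; after six such naps the sample believes an hour has passed, writes its three `.locked` files, connects out, and is judged malicious in no real time at all. The benign sample is "clean" either way.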