For years, the way that traditional antivirus, anti-malware, and other security products worked was to look for a threat signature on an email file attachment or other system file by checking that file against a list of known threats.
Where does this list come from?
As new types of viruses, malware, and other threats are discovered, software vendors of these signature-based antivirus/anti-malware tools will create an update to detect and stop them and add them to their database of known threats.
Whenever your security tool encounters a file that it needs to evaluate, like an email file attachment, the tool checks it against that threat database list. If it’s there, it is stopped. If it’s not there, it’s allowed to be opened and executed.
While this system may have been okay for catching most threats for a while, hackers have long caught up with the system and created multiple workarounds, making it ineffective.
Approximately 1 in every 99 emails is a phishing attempt.
Workarounds that are designed to get past the signature-based way of doing things are:
- Using URLs to malicious sites instead of file attachments
- Using “fileless” attacks that run through Windows PowerShell instead of dropping a file on disk
- Continuous creation of Zero-Day malware, so new that it’s not yet been catalogued
- Sending malicious commands to trusted programs
- Hiding malicious code in MS Office documents
Because the threat landscape has so completely changed over the last 10-15 years, signature-based antivirus/anti-malware products are no longer the best protection you can get and can actually leave you vulnerable to a security breach of your network.
For the best network support and security, you need next generation behavior-based protection products, and we highly recommend them to all of our clients.
How Do Behavior-Based Antivirus/Anti-Malware Products Work?
How do you catch a new ransomware strain that is not in any known threat database or isn’t using a malicious file attachment? The answer is to do things like look for suspicious behavior, use application whitelisting, and employ sandboxing techniques.
In a study, it was found that 25% of phishing emails made it past Microsoft Exchange Online Protection. Many of them were using URLs to dangerous sites or spoofed sign-in forms rather than a file attachment.
We work with products like SentinelOne and Huntress, which are next generation security products designed to protect against even the most sophisticated threats. They employ a number of safeguards that don’t require a threat to already be known in order to be stopped.
Suspicious Behavior Monitoring
One way to catch a virus or other type of malware is to observe application and system behavior. Behavior monitoring systems in next-gen security products continue to learn through artificial intelligence and machine learning so they know what types of suspicious activities may indicate an unwanted entity in your system.
For example, if a malicious command is sent to Windows PowerShell (a legitimate program in Windows 10) and causes it to change multiple access permissions at once, a next-gen security tool will flag it, because that sudden burst of changes isn’t normal for that program. The tool will then act to stop the threat and alert the user or admin so they can take action.
This is how these tools can catch zero-day threats and fileless attacks: they’re not looking for a specific piece of malicious code or a known command, they’re looking for the behavior it causes.
Application Whitelisting
When you blacklist an application, you tell your operating system that it is not allowed to run. The catch is that if you don’t know a new threat is coming, you can’t know to blacklist it.
Whitelisting takes the opposite approach. Instead of blocking certain programs, you allow certain programs. A whitelisted program is trusted and allowed to execute; everything that is not whitelisted can’t run.
This lets next-gen security software block unknown threats: if they’re not on the whitelist, they’re automatically blocked, and the user is notified of their presence and their attempt to execute.
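The two controls just described, an application allow-list and a behavior monitor watching for a burst of permission changes, shown together as a small added example (this is illustrative code written for this article, not SentinelOne’s or Huntress’s logic). The event lines, the allow-list entries, the 4-changes-in-5-seconds threshold and the alert actions are all constructed assumptions; real products match on file hashes and signatures and use many more behavior rules.

```python
from collections import defaultdict, deque

# Constructed sample telemetry, one permission-change event per line:
# "seconds,process image,pid,file whose permissions were changed".
# A legitimate (allow-listed) powershell.exe rewrites five files' ACLs in
# two seconds, explorer.exe touches one file, and an unknown download runs.
SAMPLE_EVENTS = r"""
10,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,4120,C:\Finance\Q1.xlsx
11,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,4120,C:\Finance\Q2.xlsx
11,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,4120,C:\Finance\Q3.xlsx
12,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,4120,C:\Finance\Q4.xlsx
12,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,4120,C:\HR\salaries.docx
40,C:\Windows\explorer.exe,1001,C:\Users\amy\notes.txt
55,C:\Users\amy\Downloads\invoice_viewer.exe,5222,C:\Users\amy\Documents\a.pdf
"""

# Allow-list (assumed): only these images may run. Note that PowerShell is
# on it, so the allow-list alone would never stop the ACL burst above.
ALLOW_LIST = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\explorer.exe",
}
BURST_THRESHOLD = 4   # this many permission changes by one process...
BURST_WINDOW = 5      # ...within this many seconds is treated as abnormal


def evaluate(events_text):
    """Return a list of (action, pid, reason) alerts for the given events."""
    recent = defaultdict(deque)   # pid -> timestamps of recent ACL changes
    flagged = set()               # pids already suspended (alert once)
    alerts = []
    for line in events_text.strip().splitlines():
        ts, image, pid, _target = line.split(",")
        ts = int(ts)
        # Control 1: allow-listing. Unknown binaries are denied outright,
        # which is what stops a never-before-seen (zero-day) executable.
        if image.lower() not in ALLOW_LIST:
            alerts.append(("BLOCK", pid, f"{image} is not allow-listed"))
            continue
        # Control 2: behavior monitoring for trusted programs. Keep only
        # the timestamps inside the sliding window and check for a burst.
        window = recent[pid]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and pid not in flagged:
            flagged.add(pid)
            alerts.append(("SUSPEND", pid,
                           f"{image} changed {len(window)} ACLs in {BURST_WINDOW}s"))
    return alerts


if __name__ == "__main__":
    for action, pid, reason in evaluate(SAMPLE_EVENTS):
        print(action, pid, reason)
```

Running it shows PowerShell suspended on its fourth ACL change even though it is allow-listed, and the unknown invoice_viewer.exe blocked before it does anything.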
Sandboxing
There are certain malicious programs that are “sleepers.” They’re designed to look innocent when first introduced to your system and to do nothing suspicious until they’re past your defenses. Then they execute their malicious commands.
Sandboxing takes files that come in, via your email for example, and opens them in an environment that simulates your computer. This “sandbox” gives them a place to run safely, away from your main vital computer systems.
The sandbox is designed to make the file believe it’s safely past your defenses and inside your operating system, so it reveals its true intent. Once it starts showing signs of malicious behavior, it’s caught and dealt with.
Do You Have the Right Network Security Apps?
Texas I.T. Pros can do a full assessment of the security apps you’re currently using at your Wise or Denton County business and let you know if you need an upgrade to next-generation tools that will keep you properly protected from malicious threats.
Contact us today to schedule an I.T. security consultation! Call 940-239-6500 or reach out online.