How To Recognize Malware

Signature-based Detection

Signature-based detection uses known digital indicators of malware to identify suspicious files and behavior. Lists of indicators of compromise (IOCs), such as file hashes, IP addresses, and domain names, can be matched against observed activity to identify a breach. While IOCs are effective at identifying known malicious activity, they are reactive in nature: an indicator only exists once someone has already seen and reported the threat.

Static File Analysis

Static file analysis examines a file's contents without running it to identify signs of malicious intent. File names, hashes, embedded strings such as IP addresses, and file header data can all be evaluated to determine whether a file is likely malicious.
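The two techniques above (IOC matching and static triage) share a workflow: hash the file, identify its real type from header bytes, pull out printable strings, and compare what you found against an indicator feed. The following Python is an added example written for this page, not code from the original article; the sample bytes, the IOC feed entries and the TEST-NET address 203.0.113.7 are all constructed, and the magic-byte table holds real format signatures.

```python
import hashlib
import re

# Magic bytes of common file formats; these are the real signatures.
MAGIC = {
    b"MZ": "PE executable (Windows)",
    b"\x7fELF": "ELF executable (Linux)",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (also Office/JAR)",
}

# Constructed sample: a fake DOS/PE stub with a few embedded strings. Not a real binary.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://203.0.113.7/update.bin\x00"      # TEST-NET-3 address, constructed
    + b"C:\\Users\\Public\\stage2.tmp\x00"
    + b"\x00\xff" * 64
)

# Constructed IOC feed: one hash and one IP we pretend an earlier report flagged.
IOC_SHA256 = {hashlib.sha256(SAMPLE).hexdigest()}
IOC_IPS = {"203.0.113.7"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def file_type(data: bytes) -> str:
    """Classify by header bytes, which survive a renamed extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs, the same thing the `strings` utility prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def analyze(data: bytes) -> dict:
    """Static triage: hashes, file type, strings, and matches against the IOC feed."""
    sha256 = hashlib.sha256(data).hexdigest()
    strings = extract_strings(data)
    ips = sorted({ip for s in strings for ip in IPV4.findall(s)})
    hits = []
    if sha256 in IOC_SHA256:
        hits.append("sha256:" + sha256)
    hits += ["ip:" + ip for ip in ips if ip in IOC_IPS]
    return {
        "sha256": sha256,
        "md5": hashlib.md5(data).hexdigest(),
        "file_type": file_type(data),
        "strings": strings,
        "ips": ips,
        "ioc_hits": hits,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that the hash match is exact: changing a single byte of the sample produces a new SHA-256 that is no longer in the feed, which is the reactive weakness the text describes. The string and header checks still fire on the modified file, which is why static analysis is layered on top of plain signature matching.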

Dynamic Malware Analysis

Dynamic malware analysis executes suspected malicious code in a safe sandbox environment. This closed system enables security professionals to watch and study the malware in action without the risk of letting it infect their system or escape into the enterprise network.

Dynamic Monitoring of Mass File Operations

Dynamic monitoring observes mass file operations, such as bulk rename or delete commands, to identify signs of tampering or corruption. It often relies on a file integrity monitoring tool that tracks and analyzes file-system integrity through both reactive forensic auditing and proactive rules-based monitoring.
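A rules-based monitor of the kind described here needs two things: a sliding window that counts rename and delete operations per process, and a check for renames that change a file's extension, which is how encryption-in-place differs from ordinary housekeeping. The Python below is an added example, not code from the original article; the event log is constructed to stand in for EDR or audit telemetry, and the process names and paths are made up.

```python
import os
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# (time_s, process, operation, path, new_path) -- new_path is None unless op == "rename"
Event = Tuple[float, str, str, str, Optional[str]]

# Constructed event log. A user renaming two files minutes apart is normal.
EVENTS: List[Event] = [
    (0.0, "explorer.exe", "rename", "D:/docs/a.docx", "D:/docs/a-final.docx"),
    (120.0, "explorer.exe", "rename", "D:/docs/b.xlsx", "D:/docs/b-v2.xlsx"),
]
# A backup job deleting old snapshots: several deletes, but spread 15 s apart.
EVENTS += [(200.0 + 15 * i, "backup.exe", "delete", f"E:/snap/old{i}.bak", None)
           for i in range(5)]
# One process renaming a dozen documents to a new extension within three seconds.
EVENTS += [(300.0 + 0.25 * i, "suspect.exe", "rename",
            f"D:/docs/file{i}.docx", f"D:/docs/file{i}.docx.locked")
           for i in range(12)]
EVENTS.sort(key=lambda e: e[0])


def detect_bursts(events: List[Event], threshold: int = 10, window: float = 10.0) -> List[Dict]:
    """Alert once per process that performs >= threshold renames/deletes
    inside any `window` seconds (sliding window, one deque per process)."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerted = set()
    alerts = []
    for t, proc, op, _path, _new in events:
        if op not in ("rename", "delete"):
            continue
        q = recent[proc]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append({"process": proc, "count": len(q), "start": q[0], "end": t})
    return alerts


def extension_changes(events: List[Event]) -> Dict[str, int]:
    """Count renames that alter the file extension, per process."""
    counts: Dict[str, int] = defaultdict(int)
    for _t, proc, op, path, new_path in events:
        if op == "rename" and new_path:
            if os.path.splitext(path)[1] != os.path.splitext(new_path)[1]:
                counts[proc] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_bursts(EVENTS):
        print("burst:", alert)
    print("extension rewrites per process:", extension_changes(EVENTS))
```

With the default threshold only the twelve-rename process trips the rule; lowering it to three operations in sixty seconds also catches the backup job, which is the false-positive trade-off every rule of this kind has to be tuned for. Combining the burst rule with the extension-change count separates the two cases without loosening the window.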

File Extensions Blocklist

File extensions are letters occurring after a period in a file name, indicating the format of the file. This classification can be used by criminals to package malware for delivery. As a result, a common security method is to list known malicious file extension types in a “blocklist” to prevent unsuspecting users from downloading or using the dangerous file.

Application Allowlist

Allowlisting is the opposite of blocklisting: an organization authorizes a system to run only the applications on an approved list. It can be very effective at preventing unauthorized applications because its parameters are rigid. However, maintaining the list is labor-intensive and can reduce an organization's operational speed and flexibility.
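The contrast between the two controls is easiest to see in code. The Python below is an added example for this page, not code from the original article; the extension blocklist is an illustrative (not exhaustive) set, and the approved application entry, its path and the placeholder "binary" bytes are constructed. It handles the cases that trip naive implementations: mixed case, double extensions such as `report.pdf.exe`, and trailing dots that Windows strips when the file is created.

```python
import hashlib
import os
from typing import List, Tuple

# Constructed blocklist of extensions commonly abused for delivery (illustrative only).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}


def extensions_of(filename: str) -> List[str]:
    """Every extension in the name, lowercased: 'Report.PDF.exe' -> ['.pdf', '.exe'].
    Trailing dots and spaces are removed first, because Windows drops them on create,
    so 'setup.exe.' is really 'setup.exe'."""
    name = os.path.basename(filename).rstrip(". ")
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def blocklist_verdict(filename: str) -> Tuple[str, List[str]]:
    """Deny if ANY extension in the name is on the blocklist; otherwise allow.
    Note the gap: an extension nobody has listed yet is allowed by default."""
    hits = [e for e in extensions_of(filename) if e in BLOCKED_EXTENSIONS]
    return ("block", hits) if hits else ("allow", [])


# Constructed allowlist: an approved application is identified by path AND content hash,
# so a binary swapped in at the same path is not approved.
ALLOWED_APPS = {
    ("C:/Program Files/Editor/editor.exe", hashlib.sha256(b"editor-v1-binary").hexdigest()),
}


def allowlist_verdict(path: str, binary: bytes) -> str:
    """Run only if (path, sha256) is on the approved list; everything else is denied,
    including a legitimate update of an approved program until it is re-approved."""
    digest = hashlib.sha256(binary).hexdigest()
    return "run" if (path, digest) in ALLOWED_APPS else "deny"


if __name__ == "__main__":
    for name in ["Invoice.PDF.exe", "notes.txt", "setup.exe.", "tool.unknownext"]:
        print(name, "->", blocklist_verdict(name))
    app = "C:/Program Files/Editor/editor.exe"
    print("approved build:", allowlist_verdict(app, b"editor-v1-binary"))
    print("updated build:", allowlist_verdict(app, b"editor-v2-binary"))
```

The last two lines show the operational cost the text mentions: a routine software update changes the hash, so the allowlist denies it until someone re-approves the new build. The blocklist has the opposite problem, allowing anything with an extension it has never heard of.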

Malware Honeypot

A malware honeypot mimics a software application or an application programming interface (API) to draw out malware attacks in a controlled, non-threatening environment. Similarly, a honeypot file is a decoy file placed to lure and detect attackers. In both cases, security teams can analyze the attack techniques observed and develop or enhance antimalware solutions to address these specific vulnerabilities, threats, or actors.

Cyclic Redundancy Check (CRC)

A checksum is a calculation over a collection of data, such as a file, used to confirm its integrity. One of the most common checksums is the CRC, which takes into account both the value and the position of each unit of data. Checksumming is effective for identifying accidental corruption in data but is not foolproof for detecting deliberate tampering.
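The following Python is an added example for this page, not code from the original article. It implements the standard table-driven CRC-32 (the IEEE 802.3 polynomial used by zlib, PNG and Ethernet), shows that a single flipped bit is caught, and then shows why the text's caveat holds: CRC is an affine function over GF(2), so the checksums of three equal-length inputs predict the checksum of their XOR, a structure a cryptographic hash like SHA-256 does not have. The sample data and the simulated bit flip are constructed.

```python
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (IEEE 802.3), as used by zlib


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()


def crc32(data: bytes) -> int:
    """Table-driven CRC-32, bit-compatible with zlib.crc32."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check our implementation against the standard library."""
    return crc32(data) == zlib.crc32(data)


def verify(data: bytes, expected_crc: int) -> bool:
    return crc32(data) == expected_crc


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single-bit storage or transmission error (constructed corruption)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def _xor3(a: bytes, b: bytes, c: bytes) -> bytes:
    assert len(a) == len(b) == len(c), "the identity only holds for equal lengths"
    return bytes(i ^ j ^ k for i, j, k in zip(a, b, c))


def crc_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """True for CRC: crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c).
    The length-dependent constant cancels when three terms are combined."""
    return crc32(_xor3(a, b, c)) == crc32(a) ^ crc32(b) ^ crc32(c)


def sha256_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """The same identity tried on SHA-256; it fails, as a cryptographic hash should."""
    def h(d: bytes) -> int:
        return int.from_bytes(hashlib.sha256(d).digest(), "big")
    return h(_xor3(a, b, c)) == h(a) ^ h(b) ^ h(c)


if __name__ == "__main__":
    record = b"ledger-2024-balance=1000"
    stored = crc32(record)
    print(f"crc32={stored:08x} verify={verify(record, stored)}")
    print("after 1-bit flip:", verify(flip_bit(record, 3, 5), stored))
    a, b, c = b"aaaaaaaa", b"bbbbbbbb", b"cccccccc"
    print("CRC affine:", crc_is_affine(a, b, c), "SHA-256 affine:", sha256_is_affine(a, b, c))
```

The practical rule that follows: use a CRC to detect line noise and disk errors, and a cryptographic hash (or, better, a signature or HMAC) when the question is whether someone changed the file on purpose.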

File Entropy

As threat intelligence and cybersecurity defenses evolve, adversaries increasingly generate dynamic malware executables (typically packed or obfuscated) to avoid signature detection. The resulting files have unusually high entropy, so measuring a file's entropy, or the change in its entropy, can flag potential malware.
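Entropy here means Shannon entropy in bits per byte: plain text sits around 4 to 5, while compressed or encrypted data approaches 8. The Python below is an added example for this page, not code from the original article. It computes the measure, then scans a file in fixed-size windows so that a high-entropy payload embedded in an otherwise ordinary file shows up as a contiguous run of flagged windows. The text, the seeded pseudo-random blob, the window size and the 7.0-bit threshold are constructed choices.

```python
import math
import random
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_windows(data: bytes, window: int = 1024,
                         threshold: float = 7.0) -> List[Tuple[int, float]]:
    """(offset, entropy) for each fixed-size window above the threshold.
    Window size matters: very small windows under-estimate entropy because
    few of the 256 byte values get a chance to appear."""
    flagged = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            flagged.append((off, round(h, 2)))
    return flagged


# Constructed samples: repetitive report text, a seeded pseudo-random blob standing in
# for a packed/encrypted payload, and a file that hides the blob between text regions.
TEXT = b"Quarterly report: revenue steady, costs within budget. " * 40
_rng = random.Random(7)
BLOB = bytes(_rng.getrandbits(8) for _ in range(2048))
MIXED = TEXT[:1024] + BLOB + TEXT[:1024]


if __name__ == "__main__":
    print(f"text   {shannon_entropy(TEXT):.2f} bits/byte")
    print(f"blob   {shannon_entropy(BLOB):.2f} bits/byte")
    print(f"mixed  {shannon_entropy(MIXED):.2f} bits/byte (whole-file average hides the payload)")
    print("flagged windows:", high_entropy_windows(MIXED))
```

The whole-file average of the mixed sample is pulled down by the text on either side, which is why per-section (or per-PE-section) entropy is more useful than one number for the file. Legitimate compressed archives and installers also score high, so entropy is a triage signal to combine with the other checks on this page rather than a verdict on its own.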

Machine Learning Analysis

Machine learning (ML) is a subset of artificial intelligence (AI) and refers to the process of training algorithms to learn patterns from existing data in order to make predictions about new data. Applied to malware detection, ML models analyze file features and behavior, identify patterns, and use these insights to improve the detection of novel and previously unidentified malware.
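To make the idea concrete, the Python below is an added example for this page, not code from the original article or any product it describes. It trains a logistic-regression classifier from scratch (plain gradient descent, no external libraries) on a small constructed feature set of the kind the earlier sections produce: normalized entropy, whether the file has an executable header, and a count of suspicious strings. The training rows and their labels are hand-written stand-ins for features extracted from real files.

```python
import math
from typing import List, Sequence, Tuple

# Feature vector per file: [entropy / 8, has executable header (0/1), suspicious strings / 10].
# Constructed training set: values chosen by hand, label 1 = malicious, 0 = benign.
TRAIN: List[Tuple[List[float], int]] = [
    ([0.52, 1.0, 0.0], 0),  # signed installer: executable, low entropy, clean strings
    ([0.48, 0.0, 0.0], 0),  # office document
    ([0.60, 1.0, 0.1], 0),  # debug build with one odd-looking string
    ([0.45, 0.0, 0.0], 0),  # plain text
    ([0.96, 1.0, 0.4], 1),  # packed executable with several suspicious strings
    ([0.94, 1.0, 0.6], 1),
    ([0.90, 0.0, 0.5], 1),  # encrypted payload inside a non-executable wrapper
    ([0.97, 1.0, 0.3], 1),
]

Model = Tuple[List[float], float]  # (weights, bias)


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(model: Model, x: Sequence[float]) -> float:
    """P(malicious | features) under the logistic model."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def train(samples: Sequence[Tuple[Sequence[float], int]],
          lr: float = 0.5, epochs: int = 3000) -> Model:
    """Batch gradient descent on the log-loss; small enough to run without numpy."""
    n_feat = len(samples[0][0])
    w = [0.0] * n_feat
    b = 0.0
    m = len(samples)
    for _ in range(epochs):
        grad_w = [0.0] * n_feat
        grad_b = 0.0
        for x, y in samples:
            err = predict_proba((w, b), x) - y      # derivative of log-loss w.r.t. z
            for i in range(n_feat):
                grad_w[i] += err * x[i]
            grad_b += err
        w = [wi - lr * g / m for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def accuracy(model: Model, samples: Sequence[Tuple[Sequence[float], int]]) -> float:
    correct = sum((predict_proba(model, x) >= 0.5) == bool(y) for x, y in samples)
    return correct / len(samples)


if __name__ == "__main__":
    model = train(TRAIN)
    print("weights:", [round(v, 2) for v in model[0]], "bias:", round(model[1], 2))
    print("training accuracy:", accuracy(model, TRAIN))
    # Unseen constructed files: a packed executable and a clean installer.
    for feats in ([0.95, 1.0, 0.5], [0.50, 1.0, 0.0]):
        print(feats, "->", round(predict_proba(model, feats), 3))
```

The learned weights are readable: entropy ends up with the largest positive weight, which is the model rediscovering the File Entropy rule above from examples rather than from a hand-set threshold. Real deployments use hundreds of features, far larger labelled corpora and models that are not linear, but the training loop is the same idea, and so is the operational caveat: the model is only as good as the labelled data it was trained on, and attackers can probe it for inputs it gets wrong.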
