The main focus of anti-virus and anti-malware technology has always been to stop malicious code from executing on a device, thus preventing compromise.
The main areas of technological evolution are how malware is detected and which parts of the device malicious software is allowed to reach. We currently see a handful of approaches.
1. Block the bad
This is the traditional AV approach: code on the device (on disk, or as it is loaded for execution) is matched against signatures of known malware. The problem is scale. There is so much bad stuff, and it is repackaged so frequently that a trivially modified sample no longer matches its signature, so you cannot possibly expect an endpoint to recognize every attack since the beginning of time.
2. Improve heuristics
It is impossible to block all malware because it changes constantly, so you need to focus on what malware does, to the device or within the application. By improving recognition of attack patterns and blocking activity that makes no sense for a particular application, you can greatly improve your ability to protect devices from attack.
Of course, you need to know what the application should be doing at a very granular level so you can identify patterns that aren't "authorized application behavior" and likely indicate malware. The flip side is that an incomplete profile flags legitimate activity, so the profile has to be built and maintained per application, not guessed.
3. Isolate the application
An emerging technique for protecting endpoints is to run vulnerable applications (browsers, Java, Adobe Reader, and the like) in a restricted sandbox that isolates them from the rest of the device in case they execute malicious code.
This assumes applications will be successfully compromised, but limits what the compromised process can reach, which impedes attackers' ability to take over or steal anything from the device. The caveat is that the sandbox boundary then becomes the attacker's next target, so its own attack surface matters. An alternative is to descend into the innards of the operating system and isolate the actual processes there. This emerging technology is promising for making the base operating system resilient to attack.
4. Allow the good
Finally, let's cover default deny, which defines a set of authorized code that can execute on devices and blocks everything else. This provides true device lockdown because no code (malicious or legitimate) can execute unless it has been authorized. The cost is the operational work of maintaining that authorized set: every legitimate new tool or update must be approved before it will run. This approach underlies application control technology.
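To make the trade-offs among "block the bad", "improve heuristics" and "allow the good" concrete, here is an added example (not code from the original post or from any product it describes) of a toy endpoint policy engine. The "binaries" are constructed byte strings standing in for executables, the hashes are computed from them rather than taken from any real signature feed, and the application profile, event list and update hostname are assumptions made up for the illustration. It shows a trivially repacked sample slipping past a signature blocklist but failing default deny, a behaviour profile catching a document viewer that spawns a shell and phones home, and default deny also blocking a legitimate tool nobody has approved yet.

```python
"""Toy endpoint policy engine contrasting three approaches to stopping code:
block the bad (signature blocklist), improve heuristics (per-application
behaviour profile) and allow the good (default deny allowlist).
All samples, profiles and events below are constructed for illustration."""
import hashlib

# Constructed stand-ins for executables (the "MZ" prefix is just decoration).
KNOWN_BAD = b"MZ\x90\x00 evil-dropper v1"
MUTATED_BAD = b"MZ\x90\x00 evil-dropper v1 "   # one byte appended: a trivial repack
SIGNED_VIEWER = b"MZ\x90\x00 vendor-reader 11.0"
NEW_ADMIN_TOOL = b"MZ\x90\x00 unapproved-admin-tool"  # legitimate, but not yet authorized


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# 1. Block the bad: deny anything whose hash is on the blocklist, run the rest.
BLOCKLIST = {sha256(KNOWN_BAD)}


def block_the_bad(blob: bytes) -> bool:
    """True if execution is allowed under the blocklist model."""
    return sha256(blob) not in BLOCKLIST


# 4. Allow the good (default deny): run only what is explicitly authorized.
ALLOWLIST = {sha256(SIGNED_VIEWER)}


def allow_the_good(blob: bytes) -> bool:
    """True if execution is allowed under the default-deny model."""
    return sha256(blob) in ALLOWLIST


# 2. Improve heuristics: judge what a running application does against a
# profile of its authorized behaviour. Each action maps to allowed target
# prefixes; an empty tuple means the action is never expected from this app.
PROFILES = {
    "reader": {                       # assumed profile for a document viewer
        "file_read": ("/home/",),
        "file_write": ("/home/", "/tmp/"),
        "network": ("update.vendor.test",),  # assumed update host
        "spawn": (),                  # a viewer has no reason to start programs
    },
}


def behavior_violations(app: str, events):
    """Return the (action, target) events outside the app's authorized profile."""
    profile = PROFILES.get(app)
    if profile is None:
        return list(events)           # unknown application: everything is suspect
    violations = []
    for action, target in events:
        allowed_prefixes = profile.get(action, ())
        if not any(target.startswith(p) for p in allowed_prefixes):
            violations.append((action, target))
    return violations


# Constructed event stream: a viewer opens a document, then an exploit in the
# parser launches a shell and connects to a TEST-NET address.
CONSTRUCTED_EVENTS = [
    ("file_read", "/home/alice/invoice.pdf"),
    ("file_write", "/tmp/viewer-cache.tmp"),
    ("spawn", "/bin/sh"),
    ("network", "203.0.113.7"),
]


def compare_models(blob: bytes) -> dict:
    """Verdict of the two static models for one sample, for side-by-side reading."""
    return {"block_the_bad": block_the_bad(blob), "allow_the_good": allow_the_good(blob)}


if __name__ == "__main__":
    for name, blob in [("known bad", KNOWN_BAD), ("mutated bad", MUTATED_BAD),
                       ("signed viewer", SIGNED_VIEWER), ("new admin tool", NEW_ADMIN_TOOL)]:
        print(f"{name:15} {compare_models(blob)}")
    print("reader violations:", behavior_violations("reader", CONSTRUCTED_EVENTS))
```

Reading the output against the text: the blocklist stops only the exact sample it has seen, the allowlist stops everything it has not approved (including the legitimate admin tool, which is the lockdown cost), and the behaviour profile catches the compromise without knowing anything about the sample at all, but only because someone wrote down that a document viewer never spawns processes.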
As you can see, there are a number of ways to prevent compromise, and they are not mutually exclusive. The most appropriate approach depends on the specific situation.