4 Proven Ways to Stop Malware in Its Tracks

The main focus of anti-virus and anti-malware technology has always been to stop malicious code from executing on a device, thus preventing compromise.

The main areas of technological evolution involve how malware is detected and what parts of devices malicious software can access. We currently have a handful of approaches.

1. Block the bad

This is the traditional AV approach of matching malware signatures against code executing on the device. The problem is scale — there is so much bad stuff that you cannot possibly expect an endpoint to recognize every attack since the beginning of time.

2. Improve heuristics

It is impossible to block all malware because it changes constantly, so you need to focus on what malware does to the device or within the application. By improving recognition of attack patterns and blocking activity that makes no sense for a particular application, you can greatly improve your ability to protect devices from attack.

Of course, you need to know what the application should be doing at a very granular level so you can identify patterns that aren’t “authorized application behavior” and likely indicate malware.

3. Isolation

An emerging technique for protecting endpoints is to run vulnerable applications — including browsers, Java, and Adobe Reader — in a restricted sandbox to isolate them from the rest of the device in case they execute malicious code.

This assumes applications will be successfully compromised, but impedes attackers’ ability to take over or steal anything from the device. An alternative is to descend into the innards of the operating system and isolate actual processes. This emerging technology is promising for making the base operating system resilient to attack.

4. Allow the good

Finally, let’s cover default deny, which defines a set of authorized code that can execute on devices and blocks everything else. This provides true device lockdown because no code (either malicious or legitimate) can execute unless authorized. This approach underlies application control technology.
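To make the difference between approaches 1, 2 and 4 concrete, here is an added example (not code from the original post or from any product) that runs the same constructed process-launch events through a signature blocklist, a behavioral heuristic and a default-deny allowlist. The file contents, paths and hash sets are constructed stand-ins; the point is which approach catches a repacked variant or a reader spawning a shell, and what default deny costs for a legitimate but unlisted tool.

```python
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class ProcessEvent:
    image: str      # path of the executable being launched
    content: bytes  # file bytes; constructed stand-ins for real binaries
    parent: str     # path of the parent process

# 1. Block the bad: hashes of known-malicious files (constructed sample).
KNOWN_BAD = {sha256(b"dropper-v1")}
# 4. Allow the good: default deny; only these hashes may run (constructed).
AUTHORIZED = {sha256(b"explorer.exe"), sha256(b"reader.exe")}
# 2. Heuristics: a document reader has no business spawning a shell.
READERS = {r"C:\Program Files\Reader\reader.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def blocklist_verdict(ev: ProcessEvent) -> str:
    return "block" if sha256(ev.content) in KNOWN_BAD else "allow"

def heuristic_verdict(ev: ProcessEvent) -> str:
    if ev.parent in READERS and basename(ev.image) in SHELLS:
        return "block"
    return "allow"

def allowlist_verdict(ev: ProcessEvent) -> str:
    return "allow" if sha256(ev.content) in AUTHORIZED else "block"

def evaluate(ev: ProcessEvent) -> dict:
    """Verdict of each approach for one launch event."""
    return {"blocklist": blocklist_verdict(ev),
            "heuristic": heuristic_verdict(ev),
            "allowlist": allowlist_verdict(ev)}

EXPLORER = r"C:\Windows\explorer.exe"
READER = r"C:\Program Files\Reader\reader.exe"
EVENTS = {  # constructed launch events
    "reader":   ProcessEvent(READER, b"reader.exe", EXPLORER),
    "known":    ProcessEvent(r"C:\Users\a\dropper.exe", b"dropper-v1", EXPLORER),
    "repacked": ProcessEvent(r"C:\Users\a\dropper.exe", b"dropper-v2", EXPLORER),
    "shell":    ProcessEvent(r"C:\Windows\System32\powershell.exe", b"powershell.exe", READER),
    "newtool":  ProcessEvent(r"C:\Tools\admin.exe", b"admin-tool", EXPLORER),
}
```

Running `evaluate` over `EVENTS` shows the blocklist missing the repacked dropper, the heuristic catching the reader-spawned shell regardless of its hash, and the allowlist blocking both but also the unlisted admin tool.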

As you see, there are a number of ways to prevent compromise. The most appropriate approach depends on the specific situation.


On March 14, 2016, LANDESK acquired AppSense, the leading provider of secure user environment management solutions. Check the AppSense section of the blog for all of our AppSense-related content.