Antivirus/Antimalware

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:

Signature-Based Detection:

  • Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats.
  • Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.

Heuristic-Based Detection:

  • Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature.
  • Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.

Behavioral Detection (Behavior Prevention):

  • Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges.
  • Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.

Real-Time Scanning:

  • Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed.
  • Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.

Cloud-Assisted Threat Intelligence:

  • Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats.
  • Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.

Tools for Implementation:

  • Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
  • Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates.
  • Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.
ID: M1049
Version: 1.2
Created: 11 June 2019
Last Modified: 10 December 2024

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1547 .006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

Common tools for detecting Linux rootkits include: rkhunter [1], chrootkit [2], although rootkits may be designed to evade certain detection tools.

Enterprise T1059 Command and Scripting Interpreter

Anti-virus can be used to automatically quarantine suspicious files.

.001 PowerShell

Anti-virus can be used to automatically quarantine suspicious files.

.005 Visual Basic

Anti-virus can be used to automatically quarantine suspicious files.

.006 Python

Anti-virus can be used to automatically quarantine suspicious files.

Enterprise T1564 Hide Artifacts

Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3]

.012 File/Path Exclusions

Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3]

Enterprise T1036 Masquerading

Anti-virus can be used to automatically quarantine suspicious files.

.008 Masquerade File Type

Anti-virus can be used to automatically quarantine suspicious files.

Enterprise T1027 Obfuscated Files or Information

Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. [4]

.002 Software Packing

Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.

.009 Embedded Payloads

Anti-virus can be used to automatically detect and quarantine suspicious files.

.010 Command Obfuscation

Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted.

.012 LNK Icon Smuggling

Use signatures or heuristics to detect malicious LNK and subsequently downloaded files.

.013 Encrypted/Encoded File

Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation.

.014 Polymorphic Code

Anti-virus can be used to automatically detect and quarantine suspicious files. Employment of advanced anti-malware techniques that make use of technologies like machine learning and behavior-based mechanisms to conduct signature-less malware detection will also be more effective than traditional indicator-based detection methods.

.015 Compression

Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives.

.016 Junk Code Insertion

Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code.[5]

Enterprise T1566 Phishing

Anti-virus can automatically quarantine suspicious files.

.001 Spearphishing Attachment

Anti-virus can also automatically quarantine suspicious files.

.003 Spearphishing via Service

Anti-virus can also automatically quarantine suspicious files.

Enterprise T1080 Taint Shared Content

Anti-virus can be used to automatically quarantine suspicious files.[6]

Enterprise T1221 Template Injection

Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[7]

References