Antivirus/Antimalware
Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:
Signature-Based Detection:
- Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats.
- Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.
Heuristic-Based Detection:
- Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature.
- Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.
Behavioral Detection (Behavior Prevention):
- Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges.
- Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.
Real-Time Scanning:
- Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed.
- Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.
Cloud-Assisted Threat Intelligence:
- Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats.
- Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.
Tools for Implementation:
- Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
- Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates.
- Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions |
Common tools for detecting Linux rootkits include: rkhunter [1], chrootkit [2], although rootkits may be designed to evade certain detection tools. |
| Enterprise | T1059 | Command and Scripting Interpreter |
Anti-virus can be used to automatically quarantine suspicious files. |
|
| .001 | PowerShell |
Anti-virus can be used to automatically quarantine suspicious files. |
||
| .005 | Visual Basic |
Anti-virus can be used to automatically quarantine suspicious files. |
||
| .006 | Python |
Anti-virus can be used to automatically quarantine suspicious files. |
||
| Enterprise | T1564 | Hide Artifacts |
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3] |
|
| .012 | File/Path Exclusions |
Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[3] |
||
| Enterprise | T1036 | Masquerading |
Anti-virus can be used to automatically quarantine suspicious files. |
|
| .008 | Masquerade File Type |
Anti-virus can be used to automatically quarantine suspicious files. |
||
| Enterprise | T1027 | Obfuscated Files or Information |
Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. [4] |
|
| .002 | Software Packing |
Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. |
||
| .009 | Embedded Payloads |
Anti-virus can be used to automatically detect and quarantine suspicious files. |
||
| .010 | Command Obfuscation |
Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. |
||
| .012 | LNK Icon Smuggling |
Use signatures or heuristics to detect malicious LNK and subsequently downloaded files. |
||
| .013 | Encrypted/Encoded File |
Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation. |
||
| .014 | Polymorphic Code |
Anti-virus can be used to automatically detect and quarantine suspicious files. Employment of advanced anti-malware techniques that make use of technologies like machine learning and behavior-based mechanisms to conduct signature-less malware detection will also be more effective than traditional indicator-based detection methods. |
||
| .015 | Compression |
Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives. |
||
| .016 | Junk Code Insertion |
Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code.[5] |
||
| Enterprise | T1566 | Phishing |
Anti-virus can automatically quarantine suspicious files. |
|
| .001 | Spearphishing Attachment |
Anti-virus can also automatically quarantine suspicious files. |
||
| .003 | Spearphishing via Service |
Anti-virus can also automatically quarantine suspicious files. |
||
| Enterprise | T1080 | Taint Shared Content |
Anti-virus can be used to automatically quarantine suspicious files.[6] |
|
| Enterprise | T1221 | Template Injection |
Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[7] |
|
References
- Rootkit Hunter Project. (2018, February 20). The Rootkit Hunter project. Retrieved April 9, 2018.
- Murilo, N., Steding-Jessen, K. (2017, August 23). Chkrootkit. Retrieved April 9, 2018.
- Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.
- Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.
- ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025.
- Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.
- Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.