This blog post was written by Raja Patel.
At some point as a child, a parent likely told you, “actions speak louder than words.” It’s a good life lesson—and it can hold just as true when fighting malware.
Cybercriminals have become extremely skilled at disguising the true nature of malware attacks. The best way to protect your users is to employ a layered approach that includes both pre- and post-execution analysis. You can learn a lot by evaluating what an unknown file “says” it is. But sometimes, the only way to stop advanced malware is to observe what it does once it crosses your threshold.
Journey through the Anti-Malware Funnel
To understand how pre- and post-execution anti-malware tools work together, imagine you’re running a grocery store and you have a problem with shoplifters. The thieves look just like other customers. How do you tell the good shoppers from the bad? Organizations are tasked with solving a similar problem in protecting against malware disguised to look like harmless application traffic.
Legacy signature-based antivirus plays an early role, filtering out large numbers of known attacks. Going to our grocery store analogy, this is like denying entry to all shoppers who’ve been caught before, who have their picture hanging on the wall of the manager’s office. It’s an important security measure, but it won’t stop thieves you’ve never seen before or those in disguise who no longer look the same.
At the next level of the funnel, McAfee Real Protect pre-execution scanning applies sophisticated statistical analysis and machine learning techniques to unknown “greyware” files. These scans compare static code attributes (source code language or compiler used, linked DLLs, and other static features) against known threats, without signatures. Returning to our analogy, this is comparable to, say, facial recognition software that catches anyone entering the store with a criminal record of shoplifting, even if they’ve never been there before.
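To make the static-attribute comparison concrete, here is an added example (not McAfee code, and a deliberate simplification of what a trained model does): it represents each file by its compiler, linked DLLs and imported function names, scores an unknown file against a constructed set of labelled samples by weighted set similarity, and takes a nearest-neighbour vote. The sample records, weights and threshold are all assumptions chosen for illustration.

```python
"""Added example: pre-execution scoring from static attributes only.

Every record below is constructed; a real scanner would extract these
fields from the PE header and import table of the file on disk.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticFeatures:
    compiler: str        # e.g. toolchain guessed from the PE rich header / linker version
    dlls: frozenset      # linked DLL names
    imports: frozenset   # imported function names


# Constructed labelled samples (label, features). Not real malware hashes.
KNOWN_SAMPLES = [
    ("malicious", StaticFeatures("msvc",
        frozenset({"kernel32.dll", "advapi32.dll", "wininet.dll"}),
        frozenset({"CreateRemoteThread", "WriteProcessMemory",
                   "InternetOpenUrlA", "RegSetValueExA"}))),
    ("malicious", StaticFeatures("mingw",
        frozenset({"kernel32.dll", "ws2_32.dll"}),
        frozenset({"VirtualAllocEx", "WriteProcessMemory",
                   "CreateRemoteThread", "connect"}))),
    ("benign", StaticFeatures("msvc",
        frozenset({"kernel32.dll", "user32.dll", "gdi32.dll"}),
        frozenset({"CreateWindowExW", "GetMessageW", "TextOutW", "CreateFileW"}))),
    ("benign", StaticFeatures("msvc",
        frozenset({"kernel32.dll", "msvcrt.dll"}),
        frozenset({"fopen", "fwrite", "printf", "CreateFileW"}))),
]


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(sample, known):
    """Weighted similarity; import overlap is weighted highest because it
    says the most about what the file can do. Weights are assumptions."""
    compiler_match = 1.0 if sample.compiler == known.compiler else 0.0
    return (0.2 * compiler_match
            + 0.3 * jaccard(sample.dlls, known.dlls)
            + 0.5 * jaccard(sample.imports, known.imports))


def classify(sample, k=3, threshold=0.5):
    """k-nearest-neighbour vote weighted by similarity.

    Returns (verdict, malicious_probability, neighbours)."""
    scored = sorted(((similarity(sample, feats), label)
                     for label, feats in KNOWN_SAMPLES), reverse=True)
    neighbours = scored[:k]
    votes = Counter()
    for sim, label in neighbours:
        votes[label] += sim
    total = votes["malicious"] + votes["benign"]
    prob = votes["malicious"] / total if total else 0.0
    verdict = "malicious" if prob >= threshold else "benign"
    return verdict, round(prob, 3), neighbours


# Constructed unknown files to score.
UNKNOWN_INJECTOR = StaticFeatures("msvc",
    frozenset({"kernel32.dll", "advapi32.dll", "ws2_32.dll"}),
    frozenset({"CreateRemoteThread", "WriteProcessMemory", "connect", "RegSetValueExA"}))
UNKNOWN_GUI_APP = StaticFeatures("msvc",
    frozenset({"kernel32.dll", "user32.dll"}),
    frozenset({"CreateWindowExW", "GetMessageW", "CreateFileW"}))

if __name__ == "__main__":
    for name, f in (("injector-like", UNKNOWN_INJECTOR), ("gui-app-like", UNKNOWN_GUI_APP)):
        verdict, prob, _ = classify(f)
        print(f"{name}: {verdict} (p={prob})")
```

The point the example makes is the one the paragraph makes: nothing here depends on a byte-level signature, so a recompiled or lightly modified variant that keeps the same import profile still scores close to its relatives. It also shows the limit: a packer that hides the real import table leaves the scanner with almost nothing to compare, which is why the next layers exist.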
Static scanning catches a huge amount of malware, even if it’s well disguised. But as we know, cybercriminals don’t just give up when new defenses emerge. They develop new techniques (like packing, polymorphism, and metamorphism) to slip past them. (In our analogy, these would be the savviest shoplifters who, for example, dress up like a vendor making deliveries, or get someone with a clean record to shoplift for them.) To stop threats like these, you sometimes have to go deeper: watching what the greyware actually does.
Analyzing Malware Actions
McAfee offers two post-execution tools to catch the most cleverly disguised malware—the kind that makes it past even advanced pre-execution scanning. These are:
- Real Protect Dynamic: This layer uses machine learning to analyze the file’s actual behavior as it executes. If the file attempts to do things that malware often does, such as create child processes, drop or alter files, or reach out to known bad networks, Real Protect can convict it as malicious in seconds.
- Dynamic Application Containment: While other parts of the anti-malware funnel attempt to analyze and understand greyware, this layer takes a “contain first, limit the impact” approach. Based on the context and reputation of the greyware, Dynamic Application Containment (DAC) determines whether to limit or eliminate its ability to make malicious changes on the endpoint. The threshold for triggering DAC is fully configurable. Once DAC is triggered, McAfee Endpoint Security uses Arbitrary Access Control (AAC) technology to isolate the execution profile of a process. It then detects any potentially malicious behavior, such as access violations, memory scanning, signs of persistence, proxy attacks on legitimate applications, etc. If the parent process violates any of the containment rules, DAC as a protective component blocks and/or reports on the actions that the malware attempted to perform, preventing a “patient-zero” infection. The entire analysis is performed without having to configure any blacklists or whitelists, and without having to detonate the file in an execution sandbox.
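The two post-execution layers above (behavioral conviction and contain-first enforcement) can be illustrated in one small model. The example below is added here and is not McAfee code: it parses a constructed process event log, scores each event against a handful of behavior rules of the kind the Real Protect Dynamic description names (child processes, dropped files, known-bad network destinations, persistence), and, when the process reputation falls below a containment bar, marks each rule hit as blocked or reported before it is counted. The event format, rule weights, conviction threshold and the known-bad host list are assumptions.

```python
"""Added example: behavior scoring plus contain-first enforcement over a
constructed event log. Nothing here is a real product rule set."""
import re
from dataclasses import dataclass

# Constructed "known bad" destinations (RFC 5737 documentation addresses).
KNOWN_BAD_HOSTS = {"198.51.100.23", "203.0.113.9"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".ps1")

# Assumed log format: pid=<n> proc=<image> action=<verb> key=value ...
EVENT_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+proc=(?P<proc>\S+)\s+action=(?P<action>\w+)(?:\s+(?P<rest>.*))?$")


def parse_event(line):
    """Turn one log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {"pid": int(m["pid"]), "proc": m["proc"], "action": m["action"]}
    for kv in (m["rest"] or "").split():
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def classify_event(ev):
    """Return (weight, reason) for a suspicious event, or (0, None)."""
    a = ev["action"]
    if a == "spawn" and ev.get("child", "").lower() in SCRIPT_HOSTS:
        return 3, f"spawned scripting host {ev['child']}"
    if a == "write" and ev.get("path", "").lower().endswith(EXEC_SUFFIXES):
        return 3, f"dropped executable {ev['path']}"
    if a == "connect" and ev.get("dst", "").rsplit(":", 1)[0] in KNOWN_BAD_HOSTS:
        return 4, f"connected to known bad host {ev['dst']}"
    if a == "reg_set" and any(k in ev.get("key", "").lower() for k in PERSISTENCE_KEYS):
        return 3, f"persistence via {ev['key']}"
    if a == "open_process" and ev.get("access", "") in {"write", "inject"}:
        return 4, f"cross-process {ev['access']} access to {ev.get('target')}"
    return 0, None


@dataclass
class Verdict:
    convicted: bool
    score: int
    reasons: list
    blocked: list  # (mode, reason) pairs; empty when the process was not contained


def analyse(lines, reputation="unknown", convict_threshold=6,
            contain_reputations=("unknown", "suspicious"), mode="block"):
    """Score a process's events; contain it first if its reputation is low.

    `mode` is "block" or "report" and models the configurable DAC response.
    The behavioral score accumulates either way, so a reported-only process
    can still be convicted once enough suspicious actions have been seen."""
    contained = reputation in contain_reputations
    score, reasons, blocked = 0, [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        weight, reason = classify_event(ev)
        if not weight:
            continue
        if contained:
            blocked.append((mode, reason))  # action stopped/reported before it takes effect
        score += weight
        reasons.append(reason)
    return Verdict(score >= convict_threshold, score, reasons, blocked)


# Constructed event logs (no real paths or hosts).
SUSPICIOUS_LOG = [
    r"pid=4120 proc=invoice_viewer.exe action=open path=C:\Users\alice\Downloads\invoice.pdf",
    r"pid=4120 proc=invoice_viewer.exe action=spawn child=powershell.exe",
    r"pid=4120 proc=invoice_viewer.exe action=write path=C:\Users\alice\AppData\Roaming\svc_update.exe",
    r"pid=4120 proc=invoice_viewer.exe action=reg_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc_update",
    r"pid=4120 proc=invoice_viewer.exe action=connect dst=198.51.100.23:443",
]
BENIGN_LOG = [
    r"pid=2200 proc=notepad.exe action=open path=C:\Users\alice\Documents\notes.txt",
    r"pid=2200 proc=notepad.exe action=write path=C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for name, log in (("suspicious", SUSPICIOUS_LOG), ("benign", BENIGN_LOG)):
        v = analyse(log)
        print(f"{name}: convicted={v.convicted} score={v.score} blocked={len(v.blocked)}")
```

Two things in the model mirror the text. First, the conviction threshold and the reputation bar are separate knobs: lowering the reputation bar contains more processes (fewer patient-zero infections, more friction for legitimate unknown software), while the conviction threshold trades detection speed against false positives. Second, no allowlist or denylist of files is consulted; only the process's own actions and its reputation drive the outcome.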
In our hypothetical grocery store, post-execution tools are the equivalent of having a surveillance team watching every inch of the premises and stepping in the moment someone tries to steal or demonstrates a sufficient level of suspicious behavior to summon the attention of store security. You’re not necessarily preventing every shoplifter from entering the store, but you’re ensuring that they can’t do much damage once inside.
If it sounds like there’s a tradeoff here, there is. Pre-execution scanning can prevent most malware from ever executing on endpoints—but it may miss some advanced attacks. Post-execution tools stop malicious behavior before it causes significant damage—but the file does execute on the system before they take action.
Neither method, on its own, will stop every attack or peel away every obfuscation technique. But working together as part of a multi-layered defense strategy, they provide powerful protection against the most sophisticated malware threats.
Like our hypothetical store, preventing threats is no longer about posting pictures and hoping someone spots a thief; it’s about ensuring that the tools to spot the would-be criminals you have yet to identify are in place. The good news is that with McAfee endpoint defenses, it’s possible to see more, stop more and do less, thanks to tightly integrated defenses with a single management console.