In the context of cybersecurity, evasion is the practice of executing malicious code despite the presence of anti-malware controls. Such tactics don’t exploit fixable defects. Instead, they take advantage of the factors that prevent malware detection in the real world from achieving its full theoretical potential.
These evasion-enabling factors include the following:
- Pattern Detection: Antivirus tools, even those that employ the latest approaches, detect malware based on the similarity of a file or process to previously seen malicious patterns, while keeping false positives in check. Attackers tweak malicious software so that it deviates from such patterns.
- Endpoint Performance: Real-time anti-malware techniques have to balance the thoroughness of introspection against the need to avoid slowing down the endpoint. Attackers craft malware to operate in the blind spots that exist as a result of such trade-offs.
- Runtime Discrepancies: Malware analysis tools that thoroughly examine suspicious files out-of-band employ execution environments that differ from normal endpoints. Attackers look for such discrepancies to conceal the true nature of their malicious code from such tools.
- Human Actions: End-users are often in a hurry, frequently multitask, and lack the deep understanding of risks that security professionals possess. Attackers use social engineering and other tactics to trick victims into infecting their own systems, overriding defensive measures.
- Powerful Features: The capabilities of today’s operating systems and applications are vast, offering built-in mechanisms to compromise the endpoint even without using traditional malware or exploits. Attackers abuse such features to bypass security controls.
- Open Channels: Even highly restrictive, isolated security measures need to accommodate business interactions, which require access to the data or applications that might aid adversaries. Attackers use such open channels to further their malicious objectives.
- Memory Mutability: System administration and security tools are weak at identifying and blocking malicious code that resides solely in the endpoint's memory. Attackers employ fileless techniques, compromising the endpoint without writing to the file system.
These real-world factors give attackers many opportunities for crafting malicious software that infects endpoints despite the presence of modern endpoint security tools. Minerva’s Anti-Ransomware Platform interferes with attempts to take advantage of the limitations inherent to such tools, augmenting their protection to dramatically increase the ability to prevent infections. Reach out to us if you’d like to learn more about evasion tactics and approaches to stopping them.