How to Stop Fileless Malware

In 2017, SonicWall Capture Labs discovered 56 million new forms of malware from across the globe. Threat actors are constantly creating updates to known versions of malware to get past defenses that rely on identifying malware (i.e., signatures). The forms of security that stop malware and ransomware based on signatures are only effective if they can identify the strain.

Since malware authors don’t want to continually update their code and have attacks in flight fail, they often resort to creating fileless malware as a highly effective alternative.

What is fileless malware?

Fileless malware has been around for some time, but has dramatically increased in popularity the last few years. These malware leverage on-system tools such as PowerShell, macros (like in Microsoft Word and Excel), Windows Management Instrumentation or other on-system scripting functionality to propagate, execute and perform whatever tasks it was developed to perform.

The problem for the business

One of the reasons fileless malware is so powerful is that security products cannot just block the systems or software that these are utilizing. For example, if a security admin blocked PowerShell, many IT maintenance tasks would be terminated. This makes it impossible for signature-based security solutions to detect or prevent it because the low footprint and the absence of files to scan.

How can SonicWall stop fileless malware?

The key is not to look at the file but, instead, look at how it behaves when it runs on the endpoint. This is effective because although there is a large and increasing number of malware variants, they operate in very similar ways. This is similar to how we educate our children to avoid people based on behavior instead of showing them a list of mug shots every time they leave home.

SonicWall Capture Client, powered by SentinelOne, is a next-generation antivirus endpoint protection platform that uses multiple engines, including static and behavioral AI, to stop malware before, during and even after execution. It also offers the ability to roll back an endpoint to a state before the malware got on to or activated on the system.

In the face of fileless malware, the full behavioral monitoring approach is amazing at detecting and preventing this type of attack because it is agnostic to the attack vector.

How does it work?

SonicWall actively monitors all activities on the agent side at the kernel level to differentiate between malicious and benign activities. Once Capture Client detects malicious activity, it can effectively mitigate an attack and, if needed, roll back any damage, allowing the user to work on a clean device.

Conclusion

Ultimately, adversaries will always take the shortest path to compromise endpoints to ensure the highest return with the least amount of effort. Fileless malware is quickly becoming one of the most popular ways to do so. It is not enough to just block essential operations like PowerShell.

You need anti-virus software that fully monitors the behavior of a system to prevent attacks utilizing exploits, macro documents, exploit kits, PowerShell, PowerSploit and zero-days vulnerabilities locally and without dependence to network connectivity.

To learn more, download the in-depth data sheet, “SonicWall Capture Client powered by SentinelOne.”

SonicWall Staff