However, malware creators are countering this approach by adding capabilities to their code. They can design their malware to 'sleep' during sandbox checks to evade discovery, or to behave differently if it detects that it is running within a virtual machine, something many IT departments use to host their sandboxes.
A smarter approach is therefore required, and this involves the use of an emulator. Emulator software simulates the functionality of another program or piece of hardware. When suspected malware is run within an emulator it can be tricked into thinking it's not in a sandbox but has, in fact, managed to infect a real system. It will then act normally and be detected by the security tools.
Unfortunately, malware writers continue to evolve their code and some have been able to evade even this emulation approach. Because operating system emulators cannot replicate every call in a real operating system, some malware can spot that things are missing and remain silent and undetectable.
The most effective approach is to undertake full system emulation where the emulator used also simulates physical hardware, including a computer's CPU and memory. This makes it particularly difficult for malware to detect the emulator and more likely that it will become active and be spotted.
Simple detection is not enough
However, while detection of malware is a vital step in ensuring system security, it is not the end of the process. IT teams need to receive clear, actionable information that will alert them to the presence of the problem before any damage occurs.
The teams need to be sent email alerts when harmful files are found and be given a clear indication of why the file is suspected, to avoid the alert being dismissed as a false positive.
Such tailored alerts can ensure that remedial action can be undertaken quickly, rather than the threat being lost in a sea of notifications and log files.
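As an added illustration (not code from the article or any product it describes), the following scores a sandbox API trace for the evasion behaviours mentioned above (sleeping through the analysis window, probing for a virtual machine, staying silent) and turns the result into the kind of alert the text asks for, one that states why the file is suspect. The trace format, API names, thresholds and sample traces are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

SLEEP_BUDGET_MS = 60_000      # assumed sandbox analysis window: 60 seconds
VM_ARTIFACT_WORDS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v")
MIN_ACTIVITY_CALLS = 5        # fewer non-sleep calls than this reads as "staying silent"


@dataclass
class Alert:
    verdict: str
    reasons: list = field(default_factory=list)


def analyse_trace(trace):
    """trace: list of (api_name, [arguments]) pairs as a sandbox would record them."""
    total_sleep_ms = 0
    vm_probes = []
    activity = 0
    for api, args in trace:
        if api in ("Sleep", "SleepEx", "NtDelayExecution"):
            total_sleep_ms += int(args[0])
            continue
        activity += 1
        blob = " ".join(str(a) for a in args).lower()
        if any(word in blob for word in VM_ARTIFACT_WORDS):
            vm_probes.append(f"{api}({', '.join(map(str, args))})")
    reasons = []
    if total_sleep_ms >= SLEEP_BUDGET_MS:
        reasons.append(f"sleeps for {total_sleep_ms // 1000}s, longer than the "
                       f"{SLEEP_BUDGET_MS // 1000}s analysis window")
    if vm_probes:
        reasons.append("probes for virtual-machine artefacts: " + "; ".join(vm_probes))
    if activity < MIN_ACTIVITY_CALLS:
        reasons.append(f"only {activity} non-sleep API calls: the sample stayed almost silent")
    verdict = "SUSPECT: re-run under full-system emulation" if reasons else "no evasion indicators"
    return Alert(verdict, reasons)


# Constructed sample traces (not output from any real sample).
EVASIVE_TRACE = [
    ("FindFirstFileW", ["C:\\Program Files\\VMware\\*"]),
    ("Sleep", [300_000]),
    ("CreateFileW", ["C:\\Users\\Public\\readme.txt"]),
]
BENIGN_TRACE = [("CreateFileW", [f"C:\\Temp\\out{i}.txt"]) for i in range(6)] + [("Sleep", [100])]

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        alert = analyse_trace(trace)
        print(f"{name}: {alert.verdict}")
        for reason in alert.reasons:
            print(f"  - {reason}")
```

Each reason string is meant to go straight into the email alert so the reader can judge the verdict without opening the raw log.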
Advanced Malware Detection is key
Hacking techniques will continue to evolve and the threats being faced by organisations will become ever more complex. Clearly the security approaches that have been used in the past are no longer sufficient.
The signature-based malware detection that has been widely used in the past is no longer able to cope with the increasingly sophisticated pieces of malware being produced. Antivirus and intrusion prevention systems, while still vital, must be supplemented with new Advanced Persistent Threat detection tools that have four key characteristics:
- A sandbox capable of full system emulation and with the ability to analyse multiple file types
- An ability to extend beyond the sandbox and detect different forms of advanced malware
- Good visibility so IT teams receive clear, actionable alerts of all detected malware and explanations of why it has been identified
- The capability to proactively take action and block malicious code when it is detected.