2 strategies for blocking zero-day malware

In light of recent research highlighting the fact that traditional antivirus products fail to block zero-day malware, it’s important to know there are two other strategies you can use to protect your organization against it.

As the folks over at DarkReading.com recently pointed out, zero-day malware is growing exponentially — automated construction kits make it easier than ever to produce thousands of variants with the press of a button.

To complicate things even further, many attackers are developing “one-time-use” malware, so by the time the antivirus software vendors add a newly discovered signature to their database, the malware’s already been abandoned.

In fact, a recent study confirmed the dismal performance of traditional antivirus products against zero-day malware. Security firm Imperva sponsored a study that ran 82 new malware samples through an online malware-checking system that tests the files against 40 antivirus software products, and none of the programs identified the new samples as malware.

Alternatives to signature-based malware detection

Because it’s easy to vary the signature of malware, and it takes a long time to get it included in antivirus software databases, the industry has started moving away from signature-based detection toward behavior-based detection.

It’s possible to detect zero-day malware when it’s identified by its activities on the network instead of its appearance because malware follows typical patterns of suspicious behavior.

Experts recommend IT managers look for antivirus software that emphasizes behavior over signatures. Emsisoft, Triumfant and Damballa are three such products.

The other strategy experts recommend is to use application whitelisting. Application whitelisting involves creating a list of approved software that’s authorized to run on the network and access resources when necessary. If you restrict what programs are allowed to run on the network, you can prevent the zero-day malware from executing in the first place.