10 Malware Detection Techniques

Kurt Baker - January 3, 2023

What Is Malware Detection?

Cybercriminals use and develop malware (malicious software) to infiltrate target computer systems and achieve their objectives. Malware is offensive in nature and can cause destruction, disruption and numerous other effects to computer systems to achieve criminal goals.

Conversely, malware detection is a set of defensive techniques and technologies required to identify, block and prevent the harmful effects of malware. This protective practice consists of a wide body of tactics, amplified by various tools based on the type of malware that infected the device.

Learn more: read our post listing 12 different types of malware and what they do to better understand how to detect and protect against them. Read: 12 Most Common Types of Malware

10 Malware Detection Techniques

An effective security practice uses a combination of expertise and technology to detect and prevent malware. Tried and proven techniques include:

1. Signature-based detection

Signature-based detection uses known digital indicators of malware to identify suspicious behavior. Lists of indicators of compromise (IOCs), often maintained in a database, can be used to identify a breach. While IOCs can be effective in identifying malicious activity, they are reactive in nature. As a result, CrowdStrike uses indicators of attack (IOA) to proactively identify in-process cyberattacks.

2. Static file analysis

Static file analysis examines a file’s code, without running it, to identify signs of malicious intent. File names, hashes, embedded strings such as IP addresses, and file header data can all be evaluated to determine whether a file is malicious. While static file analysis is a good starting point, proficient security teams use additional techniques to detect advanced malware that can go unidentified during static analysis.

3. Dynamic malware analysis

Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This closed system enables security professionals to watch and study the malware in action without the risk of letting it infect their system or escape into the enterprise network.

4. Dynamic monitoring of mass file operations

Dynamic monitoring observes mass file operations, such as bulk rename or delete commands, to identify signs of tampering or corruption. It often relies on a file integrity monitoring tool to track and analyze the integrity of file systems through both reactive forensic auditing and proactive rules-based monitoring.
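A rules-based monitor of the kind described above, written as an added example (not CrowdStrike's or the article's code): it replays constructed file-operation audit lines and flags any process that performs five or more rename/delete operations within a ten-second sliding window. The audit line format, the process names and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events (not real telemetry); the line format is an assumption.
SAMPLE_EVENTS = r"""
2023-01-03T10:00:00 pid=1204 proc=WINWORD.EXE op=WRITE path=C:\Users\ann\report.docx
2023-01-03T10:00:05 pid=1204 proc=WINWORD.EXE op=RENAME path=C:\Users\ann\~WRL0001.tmp
2023-01-03T10:01:00 pid=5577 proc=updater.exe op=RENAME path=C:\Users\ann\a.docx
2023-01-03T10:01:00 pid=5577 proc=updater.exe op=RENAME path=C:\Users\ann\b.xlsx
2023-01-03T10:01:01 pid=5577 proc=updater.exe op=RENAME path=C:\Users\ann\c.pdf
2023-01-03T10:01:01 pid=5577 proc=updater.exe op=DELETE path=C:\Users\ann\d.jpg
2023-01-03T10:01:02 pid=5577 proc=updater.exe op=RENAME path=C:\Users\ann\e.pptx
2023-01-03T10:01:02 pid=5577 proc=updater.exe op=RENAME path=C:\Users\ann\f.docx
2023-01-03T10:05:00 pid=1204 proc=WINWORD.EXE op=DELETE path=C:\Users\ann\~WRL0001.tmp
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")

def parse_events(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def detect_mass_ops(events, window_sec=10, threshold=5, ops=("RENAME", "DELETE")):
    """Return {pid: (process, ops in window)} for pids hitting threshold within the window."""
    recent = defaultdict(deque)   # pid -> timestamps of recent rename/delete ops
    flagged = {}
    window = timedelta(seconds=window_sec)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in ops:
            continue
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and ev["pid"] not in flagged:
            flagged[ev["pid"]] = (ev["proc"], len(q))
    return flagged

if __name__ == "__main__":
    print(detect_mass_ops(parse_events(SAMPLE_EVENTS)))
```

The editor's two operations five minutes apart fall outside the window, so only the burst from pid 5577 is flagged.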

5. File extensions blocklist/blocklisting

File extensions are the letters after the final period in a file name, indicating the format of the file. Criminals can use this classification to package malware for delivery. As a result, a common security method is to list known malicious file extension types in a “blocklist” to prevent unsuspecting users from downloading or using the dangerous file.

6. Application allowlist/allowlisting

Allowlisting is the opposite of blocklisting: an organization authorizes a system to use only the applications on an approved list. Allowlisting can be very effective at preventing nefarious applications through its rigid parameters. However, it can be difficult to manage and can reduce an organization’s operational speed and flexibility.

7. Malware honeypot/honeypot files

A malware honeypot mimics a software application or an application programming interface (API) to draw out malware attacks in a controlled, non-threatening environment. Similarly, a honeypot file is a decoy file used to draw in and detect attackers. Security teams can then analyze the attack techniques and develop or enhance antimalware solutions to address these specific vulnerabilities, threats or actors.

8. Checksumming/cyclic redundancy check (CRC)

A checksum is a calculation over a collection of data, such as a file, to confirm its integrity. One of the most common checksums is the CRC, which takes into account both the value and the position of each unit of data. Checksumming can be effective for identifying accidental corruption in data but is not foolproof for detecting deliberate tampering.

9. File entropy/measuring changes of a file’s data

As threat intelligence and cybersecurity evolve, adversaries increasingly generate dynamically modified malware executables, typically by packing or encrypting them, to avoid detection. The resulting modified files have high entropy levels, so measuring the change in a file’s data through its entropy can identify potential malware.
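An added example (not the article's or CrowdStrike's code) that combines the static file analysis of technique 2 with the entropy measurement of technique 9: it hashes a file, checks the PE header magic, extracts printable strings and IP-address-like strings, and computes the Shannon entropy of the whole file to flag likely packed or encrypted content. The 7.2 bits-per-byte packing threshold and the two constructed sample files are assumptions for the example.

```python
import hashlib
import math
import re
from collections import Counter

IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs of 6+ chars

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def static_summary(data: bytes, packed_threshold: float = 7.2) -> dict:
    """Cheap static triage: hash, header check, extracted strings/IPs, entropy."""
    entropy = shannon_entropy(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": data[:2] == b"MZ",            # DOS/PE header magic
        "strings": [s.decode() for s in STRING_RE.findall(data)][:10],
        "ips": sorted({m.decode() for m in IP_RE.findall(data)}),
        "entropy": round(entropy, 3),
        # Whole-file entropy near 8 suggests packing or encryption; that is a reason
        # to escalate to dynamic analysis, not proof the file is malicious.
        "suspected_packed": entropy >= packed_threshold,
    }

def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed samples: a low-entropy file with readable strings, and a "packed" one.
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" + \
    b"beacon host 203.0.113.10 port 443\r\n" * 20
PACKED_SAMPLE = b"MZ" + pseudo_random_bytes(4096)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, static_summary(blob))
```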

10. Machine learning behavioral analysis

Machine learning (ML) is a subset of artificial intelligence (AI), and refers to the process of teaching algorithms to learn patterns from existing data to predict answers on new data. This technology can analyze file behavior, identify patterns and use these insights to improve detection of novel and unidentified malware.

Prevent and Detect Malware with CrowdStrike

CrowdStrike Falcon® Prevent next-generation antivirus provides comprehensive protection from malware that’s simple to operate. Key attributes include:

State-of-the-art prevention

Combines innovative AI/ML technology with intelligence to rapidly identify and prevent malware.

Visibility

Presents attacks visually in an easy-to-understand process tree enriched with contextual and threat data.

Simple, fast and lightweight

Fully operational in seconds, no reboot required. Minimal CPU overhead does not impact system performance and end-user productivity.


GET TO KNOW THE AUTHOR

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.