What is the Best Analytic Technique to Detect Malware?

Blog Post created by user.v1YcBgOpe0 Employee on Feb 26, 2018

Matthew Gardiner is a Senior Product Marketing Manager at Mimecast, currently focused on email security, phishing, malware, and cloud security.


It is no secret that email remains a primary vehicle for malware delivery. Email is so convenient and effective from the attackers' point of view. Sometimes the malicious payload is attached directly to the email; at other times the attached file is only a dropper; and in other scenarios the malware file is linked directly from a URL or pulled down through the execution of an Office macro. The key question is this: no matter how a piece of malware is delivered in an email-borne attack, how best to automatically determine whether the file is clean or dirty? This is no academic issue for Mimecast, as we inspect hundreds of millions of these files a month on behalf of our customers. We are constantly looking for better and faster ways!


Which approach is best for detecting email-borne malware: signature-based, static file analysis, or behavioral sandboxing? Of course the answer is Yes! There is no one technique that is perfect. Malware writers are too smart for that! Signature-based solutions rely on file hashing to quickly detect known-bad files, but aren't great for unknown-bad files. Static file analysis inspects the file itself without executing or opening it; it is very fast and has excellent efficacy. Behavioral sandboxing actually executes the file and monitors what, if any, malicious activity takes place after that; it is a pretty definitive approach, but more resource- and time-intensive.
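To make the layering concrete, here is an added example (not Mimecast's code or any description of how Attachment Protect works) of a triage function that applies the three techniques in order of cost: a hash lookup against a known-bad set, two cheap static checks (a VBA project member inside an Office container, and a PE executable behind a non-executable file name), and escalation of anything still unknown to a sandbox. The hash set, the OOXML-style containers and the attachment bytes are all constructed inline; the member and header checks are simplified heuristics, not a complete parser.

```python
import hashlib
import io
import zipfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "signature feed": one known-bad SHA-256 (stand-in for a real hash list).
KNOWN_BAD_SHA256 = {sha256_hex(b"constructed-known-bad-sample")}

def office_has_macro(data: bytes) -> bool:
    """Static check: OOXML files are zip containers; VBA lives in a vbaProject.bin member."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def extension_mismatch(filename: str, data: bytes) -> bool:
    """Static check: PE executable ('MZ' header) behind a non-executable file name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return data.startswith(b"MZ") and ext not in ("exe", "dll", "scr")

def triage(filename: str, data: bytes, known_bad=KNOWN_BAD_SHA256) -> str:
    """Layered verdict: 'dirty' (block), 'clean' (deliver) or 'sandbox' (escalate)."""
    if sha256_hex(data) in known_bad:        # 1. signature: fast, known-bad only
        return "dirty"
    if extension_mismatch(filename, data):    # 2. static: inspect without executing
        return "dirty"
    if office_has_macro(data) or data.startswith(b"MZ"):
        return "sandbox"                      # 3. behavioral: unknown active content
    return "clean"

def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip, optionally with a VBA project member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()

# Constructed sample attachments (not real malware): file name -> bytes.
SAMPLES = {
    "invoice.docm": build_ooxml(True),
    "report.docx": build_ooxml(False),
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,  # PE bytes behind a .pdf name
    "known.bin": b"constructed-known-bad-sample",
}
```

Running `triage(name, blob)` over `SAMPLES` yields dirty for the known hash and the disguised executable, sandbox for the macro-bearing document, and clean for the plain document.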


The best approach for detecting malicious files is to use all of these techniques in a smart way to detect and then block delivery of malicious files that try to enter your organization via email. And this is exactly what the Mimecast Attachment Protect service does. We recently significantly strengthened our static file analysis capabilities to make Attachment Protect both faster and better at processing email-borne files for malware. This is live for all Attachment Protect customers now! Check out the details in this Services Update.