Enterprise Signatureless Malware Detection

How ECAT Differs From Traditional Antivirus

To effectively detect malware, ECAT uses a completely different approach from traditional AV.

Why do antivirus scanners fail to detect advanced malware?

Traditional antivirus companies use known virus signatures to identify malware. Although this technique worked well in the past, it has been overwhelmed by the growth of malware families. A single AV vendor alone created more than 500,000 new signatures in 2010, and there is no end in sight for this trend. Creating signatures requires dedicated, highly skilled personnel who cannot keep up with the flood of new threats. The process is reactive, not proactive, in identifying threats: vendors must focus on the most widely distributed malware and set aside samples with low distribution rates, such as APT-related malware. As soon as a signature is deployed to block a known piece of malware, its author starts bypassing it by making minor modifications to the code and testing the result against the low-cost (usually free for 30 days), publicly available products that detect it.

How is ECAT Different?

Instead of spending precious time analyzing malware samples to create signatures, our team works on automating the detection of anomalies within applications and memory. In a typical enterprise environment, only a few thousand executables ever get loaded into memory, and only a few of those generate anomalies. Legitimate anomalies are mostly created by security products and by the sandboxing technologies built into browsers and file viewers. These products are limited in number and easy to obtain and analyze, so we have incorporated them into a “known anomalies database”. Anomalies outside this database are automatically flagged and reported to the ECAT console operator, who can then respond quickly.
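The contrast between the two models can be shown in a few lines. The following is an added illustration written for this page, not ECAT's own code or data structures: a hash-based "signature database" that misses a sample after a one-byte change, next to an anomaly triage that reports every in-memory anomaly not explained by a known-anomalies database. The anomaly kinds (`inline_hook`, `rwx_region`), module names and byte strings are constructed for the example; the known-anomalies entries are keyed by anomaly kind plus module hash rather than by file name, an assumed design choice, so a renamed unknown module does not inherit a legitimate product's entry.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; stands in for an AV file signature."""
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample images (labelled byte strings, not real malware) ---
ORIGINAL_IMAGE = b"MZ\x90\x00" + b"sample-image-v1: installs inline hook on NtQueryDirectoryFile"
# The author "recompiles" with a one-byte change; behaviour is identical.
VARIANT_IMAGE = ORIGINAL_IMAGE.replace(b"v1", b"v2")

# Signature database: hashes of images a vendor has already analysed.
SIGNATURE_DB: Set[str] = {sha256_hex(ORIGINAL_IMAGE)}


def signature_scan(image: bytes) -> bool:
    """Traditional AV model: a hit only if the exact image hash is already known."""
    return sha256_hex(image) in SIGNATURE_DB


@dataclass(frozen=True)
class Anomaly:
    kind: str            # what was observed in memory, e.g. "inline_hook" (constructed kinds)
    module: str          # file name of the module responsible (constructed)
    module_sha256: str   # hash of that module as loaded


# Known-anomalies database: legitimate anomaly producers such as security
# products and browser sandboxes. Keyed by (kind, module hash), never by file
# name alone. Module contents and hashes are constructed for the example.
EDR_MODULE = b"constructed EDR hooking module"
BROWSER_SANDBOX = b"constructed browser sandbox module"
KNOWN_ANOMALIES: Set[Tuple[str, str]] = {
    ("inline_hook", sha256_hex(EDR_MODULE)),
    ("rwx_region", sha256_hex(BROWSER_SANDBOX)),
}


def triage(anomalies: Iterable[Anomaly]) -> List[Anomaly]:
    """Anomaly model: report everything not explained by the known-anomalies DB."""
    return [a for a in anomalies if (a.kind, a.module_sha256) not in KNOWN_ANOMALIES]


# Constructed observations from one host scan.
OBSERVED = [
    Anomaly("inline_hook", "edr_hooks.dll", sha256_hex(EDR_MODULE)),
    Anomaly("rwx_region", "browser_sandbox.dll", sha256_hex(BROWSER_SANDBOX)),
    # Same hook behaviour as the signature-detected image, but from the variant,
    # which has borrowed the EDR module's file name; the hash does not match.
    Anomaly("inline_hook", "edr_hooks.dll", sha256_hex(VARIANT_IMAGE)),
]

if __name__ == "__main__":
    print("signature hit, original:", signature_scan(ORIGINAL_IMAGE))
    print("signature hit, variant: ", signature_scan(VARIANT_IMAGE))
    for a in triage(OBSERVED):
        print("flagged:", a.kind, a.module, a.module_sha256[:12])
```

Run stand-alone, the signature scan reports the original image and misses the variant, while the anomaly triage flags exactly one entry: the hook installed by the variant, despite its spoofed file name, because the (kind, hash) pair is not in the known-anomalies database. The two legitimate anomalies from the EDR and browser sandbox are suppressed, which is the reason a small, curated list of known producers is enough to keep the operator's queue short.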

To see ECAT in action side by side with AV, read our blog post. Then watch the video of ECAT scanning a machine that a leading AV engine had declared clean while it was infected with a Zeus variant. You can also download the ECAT datasheet, download the whitepaper, or contact us for a demo.