I've read about malware that attempts to avoid automated analysis by antivirus programs by waiting to run malicious...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
code until user input (the mouse) is active. Could you provide some info on these malware evasion techniques? Should I be concerned that my antivirus product isn't picking up on such threats?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
As the war against malware continues to evolve, malware developers are increasingly using professional software development methods and continue adding in new evasion techniques to prevent their malware from being detected. Malware writers have included antivirtual machine detection in their tool chests since at least 2006 to prevent researchers from analyzing their malware and developing signatures for detection and prevention. Automated anti-malware tools also use virtual machines for analysis to block the malware. Some malware is now checking for mouse activity to prevent analysis. As an example of why such techniques could be valuable to attackers, malware could check to confirm it can reach the command-and-control infrastructure prior to activation.
Endpoint anti-malware tools do not necessarily need to detect if there is mouse activity while checking for malware, but the researchers at the anti-malware vendors need to be able to analyze the malware to develop signatures or methods to detect the malware. Once a signature or detection method is created, it can be used to prevent malware from potentially executing on the endpoint before checking for mouse activity. If the anti-malware research teams are not picking up on these threats, enterprises should be concerned because that would call the endpoint security tool into question if it can't adapt to detect new attacks. Enterprises may want to investigate alternative anti-malware products or other endpoint security tools (e.g., whitelisting) that could detect or prevent malicious code from running on an endpoint.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
When NSA cyberweapons went public, attackers bundled them into the EternalRocks malware. Nick Lewis takes a closer look at this new threat and ...continue reading
A Google Docs phishing attack used OAuth tokens to affect more than a million Gmail users. Nick Lewis explains how it happened, and how to defend ...continue reading
A vulnerability in Microsoft's Windows Defender antivirus tool left users open to remote code exploitation. Expert Nick Lewis explains how it ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.