Skip to content

M1049 Antivirus/Antimalware

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:

Signature-Based Detection:

  • Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats.
  • Use Case: When malware like “Emotet” is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.

Heuristic-Based Detection:

  • Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature.
  • Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.

Behavioral Detection (Behavior Prevention):

  • Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges.
  • Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.

Real-Time Scanning:

  • Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed.
  • Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.

Cloud-Assisted Threat Intelligence:

  • Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats.
  • Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.

Tools for Implementation:

  • Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
  • Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates.
  • Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.
Item Value
ID M1049
Version 1.2
Created 11 June 2019
Last Modified 10 December 2024
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.006 Kernel Modules and Extensions Common tools for detecting Linux rootkits include: rkhunter 3, chrootkit 4, although rootkits may be designed to evade certain detection tools.
enterprise T1059 Command and Scripting Interpreter Anti-virus can be used to automatically quarantine suspicious files.
enterprise T1059.001 PowerShell Anti-virus can be used to automatically quarantine suspicious files.
enterprise T1059.005 Visual Basic Anti-virus can be used to automatically quarantine suspicious files.
enterprise T1059.006 Python Anti-virus can be used to automatically quarantine suspicious files.
enterprise T1564 Hide Artifacts Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.2
enterprise T1564.012 File/Path Exclusions Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.2
enterprise T1036 Masquerading Anti-virus can be used to automatically quarantine suspicious files.
enterprise T1036.008 Masquerade File Type Anti-virus can be used to automatically quarantine suspicious files.
enterprise T1027 Obfuscated Files or Information Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. 7
enterprise T1027.002 Software Packing Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.
enterprise T1027.009 Embedded Payloads Anti-virus can be used to automatically detect and quarantine suspicious files.
enterprise T1027.010 Command Obfuscation Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted.
enterprise T1027.012 LNK Icon Smuggling Use signatures or heuristics to detect malicious LNK and subsequently downloaded files.
enterprise T1027.013 Encrypted/Encoded File Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation.
enterprise T1027.014 Polymorphic Code Anti-virus can be used to automatically detect and quarantine suspicious files. Employment of advanced anti-malware techniques that make use of technologies like machine learning and behavior-based mechanisms to conduct signature-less malware detection will also be more effective than traditional indicator-based detection methods.
enterprise T1027.015 Compression Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives.
enterprise T1027.016 Junk Code Insertion Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code.6
enterprise T1566 Phishing Anti-virus can automatically quarantine suspicious files.
enterprise T1566.001 Spearphishing Attachment Anti-virus can also automatically quarantine suspicious files.
enterprise T1566.003 Spearphishing via Service Anti-virus can also automatically quarantine suspicious files.
enterprise T1080 Taint Shared Content Anti-virus can be used to automatically quarantine suspicious files.5
enterprise T1221 Template Injection Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.1

References

  1. Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018. 

  2. Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024. 

  3. Rootkit Hunter Project. (2018, February 20). The Rootkit Hunter project. Retrieved April 9, 2018. 

  4. Murilo, N., Steding-Jessen, K. (2017, August 23). Chkrootkit. Retrieved April 9, 2018. 

  5. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023. 

  6. ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025. 

  7. Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.