The first computer virus, as we think of them today, is considered to be Creeper from 1971, targeting mainframes. It was met with the first antivirus software (AV) created called Reaper. Interestingly, Reaper was actually a computer worm meant to remove Creeper. 

Let’s fast forward to 1994, when AV-Test reported that there were 28,613 unique malware samples in their database, affirming that computer viruses were going to be an ongoing problem. With malware emerging as a threat, many commercial antivirus products we are familiar with today were brought to market in the 1990s.

How does antivirus work?

At its most basic, traditional AV used what is called “signature-based detection” to detect and block viruses and malware from executing on endpoints.

While modern endpoint security of NGAV and EDR is very effective at stopping threats, no vendor or technique is 100 percent effective.

When a new piece of malware or a virus is found, endpoint security vendors develop a signature that is added to the vendor’s database of signatures, installed on all computers running their software. The signatures allow the AV software to scan files in order to recognize (hopefully) all malware/viruses and block them from executing.

Attackers became wise to the process of signature updates. In order to evade AV scans that would block malware, the attackers behind the malware adjusted malicious files slightly so they didn’t match the exact AV database signature, thus yielding infections.  

The endpoint security industry sought to combat this with heuristic, or generic, detections. Slightly updated malware would share portions of code with older variants, making it possible to detect the overlapping code between the malware with heuristics.

Antivirus effectiveness

Despite heuristics, the antivirus protection we relied on for years was losing effectiveness in stopping malware. In 2014, merely confirming what most security practitioners already knew, a survey measured the effectiveness of anti-virus software. It ultimately concluded that “no single AV vendor can detect most malware most of the time,” further stating, “on Day 0, only 51% of AV scanners detected new malware samples.”

Becoming EPP

Given the need for greater endpoint protection, vendors rounded out their offerings to include additional functionality like personal firewalls, host intrusion prevention, data loss prevention (DLP) or host encryption. With these new capabilities added to antivirus, endpoint security suites became known as endpoint protection platforms (EPP). While useful, this added capability did not materially improve malware detection rates, still the primary function of endpoint security.

The evolution of endpoint security

Fortunately, we’ve seen rapid development in the endpoint security space over the past five years with the rise of next-generation antivirus (NGAV), endpoint detection and response (EDR) and endpoint segmentation tools. This is welcome, given that fileless attacks and self-propagating ransomware are common – and require more sophisticated tools to fight them.

These tools call on capabilities, often cloud-delivered, that are now table stakes in endpoint security. One key technique is sandbox malware analysis to execute potential malware in a virtual environment, to determine if a file is malicious or not.

More broadly, CrowdStrike defines NGAV as:

...a combination of artificial intelligence, behavioral detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented.

Machine learning used to detect threats consists of algorithms that identify malware prior to execution with real-time evaluation of millions of file characteristics to determine if a file is malicious. Exploit mitigation helps prevent malware-less attacks targeting vulnerabilities. 

Indicators of Attacks or Compromise are another technique often used today. They examine behaviors of both legitimate system activity and suspicious activities to detect series of events that indicate malware infection attempts or malicious activity. 

Tools like EDR complement NGAV to offer deep endpoint visibility to detect any malicious files or processes and immediately contain them. Not only will EDR monitor files to track where they go and what they do, it also looks at endpoint activity to alert on anything consistent with malware or ransomware like changes to processes, DLLs and registry settings and network activity.  

Response capabilities include retrospectively removing files or isolating endpoints to prevent threats from inflicting further harm. EDR’s deep endpoint visibility also enables threat hunting to proactively search for indicators of attack or compromise and the ability to carry out detailed forensics. 

What tools are most relied on today? Recent research indicates EDR is the most common at 73%, but respondents also acknowledge they have antivirus capabilities to block all known malicious files. The fact that the majority of respondents have EDR capabilities is likely because vendors they rely on for antivirus have added some EDR capabilities.

Still not 100%

Endpoint segmentation is another endpoint security tool used to prevent the spread of ransomware and malware.

While modern endpoint security of NGAV and EDR is very effective at stopping threats, no vendor or technique is 100 percent effective. Recent survey research shows that 56% of respondents feel that their endpoint security tools miss between 1 and 10% of malware.

For this reason, endpoint segmentation is deployed alongside NGAV and EDR to add Zero Trust to endpoints. It blocks all endpoint-to-endpoint communications that are not expressly permitted vastly reducing the attack surface that threats like ransomware take advantage of to reduce the risk of enterprise-wide ransomware and malware attacks.

Watch short video how Illumio Edge addresses Endpoint Security: