Out of six typical malicious actions, three are run- or execution-based. Let's dive deeper into the protection techniques for those.
These are the typical "run"-based actions that most malware might use; keep in mind that there are three other actions that are not run-based:
1) Run malware
2) Run application macros (typically MS Office)
Most endpoint solutions focus on protecting against item 1. There are different techniques out there, including:
- Signature based
- Machine learning
- Big data analytics
- Crowd sourcing approaches
- Virtual sandboxing detonation techniques
- Evasion detection
- Other black magic or proprietary techniques
No single approach has 100% coverage, and none will. Most of them have some merit and many will make outlandish claims, but this is a game of cat and mouse and each technique has at least one Achilles' heel. Keep in mind that several still need sacrificial lambs: a victim has to be infected and detected before the rest of the herd can be protected.
There is a long list of products in this space, and protection coverage in this area is probably the strongest, but it's not 100% effective. Coverage varies by operating system and, as always, you cannot protect a device where the EDR solution isn't installed. If you have a mixed environment where 100% endpoint protection isn't possible, you need to include strong network-based protections, and you should regardless, just in case. Endpoint alone is inadequate.