After successful delivery, most malware will invoke one or more malicious actions in order to gain a foothold.
Keep in mind that we're talking only about the endpoint-compromise phase of an attack, i.e. what happens after successful delivery.
At this point, sophisticated malware will most likely make multiple attempts, using several techniques, to spread further within the network via lateral movement, and will then attempt one or more of these malicious actions:
1) Run malware
2) Run application macros (most often MS Office)
3) Run scripts
4) Exploit good/approved applications
5) Exploit the operating system
6) Escalate privileges
At this stage the malware is running loose within the network. It may still be detected, and additional endpoints may still be protected from being taken hostage, but only a few options remain:
- Detection (which isn't protection per se)
- Quarantine steps for the endpoint
- Protection from further infections
While a single product and method might provide some coverage and protection on a given endpoint, it is unlikely to provide full coverage. For instance, privilege escalation is usually a very different threat to protect against than the execution of something, be it malware, macros or scripts.
Vulnerability scanning and patching can help minimize exploits, but even a well-run patching program won't protect against the other actions and won't protect against malware that is already in place.
A systems approach with blended solutions is required for full protection to even be possible. Even then, it requires full situational awareness of everything within the network, which few companies have deployed well.
Some companies have chosen multiple endpoint products, and while that may add some protection (at a cost), it alone will not provide full coverage against all six malicious actions, and no single product provides 100% coverage for all six. It's best to focus on having something in place for all six areas and then strengthening individual areas as threats evolve.