To detect malware, defenders need a strategy and tools that can recognize it, even if it has been disguised! In the past, defenders have identified malware by it’s unique filehash signature (typically an MD5, SHA1, or SHA256 checksum). Colloquially you can think of a malware’s filehash signature like a fingerprint — it’s a unique identifier derived from the entire contents of a file, that reveals the malware’s true malicious nature. A downside of filehash based malware detection is that attackers can easily disguise their malware by adding blank lines or comments to their code so new variants have a totally new filehash, rendering detection with old filehash useless!
More advanced detection methods do not calculate a single signature from the entire file (something that is too easily changed), instead they use multiple signatures each of (Read more…)
*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Julian Wayte. Read the original post at: https://www.uptycs.com/blog/resource-smart-yara-scans-saving-cpu-and-time-with-osquery