This Malware Defence is Becoming Easy to Bypass


Most cybersecurity protections in use today rely heavily on endpoint detection and response (EDR) software. In 2020, the EDR market was estimated at US$ 1.76 billion, and by 2026 it will likely grow to US$ 6.72 billion. However, EDR alone is not an adequate malware defence because it is reactive: during the time it takes an EDR tool to analyze malware, malicious actors will already have executed it on the endpoint.

During a security event, EDR software is used to query systems for artifacts, which are data points containing forensically valuable information. As part of a security orchestration strategy, EDR can carry out real-time monitoring by keeping track of events, building timelines, producing alerts, and triggering automated responses.

Though EDR is crucial for investigating threats, too many businesses have made the error of using it as their primary line of defence against security breaches. Traditional anti-virus programs have evolved into EDR, whose primary purpose is to offer unified monitoring across numerous devices.

Why Are Malware Defences Like EDR Unreliable?

The fact that EDR is a reactive strategy is its biggest flaw. Because traditional EDR technologies rely on behavioural analysis, in most cases they raise the alert only after the threat has already executed on the endpoint. With EDR, it is always a race against time to contain the damage instead of proactively hunting down and removing malicious payloads. Security teams step in to remediate and clean up after the EDR blocks any activity it determines to be malicious.

The security operations center's (SOC) productivity is crucial to safeguarding your business when qualified personnel are hard to come by. A typical EDR generates many false positives and alarms, which hinders the SOC team's ability to carry out critical proactive duties like patching and hardening systems.

With so much noise, serious threats might easily get lost, increasing the likelihood that threat actors will go undetected and have extended dwell periods. Hence, EDRs make for a poor malware defence tool.

Evolution in EDR Evasion Techniques

After using Cobalt Strike for a long period, threat actors are switching to a new tool, Brute Ratel, whose features are geared toward getting around EDR solutions. Cybercriminals employ frameworks like Cobalt Strike or Brute Ratel to communicate remotely with their malware once they have gained a foothold in a network.

The evasion techniques target EDRs that rely on hooks. The first approach issues system calls directly to the kernel rather than going through the hooked function. This hooking evasion is not fully reliable: although it was effective against all three of the tested EDRs, it can itself raise suspicion in some EDRs.

The second method also worked against all three EDRs when it was packaged in a dynamic link library (DLL) file. It executes only portions of the intercepted functions so that the hooks are never triggered; the malware achieves this through deceptive system calls.

According to researchers, a squad of four people typically needs eight weeks to detect malware on a significant corporate network. EDR evasion is believed to demonstrate that elementary techniques can successfully circumvent this security mechanism, which means that malware delivered this way does not require much additional labour.

Additionally, stronger EDRs on endpoints can be complemented by dynamic analysis inside sandboxes. Sandboxes can filter out malware before it reaches the endpoint, whether they run in the cloud, sit behind email gateways, or act as web proxies.


The vast number of successful breaches and the rising sophistication of new threats have shown that a malware defence like EDR alone cannot thwart them. Existing EDR solutions for risk mitigation will be supplemented or replaced by a prevention-first approach to stopping threats. Organizations seeking to build a more robust system should contact security experts. At Packetlabs, we expose hidden vulnerabilities and offer actionable advisories to improve the security posture of organizations. Contact us for more details on how we work and what we provide to bolster organizational threat response.
