ELI5: What is Fileless Malware Detection?

Some bad programs never save themselves as a file — they hide in your computer’s memory like a ghost. Detecting them means looking for ghostly footprints instead of physical evidence.

Definition

Fileless malware detection is a capability of modern EDR solutions that identifies malicious activity occurring entirely in memory without any malicious files being written to disk. Fileless attacks abuse legitimate system tools (PowerShell, WMI, mshta) and inject malicious code directly into running processes, making them invisible to traditional signature-based antivirus that only scans files on disk.

Key Details

  • Fileless malware lives in RAM, Windows registry, or abuses built-in tools — leaves no disk artifacts for traditional AV to detect
  • Detection requires behavioral analysis: monitoring script execution, memory injection, and process behavior
  • Common fileless techniques: PowerShell encoded commands, process hollowing, DLL injection, living-off-the-land (LotL)
  • EDR memory scanning and script block logging (PowerShell) are key detection mechanisms
  • Log all PowerShell execution, including encoded commands, to SIEM for detection correlation

Connections