A server administrator is investigating anomalous activity on multiple web servers. Analysis of system logs reveals that malicious, unsigned PowerShell scripts are being executed directly in memory, a technique characteristic of fileless malware. The currently installed anti-malware solution, which is configured for signature-based detection, has not raised any alerts. To mitigate this specific type of threat across the server fleet, which of the following host security methods should the administrator implement?
Increase the frequency of full disk scans using the signature-based anti-malware.
Implement a host-based firewall rule to block the PowerShell executable.
Deploy a network intrusion detection system (NIDS) to monitor traffic to and from the servers.
Enable behavioral-based detection and memory scanning in the host security software.
The correct answer is to enable behavioral-based detection and memory scanning. Fileless malware, as described in the scenario, operates directly in a computer's memory (RAM) and leverages legitimate system tools like PowerShell to execute malicious commands. This technique allows it to evade traditional antivirus solutions that primarily scan files on disk for known malware signatures.
Behavioral-based detection monitors processes for suspicious actions and patterns, such as a web server process spawning a PowerShell script that attempts to connect to an external address. Memory scanning directly inspects the system's RAM for traces of unpacked or decrypted malicious code that would not be visible on the disk. Combining these two features is the most effective host-based method for identifying and blocking fileless attacks.
Increasing the frequency of signature-based scans is ineffective because the malware does not have a file signature on the disk to be detected. A NIDS is a network security device, not a host security method, and while it might detect suspicious network traffic, it cannot prevent the malware from executing on the server itself. Blocking the PowerShell executable entirely is an overly restrictive measure that would likely break legitimate administrative scripts and automated tasks, causing operational disruptions.