As Roger A. Grimes recently highlighted in an article on CSO Online, Malware Dwell Time is an incredibly important way to measure your antivirus software's effectiveness. Traditional antivirus software relies on a blacklist of known bad software to block in order to keep your devices secure. However, with the speed at which new malware is created today, the most important question is: how out of date is that blacklist?
What is Malware Dwell Time?
Dwell time is the amount of time that a piece of malware is allowed to dwell in your environment before your antivirus solution blocks it as bad. As Mr. Grimes describes in his article, Malware Dwell Time is an important factor to look at when evaluating antivirus software because the response time of traditional antivirus solutions is critical. When a traditional solution sees a brand new piece of malware for the first time, it will typically allow it to run at the start while monitoring it. So the question becomes: how long does it take for this malware to be recognized as bad and blocked to keep you secure?
How could I capture Malware Dwell Time?
Here I’ll defer to Mr. Grimes, who goes into more detail in his article about a process that can be used to measure and report on Malware Dwell Time.
I know a way to hold your antivirus vendor accountable for detecting malware in your environment accurately and decreasing malware dwell time. You need to capture every newly executed program and process, related to files or fileless (e.g., registry, memory-based or PowerShell). Most computers already have a program that can do this built-in. Microsoft Windows has had the ability since the very beginning with its Windows Event Logging capability, but Microsoft’s application control programs like AppLocker are even better (less distracting noise). Apple and Linux distros vary as to their process tracking capabilities, but most can be configured to capture the necessary information. You can also download a commercial or open-source third-party application.
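As an added illustration of the measurement Mr. Grimes outlines (this is not code from his article or from PC Matic), the script below joins a record of each program's first execution, such as the process-creation events Windows Event Logging supplies, to the antivirus's own detection events and reports the gap between the two per program. The event records are constructed sample data, and the detection-event shape is an assumption.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

# Constructed sample records, not real log data. EXEC_EVENTS stands in for a
# process-creation audit trail (on Windows, Security event 4688's timestamp and
# NewProcessName); DETECT_EVENTS stands in for the antivirus's own
# "threat detected / blocked" events. Both use ISO-8601 times on one clock.
EXEC_EVENTS = [
    ("2024-03-01T09:00:00", r"C:\Users\alice\Downloads\invoice.exe"),
    ("2024-03-01T09:05:00", r"c:\users\alice\downloads\INVOICE.EXE"),  # same file
    ("2024-03-01T09:30:00", r"C:\Windows\System32\notepad.exe"),
    ("2024-03-01T10:00:00", r"C:\Users\bob\AppData\Local\Temp\setup.exe"),
    ("2024-03-01T12:00:00", r"C:\Users\bob\Downloads\dropper.exe"),
]
DETECT_EVENTS = [
    ("2024-03-02T11:00:00", r"C:\Users\alice\Downloads\invoice.exe"),  # a day later
    ("2024-03-01T12:00:00", r"C:\Users\bob\Downloads\dropper.exe"),    # on first run
]
NOW = datetime(2024, 3, 3)  # when the report is generated (constructed)

def first_seen(events: Iterable[Tuple[str, str]]) -> Dict[str, datetime]:
    """Earliest timestamp per executable path. Windows paths are case-insensitive,
    so keys are lower-cased to avoid counting one file as several."""
    first: Dict[str, datetime] = {}
    for ts, path in events:
        key, t = path.lower(), datetime.fromisoformat(ts)
        if key not in first or t < first[key]:
            first[key] = t
    return first

def dwell_report(exec_events, detect_events, now=NOW) -> Dict[str, Tuple[timedelta, bool]]:
    """Per executed program: (dwell, detected).
    detected=True: gap between first execution and first detection; a detection
    at or before first execution (a pre-execution block) counts as zero.
    detected=False: not flagged by `now`, so the dwell is still open and is
    reported as time elapsed since first execution."""
    ran, flagged = first_seen(exec_events), first_seen(detect_events)
    report: Dict[str, Tuple[timedelta, bool]] = {}
    for key, t_run in ran.items():
        t_det = flagged.get(key)
        if t_det is None:
            report[key] = (now - t_run, False)
        else:
            report[key] = (max(t_det - t_run, timedelta(0)), True)
    return report

if __name__ == "__main__":
    for path, (dwell, hit) in dwell_report(EXEC_EVENTS, DETECT_EVENTS).items():
        print(f"{'detected' if hit else 'UNFLAGGED'} dwell={dwell} {path}")
```

Programs that never show up in the detection stream are mostly legitimate software, so the unflagged list is a worklist to check against your own allow-list rather than a verdict.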
PC Matic’s Dwell Time
While Dwell Time is incredibly important for traditional antivirus software, PC Matic's whitelist-based approach will consistently see Dwell Times of zero. The key to a default-deny approach is that anything unknown or new that we don't know to be good is blocked from execution. We never let an unknown application run and monitor it for a period of time before trying to roll back the malicious changes it made. This is why our approach is so unique. Even the newest strains of ransomware or malware don't require an all-hands-on-deck response to update a blacklist for our customers to stay safe: we block them by default and never let that malware dwell inside your system.
With PC Matic, we only allow applications to run if we already know that they're good. Whitelisting is something you already apply in many other aspects of your life, and computer security is another great place to use it.
To learn more about PC Matic check out www.pcmatic.com.