This site uses cookies to enhance your experience.  By continuing to visit this website, you consent to the use of these cookies. Click here to learn more about our privacy policy.

Signature Based Detection vs. AI: Powerful Detection and Adaptable Solutions

85% of business networks have suffered a bot infection. 89% of these same networks have identified serious network vulnerabilities and 90% have suffered attacks within their DMZ Zone. We all know the statistics, but what do we do now?

Traditional approaches to malware detection are just what they sound like – traditional. In the world of malware detection nothing stays current for long. Signature based detection is effective, fast and industry-tested, but requires daily upkeep of a huge database of known malware samples, often hundreds of megabytes, and daily endpoint updates. This is unreliable detection without the manpower to maintain the database. YARA Engines have also been proven to be quite good at detecting known malware families, but has difficulty detecting unknown malware. Sandboxing is another tried and true method of protection, but more recently developed malware is able to detect a sandbox environment and avoid setting off the alarms.

Las Vegas, Nevada played host to DEF CON 2019 this past Friday, where Mac Security Researcher Patrick Wardle demonstrated how inadequate signature-based anti-malware protection for Macs is by repurposing existing Mac malware live on stage. In one example Wardle used FruitFly malware to demonstrate how the simplest adjustments can sail past what is, arguably, a quite sophisticated signature-based anti-malware tools like XProject, macOS certificate-checking, and MRT among other anti-virus products. “Oftentimes you just need to switch a few bytes, change the command line arguments and now – ‘power to the people’ – we have the ability to take these very sophisticated threats and redeploy them for our own surreptitious processes,” Wardle said. “If we examine the embedded MRT FruitFly signature, we can see it’s detecting FruitFly based on both the path of the malware and its launch agent. This means as long as we change the path, or the name of the agent, MRT can’t detect it.”

So where does that leave us?

Companies like Sangfor Technologies fill this detection gap with their Next Generation Application Firewall (NGAF) products and solutions like Engine Zero. Engine Zero is an AI powered malware detection engine using machine learning, threat intelligence, sandboxing and botnet detection to detect and protect against new malware. Adaptability is a major issue with signature-based detection. Engine Zero uses AI to detect previously unknown malware and files away this data for later – eventually teaching itself to detect unknown malware and ransomware. Engine Zero recently went head to head with other leading solutions, leading the way in 60,000 recent ransomware sample tests. In addition, customers using Sangfor NGAF are able to use Engine Zero to detect ransomware at line rate.

Why Sangfor?
Founded in 2000 and a publicly traded company as of 2018 (SANGFOR STOCK CODE: 300454 (CH)) Sangfor Technologies is the global leading vendor of IT infrastructure solutions specializing in Network Security and Cloud Computing. Visit us at and get in touch with Sangfor Technologies today to see what we can do to custom build IT solutions to keep you and your data secure and available.