Protecting Against Fileless Malware Threats

ThreatLocker® RingFencing™ protects businesses against fileless malware by controlling what applications and code hijacked processes can run.

Fileless malware is a type of malware that exists only in memory. Unlike most types of malware, it does not run from the computer's hard drive.

Malware embedded in a Microsoft Office document that downloads and executes a file, then removes itself, is often described as fileless. However, this is not technically accurate, and this type of malware is dealt with differently from true fileless malware (see our Macro Viruses and Malware section). True fileless malware does not save any files to the hard drive and is often very difficult for antivirus software to detect.

Fileless malware can operate using several methods. In the most common method, the application that opens a document is able to download and run a script using a built-in Windows application such as Rundll32. The script is loaded into memory using Rundll32 and continues to run unbeknownst to the user.

A less common method comes into play when a vulnerability is exploited in an application, such as a PDF reader. A script attaches itself to that process and can be used to copy your data or encrypt it, as CryptoLocker does. This method is more relevant for computers that are not patched.
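A defensive check for the launch pattern described above, as an added example that is not part of the original page or ThreatLocker's own code: it walks constructed process-creation records and flags a built-in Windows loader started anywhere beneath a document-opening application. The application lists, field names and sample records are assumptions made for the illustration.

```python
import ntpath

# Assumed for this example: applications that open documents.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Assumed: built-in Windows programs able to load code. Rundll32 is the one the text names.
BUILTIN_LOADERS = {"rundll32.exe", "powershell.exe", "wscript.exe", "mshta.exe", "regsvr32.exe"}

# Constructed process-creation records (not real telemetry), oldest first.
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 1200, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 1500, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 1600, "ppid": 900, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe"},
    {"pid": 1700, "ppid": 1600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def exe_name(image_path):
    """Lower-cased file name of a Windows path, e.g. 'rundll32.exe'."""
    return ntpath.basename(image_path).lower()


def document_ancestor(pid, by_pid):
    """Walk up the parent chain; return the first document app found, else None."""
    seen = set()
    current = by_pid.get(pid)
    while current and current["pid"] not in seen:
        seen.add(current["pid"])  # stop if parent links ever form a loop
        parent = by_pid.get(current["ppid"])
        if parent and exe_name(parent["image"]) in DOCUMENT_APPS:
            return parent
        current = parent
    return None


def find_suspicious_launches(events):
    """Return (loader_pid, loader_name, document_app_name) for each flagged launch."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if exe_name(event["image"]) not in BUILTIN_LOADERS:
            continue  # only built-in loaders are of interest here
        ancestor = document_ancestor(event["pid"], by_pid)
        if ancestor:
            alerts.append((event["pid"], exe_name(event["image"]), exe_name(ancestor["image"])))
    return alerts
```

Rundll32 started directly from the desktop shell (pid 1500 in the sample) is not flagged; only launches that descend from a document application are, including the indirect chain through cmd.exe.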

ThreatLocker Application Control, in combination with our RingFencing™ technology, is able to control fileless malware by monitoring application behavior and stopping it from stepping outside its normal boundaries. If an application attempts to perform actions that fall outside of acceptable behavior, ThreatLocker® Application Control blocks the action, stopping the threat in its tracks. In addition, even if the application is vulnerable, ThreatLocker is able to RingFence™ the application, so the amount of damage caused by fileless malware or a rogue application is massively reduced.

For a demo of how we stop fileless threats or more information on ThreatLocker® Application Control, please schedule a free, no-obligation web demonstration.

A user opens a Microsoft Office document that contains a fileless malware script from the internet. The malware is then loaded into memory, where it encrypts the business's data.
ThreatLocker® prevents applications from launching fileless malware by blocking access to components required to load the malware into memory.

An unpatched version of Adobe Reader allows malware to run and encrypt files on your network.
ThreatLocker® RingFencing™ leverages ThreatLocker® Storage Control to control what documents can be accessed by specific applications. If an application is hijacked or goes rogue, the damage is limited to specific file types for that application, and the application can automatically be shut down if it modifies unnecessary files within a set period.