As attackers grow more sophisticated, endpoint protection (EP) systems have had to keep pace. No vendor claims to catch everything, but endpoint protection matures each year. Let's look at what a modern EP product has to do these days.
The term "machine learning", like so many buzzwords in the tech industry, has multiple meanings. In simple terms, it means deriving conclusions from observed data with minimal human intervention. Applied to endpoint protection, it means the product can decide whether a piece of code is malicious even if it has never seen that exact code before. To do this, it must continuously observe data from disparate sources, determine whether statistical sampling is applicable, update and revise its calculations, and even decide whether to detonate suspicious files in a sandbox. Some products even include a miniature "sandbox" on the endpoint itself.
Static and dynamic code analysis
Endpoint protection systems must evaluate code, no matter where it resides, to determine whether it is malicious. They perform this tricky task in real time, using static code analysis (pre-execution) and dynamic analysis (observation of code behavior during execution in a sandbox).
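As an added illustration, not code from the article or from any vendor's product, here is the pre-execution half of that picture in Python: a few static features an EP engine can compute without running a file, applied to two constructed byte buffers. The entropy threshold and the strings heuristic are assumptions for the example, not any product's actual rules.

```python
import math
import random
import re
from collections import Counter

# Constructed samples, not real binaries: a "benign" buffer of readable text
# and a "packed" buffer of pseudo-random bytes, the kind of high-entropy blob
# a packer or crypter leaves behind. Fixed seed so the result is reproducible.
BENIGN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40
_rng = random.Random(1337)
PACKED_SAMPLE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII of at least min_len bytes (the `strings` heuristic)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def static_features(data: bytes) -> dict:
    """Features available before execution: size, header, entropy, string density."""
    strings = printable_strings(data)
    kib = max(len(data) / 1024, 1e-9)
    return {
        "size": len(data),
        "has_mz_header": data[:2] == b"MZ",
        "entropy": round(shannon_entropy(data), 3),
        "string_count": len(strings),
        "strings_per_kib": round(len(strings) / kib, 2),
    }


def static_verdict(data: bytes, entropy_threshold: float = 7.0) -> str:
    """Assumed pre-execution rule: near-random bytes with almost no readable
    strings look like a packed or encrypted payload, so hand the file to the
    dynamic (sandbox) stage instead of trusting the static view alone."""
    f = static_features(data)
    if f["entropy"] >= entropy_threshold and f["strings_per_kib"] < 2.0:
        return "suspicious: escalate to sandbox"
    return "clean: no static indicators"
```

A real engine adds far more features (imports, section layout, signer, reputation) and feeds them to a trained model rather than one threshold, but the pipeline shape is the same: cheap static checks first, detonation only for what they cannot settle.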