In the face of the famous Advanced Persistent Threat (TM), many large organizations have complemented their defenses with so-called advanced malware detection solutions. These solutions extend typical signature-based malware detection with behavior-based analysis that detects malicious actions in the execution trace of a sample. Execution traces are created using mechanisms such as emulation, hooking, or introspection, and are analyzed using heuristic approaches.
Since many environments rely on this technology, we will describe the capabilities and limits of two major products when it comes to APT detection and mitigation. Their capabilities were analyzed in several customer projects for their effectiveness against recent attacks, which were developed based on the analysis of recent incidents.
We will provide an overview of which attack scenarios and primitives are detected (and also how certain restrictions can be bypassed).
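As an added example (not code from the talk or from either product), the toy detector below contrasts a hash-based signature check with heuristic scoring of a hooked-API execution trace, showing why a sample unknown to the signature database can still be flagged by its behavior. The rule set, weights, threshold, API names and traces are constructed assumptions, not those of any real product.

```python
"""Toy behaviour-based detector: signature lookup plus heuristic trace scoring."""
import hashlib

# Constructed signature database: SHA-256 of known-bad sample bodies.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"old_known_dropper").hexdigest()}

# Constructed heuristic rules: (name, weight, predicate over one trace event).
# A trace event is (api_name, args) as a hooking/introspection layer would log it.
RULES = [
    ("persistence_run_key", 3,
     lambda api, a: api == "RegSetValueEx" and "\\CurrentVersion\\Run" in a.get("key", "")),
    ("drops_executable", 2,
     lambda api, a: api == "CreateFile" and a.get("path", "").lower().endswith(".exe")),
    ("remote_thread_inject", 4,
     lambda api, a: api == "CreateRemoteThread"),
    ("beacon_out", 2,
     lambda api, a: api == "InternetConnect" and a.get("port") in (80, 443, 8080)),
]
THRESHOLD = 5  # assumed score at which the behavioural verdict turns malicious


def signature_match(sample: bytes) -> bool:
    """Classic static check: does the sample's hash appear in the signature DB?"""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def score_trace(trace):
    """Return (score, [rule names fired]) for a list of (api, args) events."""
    fired = [name for name, _, pred in RULES if any(pred(api, a) for api, a in trace)]
    score = sum(w for name, w, _ in RULES if name in fired)
    return score, fired


def verdict(sample: bytes, trace) -> str:
    """Signature hit wins outright; otherwise fall back to trace heuristics."""
    if signature_match(sample):
        return "malicious (signature)"
    score, fired = score_trace(trace)
    if score >= THRESHOLD:
        return "malicious (behaviour: %s)" % ", ".join(fired)
    return "clean"


# Constructed traces: the dropper is unknown to the signature DB but behaves badly;
# the installer also drops an .exe but shows no persistence or beaconing.
DROPPER_TRACE = [
    ("CreateFile", {"path": "C:\\Users\\Public\\svc.exe"}),
    ("RegSetValueEx", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}),
    ("InternetConnect", {"host": "203.0.113.10", "port": 443}),
]
INSTALLER_TRACE = [
    ("CreateFile", {"path": "C:\\Program Files\\App\\app.exe"}),
    ("RegSetValueEx", {"key": "HKLM\\Software\\App\\Version"}),
]
```

Running `verdict(b"new_dropper", DROPPER_TRACE)` returns a behavioural verdict (score 7) while `verdict(b"app", INSTALLER_TRACE)` stays clean (score 2); the heuristic layer only ever sees what the sample actually executed during tracing, which is where the limits discussed above come in.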