Skip to main content

Table 2 Comparison between file-based malware and fileless malware

From: An emerging threat Fileless malware: a survey and research challenges

TechniquesTraditional file-based malwareFileless malware
Source codeYesNo
Malicious fileYesNo
Malicious processYesNo
(Uses trusted OS processes)
ComplexityModerateVery high
Detection complexityModerateVery high
PersistenceMediumLow
File Types• Executable files
• Script embedded in a format that executes scripts (PDF, Word, Excel etc.,)
• JavaScrpt
• WMI
• PowerShell
• Flash
• WScript/ CScript
TargetsExecutable file with single targeted OS/ patch level combinationCan target many different OS/ path level combinations
Obfuscation methods• Encrypt file
• Archive file
• Executable file disguised as another type of file
• Executable file embedded in another file
• Encoding
• Escaped ASCII/ Unicode values
• String splitting
• Encryption
• Randomization
• Data obfuscation
• Logic structure obfuscation
• White space
Anti-virus detectionPossible with known signatureNot possible
Sandboxes detectionPhysically availability of fileNot possible
Behavior-based heuristics and unsupervised machine learningFile-based malware shows abnormal behavior in the system after compromising the targeted host. Hence, these systems are designed to detect such behavior.Fileless attacks are designed to behave like a benign process in the system, so they may not alarm as an anomaly. Hence, very difficult to detect.