Zero-day threats are attacks that use an unknown exploit/attack for which no patch or antivirus definition file exists as yet, and they are a major concern for administrators. So what can an administrator do to prevent zero-day attacks from affecting systems under his/her control?
There is no method of detection for zero-day exploits that is 100% reliable however there are two things that could greatly help an administrator, if the standard precautionary measures designed to prevent infection were to fail.
The first is patch management. The effect of this method will be somewhat limited since the attack would still be unknown and no patch would be available to address the exploit. However, if all systems are up-to-date, the scope of attack might be limited and the attacker can only cause minimal damage while further threats are contained.
Furthermore, with a robust patch management and vulnerability scanning system in place the administrator will receive notification as soon as the attack is made public and security companies implement vulnerability checks for it.
These two important software solutions allow the administrator to take proactive action until a patch for that exploit is released. The administrator will also be notified when the patch for the zero-day attack is made public thus minimizing the window of opportunity for an attack to take place.
The second option is to use a good antivirus solution. A zero-day attack does not become public knowledge for a period of time and during that period the antivirus program will not detect any file containing this specific vulnerability by using standard pattern analysis techniques.
However, effective antivirus solutions do not rely solely on antivirus definitions to detect threats. A good antivirus also uses a technique called heuristics analysis. This technique does not only look for certain patterns in a file, but it will also analyse what the file actually does during its normal execution.
Depending on the file’s behaviour, the AV product may then classify the file as a virus if suspicious behaviour is detected. This technique can help to detect a zero-day threat even though no one knows of the vulnerability’s existence.
While antivirus solutions that use heuristic analyses can be a great weapon against Zero-day malware there is no guarantee that the malware behaviour will always be classified as malicious. However when AV is coupled with a strong patch management strategy, the administrator has a much stronger defense against infection by zero-day threats.