M1049: Antivirus/Antimalware
Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:
Signature-Based Detection:
- Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats.
- Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.
Heuristic-Based Detection:
- Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature.
- Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.
Behavioral Detection (Behavior Prevention):
- Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges.
- Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.
Real-Time Scanning:
- Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed.
- Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.
Cloud-Assisted Threat Intelligence:
- Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats.
- Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.
**Tools for Implementation**:
- Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
- Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates.
- Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.
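The signature and heuristic layers described above, as an added example that is not part of the ATT&CK mitigation text or any vendor's engine: a minimal static file scanner that checks a hash signature, a byte-sequence signature, and a Shannon-entropy heuristic of the kind ATT&CK notes for encrypted/encoded files, then decides between automatic quarantine and analyst triage. The signature database, byte pattern, and sample files are constructed for the example and are not real indicators.

```python
import hashlib
import math

# Constructed signature database for this example: the byte pattern is an
# invented stand-in and the hash set is filled from a constructed sample
# below. Neither is a real malware indicator.
KNOWN_BAD_SEQUENCES = [b"CONSTRUCTED-BAD-BYTE-PATTERN"]
KNOWN_BAD_HASHES: set[str] = set()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, packed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan(data: bytes, entropy_threshold: float = 7.2) -> list[str]:
    """Return the static detection layers that fired for a file's bytes."""
    hits = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
        hits.append("signature:hash")
    if any(seq in data for seq in KNOWN_BAD_SEQUENCES):
        hits.append("signature:byte-sequence")
    # Heuristic layer: high entropy is the obfuscation indicator ATT&CK notes
    # for encrypted/encoded files (T1027.013); it is a hint, not proof.
    if shannon_entropy(data) >= entropy_threshold:
        hits.append("heuristic:high-entropy")
    return hits

def verdict(data: bytes) -> str:
    """Signature hits justify automatic quarantine; heuristic-only hits go to triage."""
    hits = scan(data)
    if any(h.startswith("signature:") for h in hits):
        return "quarantine"
    if hits:
        return "alert-for-triage"
    return "clean"

# Constructed samples (not real files).
SAMPLE_KNOWN = b"MZ" + b"\x00" * 64 + b"registered in the hash database"
KNOWN_BAD_HASHES.add(hashlib.sha256(SAMPLE_KNOWN).hexdigest())
SAMPLE_PATTERN = b"plain header " + KNOWN_BAD_SEQUENCES[0] + b" trailer"
SAMPLE_PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_CLEAN = b"hello world, a plain text document " * 8
```

The packed sample is deterministic pseudo-random data standing in for an encrypted payload; a real engine would add the behavioral and cloud-intelligence layers on top of these static checks.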
Analyst context for executives and security teams
Antivirus/Antimalware is a baseline mitigation that helps reduce the chance that malicious files, scripts, attachments, and suspicious runtime behaviors become business-impacting incidents. Its decision value is not simply “is AV installed,” but whether it is centrally managed, updated, active across the device estate, and capable of handling evasion patterns such as obfuscation, packing, embedded payloads, masqueraded file types, and phishing-delivered malware.
Executive priority
Treat this as a control assurance issue: leaders should ask for evidence of deployment coverage, automated updates, policy enforcement, alert handling, quarantine/remediation outcomes, and exceptions. Because this mitigation maps to initial access, execution, lateral movement, persistence/privilege escalation, and stealth-related ATT&CK techniques, weak coverage can affect incident containment speed, audit readiness, and resilience against malware and ransomware-like behavior described in the ATT&CK mitigation text.
Technical view
SOC, detection, and IR teams should validate that signature-based, heuristic, behavioral, real-time scanning, and cloud-assisted threat intelligence capabilities are enabled where applicable and managed centrally. Relationship context shows this mitigation is relevant to techniques involving obfuscated files or information, software packing, embedded payloads, command obfuscation, masquerading, command/script interpreters, tainted shared content, template injection, kernel modules/extensions, hidden artifacts, AV exclusion abuse, and phishing attachments or services. Testing should focus on whether the tool records enough detail to support triage of file hashes, command lines, process behavior, script execution, attachment handling, quarantine actions, and policy/exclusion changes.
Likely telemetry
- Antivirus/antimalware detection alerts and quarantine/remediation events
- Endpoint file scan results, file hashes, file paths, and file type metadata
- Process execution and command-line context associated with detections
- Script/interpreter activity relevant to PowerShell, Visual Basic, Python, and command execution relationships
- Attachment and downloaded-file scanning events where collected
Detection direction
- Confirm visibility before relying on the control: agent health, update status, real-time scanning, and central policy enforcement are often as important as alert logic.
- Tune for relationship-driven evasion themes: obfuscation, packed software, embedded payloads, encoded/encrypted files, command obfuscation, masqueraded file types, and suspicious scripts may require behavioral or heuristic detections rather than signatures alone.
- Review exclusions as detection blind spots, especially because ATT&CK explicitly relates this mitigation to File/Path Exclusions.
- Correlate AV events with process, command-line, script, email/download, and shared-content activity to distinguish benign administrative or developer activity from suspicious execution chains.
- Track false positives from legitimate packed software, administrative scripts, installers, and compressed archives, but require documented risk acceptance for broad exclusions or disabled scanning.
Mitigation priorities
- Deploy antivirus/antimalware across all applicable devices and systems, with centralized management for visibility and policy control.
- Enable automated updates for signatures, heuristics, behavioral rules, and cloud-assisted threat intelligence where supported.
- Keep real-time scanning enabled for files as they are accessed, downloaded, or executed.
- Use behavioral analysis capabilities to complement signatures, especially for obfuscation, packing, polymorphic code, suspicious script execution, and ransomware-like mass file activity.
- Restrict and routinely review AV exclusions, including file/path exclusions, to avoid creating predictable safe locations for adversary artifacts.
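An exclusion audit for the two points above (exclusions as detection blind spots, and broad exclusions as predictable safe locations), as an added example that is not part of the ATT&CK text or any vendor's tooling: it maps paths seen in process or file telemetry to the exclusion that would have kept the scanner from inspecting them, and flags drive-root and user-writable exclusions as broad. The exclusion list and paths are constructed, and the matching rules are a simplified model rather than any specific product's semantics.

```python
import fnmatch
import re
from typing import Optional

# Constructed exclusion list, illustrative only (not a real configuration).
# Written with forward slashes so the literals are valid; norm() converts.
# Entries ending in "/" are folders (recursive); "*.ext" excludes by extension.
EXCLUSIONS = [
    "C:/Program Files/BackupAgent/",
    "C:/Users/*/AppData/Local/Temp/",
    "D:/",
    "*.tmp",
]
# Shapes that make an exclusion a predictable safe location: drive roots and user-writable dirs.
BROAD_PATTERNS = [r"^[a-z]:\\$", r"\\users\\", r"\\temp\\", r"\\programdata\\"]

def norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def is_excluded(path: str, exclusions=EXCLUSIONS) -> Optional[str]:
    """Return the exclusion that would keep `path` from being scanned, else None."""
    p = norm(path)
    name = p.rsplit("\\", 1)[-1]
    for excl in exclusions:
        e = norm(excl)
        if e.startswith("*."):
            if fnmatch.fnmatchcase(name, e):
                return excl
        elif e.endswith("\\"):
            if fnmatch.fnmatchcase(p, e + "*"):
                return excl
    return None

def exclusion_risk(excl: str) -> str:
    """'broad' needs documented risk acceptance; 'scoped' needs a periodic re-check."""
    e = norm(excl)
    if e.startswith("*.") or any(re.search(pat, e) for pat in BROAD_PATTERNS):
        return "broad"
    return "scoped"

def audit(observed_paths, exclusions=EXCLUSIONS) -> dict:
    """Map paths from process/file telemetry to the exclusion that hides them."""
    hidden = {}
    for path in observed_paths:
        excl = is_excluded(path, exclusions)
        if excl:
            hidden[path] = excl
    return hidden
```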
Analyst notes and limits
This mitigation is broad and should be assessed as a managed security control, not a single detection. The ATT&CK relationships show relevance across multiple techniques and platforms, but the mitigation object itself does not specify platforms or tactics. Local asset inventory, endpoint coverage data, policy configuration, and alert pipelines are required to determine real-world defensive value.
Official detection guidance is not provided for this mitigation, and the supplied object does not specify platforms or tactics for M1049 itself. This take relies on the official description and the provided mitigates relationships only; it does not assert active exploitation, adversary attribution, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.015 | Compression Sub-technique | Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives. |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1221 | Template Injection | Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Anti-virus can also automatically quarantine suspicious files. |
| Enterprise | T1027.014 | Polymorphic Code Sub-technique | Anti-virus can be used to automatically detect and quarantine suspicious files. Employment of advanced anti-malware techniques that make use of technologies like machine learning and behavior-based mechanisms to conduct signature-less malware detection will also be more effective than traditional indicator-based detection methods. |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | Anti-virus can be used to automatically detect and quarantine suspicious files. |
| Enterprise | T1564.012 | File/Path Exclusions Sub-technique | Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible. (Citation: Microsoft File Folder Exclusions) |
| Enterprise | T1027.012 | LNK Icon Smuggling Sub-technique | Use signatures or heuristics to detect malicious LNK and subsequently downloaded files. |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | Anti-virus can also automatically quarantine suspicious files. |
| Enterprise | T1059.006 | Python Sub-technique | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1059.001 | PowerShell Sub-technique | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation. |
| Enterprise | T1059 | Command and Scripting Interpreter | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1547.006 | Kernel Modules and Extensions Sub-technique | Common tools for detecting Linux rootkits include rkhunter (Citation: SourceForge rkhunter) and chkrootkit (Citation: Chkrootkit Main), although rootkits may be designed to evade certain detection tools. |
| Enterprise | T1080 | Taint Shared Content | Anti-virus can be used to automatically quarantine suspicious files. (Citation: Mandiant Cloudy Logs 2023) |
| Enterprise | T1564 | Hide Artifacts | Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible. (Citation: Microsoft File Folder Exclusions) |
| Enterprise | T1027.002 | Software Packing Sub-technique | Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code. (Citation: ReasonLabs) |
| Enterprise | T1036 | Masquerading | Anti-virus can be used to automatically quarantine suspicious files. |
| Enterprise | T1566 | Phishing | Anti-virus can automatically quarantine suspicious files. |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. |
| Enterprise | T1027 | Obfuscated Files or Information | Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. (Citation: Microsoft AMSI June 2015) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 1515de16e0a2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1049
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.