Therefore, it may come as a surprise that we are still able to find simple malware samples (which did not employ any special 0-day vulnerability) that bypass most of the security mechanisms in some of the most prominent AV software. There is a gap between AVs' sophisticated mechanisms and their ability to detect advanced targeted attacks. The reason lies in the automatic decision-making process, which is overly tolerant due to the fear of false positives.
There are solutions to this problem, but none of them is sufficient. Cloud Reputation attempts to solve this problem, but fails to deal with new or tailored attacks. Integrating human analysis is another option, although it is a very expensive and quite an impractical one.
Consequently, there is a need for a different approach. Persistent logging and long-term analysis are necessary to increase the ratio between true detections and false positives. For example, examining the actions of a process over time might unveil its hostile intentions. Observing similar but unique behaviors across different neighboring computers may reveal malicious goals. In order to successfully combat the unforeseen, centralized logging and continuous analysis are crucial.
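To make the two observations above concrete (a process judged by its actions over time, and one behavior seen on several neighboring hosts), here is an added illustration, not code from the original article: a small correlation pass over constructed endpoint telemetry. The log format, host names, hashes and action names are assumptions; the point is that no single line is blockable, while the long-term and fleet-wide view is.

```python
from collections import defaultdict
# Constructed endpoint telemetry (not real data): "timestamp host binary_hash action".
SAMPLE_LOG = """\
100 ws01 aaa1 net_connect
190 ws01 aaa1 write_autorun
900 ws01 aaa1 read_browser_store
110 ws02 ccc3 net_connect
800 ws02 ccc3 write_autorun
950 ws02 ccc3 read_browser_store
120 ws03 ddd4 net_connect
130 ws03 ddd4 schedule_task
140 ws04 eee5 net_connect
150 ws04 eee5 schedule_task
160 ws03 upd9 net_connect
170 ws03 upd9 write_file
160 ws04 upd9 net_connect
170 ws04 upd9 write_file
"""

# A known-bad combination; each action alone is too common to block on.
SUSPICIOUS_COMBO = {"net_connect", "write_autorun", "read_browser_store"}

def parse_log(text):
    return [(int(ts), host, sha, act)
            for ts, host, sha, act in (line.split() for line in text.strip().splitlines())]

def profiles(events):
    """Accumulate what each (host, hash) pair did over its whole lifetime."""
    prof = defaultdict(set)
    for _ts, host, sha, act in sorted(events):
        prof[(host, sha)].add(act)
    return prof

def flag_over_time(prof):
    """Per-host verdict: the binary eventually completed the whole combination."""
    return sorted(k for k, acts in prof.items() if SUSPICIOUS_COMBO <= acts)

def flag_across_hosts(prof, min_hosts=2):
    """Fleet verdict: one multi-step behaviour on several hosts, each under a different
    hash (tailored samples hash reputation never sees twice); same hash everywhere is not."""
    by_behaviour = defaultdict(set)
    for (host, sha), acts in prof.items():
        if len(acts) > 1:
            by_behaviour[frozenset(acts)].add((host, sha))
    hits = []
    for acts, pairs in by_behaviour.items():
        hosts, hashes = {h for h, _ in pairs}, {s for _, s in pairs}
        if len(hosts) >= min_hosts and len(hashes) == len(pairs):
            hits.append((sorted(acts), sorted(hosts)))
    return sorted(hits)
```

The cross-host rule catches the `schedule_task` pair on ws03/ws04 even though no combination rule was written for it, while the updater `upd9` (same hash on both hosts) stays unflagged.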