NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-3(7) Nonsignature-based Detection

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Use behavior-based detection (not just signature-based) to catch new, unknown malware that does not match existing signatures.

Example 1: Enable Microsoft Defender's cloud-delivered protection and "Block at First Sight" feature. These use machine learning and behavioral analysis in the Microsoft cloud to detect new threats that do not have signatures yet. Suspicious files are analyzed in real time.

Example 2: Deploy an EDR solution (CrowdStrike Falcon, Microsoft Defender for Endpoint) that monitors process behavior — unusual parent-child process relationships, suspicious file modifications, and anomalous network connections — rather than just matching file signatures.
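The parent-child process check described in Example 2 can be sketched as a small rule that is evaluated alongside a hash blocklist. This is an added illustration, not code from any EDR product or from this page; the event fields, the application lists, the hashes and the sample events are all constructed assumptions.

```python
# Added illustration: one behavior rule next to a signature (hash) check.
# All events, hashes and rule contents below are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent image name
    child: str    # child image name
    sha256: str   # hash of the child image (placeholder values)

# Signature view: blocklist of known-bad hashes (placeholder entry).
KNOWN_BAD_HASHES = {"bad0" * 16}

# Behavior view: document handlers rarely have a reason to start a script host.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def signature_hit(ev: ProcEvent) -> bool:
    return ev.sha256.lower() in KNOWN_BAD_HASHES

def behavior_hit(ev: ProcEvent) -> bool:
    # Image names are compared case-insensitively (Windows paths are not case-sensitive).
    return ev.parent.lower() in DOCUMENT_APPS and ev.child.lower() in SCRIPT_HOSTS

def triage(events):
    """Return (event, reasons) for every event flagged by either method."""
    findings = []
    for ev in events:
        reasons = []
        if signature_hit(ev):
            reasons.append("signature")
        if behavior_hit(ev):
            reasons.append("behavior:document-app-spawned-script-host")
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample: the same signed script host (same hash) appears twice;
# only the parent process separates normal use from suspicious use.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", "explorer.exe", "winword.exe", "a1" * 32),
    ProcEvent("ws-01", "WINWORD.EXE", "powershell.exe", "b2" * 32),
    ProcEvent("ws-02", "explorer.exe", "powershell.exe", "b2" * 32),
    ProcEvent("ws-03", "explorer.exe", "dropper.exe", "bad0" * 16),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.host, f"{ev.parent} -> {ev.child}", reasons)
```

The second event carries a hash that is on no blocklist, so a signature-only control passes it; the behavior rule flags it because of its parent process.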