Real-time detection refers to the capability of the security system to detect and possibly block or quarantine malicious activity as it happens.
Immediate event processing (within milliseconds).
Focused on prevention and active defense.
Based on API hooking, behavioral signatures, heuristics, and kernel callbacks.
Often tightly integrated with OS mechanisms like ETW (Event Tracing for Windows), kernel filters, or userland API interception.
A call to CreateRemoteThread or NtWriteVirtualMemory.
Memory sections marked as RWX (Read-Write-Execute).
DLL side-loading or image tampering.
Untrusted execution from suspicious directories (e.g., temp folders).
Evasive actions must happen before detection triggers.
Use of delayed execution, process injection after sleep, or syscall-level abuse can help.
Goal: avoid triggering hooks or sensors entirely.
Last updated 8 months ago