In a continuous effort to evade detection, cybercriminals are embracing fileless or near-fileless attacks involving script-based and memory-based attack techniques. Cybercriminal script authors leverage browser-side scripts to execute malicious actions, including download of binaries, download of Windows PowerShell scripts, and redirection of traffic. By bypassing file IO, these attacks become nearly invisible to many client-based security products.

This report includes results from an NSS Labs investigation on the average performance of 10 next generation firewalls (NGFWs) in detecting a malicious script sample that was obfuscated using fifteen different tools and four web traffic encoding mechanisms. False positive rates for benign scripts that were obfuscated using the same tools are also examined.

Results from this investigation highlight areas that NGFW product management teams should focus on to improve the security effectiveness of their products and reduce operational costs for their enterprise customers.