They used to do a lot of fancy things, back in the day, including running bits of suspicious executables in heavily sandboxed interpreters to spot behavioral patterns.
I'm guessing those kinds of approaches have largely gone away, being replaced with signatures that are hopefully fuzzier than a wholesale cryptographic hash, but still essentially only catching things after the fact, which works well with subscription business models.