What is a Payload-Based Signature?

2 min. read


Payload-based signatures detect patterns in the content of the file rather than attributes, such as a hash, allowing them to identify and block altered malware.


Security tools often utilize signatures based on easily changed variables like hash, file name or URLs to identify and prevent known malware from infecting systems. With this type of signature, identifying threats requires essentially a one-to-one match against the specific variables the signature is looking for.

While once an effective means for identifying malware, it is now a feeble practice, as attackers have adopted more sophisticated means of evading detection. Malware authors can now easily create thousands of variants of existing malware, containing only slight changes, in order to get around signature matching. As legacy signatures require a static one-to-one match for each unique file, these slight changes allow malware to go undetected.

As attackers have evolved, so have protections, and organizations should consider utilizing security protections that leverage payload-based signatures, which detect patterns in the actual content of the file rather than a simple attribute like hash. If a piece of known malware has been altered in any way, resulting in an entirely new hash or other small change, payload-based signatures would still be able to identify and block what would otherwise have been treated as a new unknown threat.

While payload-based signatures require more evidence and larger sets of data to produce, security teams ultimately have fewer signatures to author and deploy, as each signature is more effective at blocking variants and polymorphic malware and provides a wider net of protection. With payload-based signatures, one signature can block tens of thousands of variants from the same malware family. The result is a one-to-many malware detection, with significantly quicker and more successful prevention.

The Palo Alto Networks Next-Generation Security Platform leverages the Threat Intelligence Cloud, including the detection of unknown threats via WildFire, as well as enforcement from the Threat Prevention subscription, to automatically distribute payload-based signatures across the organization. The platform can uniquely prevent multiple variants of malware, as well as command-and-control traffic, with the high fidelity of its proprietary, signature-based format.