Polymorphic Malware

Signature based detection methods are struggling to keep up with polymorphic malware.

Our recent webinar showcased the example of a server infected as a result of a botnet and effectively owned by a cybercriminal, which was dishing out malware. (Real-life examples could include an innocuous website that people visit on a regular basis to download files and data, e.g. streaming video or audio, or maybe just downloading driver files.)

The unsuspecting victim goes to the web server that has been infected with malware and requests a file. The file may look like the file they requested, but it has also been infected, and it appears identical with the exception of the last couple of characters.

The web server is dishing out unique malware every time a request is made.

Traditional endpoint security detects and blocks known bad code, so once the original copy of file.exe was spotted as being malicious, its signature would be added to the virus definitions pushed out to that endpoint security product.

However, if the user were to make the same request to the same server again, they would receive what looks to be the same file. It is in fact unique, and so would not be spotted by traditional endpoint security, as there would be no matching signature to prevent the file from coming down.
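As an added illustration (not part of the original post), a small Python simulation of this scenario: the server appends a different tail to every download, so a whole-file hash signature captured from the first copy never matches the next copy, whereas a signature on the unchanged body of the file still does. The file bytes, the marker string and the request counter are constructed placeholders, not real malware.

```python
import hashlib

# Constructed stand-in for the requested file; the marker is an inert placeholder
# for the part of the body a content signature would actually be written against.
ORIGINAL_FILE = b"MZ" + b"\x00" * 16 + b"driver-installer-body" + b"PLACEHOLDER_MARKER"
BODY_PATTERN = b"PLACEHOLDER_MARKER"


def sha256(data: bytes) -> str:
    """Whole-file hash, the unit a hash-based signature matches on."""
    return hashlib.sha256(data).hexdigest()


def serve_variant(file_bytes: bytes, request_id: int) -> bytes:
    """Simulate the infected server: identical body, different trailing bytes
    on every request (a deterministic counter here so the run is repeatable)."""
    return file_bytes + request_id.to_bytes(4, "big")


def hash_signature_detects(blocklist: set, sample: bytes) -> bool:
    """Traditional detection: block only if the whole-file hash is already known."""
    return sha256(sample) in blocklist


def content_signature_detects(pattern: bytes, sample: bytes) -> bool:
    """Body-based detection: match on a stable substring, ignoring the tail."""
    return pattern in sample


def simulate(requests: int = 5) -> tuple:
    """Return (hash-signature hits, content-signature hits) over later requests."""
    first_copy = serve_variant(ORIGINAL_FILE, 0)
    blocklist = {sha256(first_copy)}  # definition update after the first copy was caught
    hash_hits = content_hits = 0
    for request_id in range(1, requests + 1):
        sample = serve_variant(ORIGINAL_FILE, request_id)
        hash_hits += hash_signature_detects(blocklist, sample)
        content_hits += content_signature_detects(BODY_PATTERN, sample)
    return hash_hits, content_hits


if __name__ == "__main__":
    print("hash-signature hits, content-signature hits:", simulate())
```

Every later download has the same body but a fresh hash, so the blocklist entry never fires while the body pattern matches each one.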