Sorry guys, you're faster than I am on replies :) I read that Webroot article, thanks for sharing. It was informative. To date, it has always been my understanding that a signature is a hash, and that hash is based on the bits in a given file. Change even one bit, compute the hash, and you have a new signature. If that's correct, then could polymorphic malware not simply keep a nearly identical file but have, say, an 8-byte hex field at the end of the code that increments a digit every now and then, which in effect makes it zero-day malware? If it's that easy, I would imagine it would be so easy to bypass signature-based protection in terms of file-based threats anyway. IPS is another issue, as I imagine there are only so many ways you can slide down a TCP connection with malformed packets or whatever else.
So please correct me if I'm mistaken about how the virus signatures work; I honestly thought it was as simple as single bit or byte changes resulting in new hashes. And following that logic, one then wonders why anybody would bother encrypting a malware payload unless it's to hedge against deeper scanning techniques.
So my original question maybe still stands: how does malware bypass the likes of SEP entirely, not through the front door, where it is scrutinized by SEP but makes it through due to limitations of signatures or behavior scanning, but rather through the back door, by cleverly avoiding being scanned at all (either in transit or, later, at rest on the file system)? I always assumed holes in the OS itself allowed for this.
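To make the signature question concrete, here is a small added example (not from the post or any vendor's product) contrasting the whole-file hash the post describes with two other common signature styles: a fixed byte-pattern match and a hash over a fixed region of the file. The "file" contents are constructed bytes, not real malware; the trailer appended to make the variant is the 8-byte counter field the post imagines.

```python
import hashlib

# Constructed sample "file": a fake header, a distinctive code-like byte
# pattern, a marker string and some filler. Purely synthetic test data.
ORIGINAL = (
    b"MZ" + b"\x00" * 14
    + b"\xde\xad\xbe\xef" * 4
    + b"PAYLOAD-MARKER-0001"
    + b"\x90" * 32
)

# The same content with an 8-byte trailer appended (the post's incrementing
# field at the end of the file). Everything before the trailer is unchanged.
VARIANT = ORIGINAL + b"\x00\x00\x00\x00\x00\x00\x00\x01"

# Byte pattern a defender might sign on: it sits inside the file body, so
# trailing padding does not affect it. (Hypothetical pattern for this demo.)
PATTERN = b"\xde\xad\xbe\xef" * 4 + b"PAYLOAD-MARKER"


def file_hash(data: bytes) -> str:
    """Whole-file SHA-256: the kind of 'signature' the post has in mind."""
    return hashlib.sha256(data).hexdigest()


def hash_signature_matches(data: bytes, known_hash: str) -> bool:
    """True only if every bit of the file is identical to the known sample."""
    return file_hash(data) == known_hash


def pattern_signature_matches(data: bytes, pattern: bytes = PATTERN) -> bool:
    """Content signature: does the distinctive byte sequence occur anywhere?"""
    return pattern in data


def region_hash(data: bytes, start: int, length: int) -> str:
    """Hash of a fixed region (e.g. a header or code section), not the whole file."""
    return hashlib.sha256(data[start:start + length]).hexdigest()


def compare(original: bytes, variant: bytes) -> dict:
    """Apply each signature style, learned from `original`, to `variant`."""
    known_file_hash = file_hash(original)
    known_region_hash = region_hash(original, 0, 64)  # first 64 bytes
    return {
        "whole_file_hash_detects_variant": hash_signature_matches(variant, known_file_hash),
        "pattern_detects_variant": pattern_signature_matches(variant),
        "region_hash_detects_variant": region_hash(variant, 0, 64) == known_region_hash,
    }


if __name__ == "__main__":
    for name, hit in compare(ORIGINAL, VARIANT).items():
        print(f"{name}: {hit}")
```

Running it shows the whole-file hash no longer matches once a single trailing byte changes, while the pattern match and the region hash still flag the variant, which is why file-hash lists are treated as the weakest, most brittle form of signature and AV engines lean on content patterns, section hashes and behavior instead.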