Reply to post: "fileless malware isn't particularly hard for newer security tools to catch"

Meet the Great Duke of... DLL: Microsoft shines light on Astaroth, a devilishly sneaky strain of fileless malware

Roland6 Silver badge

"fileless malware isn't particularly hard for newer security tools to catch"

Microsoft and other vendors have had to rely on their heuristic detection tools. In particular, AV tools need to be closely monitoring the use of WMIC command-line code and applying rules when loading DLL files - such as checking the age of a file and flagging or blocking newly-created DLLs from running. When you know what you are looking for, Lelli explains, fileless malware isn't particularly hard for newer security tools to catch.

Nor is it hard for (some) older security tools to detect. Agnitum's Outpost monitored DLLs and other system objects. At times it could be a pain with all its Allow/Block/Terminate popups, particularly when installing applications for which there wasn't a pre-existing ruleset. But when running a browser and loading a webpage results in the same warning, more often than not, you could generally regard what was being downloaded as dangerous.
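The two heuristics quoted from the article (watch WMIC command-line use; check the age of a DLL at load time and flag or block ones created moments earlier) can be expressed as a small rule pass over endpoint telemetry. The script below is an added example, not code from the article, Microsoft, or the commenter; the event records, paths and timestamps are constructed, the ten-minute freshness window is an assumed threshold, and the "system path gets review, other paths get block" split is my own refinement for handling DLLs that Windows servicing legitimately creates.

```python
"""Heuristic detection over constructed endpoint events (added example, not
from the article or the commenter): flag WMIC command-line invocations and
flag image loads of DLLs whose file creation time is very close to the load."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed threshold: a DLL created within this window before being loaded
# counts as "newly created". Tune per environment.
NEW_DLL_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    kind: str                 # "process_create" or "image_load"
    time: datetime            # when the event was recorded
    process: str              # image name of the acting process
    cmdline: str = ""         # full command line (process_create only)
    image: str = ""           # path of the loaded module (image_load only)
    image_created: Optional[datetime] = None  # filesystem creation time of module


@dataclass
class Finding:
    rule: str
    event: Event
    detail: str


def _t(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample telemetry; names, paths and times are illustrative only.
SAMPLE_EVENTS: List[Event] = [
    Event("process_create", _t("2019-07-08T10:00:00"), "wmic.exe",
          cmdline="wmic.exe os get caption"),
    Event("process_create", _t("2019-07-08T10:00:05"), "explorer.exe",
          cmdline="explorer.exe"),
    Event("image_load", _t("2019-07-08T10:01:00"), "regsvr32.exe",
          image=r"C:\Users\user\AppData\Local\Temp\abc.dll",
          image_created=_t("2019-07-08T10:00:30")),   # created 30 s before load
    Event("image_load", _t("2019-07-08T10:01:05"), "notepad.exe",
          image=r"C:\Windows\System32\kernel32.dll",
          image_created=_t("2018-04-11T00:00:00")),   # old system DLL
    Event("image_load", _t("2019-07-08T10:01:10"), "svchost.exe",
          image=r"C:\Windows\System32\wbem\wmiutils.dll",
          image_created=_t("2019-07-08T09:59:00")),   # fresh, but in a system path
]


def dll_age(ev: Event) -> Optional[timedelta]:
    """Time between a DLL's creation on disk and the moment it was loaded."""
    if ev.kind != "image_load" or ev.image_created is None:
        return None
    return ev.time - ev.image_created


def is_system_path(path: str) -> bool:
    """Assumed convention: anything under C:\\Windows\\ is a system location."""
    return path.lower().startswith(r"c:\windows\\".rstrip("\\") + "\\")


def evaluate(events: List[Event], window: timedelta = NEW_DLL_WINDOW) -> List[Finding]:
    """Apply the two heuristics and return one Finding per match."""
    findings: List[Finding] = []
    for ev in events:
        # Rule 1: any WMIC command-line invocation is surfaced for review.
        if ev.kind == "process_create" and ev.process.lower() == "wmic.exe":
            findings.append(Finding("wmic-commandline", ev,
                                    f"WMIC invoked: {ev.cmdline}"))
        # Rule 2: a DLL created shortly before being loaded is flagged; loads
        # from system paths are downgraded to "review" because patching also
        # produces fresh DLLs there, everything else is marked "block".
        age = dll_age(ev)
        if age is not None and age <= window:
            severity = "review" if is_system_path(ev.image) else "block"
            findings.append(Finding("new-dll-load", ev,
                                    f"{severity}: {ev.image} created "
                                    f"{age.total_seconds():.0f}s before load"))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event.process}: {f.detail}")
```

On the constructed events this yields three findings: the WMIC invocation, a "block" for the DLL loaded out of a Temp directory thirty seconds after creation, and a "review" for the fresh DLL under System32. Real telemetry would come from Sysmon-style process-creation and image-load events rather than an inline list, and the window and path conventions would be set to match the estate.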
