EDR vs AntiVirus

Endpoint Detection and Response (EDR) is a security solution that combines real-time continuous monitoring and collection of data from endpoints to detect and respond to threats. It has the ability to detect signature-less threats and attacks, which traditional antivirus software may not be able to do. EDR solutions are better at detecting both known and unknown threats than antivirus solutions, as they don’t rely on signatures. Additionally, EDR provides visibility into the activities of users, processes, applications, files, networks, and devices. Antivirus solutions are typically easier to use and in some cases can have a lower impact on system resources than EDR solutions, but they can only protect against known malware threats. Some organizations use both EDR and antivirus but modern EDR solutions are designed to replace Antivirus solutions and using both can cause issues with efficacy and reliability.

How Does Traditional AntiVirus Work?

Antivirus software began with a simple idea: look for the virus and remove it from the system.  Antivirus creators used mathematical files to create unique hash values for each identified virus and then make a list of malicious files.

The antivirus software then scans data and uses the same algorithm to create hash values to compare against that malware list.  When a malicious file is identified, it is deleted from the system.

Flaws in Traditional Antivirus

Traditional AntiVirus is cheap, and can even come built into the operating system.  Unfortunately, the protection offered by antivirus continues to decline in effectiveness- particularly for attractive targets such as businesses.

As the technology ages, significant flaws in the antivirus technology become magnified and even become burdensome for enterprises.  The flaws can be classified into: 

  • Declining Detection
  • Bloatware
  • Extending Detection Time
  • Limited Options

Declining Detection

To avoid detection by antivirus software, attackers often create different variants of their software so that the hash value of the virus files continuously changes.  Additionally, new malware and new types of attacks continue to increase in number and variety.

Once a new virus or a new variant is released, antivirus cannot detect it until the antivirus company adds the virus to the malware list.  Until added to the list, the malware remains undetectable by traditional antivirus.

Antivirus does not provide any defense against attacks that don’t use malware.  Many ransomware attackers and advanced persistent threat (APT) attacks use non-malicious software that will never be added to antivirus lists and will never be detected by antivirus.

Bloatware

Between the ever-increasing amount of data, the ever-expanding hard drive sizes, and the proliferation of malware, antivirus software becomes bloated and an operational liability.  Because of the way antivirus works, it can only be helped so much by the cloud and local computing power increases.

To start, in attempts to catch the ever-increasing list of malware, antivirus software continuously adds to their malware list. This means that for every file hashed, there is an ever-lengthening list of malicious hash values against which that file must be compared.

Of course, the number of files we save on our larger and larger hard drives also continues to grow rapidly which means we have an ever-increasing number of files which we need to compare against that ever-increasing list!  Often this leads to performance-crushing computer speeds as the antivirus dominates the computer resources while performing a virus scan.

Some companies move these comparisons off of the host computer and into the cloud to gain speed advantages.  Unfortunately, any speed improvements in this category do not offset the other antivirus flaws.

Extending Detection Time

Antivirus protection suffers two significant time lag issues.  First, antivirus only can scan for known viruses, so any new malware or malware variant enjoys a period of invisibility from antivirus scans until the malicious code’s hash value becomes added to the master list and that revised master list is pushed out to customers.

Second, scans are periodic, not continuous.  Many organizations, seeking to avoid the complaints of employees during scans, may only scan for viruses a couple of times a day.

While these time delays may seem small, today’s attackers use the viruses to upload different malicious packages and to establish a persistent presence on a victim’s computer.  Each moment of delay can allow an attacker to establish an effective beachhead before the antivirus catches up to the initial attack.

Attackers even monitor this delay to maximize the effectiveness of their malware.  Malware creators have been detected uploading their own malicious software to Google’s VirusTotal website to check how many antivirus companies have detected that file and how much the file needs to be monitored to avoid detection!

Limited Options

Once an antivirus detects malware, it generally only has three options: quarantine, ignore, or delete.  While these options may provide resolution directly for that specific virus, it does not address any associated issues.

For example, if a computer was infected with a Remote Access Trojan (RAT) malware loader, it might be able to delete that virus, but it may be unable to identify other viruses loaded by the RAT or to address other actions performed by a hacker that compromised the endpoint.

What is Endpoint Detection and Response (EDR)

The next generation of endpoint protection addresses antivirus weaknesses.  Endpoint Detection and Response (EDR) proactively watches for signs of attack and can directly take action to contain and remediate against attacks.  

EDR software provides high value through strong protection against malicious activities, low impact on computer operations, and expanded options for incident detection and response.  EDR software can also be combined with managed services and managed security operations to provide even more value.

How does EDR Work?

EDR can use the antivirus feature of a virus list, but traditional antivirus is only one feature of an EDR solution.  EDR expands upon antivirus capabilities by continuously scanning files and endpoint behavior and storing results in a centralized database.

EDR not only detects known viruses as soon as they land on the endpoint, the EDR can detect malicious behavior to detect new viruses and hacking in progress.  The EDR can then execute predetermined incident response tasks such as file deletion or endpoint quarantine to limit the damage done in an attack.

How Does EDR Improve Security Over Antivirus

EDR capabilities directly address the flaws of antivirus solutions to drive value and improve security capabilities:

  • Declining Detection ⇒ Improving Detection
  • Bloatware ⇒ Operationally Efficient
  • Extending Detection Time ⇒ Reduced Detection Time
  • Limited Options ⇒ Expanded Options

Improving Detection

EDR solutions monitor for behavior.  This means that if software acts like a virus, it will be treated like a virus.  EDR solutions do not need to wait for a virus to be defined, so they catch malware and attacks much earlier than traditional antivirus.

Antivirus solutions either see the virus, or they don’t.  EDR solutions that see hints of malicious behavior track potential threats for possible further action and send alerts to security teams to provide the option for further investigation.

EDRs inherently detect more endpoint threats and their capabilities will only increase with the leverage of artificial intelligence (AI) and machine learning (ML).  AI and ML help the EDR solution to further improve detection of new threats..

Operationally Efficient

EDR uses a light software program, called an agent, that lives in the memory of the computer.  This agent continuously scans changes on the endpoint which not only provide real-time response to malware, the scans take less time and computing resources than the periodic antivirus scan.  

EDRs generally also employ the cloud to improve speed, offload some processing from the endpoint, and to provide continuous updates to the agent.  Combining the continuous scanning, light endpoint agent and cloud resources delivers an endpoint protection solution that users won’t notice because it never slows them down.

Reduced Detection Time

As attackers become more aggressive and more automated, speed of detection increases in importance.  The longer it takes to detect an attacker, the more entrenched they will become, the more damage attacks will do to the organization, and the more expensive it will be to respond to the attack.

EDRs do not need to wait for a virus list or wait for a scan.  The continuous scanning evaluates files, processes, and behavior without delay and can directly take action to cut off malicious behavior, isolate the endpoint, or alert security teams.

Expanded Options

EDRs can delete viruses like an antivirus solution and further expand response options to report anomalies, isolate compromised devices from the network, or even provide remote access to security investigators.  EDRs also offer expanded security tools for firewalls, whitelisting, and expansive monitoring.

EDR delivers improved incident response through much more detailed information than an antivirus solution.  EDRs provide full attack visibility with context and history for every alert to help security analysts explore the source of the malware and determine the full context and scope of an attack.

EDRs integrate with many other security tools to further improve security profiles.  EDRs send alerts for SOC/SIEM review, investigation and response for malware, malicious behavior, and potential attacks that need investigation.

Managed EDR

Managed antivirus (MAV) like Managed CrowdStrike by Clearnetwork can do no more than provide a first line of defense for the endpoint.  Unfortunately, that first line of defense continues to crumble in effectiveness and risks driving up future costs for incident response and recovery from cybersecurity attacks.

Managed EDR can provide a full suite of protection extending beyond the endpoint to a comprehensive managed incident response capability.  Managed EDR not only improves the first line of defense, but also enables more sophisticated attacks to be detected, investigated, and stopped.

Managed EDR not only stops more of today’s attacks, but also lowers the risks and costs of dealing with the investigation and recovery from future attacks.

Final Thoughts

Antivirus products provided cutting-edge security before the rise of the internet.  To properly manage risks in today’s connected world requires the more advanced security provided by EDR.

The ‘low cost’ options of obsolete technology only risk much higher costs in the future.  These risks should not be tolerated by any mature organization.