
Executive Summary
- Commercial antivirus software has been available since the 1980s, so is it really still up to the task of protecting your business against modern cyberthreats? Or is it time to look into something new with Endpoint Detection and Response (EDR) platforms?
- Businesses today have far more choice when it comes to cybersecurity protection. In this showdown, we'll compare two of the most popular, antivirus and EDR, and see which comes out on top.
Introduction
Did you know that the world's first computer virus was created in 1971?
Known as the "Creeper" virus, it was eventually deleted by a program aptly named the "Reaper". Little did anyone know that this brief exchange would set the stage for a world of cyberattacks so advanced they were unimaginable back then.
So, with antivirus getting a little long in the tooth, is it time for the new kid on the block, Endpoint Detection and Response, to take the title?
We thought it was time to find out.
Ready for a showdown? Ding, ding!
What is antivirus?
It may seem elementary, but to be sure we cover every base, let's begin with a definition of modern antivirus software.
The most important thing to note here is that traditional antivirus depends on one thing: signatures. It's not the only measure AV programs use for the detection and elimination of threats (heuristics and rootkit scanning, for example), but it's certainly been the predominant one over the past two decades or more.
So, what are antivirus signatures?
They're essentially descriptions of known viruses held in a database, which is either downloaded locally or hosted in the cloud. The AV program scans the local computer for threats and, if any file matches one of these signatures, it warns the user, who can then quarantine or eliminate the threat (where possible).
Importantly, because of this signature-based approach, traditional AV programs are inherently retroactive.
What is Endpoint Detection and Response (EDR)?
We won't go into great detail about EDR, mainly because we've already published a comprehensive Plain English guide on the subject, so let's focus on the headlines.
Endpoint Detection and Response is essentially next-generation antivirus. It uses the very latest technologies, specifically machine learning and Artificial Intelligence, to detect viruses, malware, and potential cyberattacks in real time.
It protects your company's endpoints (most commonly your desktop or laptop computers) by constantly monitoring for unusual behaviours. Crucially, it does this proactively, and does not rely on a database of existing definitions.
Simply put, this means EDR can potentially protect you from viruses on the very first day they're let loose. Pretty nifty stuff.
Antivirus vs. EDR: a direct feature comparison
Now that we've set the stage a bit with the key players, let's get down to brass tacks.
In this section, we're going to take a look at some of the features UK businesses need most out of their cybersecurity software, and how each of our contenders handles them.
Round 1: Retroactive / proactive virus detection
- Antivirus relies on an updated list of virus signatures, which are populated by the antivirus vendor when a new virus is detected, then either downloaded or accessed via the cloud. Recently, attackers have managed to develop "metamorphic" viruses which can essentially cloak themselves, effectively avoiding signature-based detection.
- EDR utilises machine learning algorithms to detect patterns of behaviour and file structures which may represent threats to the endpoint. In plain English, this means that EDR is capable of detecting a threat without the system having encountered it before. This proactive, independent approach to threat detection sets EDR apart from any antivirus measure that's come before.
Round 2: Real-time monitoring of endpoints
- Antivirus does offer some real-time protection, but again is limited by the existing virus signatures in its database. It works by scanning each file every time it is accessed and comparing it against the database. If malicious files are detected, they are immediately quarantined.
- EDR does things a little differently, as real-time protection is built into the system by design. EDR platforms are powered by complex AI algorithms which analyse file behaviours to assess whether or not an attacker is attempting to breach the network, or whether a file is doing something it shouldn't be. It does all this based on its "experience" alone, with no need for pre-defined definitions.
Round 3: Remediation following a successful breach
- Antivirus options for remediation are somewhat limited. Generally, antivirus systems will attempt to either quarantine or delete infected files as soon as they are detected. The downside here is that it's uncommon for the original version of the file to be restored unless a recent backup has been made.
- EDR systems have various options for remediating a successful cyberattack. In the first instance, the EDR platform will attempt to isolate the endpoint on the network so that the threat cannot spread. If this fails, some EDR platforms are able to roll back any changes made to system files, so it'll be like the attack never happened.
Round 4: Protection against ransomware and zero-day attacks
- Antivirus faces its biggest challenge from the most up-to-date cyberattacks, including ransomware and zero-day attacks. These types of attacks are either so new that the system doesn't have a definition for them, or the attack uses "polymorphic" code in order to fool the system into registering the malicious files as safe.
- EDR comes into its own when confronted with even the most modern cyberattacks. Due to the way it "learns" about attack behaviours, EDR systems are actually able to detect cyberattacks on the first day they hit the internet, even if they've never been seen before. In the case of ransomware, the rollback feature of EDR platforms means that encrypted files can often be restored without having to shell out to the attackers.
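To make the contrast in Rounds 1 and 4 concrete, here is an added illustration (not code from the original article or from any product it mentions) of the two detection models on constructed data: a hash-signature check that stops matching as soon as one byte of a sample changes, beside a simple behaviour-based check that flags a process renaming many user files to an unusual extension within a short window. All sample bytes, process names and file paths are constructed for the example.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed "known bad" sample and a one-entry signature database (hypothetical values).
KNOWN_SAMPLE = b"MZ\x90\x00 constructed-malware-sample v1"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Constructed.Trojan.A"}

def signature_scan(file_bytes: bytes) -> Optional[str]:
    """Traditional AV model: match the file's hash against the signature database."""
    return SIGNATURE_DB.get(hashlib.sha256(file_bytes).hexdigest())

# A variant of the sample with a single byte changed: same behaviour, different hash.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")

# Constructed endpoint telemetry: (timestamp in seconds, process, action, path).
Event = Tuple[float, str, str, str]
EVENTS: List[Event] = [
    (0.0, "winword.exe", "open", r"C:\Users\alice\report.docx"),
    (2.0, "explorer.exe", "rename", r"C:\Users\alice\old.txt -> old.bak"),
]
# Six renames to ".locked" by one process within three seconds: ransomware-like behaviour.
EVENTS += [(3.0 + 0.5 * i, "unknown.exe", "rename",
            rf"C:\Users\alice\doc{i}.docx -> doc{i}.docx.locked") for i in range(6)]

def behaviour_detect(events: List[Event], window: float = 10.0, threshold: int = 5,
                     suspicious_ext: str = ".locked") -> Dict[str, int]:
    """Behaviour-based model: flag any process that renames at least `threshold`
    files to `suspicious_ext` within any `window`-second span, regardless of the
    binary's hash. Returns {process: renames counted in the offending window}."""
    renames: Dict[str, List[float]] = defaultdict(list)
    for ts, proc, action, path in events:
        if action == "rename" and path.endswith(suspicious_ext):
            renames[proc].append(ts)
    flagged: Dict[str, int] = {}
    for proc, stamps in renames.items():
        stamps.sort()
        for i in range(len(stamps)):          # sliding window over rename timestamps
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[proc] = j - i
                break
    return flagged

if __name__ == "__main__":
    print("original matched:", signature_scan(KNOWN_SAMPLE))   # Constructed.Trojan.A
    print("variant matched:", signature_scan(VARIANT_SAMPLE))   # None: signature evaded
    print("behaviour flagged:", behaviour_detect(EVENTS))       # {'unknown.exe': 6}
```

The behavioural rule is deliberately simple; a production EDR agent would combine many such signals and, as the article notes, isolate the endpoint and roll back the renamed files rather than only report them.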
Level up your antivirus with SentinelOne and Get Support
Do we really need to tot up the totals?
There's no question that this one's a knockout for EDR.
Endpoint Detection and Response is easily the superior choice compared to traditional antivirus measures, especially for modern businesses. If you're still relying on these outdated systems (or even built-in tools like Windows Defender), you could be exposing your business, your staff, and your sensitive data to potential attackers.
To level-up your protection to meet the threats of today, the team at Get Support recommend SentinelOne, a cybersecurity platform powered by machine learning and advanced AI. You can learn more about exactly how SentinelOne could protect your business by reading our dedicated Product Spotlight article.
Don't want to wait? To talk about how Get Support can provide exclusive access to SentinelOne for your business, just fill in the form below or call us now on 01865 59 4000.