How to choose between traditional antivirus and endpoint detection and response (EDR)

06 October 2023

Iratxe Vazquez, senior product marketing manager, WatchGuard

The wide range of devices and the need to access network resources from anywhere has blurred the traditional security perimeter and extended it beyond the office. As a result, endpoint security is now an essential pillar of any company’s cybersecurity strategy. Both antivirus (AV) and endpoint detection and response (EDR) solutions have been designed to secure devices, but they provide very different levels of protection.

The six main differences between AV and EDR
Traditional antivirus software is installed directly on a device or server to protect it from malicious programs. An EDR system is software that detects and halts cyberthreats while providing visibility and control over the devices on a network. There is some overlap between the functions of the two solutions; however, they differ in the following ways:

  • Security approach: AV systems are reactive, so they only act when there is a threat. EDR solutions are proactive: as well as blocking access, as AV solutions do, they can also detect and stop threats that have somehow gained access to devices.
  • Scope of protection: traditional antivirus is a decentralised security system with limited scope and is simpler than detection and response solutions. EDR provides centralised security and continuously monitors threats at all endpoints of the network, delivering more comprehensive and holistic protection.
  • Detection method: AV systems are based on static threat signatures and patterns, so they only recognise known threats. EDR is behaviour-based: it monitors and detects known or unknown threats in real time by identifying anomalous behaviour at network endpoints.
  • Automation and visibility: EDR constantly collects and analyses data. Thanks to artificial intelligence (AI) and automation, EDR converts that data into actionable intelligence and provides full visibility into devices within a corporate network. This means data patterns can be isolated quickly to provide security teams with fast and accurate assessments of any behaviour that indicates a potential threat. This cuts down detection time and reduces the need to rely on highly skilled security personnel. AV relies on the antivirus developers adding viruses or variants to the malware list every time a new one is identified. Otherwise, any new malware will remain undetectable.
  • Response method: an AV solution acts when a threat has entered the system before it is able to perform malicious actions. This is usually by automatically preventing its execution, deleting the file and any traces it may have left on the way. EDR responds in an automated way with actions such as blocking execution and isolating endpoints to prevent malware from spreading. This provides time to investigate the potential threat, its impact and how to recover from it.
  • Response time: AV's response is immediate and automated, but its detection capability is limited to known threats. EDR systems can detect sophisticated and unknown threats that would otherwise go under the radar. However, detection and response time depends on the automated detection, visibility, containment and remediation that the EDR system provides. Some delegate responsibility to analysts, for example when classifying files that are executed and have performed suspicious actions. Ideally, an EDR solution should detect, investigate and take automated action as early as possible to reduce response time, while also tending towards zero false positives.
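To make the detection-method and response-method bullets concrete, here is an added Python example; it is not WatchGuard's code or the logic of any product. It contrasts a hash-based signature check, which misses a sample whose hash has not yet been catalogued, with two behaviour-based rules run over constructed endpoint telemetry (process-start and file-rename events), and then maps the resulting alerts to the kind of automated containment the text describes. The signature database, process categories, event format, thresholds and host name are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed "known malware" signature database: SHA-256 digests of two
# samples we pretend the AV vendor has already catalogued. Assumption for
# illustration only; real AV databases hold patterns, not just whole-file hashes.
KNOWN_MALWARE_SHA256 = {
    hashlib.sha256(b"constructed-sample-v1").hexdigest(),
    hashlib.sha256(b"constructed-sample-v2").hexdigest(),
}

# Illustrative process categories used by the behavioural rules below (assumed).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def signature_scan(file_bytes: bytes) -> bool:
    """AV-style static check: flag the file only if its hash is already known."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_MALWARE_SHA256


def behavioural_detect(events, rename_threshold: int = 5):
    """EDR-style check over a stream of endpoint telemetry events.

    Two illustrative rules, independent of any file hash:
      1. an office application spawning a script host;
      2. one process changing the extension of many files (mass rename).
    Returns a list of (rule, pid, detail) alerts.
    """
    alerts = []
    image_by_pid = {}                      # pid -> image name, from process_start events
    ext_changes_by_pid = defaultdict(int)  # pid -> count of extension-changing renames

    for ev in events:
        if ev["type"] == "process_start":
            image_by_pid[ev["pid"]] = ev["image"]
            parent = image_by_pid.get(ev["ppid"], "")
            if parent in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", ev["pid"],
                               f"{parent} -> {ev['image']}"))
        elif ev["type"] == "file_rename":
            old_ext = ev["old_name"].rsplit(".", 1)[-1]
            new_ext = ev["new_name"].rsplit(".", 1)[-1]
            if old_ext != new_ext:
                ext_changes_by_pid[ev["pid"]] += 1
                # Alert exactly once, when the threshold is first reached.
                if ext_changes_by_pid[ev["pid"]] == rename_threshold:
                    alerts.append(("mass_extension_rename", ev["pid"],
                                   image_by_pid.get(ev["pid"], "unknown")))
    return alerts


def plan_response(host: str, alerts):
    """Map alerts to the kind of automated containment the article describes."""
    actions = []
    for rule, pid, _detail in alerts:
        actions.append(f"terminate pid {pid} on {host}")
        if rule == "mass_extension_rename":
            # Mass rename suggests data destruction in progress: isolate the host
            # from the network so the behaviour cannot spread, then investigate.
            actions.append(f"isolate {host} from network")
    return sorted(set(actions))


# Constructed telemetry for one host. Benign activity first, then a document
# that launches a script host which rewrites six files' extensions.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 50,  "ppid": 1,   "image": "explorer.exe"},
    {"type": "process_start", "pid": 60,  "ppid": 50,  "image": "notepad.exe"},
    {"type": "file_rename",   "pid": 60,  "old_name": "notes.txt", "new_name": "notes.md"},
    {"type": "process_start", "pid": 100, "ppid": 50,  "image": "winword.exe"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": "powershell.exe"},
] + [
    {"type": "file_rename", "pid": 200,
     "old_name": f"report{i}.docx", "new_name": f"report{i}.enc"}
    for i in range(6)
]


def compare_detection(file_bytes: bytes, events, host: str = "host-01"):
    """Run both approaches on the same incident and report what each would do."""
    alerts = behavioural_detect(events)
    return {
        "signature_hit": signature_scan(file_bytes),
        "behaviour_alerts": alerts,
        "response": plan_response(host, alerts),
    }


if __name__ == "__main__":
    # A new variant with a hash the AV has never seen: the static scan misses it,
    # but its behaviour on the endpoint is still caught.
    result = compare_detection(b"constructed-sample-v3", SAMPLE_EVENTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The threshold and process lists are the tunable part: a backup tool or a user bulk-renaming files can trip a naive mass-rename rule, which is why the point above about tending towards zero false positives matters once responses such as host isolation are automated rather than left to an analyst.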

Which is the best option?
Traditional antivirus detection can be ineffective in identifying and protecting against advanced malware and new variants. Today, malware writers use techniques such as fileless malware to evade detection by traditional antivirus solutions.

Effective detection will often require more information and context. An EDR solution can pinpoint attack and compromise behaviours and indicators successfully, and by automating response capabilities, security analysts can delegate response to the system or act more quickly, providing efficiency gains in dealing with potential security incidents.

However, antivirus software may still be the right solution for a company with a small budget, or one without a security manager to configure and monitor the automated actions of the protection selected.

EDR is the better fit where the endpoint security solution needs to be monitored from a broader standpoint, protecting a larger number of devices exposed to advanced threats, such as remote workers.

If you do opt for an AV solution over EDR, it is important to make sure that the solution is advanced or next-generation, so that it covers a greater number of advanced threats, including those using malware-less techniques.