Can EDR replace antivirus?

blog + security solutions Z. Oualid today

Background

The internet is full of threats that are discovered every day, and for years antivirus vendors have struggled to find and remove those threats before they reach their clients' machines. Unfortunately, the number of threats is growing very fast, and this strategy has become inefficient. So, can an EDR replace the antivirus and its old strategy?

EDR will definitely replace the old antivirus. The new capability offered by EDR solutions to stop unknown threats by analyzing their behavior is what companies need.

In this blog post, I am going to analyze the main differences between EDR and traditional antivirus to see what makes EDR better. So if you are interested, just keep reading.

Why will EDR replace antivirus?

Detection scope

If you have just started in cybersecurity, it might be hard to differentiate an EDR from an antivirus, as many traditional antivirus vendors are starting to implement EDR techniques to detect malware. However, you should know that in a traditional antivirus the detection scope was limited to the end user's computer, with no view of email or other components.

Unfortunately, the new generation of malware uses even more advanced techniques and channels to infiltrate computers. Most modern malware uses email and malicious macros to spread across the network. Moreover, malware increasingly avoids creating files on the victim machine, which makes its detection even harder.

EDR technology has a wider view of the endpoint, with access to processes, email, browsing and more, to identify malware. This view gives the EDR more information that can be correlated to identify unknown attacks and stop them before they get deeper into the network.

Detection techniques (behavior analysis)

To detect malware, traditional antivirus uses what we call signature-based detection. The main idea behind this technique is to find some common elements in the malware file or its structure, so the malware can be identified wherever it goes.

For example, the first and most obvious element used as a signature is the hash of the malware file itself, which seems very logical as a first sign. However, this technique remains ineffective, as a simple change in the file's bits changes the whole hash and therefore the signature.

After this, traditional antivirus evolved to use code blocks as signatures. In this technique, tools and expert knowledge are used to identify malicious static code components in the malware code. For many years this technique was very effective, and a lot of malware was identified this way, because some malicious code, such as exploits and payloads, does not change. Unfortunately, some security experts discovered a new technique to bypass this, known as polymorphic code.

Polymorphic code is code that keeps the same algorithm even though its instructions change.

In addition, all these signatures require that the antivirus company discovers the malware and creates its signature before their clients get infected. This requirement has made the technique inefficient given the growing number of malware samples on the internet.

Recently, a new technique was developed and implemented in EDR technology that solves this issue: what we call behavior analysis. This technique has been made possible by the detection scope of EDR technology, which gives a much better view of the machine's components.
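As an added illustration (not code from the original post), here is a small Python simulation of the difference described above: a hash signature that misses a one-byte variant of a known file, and a behavior rule over constructed process telemetry that flags an Office application spawning a script host regardless of any file hash. The file bytes, event records and rule names are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample "malware" bytes and a variant that differs in one byte.
KNOWN_MALWARE = b"MZ\x90\x00" + b"payload-bytes" * 4
VARIANT = KNOWN_MALWARE[:-1] + b"!"

# Constructed signature database of a hash-based antivirus.
SIGNATURE_DB = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}

def hash_signature_match(file_bytes: bytes) -> bool:
    """Traditional antivirus check: flags only exact, previously seen hashes."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB

# Constructed EDR telemetry: process creation events (pid, parent pid, image).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe"},    # user opens a document
    {"pid": 300, "ppid": 200, "image": "powershell.exe"}, # macro launches a script host
    {"pid": 400, "ppid": 100, "image": "notepad.exe"},    # benign activity
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def build_process_tree(events):
    """Forensics helper: parent pid -> list of child events, in event order."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    return children

def behavior_alerts(events):
    """Behavior rule: an Office app spawning a script host is suspicious,
    whatever the hash of the document or script involved."""
    tree = build_process_tree(events)
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for parent_pid, kids in tree.items():
        parent = by_pid.get(parent_pid)
        if parent and parent["image"] in OFFICE_APPS:
            for child in kids:
                if child["image"] in SCRIPT_HOSTS:
                    alerts.append((parent["image"], child["image"], child["pid"]))
    return alerts

if __name__ == "__main__":
    print("known sample flagged by hash:", hash_signature_match(KNOWN_MALWARE))  # True
    print("one-byte variant flagged by hash:", hash_signature_match(VARIANT))    # False
    print("behavior alerts:", behavior_alerts(EVENTS))  # [('winword.exe', 'powershell.exe', 300)]
```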

Response techniques

Responding to a malware attack with traditional antivirus focused on putting the malware file in quarantine. At the time, this technique was somewhat effective when dealing with already identified malware with a known signature. However, with the rise of unknown attacks, more response capabilities were needed, especially when a security operations center is in the game.

EDR solutions offer more than just detecting a malicious file and putting it in quarantine. Here is a list of what they can do to respond to a malware attack:

  • Isolate the whole machine
  • Analyze the file in a sandbox system
  • Statically analyze the malware's code
  • Give more detailed information to be used in forensic investigations
  • Generate alerts for the security operations center

Forensics capabilities

I guess the most important aspect and functionality that EDR technology offers is its forensics capabilities. A data breach is and will continue to be the nightmare of all companies; that is something we all agree on. In addition, not knowing what data was affected and when it happened makes that nightmare even worse.

With traditional antivirus, searching the network to see which devices have been infected by malware would require manual actions performed by experts. In addition, going on site to investigate the events on local machines would be required to perform those manual actions. Unfortunately, all of those actions take a lot of time and are usually less efficient.

Forensics capabilities are, for me, the most important tools of EDR technology. Performing an investigation each time a suspicious activity happens is the daily work of a security operations center, and it is usually performed using SIEM technology. However, SIEM does not give the level of detail offered by an EDR, and with the forensics tools it gets even better.

Here is a list of some forensics capabilities that an EDR offers:

  • Process execution tree exploration
  • Remotely dumping a running process
  • Remotely extracting hard disk structures to look at individual files
  • Rapid triage and review of the whole company network

Is Windows Defender an EDR?

Microsoft Defender for Endpoint is a full solution that contains many technologies, including an EDR. According to the Gartner ranking, this solution is today the best EDR solution on the market.

Written by: Z. Oualid
