
What is the difference between EDR and traditional antivirus?

Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)

Can EDR replace antivirus, or are both needed?


John Rendy - PeerSpot reviewer
Top 5 | Leaderboard | Consultant

The differences are:

Detection methods standpoint

Antivirus uses the traditional method of a signature database. It combines malware information such as file hashes, names and certain code signatures in the virus functionality. It is static.

EDR uses a different method, such as the dynamic behaviour of the virus/malware. It scans the processes and methods by which a file interacts with the OS. It has a baseline to determine whether a behaviour is malicious or not.

Functionality range

Antivirus simply detects and deletes the virus. It doesn't see the behaviour of the virus/malware. If it is in the virus signature database, it will be able to clean/remove/quarantine the endpoint.

EDR does much more: it can remediate the actions of the virus/malware because it monitors the endpoint processes and behaviours. Certain techniques can be reversed, though not all.

AV uses a negative security model approach. EDR uses a positive security model approach. So unless you can tune your security policies to be really strict, to gain the advantage of the positive security model, you might want to still resort to the negative security model approach.

Can EDR replace Antivirus?

It depends. Several EDR vendors incorporate AV detection methods, still combining the use of a static database of virus signatures with modern behaviour detection. So if you are using an EDR which can provide AV functionality, yes, you are good to go. Generally, you could choose those vendors who were initially AV vendors and later evolved their products to become EDR.

Other EDRs function specifically as threat hunting or digital forensic tools; they do complete behaviour monitoring of the systems and will not have AV detection methods. This will be problematic for some users, although not all, because the EDR will produce much more noise and you will have to really tune the policy so that it behaves according to your organization's needs. These vendors are not AV vendors in particular, but rather different cybersecurity vendors which complement their capabilities with the EDR proposition.
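As an added illustration of the two detection models described in this answer (example code, not part of the original post), the constructed Python snippet below checks a file against a static hash signature database and, separately, evaluates constructed process telemetry against a behaviour baseline. The signature set, baseline and event log are all made up for the example.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed signature database: hashes of known-bad file contents.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}

def signature_scan(file_bytes: bytes) -> bool:
    """Static AV-style check: a hit only if the exact hash is in the database.
    Any one-byte change to the sample defeats it."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES

# Constructed baseline: the actions each known process is normally seen doing.
BASELINE = {
    "winword.exe": {"file_write"},
    "backup.exe": {"file_write", "file_rename"},
}

# Constructed endpoint telemetry: (pid, process, action, target).
EVENTS = [
    (101, "winword.exe", "file_write", "report.docx"),
    (101, "winword.exe", "spawn", "powershell.exe"),
    (202, "unknown.exe", "file_rename", "a.docx -> a.docx.locked"),
    (202, "unknown.exe", "file_rename", "b.xlsx -> b.xlsx.locked"),
    (202, "unknown.exe", "file_rename", "c.pdf -> c.pdf.locked"),
    (303, "backup.exe", "file_rename", "old.bak -> old.bak.1"),
]

def behaviour_scan(events, baseline=BASELINE, rename_limit=3):
    """EDR-style check: flag a known process acting outside its baseline, and
    any process mass-renaming files to one new extension (activity consistent
    with encryption). No file hash is consulted at all."""
    alerts = []
    new_ext = defaultdict(Counter)  # (pid, process) -> Counter of new extensions
    for pid, proc, action, target in events:
        allowed = baseline.get(proc)
        if allowed is not None and action not in allowed:
            alerts.append((pid, proc, f"unexpected action {action} -> {target}"))
        if action == "file_rename":
            dst = target.split(" -> ")[1]
            new_ext[(pid, proc)][dst.rsplit(".", 1)[-1]] += 1
    for (pid, proc), exts in new_ext.items():
        ext, n = exts.most_common(1)[0]
        if n >= rename_limit:
            alerts.append((pid, proc, f"{n} files renamed to .{ext}"))
    return alerts

if __name__ == "__main__":
    print(signature_scan(b"constructed-malware-sample"))  # True
    print(behaviour_scan(EVENTS))
```

Note that the behavioural rule raises an alert for the unknown process even though nothing about it is in the signature database, while the backup process that legitimately renames files stays below the threshold.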

Alan - PeerSpot reviewer
Top 5 | Real User

Some products incorporate AV into the EDR as the basic element. 

Considering the budget, some users might choose the AV. EDR is much more powerful than AV when you need forensics. The traditional AV is signature-based and heuristic. EDR leverages more, e.g. Deep Learning, Behavioral Analysis, ...

Pete Maddox - PeerSpot reviewer

EDR goes far beyond traditional antivirus. 

It can detect ransomware attacks, malware, rogue programs, and viruses, as well as automatically isolate any infected system from your network. It can also detect unknown infections by detecting activities consistent with viruses or encryption. And, in the event anything did get through, you can roll back your infected system for up to 72 hours. 

If something got through and infected your network, the response is included, and their techs will come out at no additional charge to assist in restoring your network and data. Of course, even better than EDR or antivirus is a well-trained staff that knows not to click on links or open files in suspicious emails.

ABHILASH TH - PeerSpot reviewer
Top 5 | Leaderboard | Reseller

Next-Generation Antivirus (NGAV) uses a combination of artificial intelligence, behavioural detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented. NGAV is cloud-based, which allows it to be deployed in hours instead of months, and the burden of maintaining software, managing infrastructure, and updating signature databases is eliminated.

NGAV is the next step in endpoint protection, using a signature-less approach to deliver more complete and effective endpoint security than is possible with legacy AV.

Protects against the entire spectrum without requiring daily and cumbersome updates

Combines the best prevention technologies — machine learning, AI, indicators of attack (IOAs), exploit blocking and more — to stop ransomware and malware-free and fileless attacks

Covers the gaps left by legacy AV and fully protects endpoints online and offline

Full attack visibility: unravels an entire attack in one easy-to-grasp process tree enriched with contextual and threat intelligence data

Legacy AV

Legacy AV uses strings of characters called signatures that are associated with specific types of malware to detect and prevent further attacks of similar types. This approach is becoming obsolete as sophisticated attackers have found ways around legacy AV defenses, such as by leveraging fileless attacks that use macros, scripting engines, in-memory execution, etc.

Legacy AV leaves organizations locked into a reactive mode, only able to defend against known malware and viruses catalogued in the AV provider’s database. That approach was the best available in the past, but today, when unknown threats need to be addressed with the same rigour as known threats, it is sorely inadequate.

Basically, legacy AV lacks:

Detection of Unknown Threats: Relies on signatures, which are hard to update and ineffective against file-less attacks

Impact on Endpoint: Scans and updates consume high percentages of resources and slow down endpoints

Deployment is complex

NGAV eliminates these shortcomings as the integration of more sophisticated prevention methods – such as machine learning, behavioural detection, and artificial intelligence – eliminates the sole reliance on signatures to detect malicious activity. NGAV protects against unknown threats as well as known threats, which is increasingly important as the use of fileless attacks rises among attackers. NGAV enables both types of threats to be exposed in near real-time, and is much more effective at helping organizations block these threats at a far greater speed than in the past.

NGAV solutions are designed to employ a single, lightweight agent that is unobtrusive in nature and has a minimal impact on the endpoint.

Reference: Our successful partnership engagement and experience with Crowdstrike

SAMUELMWANGI - PeerSpot reviewer
Top 5 | Leaderboard | Real User

EDR is a more advanced program that collects data from the nodes and also does analysis and identifies where the threat is originating from.

Antivirus or AV is a single program that is used to scan files and the OS for known threats like Trojans, worms, and malware.

Mantu Shaw - PeerSpot reviewer
Top 5 | Leaderboard | Real User

Yes, EDR replaces traditional Antivirus, as it's one step up from traditional antivirus. It includes all the features of Antivirus as well as has advanced features.

Russ Gallery - PeerSpot reviewer

Anti-virus is a signature-based approach that first entered the market almost 39 years ago. Adversaries have learned to make continuous and persistent changes to their code to thwart these systems.

EDR is the next generation of these technologies that looks at behaviors and not signatures. Anti-virus is bad, EDR is good!

SAMUELMWANGI - PeerSpot reviewer
Top 5 | Leaderboard | Real User

EDR is modern technology. Hence it can detect and clear threats, so when using EDR you don't need to use antivirus.

When both are used they will slow the machine and sometimes cause technical issues.

Kev Whelan - PeerSpot reviewer

A very broad church. EDR has now moved on to XDR (Extended Detection and Response). 

Detection is driven by legacy signature methods in most, if not all, endpoint products. This is augmented with activity anomaly recognition, etc. As with everything, it isn't what you have got, it is what you do with it.

If you have a Microsoft estate, feel free to contact me for sales-free advice. 

reviewer1598412 - PeerSpot reviewer
Top 5 | Leaderboard | Real User

EDR, simply put, is a next-gen antivirus with much more capability. Look at Cynet.

ITSecuri7cfd - PeerSpot reviewer
Top 5 | Real User

So this is what WIKI says about EDR.
EDR systems detect all endpoint threats and provide real-time response to the identified threats. ... EDR systems also collect high-quality forensic data which is needed for incident response and investigations. Overall, EDR security systems are much better equipped at handling cyber threats than traditional antivirus.

But IMHO, it depends. It depends on the products you are looking at, it depends on the cost, it depends on what you are trying to cover or prevent from happening and it depends on the tools' capabilities. Some tools are better than others. Some A/V is better than EDR; some EDR is better than A/V. It's a very active space with a HUGE amount of contenders all vying for your security dollars. You just have to ask them the right questions and bounce their answers against their competitors, your bosses, and your friends' opinions to get out of it what you need, for the least cost and most coverage. Do some POCs and RFIs to see what fits you, your environment and your needs first before you decide. Then spend the next 3 yrs extracting every bit of juice out of the tool you can to make it purr like a kitten.

If you don't need it and you can get by on Defender as an 80% solution, then go with Defender. If you need Carbon Black and McAfee, do that. It comes down to your needs and what's good enough for you.

Nikki Webb - PeerSpot reviewer
Top 20 | Real User

EDR can replace antivirus, if you get the right EDR solution. A solution that combines EPP and EDR into one is a replacement for traditional antivirus. EPP provides all the protection you would get from antivirus and more. Happy to discuss further if you have any more questions.

Matthias De Toffol - PeerSpot reviewer

Hello, EDR can replace a normal antivirus and can offer even more, as it can effectively respond to an attack, isolate the end device or restore destroyed data. After that you can analyse the attack. We're using SentinelOne for ourselves and our customers and are more than happy, as we're protected against new and old ransomware.

RicardoGranados - PeerSpot reviewer
Top 20 | Real User

EDR is an add-on for Endpoint Protection. EDR is for detecting post-intrusion threats or persistent advanced threats. EDR enables identification and prevention of reconnaissance attacks, lateral movement, command and control channels and data filtering. EDR can also analyze user behavior against a baseline.

reviewer1272021 - PeerSpot reviewer

Yes, EDR will replace traditional A/V with most solutions. Make sure to validate with your vendor but the reputable ones certainly cover A/V. You do not need to have both as this is unnecessary overhead. Any (reputable) EDR will have known bad MD5 already included.

Matthias De Toffol - PeerSpot reviewer

There is never 100% security, and I'm warning against using too much endpoint protection on the client, as each one has a small negative impact on performance.
And when using two, they will slow each other down.
To replace an antivirus, just use a good EDR, which replaces the AV and does even more.

Cesar Eterovich Rodrigues - PeerSpot reviewer
Real User

Yes, it is a good level of protection to have EDR alone, but for better protection I recommend having the two solutions together, with different manufacturers for EDR and AV.
