You can use EDR solutions to track, monitor, and analyze data on endpoints to enhance the fortification of your environment. Generally, EDR tools do not replace traditional tools like antivirus and firewalls; they work beside them to provide enhanced security capabilities. It is becoming the preferred technology for enterprises to provide better security for their networks when compared with the traditional antivirus.
EDR solutions have many capabilities and advantages which are not offered by traditional antivirus programs. It comes loaded with different analytical tools that run in the background to ensure the monitoring and reporting of threats. However, all EDR solutions do not perform the same range of functions. Their scope and nature of activities differ depending on the type of EDR solutions that you choose.
Traditional antivirus programs are more simplistic and limited in scope compared to the modern EDR systems. Antivirus is generally a single program which serves basic purposes like scanning, detecting and removing viruses and different types of malware.
Antiviruses are more of a decentralized security system that falls short of providing adequate security to the ever-expanding digital networks. The IT network and perimeter of enterprises have witnessed even faster growth due to the mobile revolution.
Search for a product comparison in Endpoint Detection and Response (EDR)
Antivirus uses traditional method of database signature. It combines malware information such as hashes of the file, name, certain code signature in the virus functionality. It is static.
EDR uses different method such as dynamic behaviour of the virus / malware. It scans the processes and methods a file is interacting with the OS. They will have baseline to see if a behaviour is malicious or not.
Functionality range
Antivirus simply detect and delete the virus. It didn't see the behaviour of the virus/ malware. If it is in the virus signature database, it will be able to clean/remove/quarantine the endpoint.
EDR does much more, it could remediate the actions of the virus/malware because it monitors the endpoint processes and behaviours. Certain techniques could be reversed while not all.
AV is using a negative security model approach. EDR is using a positive security model approach. So unless you cannot tune your security policies to be really strict - to gain an advantage of the positive security model, you might want to still resort to the negative security model approach.
Can EDR replace Antivirus?
Depends. Several EDR vendors incorporate AV detection methods and still combining the use of a static database of virus signature with the modern behaviour detection. So if you are using the EDR which can provide AV functionality - yes you are good to go. Generally, you could choose those vendors who were initially AV vendors and later on evolve their products to become EDR.
Other EDR specifically only function as threat hunting or digital forensic tools, they do complete behaviour monitoring of the systems and will not have AV detection methods. This will be problematic for some users although not all because the EDR will provide much more noise and you will have to really tune the policy so that it will behave according to your organization needs. These types of vendors are not particularly AV vendors, but rather different cybersecurity vendors which complement their capabilities with the EDR proposition.
Works at a tech services company with 11-50 employees
Real User
Jul 15, 2021
Some products incorporate AV into the EDR as the basic element.
Considering the budget, some users might choose the AV. EDR is much more powerful than AV when you need forensics. The traditional AV is signature-based and heuristic. EDR leverages more, e.g. Deep Learning, Behavioral Analysis, ...
IT Security Coordinator at a healthcare company with 10,001+ employees
Real User
May 27, 2020
So this is what WIKI says about EDR.
EDR systems detect all endpoint threats and provide real-time response to the identified threats. ... EDR systems also collect high-quality forensic data which is needed for incident response and investigations. Overall, EDR security systems are much better equipped at handling cyber threats than traditional antivirus.
But INHO, it depends. It depends on the products you are looking at, it depends on the cost, it depends on what you are trying to cover or prevent from happening and it depends on the tools' capabilities. Some tools are better than others. Some a/v is better then EDR, Some EDR is better than a/v. It's a very active space with a HUGE amount of contenders all vying for your security dollars. You just have to ask them the right questions and bounce their answers against their competitors, your bosses, and your friends opinions to get out of it what you need, for the least cost and most coverage. Do some POCs, RFIs to see what fits for you and your environment and needs first before you decide. Then spend the next 3 yrs extracting every bit of juice out of the tool you can to make it purr like a kitten.
If you don't need it and you can get by on defender as a 80% solution then go with defender. If you need carbon black and mcafee do that. It comes down to your needs and what's good enough for you.
EDR can replace antivirus, if you get the right EDR solution. A solution that comprises EPP and EDR into one is a replacement for traditional antivirus. EPP provides all the protection you would get from antivirus and more. Happy to discuss further if you have anymore questions
IT Project Manager at a tech services company with 51-200 employees
User
May 26, 2020
Hello EDR can replace a normal AntiVirus and can offer even more, as they can effictively can respond to an attack, isolate the end device or restore destroyed data. After that you can analyse the attack. We're using SentinelOne for us and our customers and are more than happy, as we're protected against new and old ransomware
It can detect ransomware attacks, malware, rogue programs, and viruses, as well as automatically isolate any infected system from your network. It can also detect unknown infections by detecting activities consistent with viruses or encryption. And, in the event anything did get through, you can roll back your infected system for up to 72 hours.
If something got through and infected your network, the response is included, and their techs will come out at no additional charge to assist in restoring your network and data. Of course, even better than EDR or antivirus is a well-trained staff that knows not to click on links or open files in suspicious emails.
Next-Generation Antivirus (NGAV) uses a combination of artificial intelligence, behavioural detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented. NGAV is cloud-based, which allows it to be deployed in hours instead of months, and the burden of maintaining software, managing infrastructure, and updating signature databases is eliminated.
NGAV is the next step in endpoint protection, using a signature-less approach to deliver more complete and effective endpoint security than is possible with legacy AV.
Protects against the entire spectrum without requiring daily and cumbersome updates
Combines the best prevention technologies — machine learning, AI, indicators of attack (IOAs), exploit blocking and more — to stop ransomware and malware-free and fileless attacks
Covers the gaps left by legacy AV and fully protects endpoints online and offline
FULL ATTACK VISIBILITY Unravels an entire attack in one easy-to-grasp process tree enriched with contextual and threat intelligence data
Legacy AV
Legacy AV uses strings of characters called signatures that are associated with specific types of malware to detect and prevent further attacks of similar types. This approach is becoming obsolete as sophisticated attackers have found ways around legacy AV defenses, such as by leveraging fileless attacks that use macros, scripting engines, in-memory, execution, etc.,
Legacy AV leaves organizations locked into a reactive mode, only able to defend against known malware and viruses catalogued in the AV provider’s database. That approach was the best available in the past, but today, when unknown threats need to be addressed with the same rigour as known threats, it is sorely inadequate.
Basically, Legacy AV lacks-
Detection of Unknown Threats: Relies on signatures, which are hard to update and ineffective against file-less attacks
Impact on End Point: Scans and updates consume high percentages of resources and slow down endpoints
Deployment is complex
NGAV eliminates these shortcomings as the integration of more sophisticated prevention methods – such as machine learning, behavioural detection, and artificial intelligence – eliminates the sole reliance on signatures to detect malicious activity. NGAV protects against unknown threats as well as known threats, which is increasingly important as the use of fileless attacks rises among attackers. NGAV enables both types of threats to be exposed in near real-time, and is much more effective at helping organizations block these threats at a far greater speed than in the past.
NGAV solutions are designed to employ a single, lightweight agent that is unobtrusive in nature and has a minimal impact on the endpoint.
Reference: Our successful partnership engagement and experience with Crowdstrike
Project Manager at a outsourcing company with 1,001-5,000 employees
MSP
Top 5
Jul 14, 2021
Yes, EDR replaces traditional Antivirus, as it's one step up from traditional antivirus. It includes all the features of Antivirus as well as has advanced features.
Cibersecurity Pre-Sales at a tech services company with 10,001+ employees
Real User
May 27, 2020
EDR is an add-on for Endpoint Protection. EDR is for detecting post-intrusion threats or persistent advanced threats. EDR enables identification and prevention of reconnaissance attack, lateral movement, command and control channel and data filtering. EDR can also analyze user behavior against a baseline.
IT Security Architect at a computer software company with 51-200 employees
User
May 26, 2020
Yes, EDR will replace traditional A/V with most solutions. Make sure to validate with your vendor but the reputable ones certainly cover A/V. You do not need to have both as this is unnecessary overhead. Any (reputable) EDR will have known bad MD5 already included.
Client Executive at a computer software company with 1,001-5,000 employees
User
Jul 16, 2021
Anti-virus is a signature-based approach that first entered the market almost 39 years ago. Adversaries have learned to have continuous and persistent changes to their code to thwart these systems.
EDR is the next generation of these technologies that looks at behaviors and not signatures. Anti-virus is bad, EDR is good!
A very broad church. EDR has now moved on to XDR (Extended Detection and Response).
Detection is driven by legacy signature methods in most, if not all endpoint products. This is augmented with activity anomaly recognition etc. As with everything - it isn't what you have got, it is what you do with it,
If you have a Microsoft estate, feel free to contact me for sales-free advice.
IT Project Manager at a tech services company with 51-200 employees
User
May 28, 2020
There is never 100% security and I'm warning of using too much end-point-protection on the client, as each one has a little bad impact of performance.
And when using two they will slow down each one.
To replace an Anti-Virus just use a good EDR, which replaces the AV and which does even more.
Yes, it is a good level of protection to have EDR alone, but for better protection I recommend having the two solutions together but with different manufacturers between EDR and AV
EDR solutions provide advanced capabilities for detecting and responding to threats on endpoints. These tools enhance security teams' ability to detect, investigate, and remediate incidents.EDR solutions offer enhanced endpoint protection by integrating real-time monitoring and advanced analytics. Designed for modern security teams, they facilitate immediate threat detection and remediation, effectively mitigating risks. User feedback highlights their capability to analyze extensive data...
You can use EDR solutions to track, monitor, and analyze data on endpoints to enhance the fortification of your environment. Generally, EDR tools do not replace traditional tools like antivirus and firewalls; they work beside them to provide enhanced security capabilities. It is becoming the preferred technology for enterprises to provide better security for their networks when compared with the traditional antivirus.
EDR solutions have many capabilities and advantages which are not offered by traditional antivirus programs. It comes loaded with different analytical tools that run in the background to ensure the monitoring and reporting of threats. However, all EDR solutions do not perform the same range of functions. Their scope and nature of activities differ depending on the type of EDR solutions that you choose.
Traditional antivirus programs are more simplistic and limited in scope compared to the modern EDR systems. Antivirus is generally a single program which serves basic purposes like scanning, detecting and removing viruses and different types of malware.
Antiviruses are more of a decentralized security system that falls short of providing adequate security to the ever-expanding digital networks. The IT network and perimeter of enterprises have witnessed even faster growth due to the mobile revolution.
The differences are:
Detection methods standpoint
Antivirus uses traditional method of database signature. It combines malware information such as hashes of the file, name, certain code signature in the virus functionality. It is static.
EDR uses different method such as dynamic behaviour of the virus / malware. It scans the processes and methods a file is interacting with the OS. They will have baseline to see if a behaviour is malicious or not.
Functionality range
Antivirus simply detect and delete the virus. It didn't see the behaviour of the virus/ malware. If it is in the virus signature database, it will be able to clean/remove/quarantine the endpoint.
EDR does much more, it could remediate the actions of the virus/malware because it monitors the endpoint processes and behaviours. Certain techniques could be reversed while not all.
AV is using a negative security model approach. EDR is using a positive security model approach. So unless you cannot tune your security policies to be really strict - to gain an advantage of the positive security model, you might want to still resort to the negative security model approach.
Can EDR replace Antivirus?
Depends. Several EDR vendors incorporate AV detection methods and still combining the use of a static database of virus signature with the modern behaviour detection. So if you are using the EDR which can provide AV functionality - yes you are good to go. Generally, you could choose those vendors who were initially AV vendors and later on evolve their products to become EDR.
Other EDR specifically only function as threat hunting or digital forensic tools, they do complete behaviour monitoring of the systems and will not have AV detection methods. This will be problematic for some users although not all because the EDR will provide much more noise and you will have to really tune the policy so that it will behave according to your organization needs. These types of vendors are not particularly AV vendors, but rather different cybersecurity vendors which complement their capabilities with the EDR proposition.
Some products incorporate AV into the EDR as the basic element.
Considering the budget, some users might choose the AV. EDR is much more powerful than AV when you need forensics. The traditional AV is signature-based and heuristic. EDR leverages more, e.g. Deep Learning, Behavioral Analysis, ...
So this is what WIKI says about EDR.
EDR systems detect all endpoint threats and provide real-time response to the identified threats. ... EDR systems also collect high-quality forensic data which is needed for incident response and investigations. Overall, EDR security systems are much better equipped at handling cyber threats than traditional antivirus.
But INHO, it depends. It depends on the products you are looking at, it depends on the cost, it depends on what you are trying to cover or prevent from happening and it depends on the tools' capabilities. Some tools are better than others. Some a/v is better then EDR, Some EDR is better than a/v. It's a very active space with a HUGE amount of contenders all vying for your security dollars. You just have to ask them the right questions and bounce their answers against their competitors, your bosses, and your friends opinions to get out of it what you need, for the least cost and most coverage. Do some POCs, RFIs to see what fits for you and your environment and needs first before you decide. Then spend the next 3 yrs extracting every bit of juice out of the tool you can to make it purr like a kitten.
If you don't need it and you can get by on defender as a 80% solution then go with defender. If you need carbon black and mcafee do that. It comes down to your needs and what's good enough for you.
EDR can replace antivirus, if you get the right EDR solution. A solution that comprises EPP and EDR into one is a replacement for traditional antivirus. EPP provides all the protection you would get from antivirus and more. Happy to discuss further if you have anymore questions
Hello EDR can replace a normal AntiVirus and can offer even more, as they can effictively can respond to an attack, isolate the end device or restore destroyed data. After that you can analyse the attack. We're using SentinelOne for us and our customers and are more than happy, as we're protected against new and old ransomware
EDR goes far beyond traditional antivirus.
It can detect ransomware attacks, malware, rogue programs, and viruses, as well as automatically isolate any infected system from your network. It can also detect unknown infections by detecting activities consistent with viruses or encryption. And, in the event anything did get through, you can roll back your infected system for up to 72 hours.
If something got through and infected your network, the response is included, and their techs will come out at no additional charge to assist in restoring your network and data. Of course, even better than EDR or antivirus is a well-trained staff that knows not to click on links or open files in suspicious emails.
Next-Generation Antivirus (NGAV) uses a combination of artificial intelligence, behavioural detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented. NGAV is cloud-based, which allows it to be deployed in hours instead of months, and the burden of maintaining software, managing infrastructure, and updating signature databases is eliminated.
NGAV is the next step in endpoint protection, using a signature-less approach to deliver more complete and effective endpoint security than is possible with legacy AV.
Protects against the entire spectrum without requiring daily and cumbersome updates
Combines the best prevention technologies — machine learning, AI, indicators of attack (IOAs), exploit blocking and more — to stop ransomware and malware-free and fileless attacks
Covers the gaps left by legacy AV and fully protects endpoints online and offline
FULL ATTACK VISIBILITY Unravels an entire attack in one easy-to-grasp process tree enriched with contextual and threat intelligence data
Legacy AV
Legacy AV uses strings of characters called signatures that are associated with specific types of malware to detect and prevent further attacks of similar types. This approach is becoming obsolete as sophisticated attackers have found ways around legacy AV defenses, such as by leveraging fileless attacks that use macros, scripting engines, in-memory, execution, etc.,
Legacy AV leaves organizations locked into a reactive mode, only able to defend against known malware and viruses catalogued in the AV provider’s database. That approach was the best available in the past, but today, when unknown threats need to be addressed with the same rigour as known threats, it is sorely inadequate.
Basically, Legacy AV lacks-
Detection of Unknown Threats: Relies on signatures, which are hard to update and ineffective against file-less attacks
Impact on End Point: Scans and updates consume high percentages of resources and slow down endpoints
Deployment is complex
NGAV eliminates these shortcomings as the integration of more sophisticated prevention methods – such as machine learning, behavioural detection, and artificial intelligence – eliminates the sole reliance on signatures to detect malicious activity. NGAV protects against unknown threats as well as known threats, which is increasingly important as the use of fileless attacks rises among attackers. NGAV enables both types of threats to be exposed in near real-time, and is much more effective at helping organizations block these threats at a far greater speed than in the past.
NGAV solutions are designed to employ a single, lightweight agent that is unobtrusive in nature and has a minimal impact on the endpoint.
Reference: Our successful partnership engagement and experience with Crowdstrike
EDR is a more advanced program that collects data from the nodes and also does analysis and identifies where the threat is originating from.
Antivirus or AV is a single program that is used to scan files and OS for known threats like Trojan, worms, and Malware.
Yes, EDR replaces traditional Antivirus, as it's one step up from traditional antivirus. It includes all the features of Antivirus as well as has advanced features.
EDR is an add-on for Endpoint Protection. EDR is for detecting post-intrusion threats or persistent advanced threats. EDR enables identification and prevention of reconnaissance attack, lateral movement, command and control channel and data filtering. EDR can also analyze user behavior against a baseline.
Yes, EDR will replace traditional A/V with most solutions. Make sure to validate with your vendor but the reputable ones certainly cover A/V. You do not need to have both as this is unnecessary overhead. Any (reputable) EDR will have known bad MD5 already included.
Anti-virus is a signature-based approach that first entered the market almost 39 years ago. Adversaries have learned to have continuous and persistent changes to their code to thwart these systems.
EDR is the next generation of these technologies that looks at behaviors and not signatures. Anti-virus is bad, EDR is good!
EDR is modern technology. Hence it can detect and clear threats, so when using EDR you don't need to use antivirus.
When both are used they will slow the machine and sometimes cause technical issues.
A very broad church. EDR has now moved on to XDR (Extended Detection and Response).
Detection is driven by legacy signature methods in most, if not all endpoint products. This is augmented with activity anomaly recognition etc. As with everything - it isn't what you have got, it is what you do with it,
If you have a Microsoft estate, feel free to contact me for sales-free advice.
EDR simply put is a next gen antivirus with much more capability. Look at Cynet
There is never 100% security and I'm warning of using too much end-point-protection on the client, as each one has a little bad impact of performance.
And when using two they will slow down each one.
To replace an Anti-Virus just use a good EDR, which replaces the AV and which does even more.
Yes, it is a good level of protection to have EDR alone, but for better protection I recommend having the two solutions together but with different manufacturers between EDR and AV