Why Antivirus Isn't Enough
Traditional antivirus (AV) works by scanning files for signatures — patterns that match known malware. When malware first emerged, this was highly effective: virus signatures were shared among AV vendors, and signature updates kept defenses current. But the threat landscape has shifted dramatically:
Modern attacks use fileless malware that executes entirely in memory and never writes a file to disk — bypassing file-based AV scanning entirely. Attackers use living-off-the-land (LOTL) techniques that abuse legitimate system tools like PowerShell, WMI, and certutil rather than dropping custom malware. Polymorphic and metamorphic malware changes its signature with each infection. Against these techniques, signature-based AV generates no alerts — there's nothing matching the signature database.
EDR was developed specifically to address this gap. Where AV looks at files, EDR watches behavior.
How EDR Works
EDR consists of a lightweight agent installed on every endpoint (workstations, servers, laptops) that continuously records activity and streams telemetry to a central management platform. Unlike AV, which scans for bad things, EDR records everything and then hunts for suspicious patterns in that data.
| EDR Component | What It Does |
|---|---|
| Endpoint Agent | Installed on each device — monitors and records all activity in real time. Minimal performance impact is a key design goal. Communicates with cloud or on-premise management platform. |
| Telemetry Collection | Records process creation/termination, parent-child process relationships, file system changes, registry modifications, network connections, user login events, memory operations, and DLL loading. |
| Detection Engine | Analyzes telemetry using behavioral rules (ATT&CK technique detection), machine learning models, IOC matching, and custom hunting queries to identify suspicious or malicious activity. |
| Response Capabilities | Allows analysts to remotely isolate a host from the network, kill processes, delete files, collect forensic artifacts, capture memory dumps, and run live queries — without touching the machine physically. |
| Threat Hunting Interface | Query interface (often SQL-like) that lets analysts search across all endpoint telemetry — e.g., "show me all processes that ran PowerShell and made outbound network connections in the past 30 days." |
EDR vs Antivirus — Side by Side
| Capability | Traditional Antivirus | EDR |
|---|---|---|
| Detection Method | Signature matching (known malware patterns) | Behavioral analysis + signatures + ML + IOC matching |
| Fileless Malware | ❌ Blind to fileless attacks | ✅ Detects suspicious memory behavior and process chains |
| LOTL Attacks | ❌ PowerShell abuse appears legitimate | ✅ Detects abnormal use of legitimate tools via behavior |
| Telemetry / Visibility | Limited — only file scan results and quarantine actions | Rich — process trees, network connections, file changes, registry |
| Response Actions | Quarantine file, delete malware | Isolate host, kill process, collect forensics, run queries |
| Threat Hunting | ❌ No hunting capability | ✅ Full query interface over historical telemetry |
| Incident Investigation | Very limited — no context | Full attack chain reconstruction with process trees and timelines |
| Examples | Windows Defender (basic), McAfee, Symantec Endpoint | CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint |
What EDR Telemetry Reveals
The power of EDR lies in its telemetry richness. Here are key data points that EDR captures that AV never could:
- Parent-child process relationships: winword.exe spawning cmd.exe, which in turn spawns powershell.exe, is immediately suspicious — a classic macro malware indicator.
- Network connections from unexpected processes: notepad.exe making a DNS query is extremely suspicious — no legitimate use case exists.
- Registry modifications: HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Malware writes here to survive reboots — EDR catches the write event.

Two EDR response actions in detail:
- Host isolation: Completely cuts the endpoint from the network — blocks all inbound and outbound traffic except communication to the EDR management platform. Used when a host is confirmed compromised and you need to prevent lateral movement or data exfiltration. The machine stays on and the analyst can still investigate it remotely via the EDR agent.
- Process kill: Terminates a specific malicious process without isolating the whole machine. Used for less severe cases where you want to stop the malicious activity without taking down the host entirely.
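To make the process-chain, DNS and registry indicators above concrete, here is an added Python example (not from the original page or any EDR vendor) that runs simple behavioral rules over a constructed batch of EDR-style telemetry events; the event fields, pids and process names are assumptions.

```python
# Added example: behavioral detection over constructed EDR-style telemetry.
# Event shape (type/pid/ppid/image/...) is an assumption, not a vendor schema.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample telemetry: process creation, DNS and registry events.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": "notepad.exe"},
    {"type": "dns", "pid": 500, "query": "example.invalid"},
    {"type": "registry", "pid": 400, "key": RUN_KEY, "value": "updater"},
    {"type": "registry", "pid": 100, "key": r"HKCU\Software\Contoso\UI", "value": "theme"},
]

def ancestry(procs, pid):
    """Return the process lineage for pid, root first, e.g. ['explorer.exe', 'winword.exe', 'cmd.exe']."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))

def detect(events):
    """Apply the three behavioral rules from the text and return (rule, detail) findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        image = procs.get(e["pid"], {}).get("image")
        if e["type"] == "process" and image in SHELLS:
            lineage = ancestry(procs, e["pid"])
            # Any Office application anywhere above the shell in the tree is the macro pattern.
            if any(img in OFFICE_APPS for img in lineage[:-1]):
                findings.append(("office_spawns_shell", " -> ".join(lineage)))
        elif e["type"] == "dns" and image == "notepad.exe":
            findings.append(("unexpected_dns", f"notepad.exe -> {e['query']}"))
        elif e["type"] == "registry" and e["key"].lower() == RUN_KEY.lower():
            findings.append(("run_key_persistence", f"{image} wrote {e['value']}"))
    return findings
```

Running detect(EVENTS) yields two office_spawns_shell findings (cmd.exe, then powershell.exe), one unexpected_dns and one run_key_persistence finding; the unrelated HKCU\Software\Contoso\UI write is ignored.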
XDR — Extended Detection and Response
XDR extends the EDR model beyond the endpoint to correlate telemetry across multiple security layers: endpoint, network, email, cloud workloads, and identity systems. Instead of investigating alerts in separate tools (EDR for endpoint, email gateway for phishing, CASB for cloud), XDR aggregates all telemetry into a single platform with unified detection and response.
EDR: Endpoint Detection and Response — focused on endpoints only. Agent-based. Investigation and response at the endpoint layer.
XDR: Extended Detection and Response — EDR + network + email + cloud + identity. Broader visibility, fewer blind spots, unified investigation console.
MDR: Managed Detection and Response — EDR or XDR technology + human SOC analysts provided as a service. You get 24/7 monitoring and response without staffing your own SOC. Think of it as EDR-as-a-Service with human oversight.
Next-Gen Antivirus (NGAV)
You'll also see the term NGAV (Next-Generation Antivirus) on the exam and in vendor marketing. NGAV replaces signature-based scanning with machine learning and behavioral detection — it detects malicious behavior rather than matching known signatures. Many vendors bundle NGAV and EDR together in a single agent, which is why the terms are sometimes used interchangeably, but they're distinct:
NGAV = detection capability (is this bad?). EDR = detection + investigation telemetry + response actions. An endpoint with NGAV but no EDR can block threats but can't help you understand the full scope of a compromise or hunt for threats that slipped through.