Why Antivirus Isn't Enough
Traditional antivirus (AV) works by scanning files for signatures — patterns that match known malware. When malware first emerged, this was highly effective: virus signatures were shared among AV vendors, and signature updates kept defenses current. But the threat landscape has shifted dramatically:
Modern attacks use fileless malware that executes entirely in memory and never writes a file to disk — bypassing file-based AV scanning entirely. Attackers use living-off-the-land (LOTL) techniques that abuse legitimate system tools like PowerShell, WMI, and certutil rather than dropping custom malware. Polymorphic and metamorphic malware changes its signature with each infection. Against these techniques, signature-based AV generates no alerts — there's nothing matching the signature database.
EDR was developed specifically to address this gap. Where AV looks at files, EDR watches behavior.
How EDR Works
EDR consists of a lightweight agent installed on every endpoint (workstations, servers, laptops) that continuously records activity and streams telemetry to a central management platform. Unlike AV, which scans for bad things, EDR records everything and then hunts for suspicious patterns in that data.
| EDR Component | What It Does |
|---|---|
| Endpoint Agent | Installed on each device — monitors and records all activity in real time. Minimal performance impact is a key design goal. Communicates with cloud or on-premise management platform. |
| Telemetry Collection | Records process creation/termination, parent-child process relationships, file system changes, registry modifications, network connections, user login events, memory operations, and DLL loading. |
| Detection Engine | Analyzes telemetry using behavioral rules (ATT&CK technique detection), machine learning models, IOC matching, and custom hunting queries to identify suspicious or malicious activity. |
| Response Capabilities | Allows analysts to remotely isolate a host from the network, kill processes, delete files, collect forensic artifacts, capture memory dumps, and run live queries — without touching the machine physically. |
| Threat Hunting Interface | Query interface (often SQL-like) that lets analysts search across all endpoint telemetry — e.g., "show me all processes that ran PowerShell and made outbound network connections in the past 30 days." |
EDR vs Antivirus — Side by Side
| Capability | Traditional Antivirus | EDR |
|---|---|---|
| Detection Method | Signature matching (known malware patterns) | Behavioral analysis + signatures + ML + IOC matching |
| Fileless Malware | ❌ Blind to fileless attacks | ✅ Detects suspicious memory behavior and process chains |
| LOTL Attacks | ❌ PowerShell abuse appears legitimate | ✅ Detects abnormal use of legitimate tools via behavior |
| Telemetry / Visibility | Limited — only file scan results and quarantine actions | Rich — process trees, network connections, file changes, registry |
| Response Actions | Quarantine file, delete malware | Isolate host, kill process, collect forensics, run queries |
| Threat Hunting | ❌ No hunting capability | ✅ Full query interface over historical telemetry |
| Incident Investigation | Very limited — no context | Full attack chain reconstruction with process trees and timelines |
| Examples | Windows Defender (basic), McAfee, Symantec Endpoint | CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint |
What EDR Telemetry Reveals
The power of EDR lies in its telemetry richness. Here are key data points that EDR captures that AV never could:
Process tree: winword.exe spawning cmd.exe, which in turn spawns powershell.exe, is immediately suspicious — a classic macro malware indicator.
Network activity: notepad.exe making a DNS query is extremely suspicious — no legitimate use case exists.
Registry write: a value set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Malware writes here to survive reboots — EDR catches the write event.
Host isolation: Completely cuts the endpoint from the network — blocks all inbound and outbound traffic except communication to the EDR management platform. Used when a host is confirmed compromised and you need to prevent lateral movement or data exfiltration. The machine stays on and the analyst can still investigate it remotely via the EDR agent.
Process kill: Terminates a specific malicious process without isolating the whole machine. Used for less severe cases where you want to stop the malicious activity without taking down the host entirely.
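The three telemetry signals above (an Office application in the ancestry of a shell, a DNS query from a process that has no business on the network, and a write to a Run key) expressed as behavioural rules, as an added example that is not code from the original article or from any EDR vendor. The event records, their layout (type / pid / ppid / image), the process-name lists and the rule names are all constructed assumptions for this example.

```python
"""Behavioural rules over EDR-style endpoint telemetry (added example).

The events below are constructed; their layout is an assumption for this
example, not any vendor's schema.
"""

# Constructed telemetry from one host: process creations, DNS queries, registry writes.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": "notepad.exe"},
    {"type": "process", "pid": 600, "ppid": 100, "image": "chrome.exe"},
    {"type": "dns", "pid": 500, "query": "updates.example.invalid"},
    {"type": "dns", "pid": 600, "query": "www.example.com"},
    {"type": "registry", "pid": 400, "op": "set_value",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
]

# Assumed baselines for the rules (tune per environment).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}


def build_process_tree(events):
    """Map pid -> (lower-cased image name, parent pid) from process-creation events."""
    return {e["pid"]: (e["image"].lower(), e["ppid"])
            for e in events if e["type"] == "process"}


def ancestry(tree, pid):
    """Image names from pid up to the root, e.g. ['powershell.exe', 'cmd.exe', 'winword.exe', 'explorer.exe']."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        image, ppid = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for every event matching a rule."""
    tree = build_process_tree(events)
    image_of = lambda pid: tree.get(pid, ("<unknown>", None))[0]
    alerts = []

    # Rule 1: a shell whose ancestors include an Office app (macro -> cmd -> powershell).
    # Walking the whole chain, not just the direct parent, catches the cmd.exe hop.
    for pid, (image, _) in tree.items():
        if image in SHELLS:
            chain = ancestry(tree, pid)
            if any(a in OFFICE_APPS for a in chain[1:]):
                alerts.append(("office_spawned_shell", pid, " <- ".join(chain)))

    # Rule 2: DNS query from a process that is not expected to touch the network.
    for e in events:
        if e["type"] == "dns" and image_of(e["pid"]) in NO_NETWORK_EXPECTED:
            alerts.append(("unexpected_dns", e["pid"], f"{image_of(e['pid'])} -> {e['query']}"))

    # Rule 3: write to a Run key (reboot persistence).
    for e in events:
        if e["type"] == "registry" and e["key"] in RUN_KEYS:
            detail = f"{image_of(e['pid'])} set {e['key']}\\{e['value']}"
            alerts.append(("run_key_persistence", e["pid"], detail))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid:<4} {detail}")
```

Both cmd.exe and powershell.exe fire rule 1 because each has winword.exe among its ancestors; a production rule would usually suppress the duplicate and attach the whole chain to one alert. chrome.exe's DNS query is not flagged, which is the point of a baseline: the rule is about who is asking, not what is asked.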
XDR — Extended Detection and Response
XDR extends the EDR model beyond the endpoint to correlate telemetry across multiple security layers: endpoint, network, email, cloud workloads, and identity systems. Instead of investigating alerts in separate tools (EDR for endpoint, email gateway for phishing, CASB for cloud), XDR aggregates all telemetry into a single platform with unified detection and response.
EDR: Endpoint Detection and Response — focused on endpoints only. Agent-based. Investigation and response at the endpoint layer.
XDR: Extended Detection and Response — EDR + network + email + cloud + identity. Broader visibility, fewer blind spots, unified investigation console.
MDR: Managed Detection and Response — EDR or XDR technology + human SOC analysts provided as a service. You get 24/7 monitoring and response without staffing your own SOC. Think of it as EDR-as-a-Service with human oversight.
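What "aggregating telemetry into a single platform with unified detection" amounts to in practice is correlating alerts from different layers by the entities they share. As an added example (not code from the original article or any XDR product), the function below groups constructed email-gateway, EDR and identity-provider alerts into incidents when they share a user or host within a time window, and scores an incident higher when independent layers agree. The alert layout, window and scoring weights are assumptions.

```python
"""Entity-based cross-layer alert correlation in the style of XDR (added example).

The alerts below are constructed; their fields and the scoring are assumptions
for this example, not any vendor's logic.
"""
from datetime import datetime, timedelta

# Constructed alerts from three sources. 'host' is None where the source has no endpoint view.
ALERTS = [
    {"source": "email", "ts": "2024-05-01T08:55:00Z", "user": "jsmith", "host": None,
     "summary": "phishing attachment delivered", "severity": 2},
    {"source": "edr", "ts": "2024-05-01T09:00:05Z", "user": "jsmith", "host": "WS-101",
     "summary": "winword.exe spawned powershell.exe", "severity": 3},
    {"source": "identity", "ts": "2024-05-01T09:20:00Z", "user": "jsmith", "host": None,
     "summary": "new MFA device registered from unfamiliar IP", "severity": 3},
    {"source": "edr", "ts": "2024-05-01T11:00:00Z", "user": "mlee", "host": "WS-102",
     "summary": "unsigned driver load", "severity": 2},
    {"source": "email", "ts": "2024-04-28T10:00:00Z", "user": "jsmith", "host": None,
     "summary": "spam quarantined", "severity": 1},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def entities_of(alert):
    """The (kind, value) pairs an alert can be joined on; None values are skipped."""
    return {(k, v) for k, v in (("user", alert["user"]), ("host", alert["host"])) if v}


def correlate(alerts, window=timedelta(hours=2)):
    """Group alerts that share a user or host and occur within `window` of the
    incident's most recent alert. Returns a list of incident dicts."""
    incidents = []
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        ents, ts = entities_of(a), parse_ts(a["ts"])
        for inc in incidents:
            if ents & inc["entities"] and ts - inc["last"] <= window:
                inc["alerts"].append(a)
                inc["entities"] |= ents      # an EDR alert adds the host to a user-only incident
                inc["last"] = ts
                break
        else:
            incidents.append({"entities": ents, "alerts": [a], "last": ts})

    for inc in incidents:
        inc["sources"] = sorted({x["source"] for x in inc["alerts"]})
        # Assumed scoring: summed severity, multiplied by the number of independent
        # layers that contributed, so corroborated incidents rise to the top.
        inc["score"] = sum(x["severity"] for x in inc["alerts"]) * len(inc["sources"])
    return incidents


if __name__ == "__main__":
    for inc in sorted(correlate(ALERTS), key=lambda i: -i["score"]):
        print(inc["score"], inc["sources"], [a["summary"] for a in inc["alerts"]])
```

Run stand-alone it produces three incidents: the phishing delivery, the Office-to-PowerShell chain on WS-101 and the MFA device registration collapse into one high-scoring incident for jsmith, while the three-day-old spam alert and the unrelated driver load on WS-102 stay separate. The same three alerts viewed in three consoles would each look like routine noise.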
Next-Gen Antivirus (NGAV)
You'll also see the term NGAV (Next-Generation Antivirus) on the exam and in vendor marketing. NGAV replaces signature-based scanning with machine learning and behavioral detection — it detects malicious behavior rather than matching known signatures. Many vendors bundle NGAV and EDR together in a single agent, which is why the terms are sometimes used interchangeably, but they're distinct:
NGAV = detection capability (is this bad?). EDR = detection + investigation telemetry + response actions. An endpoint with NGAV but no EDR can block threats but can't help you understand the full scope of a compromise or hunt for threats that slipped through.
Exam Scenarios
The EDR Market and Common Platforms
While the exam doesn't test specific vendor products, understanding the landscape of EDR solutions helps contextualize the concepts and prepares candidates for real-world conversations where these terms appear.
The EDR market has consolidated significantly. CrowdStrike Falcon pioneered cloud-native EDR and remains a market leader — its agent is lightweight, and all telemetry processing and threat intelligence runs in the cloud. Microsoft Defender for Endpoint is built into Windows 10/11 and is included with Microsoft 365 E5 licensing, making it the default choice for many Microsoft-centric organizations. It integrates natively with Azure AD, Intune, and Microsoft Sentinel (SIEM). SentinelOne emphasizes autonomous response — its AI can autonomously detect, contain, and remediate threats without human intervention. Palo Alto Networks Cortex XDR combines endpoint telemetry with network and cloud telemetry in a single analysis platform, exemplifying the XDR trend.
For exam relevance: you may encounter scenario questions referencing "EDR telemetry," "EDR isolation," "managed EDR service," or "EDR with automated response." The specific vendor doesn't matter for the exam, but understanding what EDR can do (continuous telemetry, behavioral detection, interactive response, host isolation) versus what it cannot do (prevent all attacks, replace network security, operate without skilled analysts for complex investigations) helps with scenario analysis.
EDR vs HIDS vs Traditional Antivirus
The exam distinguishes between these three related but distinct technologies, and scenario questions often ask which tool is appropriate for a given security objective.
Traditional antivirus (AV) uses signature-based detection — it maintains a database of known malware file hashes, byte patterns, and behavioral signatures. When a file is written or executed, AV scans it against the signature database. If there's a match, the file is quarantined or deleted. This works reliably against known, widely distributed malware (commodity ransomware, email attachment threats) but is completely blind to novel or custom malware (zero-days, custom implants used by advanced threat actors) that doesn't match any known signature. AV also doesn't record detailed telemetry and provides no investigation capability beyond the alert itself.
HIDS (Host-based Intrusion Detection System) monitors system events — log files, registry changes, file integrity, and process activity — for signs of compromise. Classic HIDS tools like OSSEC or Tripwire focus on detecting changes to critical system files (integrity monitoring) and suspicious log patterns. HIDS is primarily detective (it generates alerts) but typically doesn't have automated response capability. Unlike EDR, HIDS collects less granular process-level telemetry and doesn't provide interactive investigation or response capabilities.
EDR combines continuous telemetry collection (all process events, network connections, file operations, registry changes), behavioral threat detection (including signature-free detection of anomalous behavior), interactive investigation capabilities (process trees, timeline analysis, file analysis), and active response actions (isolation, process killing, forensic collection). EDR is the most capable of the three but also the most resource-intensive and complex to operate. For exam scenarios: when the question asks about detecting fileless malware, investigating a breach, or remotely responding to an active incident, the answer is EDR. When the question asks about integrity monitoring of critical system files, HIDS may be the answer. When the question asks about blocking known malware at the file level, traditional AV addresses that.
EDR Response Actions
The "response" in EDR distinguishes it from traditional antivirus and HIDS (Host-based Intrusion Detection Systems). When a threat is detected or a security incident is confirmed, EDR platforms provide active response capabilities that can be executed remotely by a SOC analyst or triggered automatically by detection rules.
Host isolation (also called network isolation or network quarantine) is the most critical response action. With a single click or API call, the EDR agent severs all network connections from the affected host — blocking inbound and outbound traffic to prevent lateral movement and C2 communication. Critically, the EDR agent maintains a persistent connection to the management platform even in isolation mode, allowing analysts to continue investigating, running queries, and executing response actions on the isolated host. When the investigation is complete and remediation is confirmed, isolation is lifted with equal ease.
Process termination allows the analyst to kill specific malicious processes identified during investigation. If the EDR has detected a PowerShell process downloading and executing a payload, the analyst can terminate that process from the management console without needing physical access to the machine. Combined with host isolation, this stops an active attack immediately while preserving the system state for forensic investigation.
File quarantine and deletion enables removal of identified malicious files. The EDR quarantines (moves to a protected storage area) rather than immediately deleting, preserving the ability to restore the file if it was a false positive. Quarantined files can be submitted to sandbox analysis or shared with threat intelligence platforms for analysis.
Forensic evidence collection allows SOC analysts to remotely collect volatile evidence from a running system: memory dumps, process lists, network connection tables, registry exports, and file artifacts. This is critical for incident response because volatile data (what's in memory, what processes are running) disappears when a system is rebooted. EDR enables collection of this evidence from hundreds of machines simultaneously — something that would take a physical incident response team weeks to accomplish manually.
Threat Hunting with EDR
Threat hunting is the proactive practice of searching through endpoint telemetry to find threats that have evaded automated detection. Unlike alert-driven incident response (reacting when the EDR raises an alert), threat hunting assumes that sophisticated attackers may already be present on the network and actively looks for signs of their activity — often before any alert is generated.
EDR's persistent telemetry is what makes threat hunting possible. A threat hunter might start with a hypothesis based on threat intelligence — for example, "APT groups targeting our industry are known to use WMI (Windows Management Instrumentation) for lateral movement." They would then query the EDR's historical data for unusual WMI activity across all endpoints: WMI processes spawning unusual child processes, WMI subscriptions that survive reboots, or WMI connections between workstations (which shouldn't normally communicate via WMI). This kind of investigation is impossible without the endpoint telemetry that EDR provides.
Common threat hunting queries performed through EDR platforms include looking for unusual parent-child process relationships (legitimate software has predictable process trees — deviations are suspicious), processes connecting to external IPs that don't match known application behavior, scheduled tasks or services created recently that don't correspond to authorized software deployments, and credential dumping activity (processes accessing LSASS memory, which is where Windows stores credential hashes).
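The hypothesis-driven hunt described above, as an added example that is not code from the original article or any EDR product: the SQL-like query interface is modelled with an in-memory SQLite database loaded with constructed telemetry, and three hunts are run over it (WmiPrvSE.exe spawning shells, workstation-to-workstation connections to the RPC endpoint mapper on port 135 that WMI/DCOM sessions begin with, and non-baseline processes reading LSASS memory). The table layout, host roles, sample rows and the baseline of expected LSASS accessors are assumptions.

```python
"""Hypothesis-driven threat hunting over EDR telemetry with SQL (added example).

The EDR query interface is modelled as in-memory SQLite; the schema and rows are
constructed for this example and are not any vendor's data model.
"""
import sqlite3

SCHEMA = """
CREATE TABLE hosts (host TEXT PRIMARY KEY, role TEXT);
CREATE TABLE process_events (ts TEXT, host TEXT, pid INTEGER, image TEXT,
                             parent_image TEXT, cmdline TEXT);
CREATE TABLE net_events (ts TEXT, host TEXT, pid INTEGER, image TEXT,
                         dst_host TEXT, dst_port INTEGER);
CREATE TABLE handle_events (ts TEXT, host TEXT, pid INTEGER, image TEXT,
                            target_image TEXT, access TEXT);
"""

# Constructed telemetry: WS-* are workstations, SRV-SCCM is a management server.
SAMPLE = {
    "hosts": [("WS-101", "workstation"), ("WS-102", "workstation"), ("SRV-SCCM", "server")],
    "process_events": [
        ("2024-05-01T09:00:00Z", "WS-101", 4100, "WmiPrvSE.exe", "svchost.exe", ""),
        ("2024-05-01T09:00:01Z", "WS-101", 4120, "powershell.exe", "WmiPrvSE.exe",
         "powershell.exe -NoProfile -Command Get-Process"),
        ("2024-05-01T09:05:00Z", "WS-102", 5000, "WmiPrvSE.exe", "svchost.exe", ""),
        ("2024-05-01T09:05:02Z", "WS-102", 5010, "cmd.exe", "WmiPrvSE.exe", "cmd /c whoami"),
        ("2024-05-01T10:00:00Z", "SRV-SCCM", 900, "CcmExec.exe", "services.exe", ""),
    ],
    "net_events": [
        ("2024-05-01T08:00:00Z", "SRV-SCCM", 900, "CcmExec.exe", "WS-101", 135),   # server managing a workstation
        ("2024-05-01T09:04:59Z", "WS-101", 4120, "powershell.exe", "WS-102", 135), # peer to peer
        ("2024-05-01T09:10:00Z", "WS-101", 6000, "chrome.exe", "www.example.com", 443),
    ],
    "handle_events": [
        ("2024-05-01T07:00:00Z", "WS-101", 600, "csrss.exe", "lsass.exe", "PROCESS_VM_READ"),
        ("2024-05-01T09:01:00Z", "WS-101", 4120, "powershell.exe", "lsass.exe",
         "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION"),
    ],
}

HUNTS = {
    # Hypothesis: WMI used for lateral movement, so the WMI provider host spawns shells.
    "wmi_spawned_shell": """
        SELECT host, pid, image, cmdline FROM process_events
        WHERE lower(parent_image) = 'wmiprvse.exe'
          AND lower(image) IN ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe')""",
    # Workstations do not normally manage each other; the join on host roles keeps
    # legitimate server-to-workstation management traffic out of the result.
    "workstation_to_workstation_wmi": """
        SELECT n.host AS src, n.dst_host AS dst, n.image FROM net_events n
        JOIN hosts s ON s.host = n.host
        JOIN hosts d ON d.host = n.dst_host
        WHERE n.dst_port = 135 AND s.role = 'workstation' AND d.role = 'workstation'""",
    # Credential dumping: memory-read access to LSASS from outside an assumed baseline.
    "lsass_access": """
        SELECT host, pid, image, access FROM handle_events
        WHERE lower(target_image) = 'lsass.exe'
          AND access LIKE '%PROCESS_VM_READ%'
          AND lower(image) NOT IN ('csrss.exe', 'wininit.exe')""",
}


def load(conn, sample):
    """Create the tables and insert the constructed rows."""
    conn.executescript(SCHEMA)
    for table, rows in sample.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)


def run_hunts(sample=SAMPLE, hunts=HUNTS):
    """Run every hunt query and return {hunt_name: [rows]}."""
    conn = sqlite3.connect(":memory:")
    try:
        load(conn, sample)
        return {name: conn.execute(sql).fetchall() for name, sql in hunts.items()}
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in run_hunts().items():
        print(name)
        for row in rows:
            print("   ", row)
```

Read together, the three result sets tell one story: a WMI session from WS-101 to WS-102, a shell spawned by the WMI provider on each host, and the same PowerShell process on WS-101 reading LSASS memory. None of this needed an alert to have fired first; it needed the historical telemetry and a hypothesis to query it with.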
EDR and MITRE ATT&CK
The MITRE ATT&CK framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of attacker behavior. It's organized into a matrix of 14 tactic categories (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) with hundreds of specific techniques and sub-techniques distributed across them.
Modern EDR platforms map their detections to MITRE ATT&CK technique IDs, giving analysts a common language to describe what they're seeing and look up known adversary groups that use the same techniques. When an EDR alert says "T1059.001 PowerShell," the analyst immediately knows this is a PowerShell execution technique, can look up which threat groups commonly use it, and understands what defenses are applicable. For the Security+ exam, you don't need to memorize individual ATT&CK technique numbers, but you should know that MITRE ATT&CK is a framework describing adversary tactics and techniques, and that it is used to categorize and improve detection capabilities.
EDR Deployment Considerations
Deploying EDR across an enterprise requires careful planning. The EDR agent runs continuously on every managed endpoint, consuming CPU and memory — typically 1–5% CPU overhead during normal operation with spikes during active scans or response actions. This is acceptable for modern hardware but can be problematic on older or resource-constrained endpoints, which is why EDR vendors provide lightweight agents or exclusion capabilities for specific workloads.
EDR telemetry volumes are substantial — a large enterprise can generate terabytes of endpoint telemetry daily. Most EDR platforms store hot data locally and in cloud-based data lakes, with configurable retention periods (30–365 days is typical). Longer retention is better for forensic investigations (you may need to look back months to understand the full scope of a compromise) but increases storage costs. The decision on retention period is a balance between security requirements and budget.
Privacy considerations also apply to EDR. Because the agent records detailed behavior about everything happening on a device, EDR deployments on employee machines in some jurisdictions require disclosure to employees (and in some cases their consent), particularly for personal devices enrolled in bring-your-own-device (BYOD) programs. Many organizations use separate MDM (Mobile Device Management) solutions for personal devices rather than full EDR agents, precisely because of the privacy implications of detailed behavioral monitoring on personal equipment.