Birds on a Cable is officially moving to only providing EDR software for our clients, rather than offering traditional antivirus software. What does that mean for you, and what’s the difference?
What is an antivirus?
Traditional antivirus software works by scanning every file on your system and looking for specific fingerprints that it already knows about. These could be things such as a file hash (a unique number generated by doing math on the entire file in such a way any minor change radically changes the number) or looking for specific text in the program code itself. The AV scanner doesn’t know what those things do, only that they match a list it’s been provided of known bad things. If you’ve ever had a false positive, that’s why.
All it would take for malicious programmers to evade detection is to change their code just enough to appear different. This wouldn’t work forever, as the new versions would eventually be added to the list, but that means potentially thousands of computers could be infected in the meantime. Another trend becoming more common is that each computer infected (via a website/email/etc.) gets a randomized application created on the fly that is unique to each machine, meaning it’s nearly impossible to completely block with traditional AV techniques. AV can only stop a program from running and delete or quarantine the files (or do nothing). If an application is falsely identified as malicious, the user cannot run it unless the AV is told to allow it. Depending on what application, it can halt work or completely break the computer if it was a system file.
The number of new AV fingerprints has been growing rapidly for years and is well beyond the ability to have a human verify every entry, meaning both false positives and negatives are likely. It’s also important to note that antiviruses only work on files. It’s possible for a malicious webpage or PDF to trigger your computer to download something directly into your computer’s RAM without saving anything to the hard drive, meaning that an antivirus application would never even know something had happened.
Endpoint Detection and Response
Conversely, with EDR, the scanner looks at application behavior holistically. It has a list of known suspicious actions, which allow it to determine what an application is doing and classify whether it is malicious based on those behaviors. This means it can also still protect against novel viruses that wouldn’t be in an AV scanner’s database. Additionally, it can look if something is loading an application into RAM and check what that is doing as well. Because EDR can also see code in RAM, it can sandbox applications it’s suspicious of, watching what it’s doing, and killing them if they step into malicious territory.
Most EDR solutions these days also now employ machine learning, taking human reinforcement (when a something is confirmed to be malicious or not by an actual person) and using that to expand its knowledge base. This means that rather than having to rely on the reactive-only approach of checking every file against a list of known-bad things, it can proactively identify new threats based on known malicious behavior.