Hard2bit

Antivirus

Antivirus (AV) is software that detects and removes malware, viruses, trojans and potentially unwanted programs from endpoints. It combines two main engines: signature analysis (matching against databases of known malware) and heuristic or behaviour-based detection, which looks for suspicious patterns even when the sample is not yet catalogued. Traditional antivirus has important limitations: it is fundamentally reactive, produces false positives and does not reliably catch fileless attacks, polymorphic malware or advanced evasion techniques. For that reason, modern architectures pair it with EDR (Endpoint Detection and Response) to gain continuous visibility and real incident response capability.

Why it matters

Even though antivirus on its own is no longer enough, it is still a mandatory baseline layer: it automatically blocks most of the opportunistic and mass-distributed malware that arrives via email, browsing or removable media, and does so at very low cost. Combined with a mature EDR it forms a layered defence in which the AV stops what is already known before it can run and the EDR observes, correlates and responds whenever behaviour drifts from the baseline. Sophisticated attackers and APTs evade AV through polymorphism (constant changes to the binary structure), obfuscation and encryption of the payload, fileless techniques that only live in memory and exploitation of zero-day vulnerabilities. EDR closes that gap by correlating events on processes, network connections and registry changes, so detection no longer depends on having the exact signature. Frameworks such as ISO 27001, NIS2 and DORA take endpoint malware protection for granted as a minimum control, and industry reports (for example the Verizon DBIR and ENISA dashboards) consistently highlight the absence or poor maintenance of this control among the most common factors in the breaches they analyse.

Key points

Signature-based AV compares files against a database of hashes and patterns of known malware. It is fast and cheap, but it only spots variants that have been seen before, which is why it needs constant updates and cannot solve the unknown-malware problem on its own.

Heuristic and behavioural detection analyses suspicious actions — access to sensitive files, mass registry changes, unusual network connections — without relying on a specific signature. It reduces false negatives at the cost of generating more false positives that need tuning.

EDR (Endpoint Detection and Response) brings what classic AV cannot: continuous monitoring of endpoint behaviour, investigable event history, remote response capability (isolation, process termination, forensic collection) and correlation with the SIEM.

Modern strategy combines AV and EDR as complementary layers: the AV prevents most known malware from running at all, while the EDR adds visibility and response to fileless attacks and post-exploitation activity that the AV will never see.

Keeping the engine and definitions up to date matters as much as the tool itself. An antivirus with outdated signatures or inherited exclusions that nobody reviews can give a false sense of security while letting through threats that have been catalogued for weeks.

Coverage must reach servers, workstations, corporate mobile devices and remote-work endpoints. Most of the visible breaches of recent years start on an unprotected endpoint or on one where the agent was disabled for 'performance', not in a well-defended server room.

Example: the limits of antivirus without EDR

A mid-to-large organisation runs only traditional antivirus on its endpoints and trusts daily updates to be enough. An attacker deploys polymorphic malware that regenerates its signature every few minutes, so even though the AV is up to date, that specific sample never appears in the database. The binary arrives through a targeted phishing campaign and achieves persistence on a workstation without raising any alerts. Within hours the attacker is already moving laterally and harvesting credentials while the AV console keeps reporting a 'healthy' estate.

After the incident the company rolls EDR out to every critical endpoint and, when the deployment is done with solid playbooks, detection time collapses to minutes: the EDR spots a legitimate process behaving anomalously, with connections to unknown external infrastructure and suspicious registry changes, fires the alert and makes it possible to isolate the machine, kill the process, publish the indicators of compromise across the organisation and sweep the rest of the estate looking for the same activity. What used to go unnoticed for days is now contained before it has any business impact.
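The key points above (signature matching versus behavioural scoring) and the incident just described can be shown side by side in a small model. The following Python is an added example and is not Hard2bit's code nor any vendor's engine: a toy signature engine (hash set plus byte patterns) that catches the catalogued sample but not a constructed polymorphic variant, and a toy behavioural engine that scores per-process events of the kinds the page names (document access, Run-key persistence, outbound connections to non-private hosts, LSASS handles) and flags both the variant and a fileless stage that never touches disk. All samples, hashes, weights, thresholds and telemetry records are constructed for illustration.

```python
"""Added example (not Hard2bit's code): toy signature engine vs behavioural
engine. Samples, patterns, weights, threshold and events are constructed."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- 1. Signature engine: exact hashes plus byte patterns of catalogued samples ---
KNOWN_BAD = b"EVIL-DROPPER-v1 set_run_key connect c2"   # constructed "catalogued" sample
KNOWN_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest()}
KNOWN_PATTERNS = [re.compile(rb"EVIL-DROPPER-v1"), re.compile(rb"set_run_key connect c2")]

# Constructed polymorphic variant: same behaviour, different bytes, so no hash or pattern hit.
POLY_VARIANT = b"k3rnl svc: s3t_run_k3y; c0nnect c2"


def signature_scan(data: bytes) -> Optional[str]:
    """Return a verdict label when the bytes match a known hash or pattern, else None."""
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        return "hash-match"
    for pat in KNOWN_PATTERNS:
        if pat.search(data):
            return "pattern:" + pat.pattern.decode()
    return None


# --- 2. Behavioural engine: score what a process does, regardless of its bytes ---
@dataclass
class Event:
    pid: int
    kind: str      # "file", "registry", "network" or "process"
    detail: str    # path, registry key, host:port or action description


# Constructed weights for the suspicious actions named on the page.
RULES = [
    ("file", re.compile(r"(?i)\\Users\\.*\\(Documents|Desktop)\\.*\.(docx|xlsx|pdf)$"), 1, "reads user documents"),
    ("registry", re.compile(r"(?i)\\CurrentVersion\\Run\\"), 3, "Run-key persistence"),
    ("network", re.compile(r"^(?!10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)\d+\.\d+\.\d+\.\d+:"), 2, "outbound to non-RFC1918 host"),
    ("process", re.compile(r"(?i)open_handle lsass\.exe"), 4, "handle to LSASS"),
]
ALERT_THRESHOLD = 5   # assumed: a process at or above this score raises an alert


def behaviour_scan(events: List[Event]) -> Dict[int, dict]:
    """Aggregate per-process scores; return {pid: {"score": n, "reasons": [...]}} for pids at/over threshold."""
    scores: Dict[int, dict] = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        for kind, pat, weight, label in RULES:
            if ev.kind == kind and pat.search(ev.detail):
                scores[ev.pid]["score"] += weight
                scores[ev.pid]["reasons"].append(label)
    return {pid: s for pid, s in scores.items() if s["score"] >= ALERT_THRESHOLD}


def demo() -> dict:
    """Run both engines over constructed input and return the verdicts."""
    verdicts = {
        "known_sample": signature_scan(KNOWN_BAD),          # caught by hash
        "polymorphic_variant": signature_scan(POLY_VARIANT),  # slips past signatures
    }
    # Constructed telemetry: pid 4242 is the polymorphic dropper, pid 5151 is a
    # fileless stage (nothing on disk to hash), pid 800 is an ordinary user application.
    events = [
        Event(800, "file", r"C:\Users\alice\Documents\budget.xlsx"),
        Event(800, "network", "10.0.0.5:445"),
        Event(4242, "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
        Event(4242, "network", "203.0.113.7:443"),
        Event(5151, "process", "open_handle lsass.exe"),
        Event(5151, "network", "198.51.100.23:8443"),
        Event(5151, "file", r"C:\Users\alice\Desktop\passwords.docx"),
    ]
    verdicts["behaviour_alerts"] = behaviour_scan(events)
    return verdicts


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point the model makes is the one the page makes: the signature engine returns nothing for the variant, while the behavioural engine reaches the threshold for it and for the fileless process from what they do, and leaves the ordinary process (one document read, one internal SMB connection) below the line. In a real estate the weights and the threshold are where the false-positive tuning mentioned under "Key points" happens.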

Common mistakes

  • Assuming antivirus alone is enough. Modern malware evades signatures systematically, and an AV-only strategy leaves the organisation blind to fileless attacks and post-exploitation activity.
  • Disabling antivirus on servers 'because it consumes resources'. Even when EDR is the primary control, the AV is still a very low-cost additional layer that stops commodity malware before the EDR has to step in.
  • Not updating definitions or the engine itself. An AV with signatures from several weeks ago lets through threats that are already catalogued and turns the tool into an empty compliance checkbox.
  • Keeping inherited exclusion lists without reviewing them. The paths and processes someone excluded years ago to solve a specific incident often become the blind spot an attacker uses to run their binaries.
  • Not covering every relevant endpoint. Leaving specific servers, remote-work laptops or corporate mobile devices out of the programme breaks the whole strategy, because the attacker only needs one unprotected foothold to get in.

Frequently asked questions

What is the difference between antivirus and EDR?

An antivirus detects malware by matching files against known signatures and applying heuristic rules, and it responds by blocking or removing the binary. An EDR monitors endpoint behaviour in real time, keeps an investigable history, enables remote response (isolation, process termination, forensic collection) and correlates events across many machines. AV is prevention; EDR is detection and response. A modern strategy needs both.

Why do fileless attacks evade antivirus?

Fileless attacks run code directly in memory without ever writing a binary to disk, so the antivirus — which inspects files — has nothing to work with. Typical techniques include malicious PowerShell, process injection and in-memory exploitation. EDR can detect them because it watches behaviour: a legitimate process with anomalous patterns, unexpected connections or privilege escalation without justification becomes a signal even when there is no file to sign.

What antivirus should be deployed on enterprise endpoints?

The right choice depends on the estate (operating system, user profile, workload type) and on the maturity of the security programme. In corporate environments the standard approach is to rely on next-generation antivirus solutions that already integrate an AV engine and EDR capabilities into a single managed agent. What matters more than the specific brand is making sure coverage is complete (servers, workstations, laptops, mobile devices), definitions update automatically and telemetry reaches a SOC able to investigate and respond to the alerts.