Antivirus
What is antivirus
Antivirus (AV) is software that detects and removes malware, viruses, trojans and potentially unwanted programs from endpoints. It implements signature analysis (comparison against a database of known malware) and heuristic/behavioral detection (analysis of suspicious patterns even when the malware is unknown). However, traditional antivirus has critical limitations: it is reactive (it detects what is already known), it produces false positives, and it does not detect fileless attacks or sophisticated evasion techniques. Modern CISOs must complement AV with EDR (Endpoint Detection and Response) for visibility and incident response.
Why it matters
Although antivirus alone is insufficient, it is a mandatory base defensive layer: it reduces risk from automated/mass malware. Combined with robust EDR it provides layers: AV stops known malware before it executes; EDR monitors behavior and enables rapid response. However, APTs and advanced attackers evade AV through polymorphism (malware changes its structure), obfuscation (encrypted code), fileless techniques (attacks that run only in memory) and exploitation of zero-day vulnerabilities. This is why EDR is essential: it correlates process logs, network connections and registry changes to detect suspicious activity independently of AV signatures. Regulations mandate AV on endpoints: ISO 27001, NIS2 and DORA require protection against malware on end devices.
Key points
Signature-based AV: compares files against a database of hashes/patterns of known malware. Fast but incomplete: it only detects variants of previously seen malware.
Heuristic detection: analyzes behavior (access to sensitive files, registry changes, network connections) without requiring a signature. Reduces false negatives but increases false positives.
EDR (Endpoint Detection and Response): continuous monitoring of endpoint behavior, historical analysis, and remote response. Essential in a modern defense strategy.
AV + EDR: complementary layers. AV = prevention of known malware; EDR = visibility and incident response, even to non-malware attacks.
Example: AV limitations without EDR
A company has only traditional antivirus. An attacker launches polymorphic malware that changes its signature every 30 minutes to evade AV. Although the AV is up to date, the malware is not in the database, and the endpoint is compromised without any alert. With EDR in place, detection is immediate: the EDR notices an unusual process opening connections to a malicious external IP, making suspicious registry changes and downloading a payload. The real-time alert enables a response: endpoint isolation, forensic analysis, and hunting across other systems. Without EDR, the attacker would have remained undetected for days or weeks.
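The scenario above, as an added illustration that is not part of the original article: a toy signature check misses a byte-level variant of a known sample, while a behavioural rule correlating the three indicators the example names (connection to a blocklisted IP, autorun registry change, payload written to disk) flags the same process. The sample bytes, telemetry lines, blocklist and indicator names are all constructed for this example.

```python
import hashlib
from collections import defaultdict

# Constructed "files": a known sample and a polymorphic variant (hypothetical
# bytes, not real malware) that behaves identically but hashes differently.
KNOWN_SAMPLE = b"MZ\x90\x00 hypothetical-loader rev1"
VARIANT_SAMPLE = b"MZ\x90\x00 hypothetical-loader rev2"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def signature_scan(blob: bytes) -> bool:
    """Signature-based AV: a hit only if the file hash is already in the database."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURE_DB

# Constructed endpoint telemetry (pid, event, detail), the kind of stream an EDR agent records.
TELEMETRY = """\
1201 process_start C:\\Windows\\System32\\notepad.exe
1201 net_connect 203.0.113.45:443
1201 registry_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
1201 file_write C:\\Users\\Public\\stage2.bin
1300 process_start C:\\Program Files\\Mozilla Firefox\\firefox.exe
1300 net_connect 198.51.100.7:443
"""
BLOCKLISTED_IPS = {"203.0.113.45"}        # constructed threat-intel feed
AUTORUN_KEY = "\\CurrentVersion\\Run\\"   # persistence location the rule watches

def classify(event: str, detail: str) -> "str | None":
    """Map one raw event to a behavioural indicator, or None if it looks benign."""
    if event == "net_connect" and detail.split(":")[0] in BLOCKLISTED_IPS:
        return "c2_connection"
    if event == "registry_set" and AUTORUN_KEY in detail:
        return "autorun_persistence"
    if event == "file_write" and detail.lower().endswith(".bin"):
        return "payload_drop"
    return None

def behavioural_scan(telemetry: str, threshold: int = 2) -> dict:
    """EDR-style rule: collect indicators per process and alert when one
    process shows at least `threshold` distinct indicators."""
    indicators = defaultdict(set)
    for line in telemetry.splitlines():
        pid, event, detail = line.split(" ", 2)
        hit = classify(event, detail)
        if hit:
            indicators[int(pid)].add(hit)
    return {pid: hits for pid, hits in indicators.items() if len(hits) >= threshold}

if __name__ == "__main__":
    print("known sample:", signature_scan(KNOWN_SAMPLE), "variant:", signature_scan(VARIANT_SAMPLE))
    print("behavioural alerts:", behavioural_scan(TELEMETRY))  # alert for pid 1201 only
```

The browser process (pid 1300) connects to a non-blocklisted address only, so it never reaches the threshold; raising `threshold` shows how tuning trades missed detections for fewer false positives.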
Common mistakes
- Assuming AV alone is sufficient; modern malware evades signatures. Complementing with EDR is mandatory.
- Disabling AV on servers because it consumes resources; even though EDR is primary, AV is an additional low-cost defensive layer.
- Not updating AV definitions; if the signature engine is months outdated, new malware types are not detected.
Frequently asked questions
What is the difference between antivirus and EDR
AV detects malware based on signatures/heuristics and removes it. EDR monitors behavior in real-time, enables remote response (isolation, kill process, forensic analysis), and correlates events across multiple endpoints. AV is prevention; EDR is detection and response. Both are necessary in modern strategy.
Why do fileless attacks evade antivirus
Fileless malware executes code only in RAM without writing to disk, so AV never sees an executable malware file. Techniques: malicious PowerShell, process injection, in-memory exploitation. EDR detects the behavioral changes (a legitimate process acting anomalously, unexpected connections).
What AV should I install on enterprise endpoints
It depends on infrastructure. Microsoft Defender (included in Windows) is a solid base; it has improved significantly. Enterprise tools like CrowdStrike, SentinelOne, Carbon Black combine AV + EDR. Evaluation through pentesting reveals which tool is most effective against your target threats.