What are the differences between EDR and antivirus? Does your company need one of these solutions or both? These are questions we receive quite frequently. As you will see in this article, there is no one-size-fits-all solution. It depends on your industry, company size, device usage and more.
Recently, we’ve been having this conversation with clients after reviewing their firewall settings. A typical firewall review is 10+ pages where we audit the security settings and provide recommendations on what to fix. Your firewall should be scanning unencrypted and encrypted web traffic for malware. But sometimes configuring this via a firewall is a huge pain in the you-know-what. One way to compensate for this is by using an EDR product.
In addition, when working remotely, you may not be accessing the internet via your company firewall, which means it may not matter if your firewall is scanning unencrypted and encrypted web traffic for malware. Your individual device needs to do that, no matter how you’re accessing the internet.
So let's explore the common question about EDR vs. Antivirus.
Let’s start with the basics here - what is antivirus? You probably know, or at least think you know, what it means. Antivirus is software designed to detect and destroy computer viruses.
These days, there's no difference between "anti-virus" and "anti-malware." A virus is one type of malware. "Anti-malware" is an old term from back when a company called Malwarebytes was trying to explain how it differed from antivirus tools.
All the basic products cover viruses and malware now, though.
There are many Windows antivirus options to choose from. Free Windows Defender is a good, basic antivirus / antimalware tool. You can't go wrong with either. There are plenty of options for Mac users too (avoid Kaspersky though).
But here's the problem with just antivirus. Hackers are creating 450,000 new pieces of malware every DAY (source). Antivirus only works if someone else has already seen the infection, reported it, and your antivirus has received the update. That’s where EDR comes in.
You’ve probably heard of antivirus, but you may not have heard of EDR. EDR stands for Endpoint Detection and Response.
EDR detects and investigates suspicious events and can provide real-time responses to any identified threats. EDR is also helpful in that it provides more data to get to the bottom of the attack.
Hackers aren't using viruses as much anymore. They commonly use "living off the land" attacks: they use tools already installed on your computer to do whatever they want (steal passwords, monitor your keyboard, etc.).
Here's a scary stat that underscores this point -- 75% of Q1 malware was undetectable!
Think of it this way -- antivirus looks for virus files. EDR looks for the behaviors hackers rely on.
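The distinction above, as an added example that is my own code and not from this article or any product named in it: a signature check that only recognises content it has already seen, beside two behaviour rules run over a few constructed process-creation events. The signature database, the telemetry lines and the rule names are all made up for the demonstration.

```python
import hashlib

# Constructed signature database: SHA-256 of a byte string that stands in for a
# malware sample somebody already reported. Not a real indicator.
REPORTED_SAMPLE = b"constructed-malware-sample-v1"
SIGNATURES = {hashlib.sha256(REPORTED_SAMPLE).hexdigest()}


def antivirus_scan(file_bytes: bytes) -> bool:
    """Signature-style check: True only if this exact content was seen before."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES


# Constructed process-creation telemetry of the kind an EDR agent records:
# (parent image, child image, command line). No file here is malware; the
# second event is an Office document launching a hidden, encoded shell.
SAMPLE_EVENTS = [
    ("explorer.exe", "winword.exe", "winword.exe C:\\Users\\a\\quarterly.docx"),
    ("winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc PLACEHOLDER"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("explorer.exe", "powershell.exe", "powershell.exe Get-Process"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def edr_behavior_rules(parent: str, child: str, cmdline: str) -> list:
    """Behaviour-style checks: names of the rules this single event trips."""
    tokens = cmdline.lower().split()
    hits = []
    if parent in OFFICE_APPS and child in SHELLS:
        hits.append("office-spawns-shell")        # a document should not start a shell
    if child == "powershell.exe" and "-enc" in tokens and "hidden" in tokens:
        hits.append("hidden-encoded-powershell")  # launch flags meant to avoid notice
    return hits


def flag_events(events) -> dict:
    """Run the rules over the whole log; keys are the indices of events that matched."""
    return {i: edr_behavior_rules(*e) for i, e in enumerate(events)
            if edr_behavior_rules(*e)}


if __name__ == "__main__":
    # The reported sample is caught; change one byte and the signature misses it.
    print(antivirus_scan(REPORTED_SAMPLE), antivirus_scan(REPORTED_SAMPLE + b"!"))
    # The behaviour rules need no file at all: they fire on what the built-in
    # tools were asked to do.
    print(flag_events(SAMPLE_EVENTS))
```

The byte-flip miss is the point of the 450,000-a-day figure above: a signature only knows what it has been told, while the behaviour rules fire on the second event without any new file existing.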
There's a sharp difference in how helpful these tools are if you ever do have a breach. Looking in Webroot (or any basic antivirus), here’s what we typically see:
An EDR tool, like Sentinel One pictured below, keeps a log of everything the computer has done that might be risky. You can see that it's monitoring a lot more activity, and that really helps us if we need to piece together what led to a breach. Antivirus has literally none of this info.
Instead of looking at EDR vs. antivirus, you need to think of them as a total package. Some companies (namely Bitdefender and Sophos) are building some pretty good EDR functions into their tools. And some of the EDR vendors claim you don't need your antivirus anymore. And all of the vendors coin their own nonsense phrases to describe what they're doing in a way that people can't casually understand.
But the truth is that your business needs both an EDR and antivirus product installed on company devices. Antivirus has its place – it can detect and remove known viruses. EDR provides more thorough monitoring and protection.
25 years ago, Symantec was one of the first companies to develop commercial antivirus – but in 2014 said that antivirus is ‘dead’ and ‘necessary but insufficient’. Antivirus has its place, but you also need more protection. So don't think of it as EDR vs. antivirus, think of it as EDR and antivirus.
There are so many antivirus programs to choose from. If you’re a Windows user, we agree with Tom’s Guide that Windows Defender Antivirus is a great, free program that is built right into Windows 10 and 11.
Look at the rest of that article, though – depending on your needs, you may want something like Norton360, which includes a password manager, VPN and more.
If you’re looking at EDR, it would be best to start with asking your IT firm for recommendations. For our clients, we typically recommend Sentinel One, but there are others to choose from. Gartner has a list of EDRs that include ratings and comparison articles. If you’re looking for an EDR for your home devices, you may be out of luck. Most of these products are not available as home licenses.
If you’re wondering whether you should stop paying for McAfee, we don’t really have an answer for you. There is no one-size-fits-all when it comes to antivirus or EDR recommendations. But overall we can recommend the following:
Home devices need antivirus, even if it's just the free Windows Defender.
Company devices need antivirus and EDR protection. Malware and cyberattacks are constantly evolving, and it’s important to have layered protection from both types of programs.
There are plenty of Virtual CISOs who are happy to be ‘on call’ and act as consultants. Not us. We give more than advice – we roll up our sleeves and help you fix things. If you’re looking for antivirus, we’ll give you honest advice and make sure the programs we recommend are actually a good fit. Not all of our clients use the same technology tools because no two businesses are the same. Contact us if you’re interested in learning more.