The New Antivirus Is Not Your Grandpa's

  • June 23, 2020

The King is dead, long live the King (It is time for EDR to replace antivirus)

I know I am starting to sound like a broken record, but once again your antivirus is an example of a tool that has changed significantly over the years.

In the old days, a couple of years ago or perhaps still today, your antivirus worked like this: the software program would install many signatures on your PC, which are considered the fingerprints of viruses. The software would then compare the files that you access against the list of fingerprints and see if any of those files matched the signatures, or fingerprints, of known viruses. When there was a match, the file would either be deleted or quarantined and you would be notified. This system worked, but there were a couple of challenges:

  • It only worked with known viruses. A zero-day threat, one that had just been created, would not yet have a signature available and as a result it would not be flagged, leaving you vulnerable to these attacks.
  • As signatures increased, your PC ran more and more slowly as the antivirus software compared the incoming files to the ever-growing list of signatures.
  • Notifying you was not enough. If it told the end user they might have a problem and they decided that it wasn't an issue or significant, they could continue on, connected to your network, while the virus/ransomware/keylogger did significant damage. Case in point is all the ransomware contracted in the past few years. Do you think those PCs where the infection started had antivirus? Very likely. Did it prevent the ransomware? NO!

As a result of these challenges, new and improved products have been developed under the title of Endpoint Detection & Response (EDR). EDR does the same tasks as your old signature-based system but in a much more efficient way. By using tools such as Artificial Intelligence (AI), EDR analyzes documents on the endpoint not by comparing them to a database of known problems, but by looking for abnormalities or inconsistencies. For example, if the spreadsheet you are receiving has an executable file in it, the EDR will flag it as suspicious (that is the detection) and notify you (which is the response). But that's not all. While your old tool would only notify you of a problem, a current EDR product will take action and segregate the problematic endpoint from your network, preventing that infection from spreading throughout your network. This is the beautiful point that will protect your network and minimize the risk that a cyber-attack, which we all face, turns into a catastrophe for your network.
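To make the difference between the two approaches concrete, here is a small added example (not code from the original post or from any EDR product). It implements the two ideas described above side by side: a signature check that hashes a file and looks it up in a fingerprint list, and a behavioural check that opens a spreadsheet (modern .xlsx files are ZIP containers) and flags any member that looks like a Windows executable. The "known malware" bytes, the fingerprint list and the spreadsheets are all constructed inline for the demo; the PE header check (files beginning with `MZ`) is the anomaly the post describes. The never-before-seen spreadsheet carrying an embedded executable has no signature, so the signature check misses it, while the anomaly check catches it.

```python
import hashlib
import io
import zipfile

# Constructed "signature database": SHA-256 fingerprints of samples already known
# to be malicious. A real product ships millions of these, which is the slowdown
# the post describes.
KNOWN_BAD_BYTES = b"constructed-known-malware-sample-v1"   # stand-in for a known virus
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_BYTES).hexdigest()}

PE_MAGIC = b"MZ"                                    # every Windows EXE/DLL starts with this
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def signature_scan(data: bytes) -> bool:
    """Classic antivirus step: does this file's fingerprint match a known virus?"""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def heuristic_scan_office(data: bytes) -> list:
    """Behavioural step: look for things a spreadsheet should never contain.

    Walks the ZIP container and flags any member whose content starts with a
    PE header, or whose name is that of an executable.
    """
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings            # not an Office container, nothing to inspect here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(2)
            if head == PE_MAGIC:
                findings.append(f"{info.filename}: content starts with a PE header")
            elif info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"{info.filename}: executable file name inside document")
    return findings


def scan(data: bytes) -> dict:
    """Run both checks and return the verdict together with the reasons for it."""
    sig_hit = signature_scan(data)
    anomalies = heuristic_scan_office(data)
    return {
        "signature_match": sig_hit,
        "anomalies": anomalies,
        "verdict": "block" if (sig_hit or anomalies) else "allow",
    }


def build_xlsx(extra_members: dict = None) -> bytes:
    """Construct a minimal .xlsx-shaped ZIP for the demo (not a real spreadsheet)."""
    members = {
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
    }
    members.update(extra_members or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_SHEET = build_xlsx()
# The "zero-day" of the post: never seen before, so no signature exists, yet it
# smuggles a Windows executable in as an embedded object (constructed sample).
SHEET_WITH_EXE = build_xlsx({"xl/embeddings/oleObject1.bin": PE_MAGIC + b"\x90" * 62})


if __name__ == "__main__":
    for label, sample in [("known malware", KNOWN_BAD_BYTES),
                          ("clean sheet", CLEAN_SHEET),
                          ("sheet with embedded exe", SHEET_WITH_EXE)]:
        print(f"{label}: {scan(sample)}")
```

Running the block prints one verdict per sample: the known sample is blocked by its hash alone, the clean sheet is allowed, and the sheet with the embedded executable is blocked only because of the anomaly finding, with `signature_match` still `False`. That last line is the whole argument for behavioural detection in a single result.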

You might say, wow, that sounds great, I can eliminate all of the other security tools I have and, by just implementing EDR on my network, I am safe! Well, not so fast. EDR is a very good tool that will help protect your network. However, it is not perfect and cannot be depended on as the silver bullet that solves all of your problems. Each company that develops security tools has strengths and weaknesses. As a result, Buchertech utilizes tools from many different vendors. So, if your employees are properly trained on avoiding phishing attacks, hopefully that link will never be clicked and the problem will never even reach your network. But, if they do click the link, your Fortinet firewall is there to block it. If it doesn't catch the attack, your EDR will help protect you. And, if all of these tools fail, your offsite image backup is available to restore you to a pre-infection date. This is what we call your stack, or layers of defense, to protect your network and your data from problems. By doing so we can help you keep doing what you do, and allow you to succeed despite the cyber-attacks all around us!