What is the difference between EDR and traditional signature-based antivirus?
Short answer
Traditional antivirus matches files against signatures of known malware and blocks or quarantines them — great for known threats, weak against novel or fileless attacks. EDR continuously records endpoint behavior (processes, network, registry, memory), uses behavioral analytics to detect suspicious activity, and lets responders investigate, hunt, and remotely contain or roll back. AV is prevention by signature; EDR adds visibility, detection, and response.
This is a fundamentals check: can you explain why the industry moved from "scan files for known-bad" to endpoint detection and response? The difference is not just better signatures — it is a shift from pure prevention to visibility plus response.
Traditional antivirus
Classic AV works mainly by signatures: it hashes or pattern-matches files against a database of known malware and blocks, quarantines, or deletes matches, often supplemented by simple heuristics. It is fast, cheap, and effective against known, file-based threats. Its weaknesses are well understood: it is blind to zero-day malware with no signature, easily evaded by recompiling or packing to change the hash, and largely helpless against fileless and living-off-the-land attacks that abuse legitimate tools like PowerShell, where there is no malicious file to scan.
EDR
EDR assumes prevention will sometimes fail. Its agent continuously records endpoint activity — process trees, command lines, network connections, registry and file changes, memory activity — and ships it to a central platform. There it applies behavioral analytics and IOAs to spot suspicious behavior rather than known files. Crucially, it gives responders the "R": investigation (timeline, root-cause across the fleet), threat hunting, and response actions like isolating a host, killing a process, or rolling back changes — remotely and at scale.
Why this matters
Most EDRs include AV-style prevention too, so it is not strictly either/or; the point is the added detection and response layer over raw signatures. Mentioning that XDR extends this telemetry beyond the endpoint (email, identity, network, cloud) earns bonus points. Interviewers want to hear "signatures alone miss novel and fileless attacks, so we add behavioral visibility and the ability to respond."
Likely follow-ups
- Why does signature-based AV struggle with fileless or living-off-the-land attacks?
- What telemetry does an EDR collect that AV does not?
- Where does XDR extend beyond endpoint EDR?