// CYBERSECURITY By Amanjot Singh October 23, 2025 7 min read

Antivirus vs. EDR, and why it matters now.

Traditional antivirus is signature matching. EDR is behaviour analysis. The attacks that succeed in 2025 do not put a known-bad file on disk — which means AV cannot see them. Here is the difference, in plain English.

Every IT vendor uses both terms. Most customers do not know the difference. Here is the plain version.

Traditional antivirus

Antivirus matches files against a list of known-bad signatures. When a new threat appears, it gets analysed, a signature is published, your AV updates, then it can detect that specific threat. The model worked beautifully in 2005, when malware was a file you double-clicked.

Two problems in 2025:

  • Modern attacks do not write a file. Living-off-the-land techniques abuse legitimate Windows tools (PowerShell, WMI, RDP) — which AV will not block, because the tools themselves are legitimate and there is no malicious file to match.
  • Identity-based attacks have no malware. The Sophos 2025 Active Adversary Report found 56% of intrusions involved attackers logging in with valid credentials. There is no file for AV to scan.

Endpoint Detection & Response

EDR watches behaviour, not files. Some examples of what it flags:

  • PowerShell launching from Word — almost always malicious.
  • A user account suddenly enumerating Active Directory at 2 AM.
  • An executable encrypting hundreds of files in seconds — triggers the ransomware behavioural rule.
  • Credential-dumping tools (Mimikatz, etc.) reading LSASS memory.

EDR also gives an investigator the full process tree after a detection — what spawned what, what files were touched, what network connections opened. AV gives "blocked Trojan.Generic." EDR gives the full attack story.
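To make the behavioural model concrete, here is an added toy rule engine (not Sophos code and not from the original post) that applies three of the behaviours listed above to constructed endpoint telemetry: an Office application spawning a script host, a process reading LSASS memory, and a burst of file modifications. The event schema, thresholds and the LSASS allowlist are assumptions chosen for the illustration.

```python
from collections import deque

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe"}   # constructed allowlist
MASS_WRITE_COUNT = 100     # this many files modified by one process ...
MASS_WRITE_WINDOW = 10.0   # ... within this many seconds looks like ransomware

def detect(events):
    """Return (rule, pid) alerts from time-ordered sensor events; one alert per rule per pid.
    Each event is a dict: ts, kind, pid, image, plus parent / path / target depending on kind."""
    alerts, seen, writes = [], set(), {}
    def fire(rule, pid):
        if (rule, pid) not in seen:
            seen.add((rule, pid))
            alerts.append((rule, pid))

    for ev in events:
        image = ev["image"].lower()
        if ev["kind"] == "process":
            # Rule 1: a document editor has no business spawning a script host.
            if ev["parent"].lower() in OFFICE_APPS and image in SCRIPT_HOSTS:
                fire("office_spawns_script_host", ev["pid"])
        elif ev["kind"] == "file_write":
            # Rule 2: sliding window of recent writes per process; a burst trips it.
            q = writes.setdefault(ev["pid"], deque())
            q.append(ev["ts"])
            while ev["ts"] - q[0] > MASS_WRITE_WINDOW:
                q.popleft()
            if len(q) >= MASS_WRITE_COUNT:
                fire("mass_file_modification", ev["pid"])
        elif ev["kind"] == "proc_access":
            # Rule 3: anything outside the allowlist opening LSASS memory.
            if ev["target"].lower() == "lsass.exe" and image not in LSASS_READERS_ALLOWED:
                fire("lsass_memory_access", ev["pid"])
    return alerts

# Constructed sample telemetry (not from a real host): Word spawns PowerShell, which reads LSASS
# and rewrites 150 documents in three seconds; a sync client writing one file every 5 s stays quiet.
SAMPLE = (
    [{"ts": 0.0, "kind": "process", "pid": 4100, "parent": "explorer.exe", "image": "WINWORD.EXE"},
     {"ts": 1.2, "kind": "process", "pid": 4120, "parent": "WINWORD.EXE", "image": "powershell.exe"},
     {"ts": 5.0, "kind": "proc_access", "pid": 4120, "image": "powershell.exe", "target": "lsass.exe"},
     {"ts": 6.0, "kind": "proc_access", "pid": 900, "image": "MsMpEng.exe", "target": "lsass.exe"}]
    + [{"ts": 10 + i * 0.02, "kind": "file_write", "pid": 4120, "image": "powershell.exe",
        "path": f"C:\\Users\\demo\\Documents\\file{i}.docx"} for i in range(150)]
    + [{"ts": 200 + i * 5.0, "kind": "file_write", "pid": 3000, "image": "OneDrive.exe",
        "path": f"C:\\Users\\demo\\OneDrive\\sync{i}.txt"} for i in range(150)]
)
```

Calling `detect(SAMPLE)` returns three alerts, all against pid 4120 (the PowerShell child of Word); the allowlisted Defender engine and the slow sync client produce none, which is the file-less, behaviour-driven story that a signature scan of the same host would miss entirely.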

Why this matters in 2025

Per Sophos' 2025 Active Adversary Report (analysing 400+ MDR and IR cases from 2024):

  • 56% of attacks used valid credentials to log in — bypassing AV entirely.
  • 41% of root causes were compromised credentials (the #1 cause for the second year running).
  • 84% of cases involved RDP — a legitimate Microsoft tool that AV does not block.
  • Median dwell time was 2 days — meaning behavioural detection at machine speed is critical.

None of those would be detected by signature-based AV.

What 4UIT deploys

Sophos Intercept X on every customer endpoint by default. It includes traditional AV plus behavioural EDR, exploit prevention, and CryptoGuard ransomware rollback. For most environments, we layer Sophos MDR on top — the 24/7 SOC service that watches the EDR alerts and responds. More on our EDR/XDR offering or take a brief.

Source: Sophos 2025 Active Adversary Report.

// Frequently asked questions

Is antivirus dead?

Not entirely — signature-based detection still catches commodity malware. But it is no longer sufficient on its own. Modern EDR products include the AV layer plus behavioural analysis, exploit prevention, and rollback capabilities. You should be running EDR; the AV is included.

What is EDR?

Endpoint Detection & Response. Software that runs on every laptop and server, watches process behaviour in real time, blocks suspicious activity, and gives investigators a full timeline of what happened on the device. Examples: Sophos Intercept X, CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint.

Will Microsoft Defender alone protect me?

Microsoft Defender Antivirus (built into Windows) and Defender for Endpoint (the licensed EDR product, included with M365 E5 and Business Premium) are credible products. Defender for Endpoint is real EDR. Plain Defender Antivirus on its own is not.

How much does EDR cost for a small business?

We don't post rate cards publicly. EDR licensing is one input; the others are endpoint count, server count, telemetry sources in scope, and whether 24/7 MDR is layered on top. Email hello@4uit.ca for a real quote against your environment.

Do I need EDR if I have a firewall?

Yes. The firewall guards the network perimeter; EDR guards the endpoint after the perimeter is crossed (or bypassed by a phishing click, a USB stick, or a remote employee on hotel WiFi). They are complementary.
