Cybersecurity tools and techniques are critical to business continuity and digital security. Antivirus and Endpoint Detection and Response (EDR) systems are prominent tools that cybersecurity experts leverage to protect the industrial digital infrastructure. This article will provide a quick walkthrough of what EDR and antivirus tools do. It will also highlight some differences between EDR and antivirus and how cybercriminals can use EDR and antivirus against companies and users.
EDR and antivirus
Before understanding the difference between EDR and antivirus, let us get an overview of both solutions.
What is Endpoint Detection and Response (EDR)?
Endpoint Detection and Response (EDR) is a security solution that helps enterprises protect endpoint solutions. It uses a layered and integrated approach with real-time and continuous monitoring. EDR also leverages endpoint data analytics that operates on rule-based automated responses. Enterprises use EDRs to provide rapid cyber investigation and improve threat visibility. It also helps in automating remediation and contextualized threat detection. According to a research report, the Endpoint Detection and Response (EDR) market will reach a US$ 5,871.6 million valuation by 2025.
What is Antivirus?
Antiviruses are utility software that protects a system or multiple systems/computers from computer viruses, worms, or Trojans. They protect computers by scanning, detecting, removing, or quarantining infected files or malicious programs. Modern antivirus runs in the background to continuously check files and external drives for malicious codes. Many antiviruses have additional features like website blocking, averting hostile code execution, and blocking attachments having malicious signatures.
Differences between EDR and antivirus tools
Enterprises use both these tools to enhance the security of the digital infrastructure. Here are some notable differences between EDR and antivirus tools.
New research demonstrates that EDR and Antivirus Can Be Weaponized Against Users
So far, we have discussed the difference between EDR and antivirus software. This section will discuss how attackers can weaponize these solutions against businesses and users.
SafeBreach Lab researchers have disclosed high and severe security vulnerabilities in endpoint detection and response (EDR) and antivirus (AV) solutions. In a nutshell, researchers claimed that attackers use the vulnerabilities to mislead these security products into deleting legitimate files and directories on networks or PCs. Through this approach, the machine will become inoperable.
In this vulnerability technique, the attack takes advantage of the junction point (also known as the soft link). Here, a directory serves as an alias to another directory on the computer. These Wiper exploits in well-known security solutions pose a severe threat to the enterprise. SafeBreach Labs researcher Or Yair said, "Such wiper runs with the permissions of an unprivileged user yet can wipe almost any file, including system files, and make a computer completely unbootable. It does all that without implementing code that touches the target files, making it fully undetectable."
Again, researchers tested and found 6 of 11 security products vulnerable to such wiper exploits. Hence, researchers are encouraging the security solution vendors to release security patches to fix the vulnerability. Three prevalent vulnerabilities associated with top vendors are:
CVE-2022-45797 (score: 7.1) - Trend Micro Apex One
CVE-2022-4173 (score: 8.8) - AVG and Avast
CVE-2022-37971 (score: 7.1) - Microsoft Defender
See more about why companies need EDR and NDR for complete network protection.
Endpoint Detection and Response (EDR) and antivirus solutions are two integral technologies for enterprises to protect their computing infrastructure. However, attackers can weaponize these solutions against the users. Hence, security solution vendors must patch the vulnerabilities to mitigate the risks associated with EDR and Antivirus tools.