What is EDR?

Just like every snowflake is uniquely shaped, and every one of us has a fingerprint unlike anyone else's, viruses have a signature that is unique to them. And just as detectives have access to fingerprint records, antivirus (AV) software has access to a database of these virus signatures.

AV software, and its methods of defense, however, are decades old. Hackers and their options for intrusion, on the other hand, grow more advanced by the day. That is why many businesses are beginning to use endpoint detection and response (EDR) software.


Essentially, AV software protects your computer or server against intrusion by matching files against these virus signatures — and for known viruses this works great. A malicious file with a known signature will never be able to penetrate your environment’s defenses.

AV software, however, is a little old-fashioned when it comes to preventing new viruses. Just like a crime in the physical world, a virus intrusion creates a crime scene in the virtual space that makes up your business' environment. After being alerted to the intrusion, the AV vendor's analysts examine this cyber crime scene, sifting through the code of the virus.

Once the virus is understood, a virus signature will be created. This signature is then distributed to all computers with that AV software currently installed. Once a virus signature is known, it is very difficult for that virus to infiltrate a system without the AV software stopping the virus in its tracks.


EDR software takes the methods of AV software and builds upon them. First, let's go over the technical definition of EDR:

“EDR leverages AI and machine learning to automate the steps and investigative process [of virus intrusion defense]. These capabilities can learn an organization’s baseline behaviors and even use this information along with variety of other intelligence sources to interpret findings.”

-Jake Wagner, Collabrance

So, what does that mean? Essentially, EDR software is an intelligent program capable of pattern recognition. By analyzing the millions and millions of file interactions that happen on your network every day, it learns what constitutes "normal" file activity in your business' environment.

Because your EDR software knows what normal activity looks like, it has the ability to stop suspicious files before they penetrate your network. Rather than relying only on a database of past viruses, EDR notices a file that falls outside the parameters it is used to seeing, quarantines that file, and at the same time alerts the system administrator to the possible threat.

After the file is safely separated from the network, the system administrator can look at this suspicious file, and either delete the malicious virus, or allow the benign file to enter.


As the tactics and viruses hackers use every day advance, the defenses of AV software are quickly becoming woefully inept at handling the scope of virtual threats present.

Not only are more and more viruses being created, but the nature of viruses is changing as well — hackers are now concocting viruses that have the ability to change their signature, enhancing their ability to infect networks, even after being detected. This new technology essentially cripples the ability for regular AV software to protect against viruses, and soon, EDR will become the industry standard.
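The contrast drawn above, between signature matching (which a one-byte change defeats) and baseline-driven anomaly detection with quarantine, as an added illustration that is not code from the article or from any EDR product; all samples, the signature database, the telemetry and the `min_seen` threshold are constructed for the example:

```python
import hashlib
from collections import Counter

# Constructed samples (not from the article). The variant differs from the known
# virus by one appended byte: its signature changes, its behaviour does not.
KNOWN_VIRUS = b"sample-malware-v1"
VARIANT = KNOWN_VIRUS + b"\x00"
BENIGN_DOC = b"quarterly-report.docx"

# AV signature database: SHA-256 digests of files already analysed by AV teams.
SIGNATURE_DB = {hashlib.sha256(KNOWN_VIRUS).hexdigest()}

# Constructed baseline telemetry: (process, action) pairs recorded during a
# period of normal operation, each seen many times.
BASELINE_EVENTS = [
    ("winword.exe", "read:docx"), ("winword.exe", "write:docx"),
    ("outlook.exe", "connect:443"), ("chrome.exe", "connect:443"),
] * 25

# Constructed behaviour each sample exhibits once opened on the endpoint.
BEHAVIOUR = {
    KNOWN_VIRUS: [("winword.exe", "write:exe")],
    VARIANT: [("winword.exe", "write:exe")],
    BENIGN_DOC: [("winword.exe", "read:docx"), ("winword.exe", "write:docx")],
}

def av_signature_match(file_bytes):
    """Classic AV: the file is known only if its exact hash is in the database."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB

def learn_baseline(events):
    """Count how often each (process, action) pair occurs during normal use."""
    return Counter(events)

def edr_is_anomalous(baseline, events, min_seen=5):
    """Anomalous if any pair was seen fewer than min_seen times in the baseline."""
    return any(baseline[e] < min_seen for e in events)

def classify(file_bytes, baseline):
    """Verdict of the combined pipeline: signature first, then behaviour."""
    if av_signature_match(file_bytes):
        return "blocked-by-signature"
    if edr_is_anomalous(baseline, BEHAVIOUR[file_bytes]):
        return "quarantined-pending-review"  # and the administrator is alerted
    return "allowed"

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_EVENTS)
    for name, sample in [("known", KNOWN_VIRUS), ("variant", VARIANT), ("benign", BENIGN_DOC)]:
        print(name, "av-known:", av_signature_match(sample), "verdict:", classify(sample, baseline))
```

The variant slips past the signature check but is quarantined because its behaviour never appeared in the baseline, while the benign document, whose actions match the baseline, is allowed.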

If you want to make sure your business has the increased effectiveness of EDR software, speak with your MITS provider.

Jeff Blount
Jeff Blount is a vCIO for Cobb Technologies with over 14 years of experience in the tech industry, and before Cobb, worked in AEC and eCommerce. With Cobb since 2011, Jeff helps our Managed IT partners manage and grow their digital systems. When not finding solutions for SMB and enterprise level businesses, Jeff can be found out on the soccer field with his family.