Antivirus, EDR, and Vulnerability Scans

Key Takeaways

  • Antivirus focuses on known malicious files and behaviors, while EDR gives deeper endpoint visibility and response options.
  • Endpoint controls are most useful when agents are deployed, updated, monitored, and protected from tampering.
  • Vulnerability scans identify weaknesses; they do not prove exploitation by themselves.
  • Scanning results should be prioritized by severity, exposure, asset value, exploitability, and compensating controls.
  • Security teams should coordinate scans so testing does not create unexpected outages or alert fatigue.
Last updated: April 2026

Endpoint and vulnerability controls help security teams identify problems before or during an attack. They do not all answer the same question. Antivirus often asks, "Is this file or behavior known to be malicious?" Endpoint detection and response asks, "What is happening on this endpoint, and can we investigate or contain it?" Vulnerability scanning asks, "What weaknesses exist that could be exploited?"

Antivirus Basics

Antivirus tools compare files, scripts, processes, and behaviors against known malicious indicators and suspicious patterns. Traditional antivirus relied heavily on signatures, while modern tools also use heuristics, reputation, cloud lookups, and behavior analysis. Antivirus can quarantine files, block execution, remove malware, or alert an administrator.

Antivirus is valuable but limited. It may miss new malware, living-off-the-land techniques, fileless activity, or attacks that use legitimate tools in abusive ways. It also depends on current definitions, healthy agents, and administrative controls that prevent users or attackers from disabling protection. In a scenario where a laptop has outdated antivirus definitions and keeps detecting the same threat after reboot, the next step may include isolation, full scan, update, investigation of persistence, and possible reimaging depending on evidence.

EDR Basics

Endpoint detection and response provides richer telemetry and response capability. EDR may record process trees, command lines, network connections, file writes, registry changes, user logons, script execution, and parent-child process relationships. It can help answer questions such as: Did Word launch PowerShell? Did a user account create a scheduled task? Did a server connect to an unusual external address after a suspicious process started?

EDR response actions may include isolating a host from the network, killing a process, collecting forensic data, blocking a hash, or rolling back selected changes. These actions should follow policy and evidence. Isolating a developer laptop may be low impact. Isolating a production domain controller without coordination may disrupt the organization. Practical security requires knowing the asset and involving the right teams.

Vulnerability Scans

Vulnerability scanners check systems for missing patches, insecure configurations, exposed services, weak protocol settings, default credentials, unsupported software, and known vulnerabilities. A scanner may be credentialed, meaning it logs in to inspect configuration and patch state, or uncredentialed, meaning it observes from the network. Credentialed scans usually provide more accurate results, but they require secure handling of scan credentials.

Scan findings are not the same as incidents. A critical vulnerability on an internet-facing VPN appliance is urgent even if no exploit is confirmed. A medium finding on an isolated test system may be less urgent. Prioritization should consider severity, exploit availability, asset criticality, exposure, business function, and compensating controls.

Practical Scenario

A weekly scan reports a critical remote code execution vulnerability on a public web server. The server team says the web application still works, so they want to wait until the next quarterly maintenance window. A better security response is to validate the finding, determine exposure, check whether exploitation is being observed, apply the vendor patch or mitigation as soon as practical, and monitor for related indicators.

If the patch cannot be applied immediately, compensating controls might include IPS rules, web application firewall rules, segmentation, temporary service restriction, or increased monitoring. These controls reduce risk but should not become a substitute for fixing the weakness.
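The prioritization factors listed above (severity, exposure, asset criticality, exploit availability, compensating controls) can be turned into a repeatable triage order. The following is an added example, not code from the original page: the weights, the `Finding` schema and the sample findings are all constructed for illustration, and they reproduce the page's own cases (a critical finding on an internet-facing VPN appliance, a medium finding on an isolated test system, and a critical web server RCE that has been wrapped in WAF and IPS rules while the patch is pending).

```python
"""Risk-based ordering of vulnerability scan findings (added example, constructed data)."""
from dataclasses import dataclass, field

# Assumed weights: severity labels as a scanner reports them, mapped to a number.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}

# Assumed exposure multipliers: internet-facing raises urgency, isolated lowers it.
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0, "isolated": 0.5}


@dataclass
class Finding:
    host: str
    title: str
    severity: str                 # critical / high / medium / low
    exposure: str                 # internet / internal / isolated
    asset_criticality: int        # 1 (lab box) .. 5 (business-critical)
    exploit_available: bool       # public exploit or active exploitation reported
    compensating_controls: list = field(default_factory=list)


def risk_score(f: Finding) -> float:
    """Combine the page's prioritization factors into one sortable number."""
    score = SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.exposure] * f.asset_criticality
    if f.exploit_available:
        score *= 1.5
    # Each compensating control (WAF rule, IPS signature, segmentation, ...) trims the
    # score but never drives it to zero: the weakness remains until it is fixed.
    score *= max(0.4, 1.0 - 0.2 * len(f.compensating_controls))
    return round(score, 1)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; this is the order the remediation queue should follow."""
    return sorted(findings, key=risk_score, reverse=True)


def prioritized_hosts(findings: list[Finding]) -> list[str]:
    return [f.host for f in prioritize(findings)]


# Constructed findings mirroring the scenarios described on the page.
SAMPLE_FINDINGS = [
    Finding("vpn-edge-01", "Critical auth bypass in VPN appliance", "critical",
            "internet", 5, exploit_available=True),
    Finding("test-lab-07", "Medium: outdated TLS cipher suites", "medium",
            "isolated", 1, exploit_available=False),
    Finding("www-01", "Critical RCE in web framework", "critical",
            "internet", 4, exploit_available=True,
            compensating_controls=["waf-rule", "ips-signature"]),
    Finding("files-02", "High: missing SMB patch", "high",
            "internal", 3, exploit_available=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):7.1f}  {f.host:12s}  {f.title}")
```

The WAF and IPS rules on `www-01` lower its score below the unmitigated VPN finding, but it still outranks the internal file server and the isolated test box, which is the point of the text: compensating controls buy time, they do not close the finding.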

Another scenario: EDR alerts that a spreadsheet application launched a script interpreter and connected to an external IP address. Antivirus may or may not flag the file. The EDR process chain is important because it shows suspicious behavior after the document opened. The right response includes isolating the host if policy allows, preserving the alert details, checking whether credentials were used, and searching for similar activity on other endpoints.
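The EDR telemetry described in the EDR Basics section (process trees, parent-child relationships, network connections) is what makes the spreadsheet scenario above detectable. The following is an added example, not the page's own code and not any vendor's schema: it reconstructs a process chain from constructed EDR-style events and flags the pattern "Office application, eventually a script interpreter, then an outbound connection to an address outside the organization's assumed internal ranges". The event layout, the process names and the IP ranges are assumptions for the example.

```python
"""Flag Office -> script interpreter -> external connection from constructed EDR events."""
import ipaddress

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "cmd.exe"}

# Assumed internal address space for the example organisation; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed telemetry in the rough shape an EDR might export (hypothetical schema).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 900, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 5200, "ppid": 4100, "image": "EXCEL.EXE",
     "cmdline": "EXCEL.EXE invoice_Q2.xlsm"},
    {"type": "process", "pid": 5300, "ppid": 5200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -File update.ps1"},
    {"type": "process", "pid": 5310, "ppid": 5300, "image": "powershell.exe",
     "cmdline": "powershell.exe -File update.ps1"},
    {"type": "network", "pid": 5310, "dest_ip": "203.0.113.45", "dest_port": 443},
    # Benign control case: a user opened PowerShell from the desktop and talked to an internal host.
    {"type": "process", "pid": 6000, "ppid": 4100, "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    {"type": "network", "pid": 6000, "dest_ip": "10.0.0.25", "dest_port": 5985},
]


def build_process_map(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pid, procs):
    """Image names from the process up to the oldest ancestor we have telemetry for."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:      # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain  # e.g. ['powershell.exe', 'cmd.exe', 'excel.exe', 'explorer.exe']


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_office_spawned_scripts(events):
    """Return one alert per external connection made by an Office-descended script interpreter."""
    procs = build_process_map(events)
    alerts = []
    for e in events:
        if e["type"] != "network" or not is_external(e["dest_ip"]):
            continue
        chain = ancestry(e["pid"], procs)
        if chain and chain[0] in SCRIPT_INTERPRETERS and any(img in OFFICE_APPS for img in chain[1:]):
            alerts.append({"pid": e["pid"],
                           "chain": " <- ".join(chain),
                           "dest": f"{e['dest_ip']}:{e['dest_port']}"})
    return alerts


if __name__ == "__main__":
    for a in find_office_spawned_scripts(SAMPLE_EVENTS):
        print(f"pid {a['pid']}: {a['chain']} -> {a['dest']}")
```

The benign PowerShell session is not flagged twice over: its parent is the desktop shell rather than an Office application, and its destination is internal. The alert record keeps the full chain and destination, which is exactly the detail the text says to preserve before isolating the host and hunting for the same chain on other endpoints.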

For the exam, match the tool to the purpose: antivirus blocks known malware, EDR investigates endpoint behavior and supports response, and vulnerability scans find weaknesses that need risk-based remediation.

Test Your Knowledge

What is the primary purpose of a vulnerability scan?

An EDR alert shows that a spreadsheet launched PowerShell and made an external connection. Why is this useful?

Which scan finding should usually receive the highest priority?
