Antivirus, EDR, and Vulnerability Scans
Key Takeaways
- Antivirus focuses on known malicious files and behaviors, while EDR gives deeper endpoint visibility and response options.
- Endpoint controls work only when agents are deployed, updated, monitored, and protected from tampering.
- Vulnerability scans identify weaknesses; they do not prove exploitation by themselves.
- Credentialed scans are more accurate than uncredentialed scans but require secure credential handling.
- Findings are prioritized by severity, exposure, asset value, exploitability, and compensating controls.
Three Tools, Three Questions
Endpoint and vulnerability controls help teams find problems before or during an attack, but they answer different questions:
| Tool | Core question | Primary output |
|---|---|---|
| Antivirus (AV) | Is this file or behavior known to be malicious? | Quarantine, block, or clean |
| Endpoint detection and response (EDR) | What is happening on this endpoint, and can we contain it? | Rich telemetry plus response actions |
| Vulnerability scanner | What weaknesses could be exploited? | A prioritized findings report |
Matching the tool to the question is a recurring CC exam pattern.
Antivirus Basics
Antivirus compares files, scripts, processes, and behaviors against known malicious indicators. Traditional AV leaned on signatures; modern AV adds heuristics, reputation, cloud lookups, and behavior analysis. It can quarantine files, block execution, remove malware, or alert an administrator.
AV is valuable but limited. It may miss new malware, living-off-the-land techniques that abuse legitimate tools, or fileless activity that never writes to disk. It also depends on current definitions, healthy agents, and protection from tampering. In a scenario where a laptop has outdated definitions and keeps re-detecting the same threat after every reboot, suspect persistence: the next steps include isolation, a full scan, definition updates, investigation of the persistence mechanism, and possible reimaging.
EDR Basics
EDR provides far richer telemetry and response capability. It can record process trees, command lines, network connections, file writes, registry changes, user logons, script execution, and parent-child process relationships. That lets analysts answer questions like: Did Microsoft Word launch PowerShell? Did a user account create a scheduled task? Did a server reach an unusual external address right after a suspicious process started?
EDR response actions include isolating a host from the network, killing a process, collecting forensic data, blocking a file hash, or rolling back selected changes. These actions should be driven by policy and supported by evidence, because each has side effects. Isolating a developer laptop may be low impact; isolating a production domain controller without coordination can disrupt the whole organization. Know the asset and involve the right teams.
Vulnerability Scans
Vulnerability scanners check for missing patches, insecure configurations, exposed services, weak protocol settings, default credentials, unsupported software, and known vulnerabilities. Two modes appear on the exam:
- Credentialed scan: logs in to inspect configuration and patch state from the inside. More accurate, with fewer false positives, but the scan account is itself a high-value target: it should be dedicated and least-privilege, and its credentials stored, rotated, and handled securely.
- Uncredentialed scan: observes from the network without logging in. Less accurate but closer to an external attacker's view.
Scan findings are not incidents. A critical remote code execution flaw on an internet-facing VPN appliance is urgent even with no confirmed exploit, while a medium finding on an isolated test box is less pressing. Prioritize using severity, exploit availability, asset criticality, exposure, business function, and compensating controls.
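The prioritization factors above, carried through in code. This is an added example, not part of the original page or any scanner's real formula; the weights, field names, and sample findings are assumptions chosen to show why a critical finding on an internet-facing appliance outranks an equally "critical" one on an internal host, and why compensating controls lower but never zero out a score.

```python
"""Rank vulnerability scan findings by risk rather than raw severity.

Added example; the scoring weights and field names are assumptions chosen
to illustrate the factors in the text, not any scanner's real formula.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    title: str
    severity: str             # scanner severity: critical / high / medium / low
    internet_facing: bool     # exposure
    exploit_available: bool   # public exploit or known active exploitation
    asset_criticality: int    # 1 (isolated lab box) .. 5 (core business system)
    compensating_controls: list = field(default_factory=list)


SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


def risk_score(f: Finding) -> float:
    """Combine severity, exposure, exploitability, asset value and controls."""
    score = float(SEVERITY_WEIGHT[f.severity.lower()])
    # Exposure: an internet-facing service is reachable by every attacker.
    score *= 2.0 if f.internet_facing else 1.0
    # Exploitability: a public exploit removes the attacker's research cost.
    score *= 1.5 if f.exploit_available else 1.0
    # Asset value: scale by how much the business depends on the host.
    score *= f.asset_criticality / 3.0
    # Compensating controls lower risk but never remove the weakness,
    # so the reduction is capped (never below half the underlying score).
    score *= max(0.5, 1.0 - 0.15 * len(f.compensating_controls))
    return round(score, 2)


def prioritize(findings: list) -> list:
    """Return findings ordered most urgent first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings for illustration.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "Critical RCE in VPN appliance", "critical",
            internet_facing=True, exploit_available=True, asset_criticality=5),
    Finding("test-box-09", "Medium: weak TLS cipher suites", "medium",
            internet_facing=False, exploit_available=False, asset_criticality=1),
    Finding("db-prod-02", "High: unpatched database service", "high",
            internet_facing=False, exploit_available=False, asset_criticality=5,
            compensating_controls=["segmentation", "IPS signature"]),
    Finding("files-01", "Critical: SMB RCE on internal file server", "critical",
            internet_facing=False, exploit_available=True, asset_criticality=3),
]


def ranked_hosts(findings=SAMPLE_FINDINGS) -> list:
    """Hosts in remediation order, for a quick report."""
    return [f.host for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.host:12}  {f.title}")
```

Run as a script it prints the VPN appliance first (50.0) and the isolated test box last (1.33); the internal file server with a public exploit lands above the production database whose segmentation and IPS signature pull its score down without erasing it.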
Worked Scenarios
Scenario 1. A weekly scan reports a critical remote code execution vulnerability on a public web server. The server team wants to wait until the next quarterly maintenance window because the app still works. The stronger response: validate the finding, determine exposure, check for active exploitation, and apply the vendor patch or mitigation as soon as practical. If patching must wait, compensating controls such as IPS rules, a web application firewall, segmentation, temporary service restriction, or heightened monitoring reduce risk, but they are not a substitute for fixing the weakness.
Scenario 2. EDR alerts that a spreadsheet application launched a script interpreter and connected to an external IP address. AV may or may not flag the file, but the EDR process chain shows suspicious behavior after the document opened. The right response: isolate the host if policy allows, preserve the alert details, check whether credentials were used, and hunt for the same activity on other endpoints.
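The process-chain question from the EDR section ("Did a spreadsheet launch a script interpreter?") and Scenario 2, written as detection logic over EDR-style telemetry. This is an added example, not code from the original page or from any EDR product: the event field names are an assumption, the events are constructed, and the internal address ranges stand in for an organization's own address space.

```python
"""Flag an Office application spawning a script interpreter that connects out,
using EDR-style process-create and network-connection telemetry.

Added example; the event fields are an assumption for illustration, not any
EDR vendor's schema, and the telemetry below is constructed.
"""
import ipaddress
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Assumed internal address space (RFC 1918 plus loopback and link-local);
# a real deployment would use the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed telemetry: a macro-laden spreadsheet spawns cmd -> powershell,
# which reaches an external address; a separate PowerShell backup job
# launched from explorer.exe talks only to an internal file server.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "user": "alice",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "EXCEL.EXE", "user": "alice",
     "cmdline": '"C:\\Program Files\\Microsoft Office\\EXCEL.EXE" Q3_invoice.xlsm'},
    {"type": "process", "pid": 210, "ppid": 200, "image": "cmd.exe", "user": "alice",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -ep bypass -f C:\\Users\\Public\\u.ps1"},
    {"type": "process", "pid": 220, "ppid": 210, "image": "powershell.exe", "user": "alice",
     "cmdline": "powershell -nop -w hidden -ep bypass -f C:\\Users\\Public\\u.ps1"},
    {"type": "network", "pid": 220, "dst_ip": "203.0.113.45", "dst_port": 443},
    {"type": "process", "pid": 300, "ppid": 100, "image": "powershell.exe", "user": "alice",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
    {"type": "network", "pid": 300, "dst_ip": "10.0.0.25", "dst_port": 445},
]


def index_events(events):
    """Map pid -> process record and pid -> outbound connections."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    conns = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            conns[e["pid"]].append(e)
    return procs, conns


def ancestors(pid, procs, max_depth=5):
    """Parent chain of pid, nearest parent first, bounded to avoid runaway walks."""
    chain, cur = [], procs.get(pid)
    while cur is not None and len(chain) < max_depth:
        cur = procs.get(cur["ppid"])
        if cur is not None:
            chain.append(cur)
    return chain


def is_external(ip: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_office_script_chains(events):
    """Return one alert per script interpreter descended from an Office process."""
    procs, conns = index_events(events)
    alerts = []
    for pid, proc in procs.items():
        if proc["image"].lower() not in SCRIPT_HOSTS:
            continue
        lineage = ancestors(pid, procs)
        if not any(a["image"].lower() in OFFICE_APPS for a in lineage):
            continue  # launched by explorer, a scheduler, etc.: not this pattern
        external = [c["dst_ip"] for c in conns.get(pid, []) if is_external(c["dst_ip"])]
        alerts.append({
            "pid": pid,
            "user": proc["user"],  # whose credentials the chain ran under
            "chain": " -> ".join(a["image"] for a in reversed(lineage)) + " -> " + proc["image"],
            "cmdline": proc["cmdline"],
            "external_ips": external,
            # Office -> interpreter is suspicious; an external connection makes it urgent.
            "severity": "high" if external else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_office_script_chains(EVENTS):
        print(a["severity"].upper(), a["user"], a["chain"], a["external_ips"])
```

The backup PowerShell (pid 300) is ignored because nothing in its lineage is an Office application, which is the point: the interpreter alone is not the signal, the parent-child chain is. The alert keeps the user field so the responder can immediately start on "were these credentials used elsewhere", and the medium-severity hit on the intermediate cmd.exe shows that the chain would still surface even if the network event were missing.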
Common trap: treating a scan finding as proof of compromise. A scan finds potential weakness; only investigation or EDR/AV evidence shows actual attacker activity.
Why Endpoint Hygiene Matters
Every endpoint control depends on conditions the exam likes to probe:
- Coverage: an agent that was never installed on a server protects nothing there.
- Currency: stale antivirus definitions miss recent malware, and an unpatched scanner misses recent vulnerabilities.
- Health: a stopped, crashed, or disabled agent is a blind spot an attacker will seek out.
- Tamper protection: if a user or attacker with local rights can turn the agent off, the control is only as strong as that protection.
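One way to find the four gaps above in practice is to reconcile the asset inventory against what the agent console reports. This is an added example, not code from the original page or from any EDR/AV product: the hostnames, field names, and freshness threshold are assumptions and the records are constructed.

```python
"""Reconcile the asset inventory with endpoint-agent telemetry to surface the
four hygiene conditions: coverage, currency, health, tamper protection.

Added example; hostnames, field names and thresholds are assumptions, and the
records are constructed for illustration.
"""
from datetime import date

INVENTORY = {"web01", "db01", "hr-laptop-07", "build-srv-02"}

# What the EDR/AV console reports per host (constructed). build-srv-02 is
# absent: the agent was never installed. kiosk-03 reports in but is not in
# the inventory, which is its own finding.
AGENT_REPORTS = {
    "web01":        {"status": "running", "definitions_date": "2024-05-20", "tamper_protection": True},
    "db01":         {"status": "stopped", "definitions_date": "2024-05-20", "tamper_protection": True},
    "hr-laptop-07": {"status": "running", "definitions_date": "2024-04-02", "tamper_protection": False},
    "kiosk-03":     {"status": "running", "definitions_date": "2024-05-20", "tamper_protection": True},
}

TODAY = date(2024, 5, 21)  # fixed so the example is deterministic


def hygiene_gaps(inventory, reports, today=TODAY, max_definition_age_days=7):
    """Return {host: [problem, ...]} for every host with at least one gap."""
    gaps = {}
    for host in sorted(inventory):
        report = reports.get(host)
        if report is None:
            # Coverage: an inventoried host with no agent protects nothing.
            gaps[host] = ["coverage: no agent reported for an inventoried host"]
            continue
        problems = []
        if report["status"] != "running":
            problems.append(f"health: agent {report['status']}")
        age = (today - date.fromisoformat(report["definitions_date"])).days
        if age > max_definition_age_days:
            problems.append(f"currency: definitions {age} days old")
        if not report["tamper_protection"]:
            problems.append("tamper protection: disabled")
        if problems:
            gaps[host] = problems
    # The reverse mismatch matters too: an agent on a host nobody owns.
    for host in sorted(set(reports) - set(inventory)):
        gaps[host] = ["inventory: agent reports a host the inventory does not list"]
    return gaps


if __name__ == "__main__":
    for host, problems in hygiene_gaps(INVENTORY, AGENT_REPORTS).items():
        print(host)
        for p in problems:
            print("   ", p)
```

Only web01 comes back clean. The stopped agent on db01 is the blind spot an attacker looks for, the laptop combines stale definitions with disabled tamper protection, and the build server never appears in the console at all, which no amount of dashboard review of "protected" hosts would reveal.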
A recurring scenario describes a host that keeps re-detecting the same malware after each reboot; the lesson is that detection without removing persistence does not solve the problem.
Putting the Tools Together
In a real investigation these controls reinforce one another. A vulnerability scan tells you a server is exposed; antivirus tells you whether a known malicious file is present; EDR tells you what is actually happening on the box and lets you contain it. The strongest exam answers respect those boundaries: do not expect a scanner to confirm compromise, do not expect antivirus to explain a fileless attack chain, and do not expect EDR to enumerate every missing patch.
Match the tool to the question, prioritize findings by real risk rather than raw severity counts, and remember that compensating controls reduce risk while you remediate but never replace the fix itself.
Review Questions
What is the primary purpose of a vulnerability scan?
An EDR alert shows that a spreadsheet application launched PowerShell and then made an external network connection. Why is this telemetry valuable?
Which scan finding should usually receive the highest remediation priority?