Home / Blog / General / The difference between Endpoint Protection and Traditional Antivirus

April 16, 2019

In the ever-changing world of cyber security, technologies never stand still. So as a customer it can be difficult to know at what point it’s worth upgrading – is this “new” solution going to be significantly better? Or is it worth waiting?

It’s a particularly troubling question in relation to antivirus. As one of your primary defences, you don’t want to leave your users at risk.

So what is Endpoint Protection, and how is it different to traditional antivirus (AV)?

The difference between Endpoint Protection and Traditional Antivirus

Defining traditional antivirus (AV)

AV solutions are typically at work all the time, running in the background on your machine. Every time you open or download a file or a program, the AV scans it to check for malware – malicious software that is intended to damage or compromise your system. Malware includes things like Trojans, worms, viruses, etc.

You may also use your AV to run full-system scans – again, the AV will check every file on your system (including things like cookies that you aren’t really aware of) for signs of malware.

» How does it know what malware looks like?

Every AV program carries a list of virus definitions, or signatures, which have been discovered by cyber security researchers. The program crosschecks the files against this list of definitions. If anything matches – snap! It’s considered a threat and dealt with accordingly.

In order to be effective, this list must be continually updated with the latest virus definitions. Your AV program should do this automatically, provided you have the correct settings in place.

So to sum up: traditional AV looks for known malware code on all your files. But what about unknown code? And what if it’s not attached to a file?

What does Endpoint Protection (EPP) do differently?

Like traditional AV, Endpoint Protection works continuously in the background. But rather than searching for specific known signatures, EPP monitors behaviours.

This is the main, and really significant difference.

Nearly 1 million different types of malware are released – every day! It is not possible for any AV solution to know them all. And since the majority of attacks today come from unknown sources – and increasingly they’re “fileless” – mean traditional AV has quickly become ineffective.

In fact, Gartner dropped the AV Magic Quadrant in 2006.

» Think of it this way:

If there’s a security alert in the airport, would you be happy for the security professionals to focus all their efforts on facial recognition software, seeking out the faces of known criminals? Or do you want them to also look for suspicious behaviour? Keeping people out of secure areas, monitoring what individuals are doing… and generally taking the necessary security measures to keep everyone safe?

This is how EPP operates – by seeking out indicators of compromise, or IoCs, which suggest that malware is present. Detecting signs of malicious behaviour.

More effective than legacy AV

Endpoint Protection Platforms are not reliant on the virus definitions being updated, or security researchers defining every possible threat. Instead, EPP monitors your system and effectively says: OK, this might not be malware, but we’re not going to let it access a program’s configuration, or corrupt the memory space of another program. If it acts like malware, EPP assumes it is malware and reacts accordingly.

Antivirus versus Endpoint Protection SentinelOne

Endpoint Protection (EPP) + Endpoint Detection & Response (EDR)

It is important to acknowledge that no program is going to be able to stop every attack. No-one can promise you 100% protection. But some EPP solutions include detection and response capabilities, to recognise IoCs, detect that an attack has taken place and act to contain and remediate the damage.

Again, this multi-layered approach to security is an essential feature in a first-line defence. If an attacker permeates a system protected with traditional AV, there’s no remediation available. Once they’re in, they’re in.

SentinelOne Autonomous Endpoint Protection

Next-Gen Endpoint Protection automatically detects threats, stops them in their tracks and cleans up after them – giving you a bird’s eye view of your system that you need to identify the behaviour that is putting your organisation at risk.


SentinelOne logo

About SentinelOne

› Autonomous Endpoint Protection

SentinelOne’s Endpoint Protection Platform (EPP) provides organisations real-time, unified endpoint protection, unifying prevention, detection and response – in one platform.

SentinelOne EPP leverages advanced machine learning and intelligent automation to prevent and detect attacks across all major vectors, with rapid elimination of threats, fully automated policy-driven response, and complete visibility into the endpoint with real-time forensics.

› Certified AV replacement

The independent anti-virus research institute (AV-TEST) has awarded SentinelOne EPP the Approved Corporate Endpoint Protection certification for both Windows and OS X, which validates its effectiveness for detecting both advanced malware and blocking known threats – the only next generation endpoint protection vendor to obtain this certification on both platforms.


Related articles:


About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.