Lesson Notes

Antivirus & EDR Basics

Module 5: Defensive Strategies. Behavioral detection.

Module 5: Antivirus & EDR Basics — Comprehensive Theory Guide

Antivirus (AV) and Endpoint Detection and Response (EDR) are core layers of endpoint security. They run on workstations and servers to detect and block malicious software and to respond to suspicious behavior. Traditional AV is largely signature-based: it compares files and sometimes memory to a database of known malware (file hashes, byte patterns, or behavioral signatures). EDR extends this with continuous monitoring of process, file, network, and registry activity; it records and analyzes behavior so that novel or polymorphic malware—and encrypted or fileless payloads—can be detected even when no signature exists. This lesson explains the difference in detail, why behavioral detection matters for modern threats, and how to verify that AV is active using the EICAR test file. Do not use real malware outside an isolated, authorized lab.

Signature-Based Detection: Strengths and Limits

Signature-based AV scans files (on access, on demand, or on a schedule) and compares them to a database of known-bad patterns: file hashes (MD5, SHA-256), byte sequences, or more complex patterns (e.g. YARA rules). When a match is found, the file is quarantined, deleted, or blocked. This is very effective against known malware and widespread families. Its limitations: new malware (a zero-day or a new variant) has no signature until the vendor adds one; polymorphic or packed malware changes its binary form so that a single hash or pattern does not match every variant; and encrypted payloads (e.g. downloaded over HTTPS and decrypted only in memory) may never exist as a static file to be hashed. So signatures alone are insufficient against advanced or targeted attacks.
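As an added illustration (not part of the original lesson notes), the following Python script models the three cases just described. A toy signature database holds one SHA-256 hash and one YARA-style byte pattern; the original sample matches both, a "repacked" variant with junk appended defeats the hash but not the pattern, and an XOR-encrypted copy defeats both. The sample bytes, the host name c2.example.invalid and the rule name Test.Beacon.Callback are constructed test data, not real malware or real signatures.

```python
"""Toy signature scanner: hash match, byte-pattern match, and what each misses."""
import hashlib

# Constructed test data: inert text standing in for a malicious binary.
# Only the bytes matter; nothing here executes.
KNOWN_SAMPLE = (
    b"MZ\x90\x00 fake-binary-header "
    b"callback=http://c2.example.invalid/beacon "
    b"fake-payload-body-0001"
)

# Constructed signature database. A real product ships millions of entries.
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
BYTE_PATTERNS = {
    # YARA-style "strings" rule: fires on any file containing this byte sequence.
    "Test.Beacon.Callback": b"callback=http://c2.example.invalid/beacon",
}


def scan(data: bytes) -> dict:
    """Return which signature types matched: {'hash': [...], 'pattern': [...]}."""
    hits = {"hash": [], "pattern": []}
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_HASHES:
        hits["hash"].append(digest)
    for name, needle in BYTE_PATTERNS.items():
        if needle in data:
            hits["pattern"].append(name)
    return hits


def is_detected(data: bytes) -> bool:
    hits = scan(data)
    return bool(hits["hash"] or hits["pattern"])


def repack(data: bytes) -> bytes:
    """Polymorphic variant: same payload, different bytes.
    Appending junk changes the hash but leaves the byte pattern intact."""
    return data + b"\x00junk-padding"


def xor_encrypt(data: bytes, key: int) -> bytes:
    """Stand-in for a packed/encrypted payload that only exists in the clear in memory.
    Neither the hash nor the pattern survives, so static scanning sees nothing."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    for label, sample in [
        ("original sample", KNOWN_SAMPLE),
        ("repacked variant", repack(KNOWN_SAMPLE)),
        ("encrypted payload", xor_encrypt(KNOWN_SAMPLE, 0x5A)),
    ]:
        print(f"{label:18s} detected={is_detected(sample)} hits={scan(sample)}")
```

Running it prints one line per case: the original is caught twice over, the repacked copy only by the pattern rule, and the encrypted copy not at all, which is exactly the gap that behavioral detection has to close.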

Behavioral Detection and EDR

Behavioral detection focuses on what programs do, not just what they look like. Examples: a process injecting code into another process; a script or executable writing to sensitive registry keys (e.g. persistence); mass file encryption (ransomware); or a host making unexpected network connections (C2, lateral movement). EDR agents collect telemetry (process creation, file writes, network flows, etc.) and send it to a central platform where analysts or automated rules look for suspicious sequences. Alerts can trigger response actions: isolate the host, kill a process, or quarantine a file. Because behavior is observed at runtime, encryption of the payload (e.g. TLS-delivered malware) does not prevent detection—the decrypted behavior is what is monitored. Novel malware that has never been seen before can still be caught if its behavior matches known-bad patterns (e.g. "powershell with encoded command and network callback").
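As an added example (not part of the original lesson and not any vendor's rule), the script below implements the "powershell with encoded command and network callback" pattern mentioned above as a correlation rule over EDR-style telemetry. The telemetry lines, process ids, paths and addresses are constructed for this example; the encoded command is a harmless "Get-Date", encoded the way PowerShell's -EncodedCommand expects (UTF-16LE, then base64) so the rule can decode it for the analyst.

```python
"""Toy EDR correlation rule: encoded PowerShell followed by an outbound connection."""
import base64
import json
import re
from datetime import datetime, timedelta

# Constructed telemetry in the shape an EDR agent reports (not real logs).
ENCODED_CMD = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

TELEMETRY_LINES = [json.dumps(e) for e in [
    {"ts": "2024-01-10T09:00:00", "event": "process_create", "pid": 4100, "ppid": 3000,
     "image": PS_IMAGE, "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem"},
    {"ts": "2024-01-10T09:00:05", "event": "process_create", "pid": 4200, "ppid": 2200,
     "image": PS_IMAGE, "cmdline": f"powershell.exe -nop -enc {ENCODED_CMD}"},
    {"ts": "2024-01-10T09:00:07", "event": "network_connect", "pid": 5000,
     "image": r"C:\Program Files\Browser\browser.exe", "dst": "203.0.113.10:443"},
    {"ts": "2024-01-10T09:00:12", "event": "network_connect", "pid": 4200,
     "image": PS_IMAGE, "dst": "198.51.100.7:8443"},
    {"ts": "2024-01-10T09:05:00", "event": "network_connect", "pid": 4100,
     "image": PS_IMAGE, "dst": "192.0.2.30:443"},
]]

# -e, -enc and -EncodedCommand are all accepted spellings; match any, case-insensitively.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
WINDOW = timedelta(seconds=60)  # how soon after start a connection counts as a callback


def decode_encoded_command(blob: str) -> str:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def detect_encoded_ps_with_callback(lines):
    """Alert when powershell.exe starts with an encoded command and the same pid
    opens an outbound connection within WINDOW. Correlation key is the pid."""
    suspects = {}  # pid -> (start time, decoded command)
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["event"] == "process_create" and image == "powershell.exe":
            m = ENCODED_FLAG.search(ev["cmdline"])
            if m:
                suspects[ev["pid"]] = (ts, decode_encoded_command(m.group(1)))
        elif ev["event"] == "network_connect" and ev["pid"] in suspects:
            started, decoded = suspects[ev["pid"]]
            if ts - started <= WINDOW:
                alerts.append({
                    "rule": "encoded_powershell_network_callback",
                    "pid": ev["pid"],
                    "dst": ev["dst"],
                    "decoded_command": decoded,
                    "seconds_after_start": int((ts - started).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_encoded_ps_with_callback(TELEMETRY_LINES):
        print(json.dumps(alert))
```

Only pid 4200 fires: the plain-text PowerShell (pid 4100) and the browser connection are ignored, and a connection arriving long after the encoded start would fall outside WINDOW. Decoding the command in the alert matters in practice, since the analyst sees what ran rather than an opaque blob; note that the rule never looks at file contents, which is why payload encryption does not help the attacker here.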

EICAR Test File and Verification

The EICAR test file is a standard string (you can create a text file with the exact EICAR content) that antivirus products are configured to detect as if it were malware. It is harmless: it does not execute or spread. Its purpose is to verify that AV is installed, running, and scanning. Create or download the file in a safe location (e.g. the Desktop or a test folder); your AV should almost immediately quarantine it or show an alert. If nothing happens, the AV may be disabled, the folder may be excluded from scanning, or the definitions may be out of date. Never use real malware to "test" AV outside an isolated lab with proper authorization; EICAR is the safe way to confirm detection is working.
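As an added example (not part of the original lesson), the following Python script automates the check: it writes the EICAR file, then polls for up to 30 seconds to see whether the AV removes it, treating a blocked write as a detection too. The EICAR string and its MD5 are the published standard values, not something from this page; the string is assembled from three fragments so the script file itself does not contain the 68-byte signature and get quarantined before it runs. The file name eicar.com and the 30-second wait are choices made for this example.

```python
"""Write the EICAR test file and check whether the AV removed it."""
import hashlib
import sys
import time
from pathlib import Path

# The published EICAR string, split into fragments so this source file does not
# itself contain the signature. Joined at runtime it is the standard 68 bytes.
_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}",
    "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    "$H+H*",
)
EXPECTED_MD5 = "44d88612fea8a8f36de82e1278abb02f"  # published MD5 of the test file


def eicar_string() -> str:
    return "".join(_PARTS)


def eicar_is_intact(s: str) -> bool:
    """The string must be exactly 68 bytes with the published MD5; a typo or
    an editor-added newline at the front means the AV will (correctly) ignore it
    and the test proves nothing."""
    data = s.encode("ascii")
    return len(data) == 68 and hashlib.md5(data).hexdigest() == EXPECTED_MD5


def write_and_watch(directory: Path, wait_seconds: int = 30, poll: float = 1.0) -> dict:
    """Drop eicar.com in `directory` and watch whether it disappears (quarantined)."""
    target = directory / "eicar.com"
    try:
        target.write_bytes(eicar_string().encode("ascii"))
    except OSError as e:
        # Real-time protection may block the write itself; that is also a detection.
        return {"written": False, "detected": True, "detail": f"write blocked: {e}"}
    deadline = time.time() + wait_seconds
    while time.time() < deadline:
        if not target.exists():
            return {"written": True, "detected": True, "detail": "file removed or quarantined"}
        time.sleep(poll)
    return {"written": True, "detected": False,
            "detail": "file still present; check AV status, folder exclusions and definition updates"}


if __name__ == "__main__":
    assert eicar_is_intact(eicar_string()), "EICAR string is corrupted; fix before testing"
    folder = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    print(write_and_watch(folder))
```

Run it with the test folder as the argument. A result with "detected": False is the interesting one: before concluding the AV is off, confirm the folder is not on an exclusion list and that on-access scanning (not just scheduled scans) is enabled, since a product that only scans on a schedule will leave the file in place until the next run.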

Key Takeaway for Lesson 18

AV uses signatures to detect known malware; EDR adds behavioral monitoring and response. Behavioral detection is essential for encrypted, polymorphic, or novel threats. Use the EICAR test file to verify AV is active; only test real malware in an authorized, isolated lab. Next: encryption essentials (AES, RSA, hashing, VeraCrypt).