
Does the installation of a signature-based AV interfere with the EDR?


HCHTech


I have a managed AV product on all of my commercial customers' machines. For those that also have MB's EDR installed, is this a problem?

The AV vendor is trying to sell me on their EDR, telling me that having the AV in place with an EDR will stop the EDR from automated remediation, and that I shouldn't be running both on the same machine. Further, that there is no possibility that a signature-based AV would find something that the EDR would miss. I'm not ready to believe this, and have always been a fan of having more than one vendor's products looking at the data as a form of layered security. For most all of my commercial clients, the hardware firewall has gateway AV, and gateway AS, and I have both a managed AV and Malwarebytes EDR on the endpoints. So 3 separate vendors' products have a chance to review the traffic.

Does my approach make sense or am I doing my clients a disservice by loading their endpoints with both products?


  • Staff

Malwarebytes is well known for working alongside other vendors. The key is to make sure to add exclusions when necessary.
Here is a link to Malwarebytes recommended exclusions: https://service.malwarebytes.com/hc/en-us/articles/4413799074451-Third-party-vendor-exclusions-for-Malwarebytes-Nebula

I would recommend contacting the AV Product vendor for any exclusions they would recommend for their solution with Malwarebytes.

Malwarebytes EDR does include Endpoint Protection (AV Product) as well. One of the key roles of an EDR is to alert, catch and/or contain an infection that may slip past an AV product.

Although many AV products use Signatures, Malwarebytes has multiple layers of defense and does not rely on signatures alone. 

Most of the Next Generation Firewalls do offer AV capabilities (Signature-based) and it is never a bad idea to layer your security when possible.

  

Edited by AdvancedSetup
Updated information

On 10/6/2022 at 9:14 AM, HCHTech said:

telling me that having the AV in place with an EDR will stop the EDR from automated remediation, ... Further, that there is no possibility that a signature-based AV would find something that the EDR would miss.

Thanks, @Coach-E, can you please comment on the above statements?  I can't imagine it has weight, but I'd like the opinion of someone more in a position to have real knowledge / experience with the situation.   I can only guess with my way-too-small sample size.


  • Staff
3 hours ago, HCHTech said:

telling me that having the AV in place with an EDR will stop the EDR from automated remediation, ... Further, that there is no possibility that a signature-based AV would find something that the EDR would miss.

Having an AV in place may catch the infection 1st so there would be no need for EDR to remediate.  With Malwarebytes EDR you can perform a scan on demand and our Linking Engine can find and remediate what the other solutions miss.

Here is a link to our Malwarebytes Remediation Map as a real-time example: https://www.malwarebytes.com/remediationmap

Without the AV product being used our EDR would catch signatures but at the EP level.  EDR would not miss it but just not react to an infection that was proactively blocked or remediated due to the fact it was already eradicated.

You are correct that having a signature-based AV would not stop an EDR from catching threats. What I would point out is what if there was no signature for malware with the signature-only AV product? This is where EDR would alert, catch and/or contain an infection.


On 10/7/2022 at 5:00 PM, Coach-E said:

You are correct that having a signature-based AV would not stop an EDR from catching threats. What I would point out is what if there was no signature for malware with the signature-only AV product? This is where EDR would alert, catch and/or contain an infection.

Thank you - this is my point...that having both products still has value.  PLUS having both of those products being from different vendors would also appear to be a better answer than a one-vendor solution.
