Ransomware Defenders
Cybersecurity Glossary

Endpoint Detection and Response (EDR)

A security solution that continuously records endpoint activity — process execution, file changes, network connections, registry modifications — and uses behavioral analysis to detect, investigate, and respond to threats including ransomware.

Understanding EDR

EDR represents a fundamental advancement beyond traditional antivirus. While antivirus relies primarily on signature-based detection — matching files against a database of known malware — EDR continuously records endpoint telemetry and analyzes behavioral patterns. This means EDR can detect ransomware precursors like credential dumping (Mimikatz), lateral movement (PsExec over SMB), defense evasion (disabling security software), and pre-encryption activities (deleting shadow copies) even when no malware file exists on disk.

Modern EDR platforms provide three critical capabilities: detection (identifying suspicious behavior through rules, machine learning, and threat intelligence), investigation (giving analysts process trees, file timelines, and network connections so they can establish the full scope of an incident), and response (remote actions such as isolating an endpoint from the network, terminating processes, quarantining files, and, where the platform integrates with the identity provider, forcing credential resets). The combination of continuous recording and remote response makes EDR one of the most important technical controls for catching ransomware during the window between initial compromise and encryption deployment. Because ransomware operators know this, they routinely try to stop or uninstall the EDR agent before encrypting; tamper protection on the sensor and an alert when a host stops reporting telemetry are part of deploying EDR, not optional extras.

EDR vs. Traditional Antivirus

The key difference is visibility and scope. Antivirus asks: "Is this file malicious?" EDR asks: "Is this behavior suspicious?" Modern ransomware frequently uses legitimate system tools (PowerShell, WMI, PsExec) that antivirus cannot flag because the binaries themselves are legitimate and often signed. EDR instead detects suspicious patterns in how these tools are used, for example PsExec being used to remotely execute commands across dozens of machines in rapid succession, which is characteristic of ransomware deployment, not normal administration. Since administrators use the same tools, the detection logic has to weigh context (the volume and timing of activity, the account involved, the parent process, and what the command actually does) rather than the mere presence of the tool.
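To make the behavioral detections described above concrete (PsExec fan-out, shadow copy deletion, and disabling security software, as listed in the preceding sections), here is an added example that is not part of the original glossary entry and is not taken from any EDR product. It runs simple detection rules over constructed process-creation telemetry in a Sysmon-like shape; the event fields, regexes, the five-target threshold and the two-minute window are all assumptions chosen for illustration.

```python
"""Behavioral detection rules over constructed process-creation telemetry.

Hypothetical example: the event schema, sample events, thresholds and regexes
are made up for illustration and do not correspond to any specific EDR product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). One ransomware-style fan-out
# from ADMIN01, the resulting activity on FS01, and one benign admin action.
EVENTS = [
    {"ts": "2024-05-01T02:10:00", "host": "ADMIN01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe -accepteula \\FS01 -s -d cmd /c \\ADMIN01\share\run.bat"},
    {"ts": "2024-05-01T02:10:12", "host": "ADMIN01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe -accepteula \\FS02 -s -d cmd /c \\ADMIN01\share\run.bat"},
    {"ts": "2024-05-01T02:10:25", "host": "ADMIN01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe -accepteula \\DC01 -s -d cmd /c \\ADMIN01\share\run.bat"},
    {"ts": "2024-05-01T02:10:40", "host": "ADMIN01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe -accepteula \\WEB01 -s -d cmd /c \\ADMIN01\share\run.bat"},
    {"ts": "2024-05-01T02:10:55", "host": "ADMIN01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe -accepteula \\HR-PC07 -s -d cmd /c \\ADMIN01\share\run.bat"},
    {"ts": "2024-05-01T02:11:05", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "PSEXESVC.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-05-01T02:11:30", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "PSEXESVC.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign: one admin running PsExec against a single workstation.
    {"ts": "2024-05-01T14:03:00", "host": "ADMIN02", "user": "CORP\\jdoe",
     "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe \\WS042 ipconfig /all"},
]

# Pre-encryption: common ways ransomware destroys local recovery points.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)
# Defense evasion: turning off Defender real-time protection from PowerShell.
DISABLE_AV = re.compile(r"Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+\$?true", re.I)
# Lateral movement: extract the remote target from a psexec command line,
# skipping any leading switches such as -accepteula.
PSEXEC_TARGET = re.compile(r"psexec(?:64)?(?:\.exe)?\s+(?:-\S+\s+)*\\\\([\w.-]+)", re.I)


def detect_shadow_copy_deletion(events):
    """Return (host, cmdline) for every shadow-copy deletion command."""
    return [(e["host"], e["cmdline"]) for e in events if SHADOW_DELETE.search(e["cmdline"])]


def detect_defense_evasion(events):
    """Return (host, cmdline) for every attempt to disable real-time protection."""
    return [(e["host"], e["cmdline"]) for e in events if DISABLE_AV.search(e["cmdline"])]


def detect_psexec_fanout(events, min_targets=5, window=timedelta(seconds=120)):
    """Alert when one source host launches PsExec against at least `min_targets`
    distinct remote hosts inside a sliding time window. A single launch, as in
    routine administration, never trips the rule."""
    by_source = defaultdict(list)
    for e in events:
        m = PSEXEC_TARGET.search(e["cmdline"])
        if m:
            by_source[e["host"]].append((datetime.fromisoformat(e["ts"]), m.group(1).upper()))
    alerts = []
    for src, launches in by_source.items():
        launches.sort()
        for i, (t0, _) in enumerate(launches):
            targets = {tgt for t, tgt in launches[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append((src, sorted(targets)))
                break  # one alert per source host is enough
    return alerts


def run_all(events=EVENTS):
    """Run every rule and return the alerts keyed by rule name."""
    return {
        "psexec_fanout": detect_psexec_fanout(events),
        "shadow_copy_deletion": detect_shadow_copy_deletion(events),
        "defense_evasion": detect_defense_evasion(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Note what the fan-out rule does and does not do: none of the individual PsExec launches is malicious on its own, and the benign ADMIN02 event produces no alert; it is the count of distinct targets within a short window, in telemetry that antivirus never records, that distinguishes deployment from administration. A real EDR would correlate these three signals on the same hosts and time range into a single high-severity incident rather than three separate alerts.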

Deploy EDR for Ransomware Defense

Our team evaluates, deploys, and manages EDR solutions optimized for ransomware detection and response.