ES0.1 Why Traditional AV Fails

· Module 0 · Free

Operational Objective

The endpoint security conversation in most organisations starts and ends with antivirus. "Is AV running? Is it up to date? Good — endpoints are protected." This mental model was accurate in 2010 when the primary threat was executable malware written to disk, and it has been catastrophically wrong for every year since. Modern attack chains use fileless execution, living-off-the-land binaries, in-memory payloads, and legitimate credential abuse — none of which create the on-disk malware artifacts that signature-based AV was designed to detect. The result: organisations with 100% AV deployment and current signatures still suffer breaches because their entire endpoint security strategy relies on a control that addresses less than 30% of the techniques attackers actually use. This subsection explains why traditional AV fails, what replaced it, and why each successive generation of endpoint security solves some problems while creating new gaps that attackers exploit.

Deliverable: Understanding of the four generations of endpoint security (AV → EPP → EDR → XDR), the specific attack techniques each generation addresses and fails to address, and the architectural shift from signature matching to behavioral analysis that underpins modern endpoint protection.

Estimated completion: 30 minutes

Figure ES0.1 — Four generations of endpoint security. Each generation addresses the failures of the previous one while introducing new limitations. XDR provides the broadest coverage but only when configured beyond defaults — which is the gap this course closes.

The signature problem: why AV stopped working

Antivirus was built to solve a specific problem: known malicious files written to disk. The detection mechanism is straightforward — the AV vendor collects malware samples, generates signatures (byte patterns, file hashes, behavioral fingerprints), distributes those signatures to endpoints, and the local AV engine scans files against the signature database. If the file matches a known signature, it is blocked or quarantined. This model worked when malware was distributed as compiled executables attached to emails or downloaded from websites, and when the number of unique malware samples was measured in thousands per day.

The model breaks when any of its assumptions are violated. Assumption one: the malware is a file on disk. Fileless attacks execute code in memory using legitimate interpreters — PowerShell, WMI, .NET — and never write a standalone executable. There is no file to scan. Assumption two: the malware has a known signature. Polymorphic malware generates a unique binary for every infection. Metamorphic malware rewrites its own code. Server-side polymorphism generates unique payloads per download. The signature database cannot contain a signature for a binary that did not exist when the database was compiled. Assumption three: the malware behaves differently from legitimate software. Living-off-the-land attacks use signed Microsoft binaries (PowerShell, certutil, mshta, regsvr32, rundll32) for the entire attack chain. The “malware” is the operating system itself, used in ways the designers did not intend.

Expand for Deeper Context

The scale of the signature problem is worth understanding. AV-TEST Institute registers over 450,000 new malware samples per day. Even if a vendor achieves 99% detection of known malware within 24 hours of first observation, 4,500 new samples per day go undetected. The real number is worse because the 99% figure applies to samples that reach the vendor’s collection infrastructure — samples used in targeted attacks against specific organisations may never reach the vendor’s honeypots or submission portals. The detection gap for targeted attacks is substantially wider than for commodity malware.

The economics have shifted too. Generating unique malware variants costs the attacker almost nothing — automated packers, crypters, and builders produce unique binaries in seconds. Generating signatures costs the vendor time, infrastructure, and analyst effort. The attacker wins the arms race through volume alone: it is cheaper to generate 1,000 unique variants than for the vendor to write 1,000 signatures. This economic asymmetry is why every major AV vendor has moved beyond pure signature detection — the model is not scalable against the current threat volume.

The living-off-the-land revolution

The most significant shift in endpoint attack methodology is not a new exploit or a new malware family — it is the systematic abuse of legitimate operating system tools for the entire attack chain. Living-off-the-land binaries (LOLBins) are signed, trusted Microsoft executables that attackers repurpose for malicious operations. PowerShell downloads and executes payloads. Certutil decodes base64-encoded executables. Mshta executes HTA files from remote URLs. Regsvr32 loads DLLs from remote servers. Rundll32 executes arbitrary DLL exports. BITSAdmin downloads files using the Background Intelligent Transfer Service. Msiexec installs remote MSI packages.

None of these are malware. They are legitimate Windows utilities, signed by Microsoft, present on every Windows installation, and required for normal system administration. The AV cannot block PowerShell — it would break every administrator’s workflow. It cannot block rundll32 — half the operating system depends on it. The detection challenge is not “is this binary malicious?” but “is this legitimate binary being used maliciously?” — and that question requires behavioral analysis that signature-based AV was never designed to perform.

Expand for Deeper Context

The LOLBAS project (lolbas-project.github.io) catalogues over 200 Windows binaries, scripts, and libraries that can be abused for malicious purposes. The categories include: execution (running arbitrary code), download (fetching remote payloads), compile (building executables from source), reconnaissance (gathering system information), and credential access (extracting stored credentials). Every Windows endpoint has these tools installed by default.

At Northgate Engineering, CHAIN-ENDPOINT demonstrates this perfectly. The Cobalt Strike operator’s entire initial compromise chain uses LOLBins: the phishing email triggers mshta.exe to execute an HTA payload, which launches PowerShell to download and execute the Cobalt Strike stager in memory, which loads the beacon DLL via rundll32. The only non-Microsoft binary in the chain is the beacon DLL, which exists only in memory. The endpoint’s AV — running with default Defender settings — does not alert on any of these executions because each individual binary is a signed Microsoft executable performing an action that could be legitimate.

This is why the endpoint security stack requires more than AV. Attack surface reduction rules can block specific LOLBin abuse patterns (like Office spawning PowerShell, or mshta executing from a downloaded file). EDR behavioral analysis can detect the process chain anomaly (mshta → PowerShell → rundll32 is not a normal process chain). But the AV layer — scanning files for signatures — cannot distinguish legitimate from malicious use of a signed system binary. It was not designed to.

From AV to EPP: adding behavioral analysis

Endpoint Protection Platforms (EPP) extended the AV model with cloud-based lookups, machine learning classifiers, and behavioral heuristics. Instead of relying solely on local signature databases, EPP sends file metadata (and sometimes the file itself) to a cloud service for analysis. The cloud service runs the file through multiple ML models, sandboxes, and reputation engines, returning a verdict in seconds. Microsoft’s Block at First Sight feature exemplifies this: when Defender encounters an unknown file, it sends file metadata to the cloud protection service. If the file has never been seen before, the cloud service can request the full file for detonation and return a block verdict within 10 seconds.

EPP also introduced AMSI — the Antimalware Scan Interface — which provides visibility into script content at the point of execution. Before AMSI, PowerShell scripts that were obfuscated or encoded were invisible to AV until they were decoded and executed. AMSI intercepts the script content after deobfuscation, before execution, giving the AV engine a chance to scan the actual code the interpreter is about to run. This closed the simplest fileless attack vectors: a base64-encoded PowerShell command that downloads Invoke-Mimikatz is now visible to the AV engine through AMSI, even though the encoded command line on disk is not recognisably malicious.

Expand for Deeper Context

AMSI is not a complete solution. It is a speed bump that forces attackers to invest additional effort, not a wall that blocks all fileless attacks. AMSI bypass techniques are well-documented and widely used by penetration testing tools and real adversaries alike. The most common bypass patches the amsi.dll in memory, causing the AMSI scan function to return a clean result without actually scanning the content. More sophisticated bypasses use reflection to modify the AMSI scan buffer or disable the AMSI provider entirely.

The EPP improvement over AV is real but bounded. Cloud protection catches more unknown malware than local signatures alone. AMSI catches more fileless attacks than file-based scanning alone. But the architectural limitation remains: EPP focuses on the prevention decision — block or allow — at the point of execution or file write. It does not continuously monitor what happens after an allowed process starts running. A PowerShell process that passes the AMSI scan at launch but then uses reflection to load a malicious .NET assembly in memory after 30 seconds is invisible to EPP. That gap is what EDR was built to fill.

EDR: continuous monitoring of endpoint behavior

Endpoint Detection and Response fundamentally changed the architecture of endpoint security. Instead of making a single block/allow decision at the point of file write or process execution, EDR continuously records endpoint telemetry — every process creation, every network connection, every file write, every registry modification, every DLL load, every logon event — and correlates these events over time to identify behavioral patterns that indicate compromise.

The shift is architectural. AV asks: “Is this file malicious?” EDR asks: “Is this sequence of behaviors malicious?” An attacker who uses PowerShell to enumerate Active Directory, then uses net.exe to map network shares, then uses robocopy to stage sensitive files in a temp directory, then uses certutil to encode the staged files for exfiltration — each individual action is legitimate. PowerShell queries AD every day. Net.exe maps shares for IT operations. Robocopy copies files for backups. Certutil encodes files for email. But the sequence — reconnaissance, followed by mapping, followed by staging, followed by encoding — is the behavioral fingerprint of data exfiltration. EDR detects this because it records and correlates the entire sequence, not just individual file events.

Microsoft Defender for Endpoint records this telemetry into the DeviceEvents family of tables: DeviceProcessEvents (process creation and command lines), DeviceNetworkEvents (network connections and DNS), DeviceFileEvents (file creation, modification, deletion), DeviceRegistryEvents (registry key changes), DeviceLogonEvents (authentication events), and DeviceImageLoadEvents (DLL and driver loads). These tables are queryable through Advanced Hunting using KQL, enabling both automated detection rules and proactive threat hunting.

Expand for Deeper Context

The limitation of EDR is configuration and attention. EDR generates telemetry — it does not automatically prevent all attacks. MDE’s automated investigation and response (AIR) can automatically investigate and remediate some alert types, but many require human analysis. Custom detection rules must be written to catch organisation-specific patterns. Hunting queries must be executed to find threats that no automated rule has been built for. The EDR is a visibility and detection platform. Its value scales with the skill and effort applied to configuring it.

At NE, MDE is onboarded on 780 of 865 endpoints. The sensor is collecting telemetry into the DeviceEvents tables. But there are zero custom detection rules, AIR is configured at the default semi-automated level, and nobody has executed a hunting query in the Advanced Hunting console in six months. The EDR is running — it is generating alerts for known patterns — but the custom detection capability that makes EDR valuable for catching targeted attacks sits unused. This is the gap between “deployed” and “engineered” that this course closes.

XDR: cross-workload correlation and why it still requires engineering

Extended Detection and Response extends the EDR model across workloads: endpoint + identity + email + cloud + applications. Microsoft’s Defender XDR correlates signals from MDE (endpoints), MDI (identity/Active Directory), MDO (email), MDA (cloud apps), and Entra ID Protection (identity risk) into unified incidents. An AiTM phishing attack that starts with a malicious email (MDO), captures credentials (Entra ID), establishes a new session from an anomalous location (Entra ID Protection), and then accesses sensitive SharePoint sites from the compromised endpoint (MDE) — XDR correlates all four signals into a single incident, providing the analyst with the complete attack chain instead of four unrelated alerts.

The architectural advantage of XDR is real. Single-workload EDR can see the endpoint activity but cannot see that the same user received a phishing email 10 minutes earlier or that their identity was compromised through an AiTM attack. XDR connects the dots. But the persistent problem remains: XDR correlates what it can see, and what it can see depends on what you have configured. If ASR rules are not enforced, the prevention layer has gaps. If custom detections are not written, the detection layer has gaps. If forensic readiness is not configured (audit policies, Sysmon, PowerShell logging), the telemetry layer has gaps. XDR amplifies the value of a well-configured endpoint security stack and amplifies the consequences of a poorly configured one.

This is the central thesis of this course: the Microsoft security ecosystem provides the architecture for comprehensive endpoint security. But architecture is not protection. Configuration is protection. Tuning is protection. Validation is protection. The gap between “installed” and “engineered” is where attackers live.

Decision Point

Your CISO asks: “We have Defender for Endpoint on every machine. Are our endpoints protected?” The honest answer is: partially. MDE is deployed, which provides baseline AV protection and telemetry collection. But the ASR rules that prevent initial access techniques are not in block mode. The cloud protection that catches unknown malware is at the default level instead of High+. The custom detections that catch organisation-specific attack patterns do not exist. The forensic readiness that ensures evidence is available when an incident occurs is not configured. “Protected” requires configuration beyond defaults — and that configuration is the work of this course.

Try it: assess your AV generation

Open your MDE portal (security.microsoft.com → Settings → Endpoints → Advanced features) and answer these questions:

Is cloud-delivered protection enabled? At what level? (Default, High, High+, Zero Tolerance)
Is Block at First Sight enabled?
Is AMSI enabled for all script interpreters?
How many custom detection rules exist in Advanced Hunting → Custom detection rules?
How many ASR rules are in block mode? (Settings → Endpoints → Attack surface reduction)

If cloud protection is at Default, Block at First Sight is off, and you have zero custom detection rules, your endpoint security stack is operating at Gen 1.5 — signature AV with some cloud enhancement. If cloud protection is at High+ with Block at First Sight enabled, AMSI active, and custom detection rules deployed, you are operating at Gen 3. The delta between your current generation and Gen 4 (fully configured XDR) is the work this course covers.

Compliance Myth: "Our AV is up to date, so we meet the endpoint security requirement"

The myth: Compliance frameworks require “antivirus” or “anti-malware” protection. Running Defender AV with current signatures satisfies this requirement. Auditors check for AV presence, not configuration depth.

The reality: The compliance requirement has evolved faster than most organisations’ implementations. PCI DSS v4.0 Requirement 5.2 requires that anti-malware mechanisms “detect all known types of malware” and “detect, alert on, and address new malware threats.” CIS Controls v8 Safeguard 10.1 requires “anti-malware software” that is centrally managed and kept current. ISO 27001:2022 A.8.7 requires “protection against malware” with “detection, prevention and recovery controls.” None of these frameworks are satisfied by default AV with current signatures alone — they require the detection and prevention capabilities that only a configured endpoint security stack provides. An auditor who checks only for AV presence is performing a superficial audit. An auditor who checks for ASR enforcement, cloud protection levels, EDR configuration, and custom detection coverage is performing the audit the framework requires.

Troubleshooting

“We can’t justify the cost of EDR — AV should be enough.” If you have M365 E5, you already have EDR. Defender for Endpoint P2 is included in your existing license. The cost is not additional licensing — it is the engineering time to configure it. This course provides the configuration, the queries, and the deployment methodology. The investment is your time, not your budget.

“Our AV catches everything — we haven’t had a breach.” Survivorship bias. You know about the malware your AV caught. You do not know about the attacks that bypassed your AV and were never detected. Without EDR telemetry, hunting queries, and custom detections, you have no visibility into fileless attacks, living-off-the-land activity, or credential abuse that your AV was never designed to detect. The absence of detected breaches is not evidence of the absence of breaches — it may be evidence of the absence of detection.

“We have a managed SOC — they handle endpoint security.” Your managed SOC triages alerts generated by your endpoint security configuration. If your ASR rules are not in block mode, those alerts were never generated. If your custom detections do not exist, those alerts were never created. If your audit policies are at default, the telemetry your MSSP needs for investigation was never collected. The managed SOC operates ON your configuration — they do not create it for you. This course builds the configuration that makes your managed SOC effective.

Operational Artifact — Endpoint Security Generation Assessment

Assess your current endpoint security generation using these criteria. Gen 1 (AV): Signature-based scanning only, no cloud protection, no behavioral analysis. Gen 2 (EPP): Cloud-delivered protection enabled, AMSI active, Block at First Sight on, but no continuous monitoring or behavioral correlation. Gen 3 (EDR): Continuous telemetry collection, process chain analysis, automated investigation available, custom detection rules deployed, hunting queries executed regularly. Gen 4 (XDR): Cross-workload correlation active (MDE + MDI + MDO + MDA), unified incidents, cross-workload custom detections, automated cross-workload response. Most M365 E5 environments operate between Gen 1.5 and Gen 2.5 — they have the licenses for Gen 4 but the configuration for Gen 2. Identify your generation. The delta to Gen 4 is your engineering roadmap.

A PowerShell script downloads a .NET assembly from a remote server and loads it directly into memory using [System.Reflection.Assembly]::Load(). The assembly performs credential dumping. Defender AV is running with current signatures and cloud protection at the default level. What is the most likely detection outcome?

Defender AV blocks the PowerShell script before execution because the download URL matches a known malicious indicator — AV signature matching evaluates URLs, not just files, and blocks known malicious downloads at the network layer.

Defender AV blocks the .NET assembly when it is loaded into memory because the assembly's bytecode matches a known credential dumping tool signature — AV scans all memory allocations for signature matches.

AMSI may detect the PowerShell script content if the script matches known patterns, but if the script is sufficiently obfuscated or uses an AMSI bypass technique, the assembly loads into memory without AV detection because there is no file on disk to scan. The credential dumping activity may be detected by EDR behavioral analysis (if configured) through DeviceProcessEvents showing LSASS access — but default AV alone has significant gaps against this attack chain.

Defender AV definitely blocks this attack because cloud protection analyses all PowerShell commands in real time and the cloud ML model detects credential dumping patterns regardless of obfuscation.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus