How traditional antivirus actually works
Traditional antivirus software works by maintaining a database of known malware “signatures” — essentially digital fingerprints of files that have been identified as malicious. When a file arrives on your device, the antivirus scans it and compares it against that database. If there's a match, it blocks or quarantines it.
This approach worked reasonably well in the early days of computing, when malware was relatively simple and slow-moving. But the threat landscape has changed dramatically — and signature-based detection has not kept pace.
The core limitation
Traditional antivirus can only detect threats it has already seen. If a piece of malware is new, modified, or designed to look like a legitimate file, it will pass straight through — undetected.
Why modern attacks bypass antivirus entirely
Cybercriminals are well aware of how antivirus works — and they design their tools to avoid it. There are several techniques that regularly get past traditional protection:
- Zero-day exploits: Attacks that target vulnerabilities that haven't been patched or publicly disclosed yet. Because no signature exists for them, antivirus has nothing to match against.
- Polymorphic malware: Malware that constantly rewrites its own code to change its signature every time it spreads. Traditional AV sees a “new” file and misses it entirely.
- Fileless attacks: Malware that never writes a file to disk at all. Instead, it runs entirely in memory — using legitimate processes like PowerShell or Windows Management Instrumentation (WMI) as cover. There's nothing for a file scanner to find.
- Living-off-the-land (LotL) attacks: Attackers use built-in Windows tools (such as PowerShell, certutil, or wscript) to carry out malicious activity. Because these are legitimate system tools, traditional AV ignores them.
- Ransomware deployed after a slow compromise: Many ransomware attacks today begin weeks or months before any encryption happens. An attacker gains a foothold quietly and only triggers the payload when they're ready. Traditional AV won't detect the slow reconnaissance phase.
According to industry research, over 70% of successful malware attacks now use fileless or signature-evasion techniques. Signature-based antivirus is simply not designed to catch them.
What is EDR — and how is it different?
EDR stands for Endpoint Detection and Response. Rather than comparing files against a signature database, EDR continuously monitors everything that happens on a device — every process, every file access, every network connection, every user action — and uses that data to identify behaviour that looks like an attack in progress.
Think of it this way: traditional AV asks “have I seen this file before?” EDR asks “is what's happening on this device consistent with an attack?” That's a fundamentally different question — and it can catch threats that have never been seen before.
Traditional Antivirus
- • Signature-based detection only
- • Can only catch known threats
- • Blind to fileless and memory attacks
- • No visibility into attack context
- • Alerts after damage may already be done
- • No automated response or rollback
EDR (SentinelOne)
- • AI-powered behavioural analysis
- • Detects unknown and zero-day threats
- • Catches fileless, in-memory attacks
- • Full attack story and timeline
- • Real-time detection and isolation
- • Autonomous response and rollback
What SentinelOne EDR specifically does
SentinelOne is an enterprise-grade EDR platform recognised as a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms. Here's how it works in practice:
- Dual-layer AI protection: SentinelOne uses two AI engines working together. A static AI analyses files before they execute (similar to AV, but without relying solely on signatures). A behavioural AI monitors what actually happens when code runs — catching threats that look clean until they start acting maliciously.
- Autonomous threat response: When a threat is detected, SentinelOne can respond immediately and automatically — killing malicious processes, isolating the affected device from the network, and quarantining threats — without waiting for a human to approve each action. This matters when ransomware can encrypt hundreds of files in seconds.
- Ransomware rollback: SentinelOne can reverse the damage caused by ransomware by rolling back encrypted or deleted files to their pre-attack state using volume shadow copies. This capability alone can save hours or days of recovery time — and potentially thousands of rands in data loss.
- Storyline technology: Every process, file, network connection, and user action is tracked and automatically linked into a complete “attack story.” This gives your IT team or managed security provider full context — not just an alert, but a clear timeline of exactly what happened, where it started, and what it touched.
- MITRE ATT&CK mapping: Detections are automatically mapped to the MITRE ATT&CK framework — the globally recognised taxonomy of attacker techniques. This helps prioritise responses and understand which phase of an attack is underway.
- Cross-platform coverage: SentinelOne protects Windows, macOS, and Linux endpoints from a single management console — important for businesses that run mixed environments.
- Works without constant cloud connectivity: Unlike some cloud-dependent security tools, the SentinelOne agent makes decisions locally on the device. This means it protects your endpoints even when they're offline or outside the office.
Why this matters for South African businesses specifically
South Africa consistently ranks among the most targeted countries for cybercrime in Africa, with ransomware attacks on small and mid-sized businesses increasing sharply year on year. Many of these attacks are designed to look like normal business activity — a compromised supplier email, a legitimate-looking invoice attachment, a PowerShell script triggered by a phishing link.
For businesses in industries like food production, winemaking, healthcare, and legal services — where operational downtime or a data breach has serious compliance and financial consequences — the ability to detect, isolate, and recover from an attack quickly is not a luxury. It's a baseline requirement.
Traditional antivirus was not built for this threat environment. EDR was.
Already have antivirus? You may still have gaps.
We can review your current endpoint protection and show you exactly what is and isn't covered. No obligation — just a clear picture of your risk.
Book a free security review