Service comparison

Antivirus vs EDR: which one does your business actually need?

In short

Antivirus blocks known malware. EDR catches the infostealers and ransomware precursors hitting Indonesian companies. The difference, and when each is enough.

Security monitoring

Most businesses already run antivirus and assume their endpoints are covered. The question worth asking is narrower than it sounds. Antivirus is good at one thing, and that one thing no longer covers how most attacks actually work. This page lays out what each approach does, what is actually reaching Indonesian endpoints, when antivirus alone is still a defensible choice, and how the migration to managed EDR runs in practice.

What each one is built for

Antivirus, sometimes sold as EPP or endpoint protection, works by recognition. It matches files against a list of known threats and blocks the matches. It is fast and it still catches a lot of ordinary malware. The catch is in the word known. It can only stop what someone has already seen and fingerprinted.

EDR, endpoint detection and response, works by observation. Instead of only checking files, it records what the endpoint is doing and watches for behaviour that looks like an attack. That lets it catch things that have no file to scan, like an attacker abusing PowerShell or logging in with stolen credentials. When something goes wrong, it also gives you the means to respond: isolate the machine, see what was touched, and trace where the attacker went.

What is actually hitting Indonesian endpoints

The volume is not hypothetical. BSSN's national cyber monitoring recorded 330,527,636 traffic anomalies across Indonesian networks in 2024, roughly 900,000 potential incidents per day probing for an unwatched machine.

The shape of what gets through has changed too. The Verizon 2025 Data Breach Investigations Report found ransomware in 44 percent of confirmed breaches, up from 32 percent the year before, and in 88 percent of breaches at small and medium businesses. The quiet precursor to many of those incidents is the infostealer: cheap commodity malware that empties a browser of saved passwords, session cookies, and tokens in seconds, then sells them on as logs. The same report matched ransomware victims against criminal marketplaces and found that 54 percent had corporate credentials circulating in infostealer logs before the extortion happened. The ransomware you eventually see is often the last step of an intrusion that started with a credential stolen weeks earlier.

Why signature antivirus misses the precursors

That chain is exactly what signature-based antivirus struggles with, for three reasons. Infostealer builds are churned out and repacked faster than signatures are written, so a fresh sample often scans clean on the day it matters. The theft itself takes seconds and leaves no persistent file for the next scheduled scan to find. And the follow-on intrusion may involve no malware at all: the attacker signs in with the stolen credentials, moves around using PowerShell and legitimate admin tools, and only drops recognisable ransomware at the very end, after backups have been located and staged for deletion. By the time a signature product has something to match, the part worth stopping has already happened.

EDR is built for the middle of that chain. It flags the process that reads the browser credential store, the login at 2am from a machine that has never done that, the admin tool run by an account that has never used it. Those behaviours are visible whether or not any file matches a signature.
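The three behaviours named above (a non-browser process reading the browser credential store, a logon at an hour the host has never seen, an admin tool run by an account that has never used it) are the kind of rules an EDR evaluates over endpoint telemetry. The following is an added, self-contained illustration written for this page, not any vendor's detection code: it builds a small baseline from constructed events, then runs the three rules over a constructed batch of live events. The event field names, host names, user names and the `invoice_viewer.exe` process are all assumptions made up for the example.

```python
"""Toy behaviour-based endpoint detections (added example; constructed sample data)."""
from collections import defaultdict
from datetime import datetime

# Chromium-family browsers and the profile files that hold saved logins and cookies.
BROWSERS = {"chrome.exe", "msedge.exe"}
BROWSER_SECRET_FILES = ("Login Data", "Cookies", "Web Data")
# Legitimate admin tooling that attackers also lean on once they have credentials.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "net.exe"}

CHROME_LOGIN_DATA = r"C:\Users\rina\AppData\Local\Google\Chrome\User Data\Default\Login Data"

# Constructed history: what "normal" looked like on these hosts in the weeks before.
BASELINE_EVENTS = [
    {"ts": "2025-02-10T08:05:00", "type": "logon", "host": "FIN-LAPTOP-07", "user": "rina"},
    {"ts": "2025-02-11T09:12:00", "type": "logon", "host": "FIN-LAPTOP-07", "user": "rina"},
    {"ts": "2025-02-12T08:41:00", "type": "logon", "host": "FIN-LAPTOP-07", "user": "rina"},
    {"ts": "2025-02-12T10:00:00", "type": "process", "host": "IT-WS-01", "user": "itadmin",
     "image": "powershell.exe"},
]

# Constructed live telemetry for one day, mixing benign activity with the three behaviours.
LIVE_EVENTS = [
    {"ts": "2025-03-04T08:12:00", "type": "logon", "host": "FIN-LAPTOP-07", "user": "rina"},
    {"ts": "2025-03-04T08:15:00", "type": "file_read", "host": "FIN-LAPTOP-07", "user": "rina",
     "image": "chrome.exe", "path": CHROME_LOGIN_DATA},            # the browser itself: benign
    {"ts": "2025-03-04T10:02:00", "type": "file_read", "host": "FIN-LAPTOP-07", "user": "rina",
     "image": "invoice_viewer.exe", "path": CHROME_LOGIN_DATA},    # hypothetical non-browser reader
    {"ts": "2025-03-05T02:07:00", "type": "logon", "host": "FIN-LAPTOP-07", "user": "rina"},
    {"ts": "2025-03-05T02:09:00", "type": "process", "host": "FIN-LAPTOP-07", "user": "rina",
     "image": "powershell.exe"},
    {"ts": "2025-03-05T09:30:00", "type": "process", "host": "IT-WS-01", "user": "itadmin",
     "image": "powershell.exe"},                                    # admin doing admin work: benign
]


def build_baseline(events):
    """Return (hours at which each host has seen logons, admin tools each user has run)."""
    logon_hours = defaultdict(set)
    tools_by_user = defaultdict(set)
    for e in events:
        if e["type"] == "logon":
            logon_hours[e["host"]].add(datetime.fromisoformat(e["ts"]).hour)
        elif e["type"] == "process" and e["image"].lower() in ADMIN_TOOLS:
            tools_by_user[e["user"]].add(e["image"].lower())
    return logon_hours, tools_by_user


def detect(events, logon_hours, tools_by_user):
    """Apply the three behaviour rules; return a list of (rule, host, subject, detail) alerts."""
    alerts = []
    for e in events:
        if e["type"] == "file_read":
            # Rule 1: something other than a browser reads the browser's credential store.
            if e["path"].endswith(BROWSER_SECRET_FILES) and e["image"].lower() not in BROWSERS:
                alerts.append(("credential_store_read", e["host"], e["image"], e["path"]))
        elif e["type"] == "logon":
            # Rule 2: a logon at an hour this host has never been used at.
            hour = datetime.fromisoformat(e["ts"]).hour
            if hour not in logon_hours.get(e["host"], set()):
                alerts.append(("anomalous_logon_hour", e["host"], e["user"], hour))
        elif e["type"] == "process":
            # Rule 3: an admin tool run by an account with no history of using it.
            image = e["image"].lower()
            if image in ADMIN_TOOLS and image not in tools_by_user.get(e["user"], set()):
                alerts.append(("first_admin_tool_use", e["host"], e["user"], image))
    return alerts


def run():
    """Build the baseline from history and evaluate the live batch against it."""
    logon_hours, tools_by_user = build_baseline(BASELINE_EVENTS)
    return detect(LIVE_EVENTS, logon_hours, tools_by_user)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as written, the batch produces exactly three alerts, one per rule, and the benign browser read and the IT admin's routine PowerShell use produce none. Note that none of the three rules looks at a file hash: the same events would fire whether the reader was a freshly repacked infostealer or a renamed copy of an old one, which is the point the section makes about signature coverage.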

The difference that matters

                              Antivirus (EPP)                             EDR
How it detects                Matches files to known signatures           Watches endpoint behaviour in real time
Unknown and fileless attacks  Largely missed                              Detected by behaviour, no signature needed
Stolen-credential misuse      Invisible, no malicious file involved       Flagged through anomalous logins and tool use
Visibility after a breach     Little to none                              Full record of what the attacker did
Response options              Quarantine or delete a file                 Isolate the host, hunt across endpoints, roll back
What it needs from you        Install and update                          Someone to read and act on alerts
Cost logic                    Low per-device licence, no staffing needed  Higher per endpoint, plus people to watch it, usually via a managed service

The short version is that antivirus answers "is this file bad?" and EDR answers "is something bad happening here?" Those are different questions, and the second one is the one attackers force you to ask.

When antivirus alone is still a defensible choice

There is an honest case at the very small end. If you run a handful of laptops, no servers, everything in cloud SaaS, hold no regulated or payment data, and losing a machine would cost you a reinstall rather than a stopped operation, then a reputable antivirus with automatic updates is a risk you can reasonably accept, provided the basics around it hold: MFA on email and banking, patched browsers and operating systems, and offline backups of anything you cannot recreate.

Be clear about what you are accepting: a quiet intrusion would go unnoticed. For a five-person firm with little to steal, that can be a rational trade. The moment you hold customer data, fall under UU PDP or OJK obligations, or would lose real money from a week of downtime, the maths flips.

The migration path to managed EDR

Moving is less disruptive than most teams expect, because modern EDR includes the prevention layer antivirus provided; you are replacing an agent, not adding a second one. A typical path takes a few weeks: inventory your endpoints and operating systems, pilot the agent on the IT team's own machines, roll it out in detection-only mode alongside the old antivirus, spend a week or two tuning the noisy detections, then enable blocking and retire the old agent.

The step most organisations skip is the one that decides whether any of this works: connecting the alerts to someone who watches them around the clock. That is the difference between owning EDR and being protected by it, and it is why most Indonesian companies buy the tool and the eyes together as managed EDR.

What we provide

- Managed EDR deployment
- 24/7 alert monitoring and triage
- Behaviour-based threat detection
- Fileless and living-off-the-land detection
- Host isolation and guided response
- Threat hunting across endpoints
- Coverage for Windows, macOS, and Linux
- Integration with your existing SOC or SIEM

We deploy and run EDR as part of a managed service, so you get the detection and the people reading it together rather than another unwatched tool. For the longer reasoning behind all of this, written from the field, see why antivirus is not enough. The monitoring itself sits inside our managed SOC, and when something does get through, our incident response team takes it from there.

References

  1. Verizon. 2025 Data Breach Investigations Report. Verizon Business, 2025.
  2. BSSN. "Lanskap Keamanan Siber Indonesia 2024." Direktorat Operasi Keamanan Siber, Badan Siber dan Sandi Negara, 2025.

Reviewed by Mohit Bhansali, Head of Technology

Frequently asked questions

Antivirus blocks files it recognises as malicious by matching them against known signatures. EDR records what happens on an endpoint, which process started another, what connected to the network, when a sensitive system area was touched, and flags suspicious behaviour even when no malicious file is involved. In short, antivirus stops known bad files, while EDR detects attacker behaviour and lets you respond to it.

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.