The latest tech news, backed by expert insights
Stay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with the Think newsletter. See the IBM Privacy Statement.
Next-generation antivirus, or NGAV, is a cloud-based technology that uses artificial intelligence, machine learning and behavioral analysis to protect endpoints against malware and other types of cyberthreats.
Unlike traditional antivirus software that uses signature-based detection to identify previously known threats, NGAV can detect unknown malware threats and malicious behavior as they occur in near real-time. In this way, it offers a more effective method for addressing modern threats such as ransomware, scripting attacks, fileless malware and zero-day vulnerabilities.
Stay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with the Think newsletter. See the IBM Privacy Statement.
Legacy antivirus (AV) solutions use a database of malware signatures and heuristics to detect viruses in endpoint devices such as desktop computers, laptops, tablets and smartphones. These signatures are strings of characters within a file that indicate a virus could be present.
This approach leaves endpoints vulnerable to potential threats that have yet to be identified and cataloged in the signature database. Even with frequent signature updates, a new or unknown malicious file could go undetected.
In contrast, NGAV solutions use behavioral detection to identify the tactics, techniques and procedures (TTPs) associated with cyberattacks. Machine learning algorithms continually monitor events, processes, files and applications for malicious behavior.
If an unknown vulnerability is targeted for the first time in a zero-day attack, NGAV can detect and block the attempt. NGAV can also prevent fileless attacks such as those that exploit Windows PowerShell and document macros, or phishing emails that persuade users to select links that run fileless malware.
As a cloud-based technology, NGAV is also faster, easier and more cost-effective to deploy and manage than their traditional counterparts. With its ability to monitor endpoint activity and provide immediate incident response, NGAV can block many of the attack vectors hackers use to infiltrate systems.
Cloud-based NGAV can be deployed, updated and managed faster, easier and with fewer resources that traditional AV. There is no extra hardware or software to install and configure, no signature updates to continually administer, and has little to no impact on endpoint performance.
Legacy antivirus can detect only known malware signatures that have been previously identified and entered into a database. NGAV monitors and analyzes endpoint behaviors in near real-time to detect and block both known and unknown threats, including zero-day attacks.
NGAV gives security teams the capability to proactively defend against rapidly evolving and advanced threats. Over time, machine learning algorithms become more adept at identifying typical endpoint behaviors and differentiating them from patterns that indicate a heightened risk of a cyberattack.
While capabilities differ across vendors, most NGAV solutions offer the following capabilities:
Although NGAV is more effective than traditional antivirus software, it is not foolproof. Occasionally, it might return a false positive or fail to detect a virus. Cybercriminals and hackers are still creating and testing new methods of evading the latest antivirus protection technologies.
When NGAV defenses are breached on an endpoint device, organizations often rely on other technologies, such as endpoint detection and response (EDR), unified endpoint management (UEM) or security information and event management (SIEM). These security solutions offer a broader, system-wide approach to the prevention and mitigation of cyberthreats across many different endpoints.