Endpoint Security

What Is Next-Generation Antivirus (NGAV)?

Next-generation antivirus uses artificial intelligence, machine learning, and behavioural analysis to detect threats that evade traditional signature-based antivirus. NGAV is now the standard for business endpoint protection — replacing tools that only recognise known, catalogued malware.


Overview

Next-generation antivirus uses machine learning, behavioural analysis, and cloud threat intelligence to detect threats that traditional signature-based tools miss. Microsoft Defender for Business — included in M365 Business Premium — is an NGAV product that AMVIA deploys and manages for UK SMEs. NGAV requires configuration beyond defaults to deliver its full protective value.


What Is Next-Generation Antivirus?

Traditional antivirus works by comparing files against a database of known malicious software signatures. When a match is found, the file is flagged as malicious. This approach is effective against catalogued threats but has a fundamental weakness: it can only detect threats it has already seen. Attackers exploit this by constantly modifying malware — even minor changes produce a different hash that does not match any existing signature.

Next-generation antivirus (NGAV) addresses this limitation by adding detection methods that do not rely on known signatures. NGAV uses machine learning to identify files and processes that exhibit characteristics associated with malware — even if the specific variant has never been seen before. It uses behavioural analysis to monitor what processes do rather than what they look like. And it connects to cloud-based threat intelligence so that newly identified threats are recognised across all connected endpoints within minutes of being discovered.

Key Capabilities of NGAV

Machine learning models in NGAV tools are trained on vast datasets of both malicious and legitimate software behaviour. They can classify a new, previously unseen file as likely malicious based on its characteristics — code structure, imported functions, entropy, and other features associated with malware. This provides protection against novel malware before any signature is available.

Behavioural analysis monitors running processes in real time. If a process begins behaving in ways associated with malware — encrypting files rapidly across multiple directories (a ransomware indicator), accessing LSASS memory to harvest credentials, spawning unexpected child processes, or making unusual network connections — behavioural detection flags and can automatically terminate the process.

Fileless malware presents a specific challenge because it does not drop a malicious executable on disk: the payload runs in memory, launched through legitimate system tools like PowerShell, WMI, or mshta.exe, and any persistence is typically hidden in the registry or in WMI event subscriptions rather than in a file. Traditional antivirus has nothing to scan. NGAV detects fileless attacks through memory scanning, script scanning at the point of execution (AMSI on Windows), and behavioural analysis of the system tools being abused.

NGAV and EDR: How They Relate

NGAV and EDR (Endpoint Detection and Response) are related but distinct. NGAV is focused on prevention — detecting and blocking threats before they execute or early in execution. EDR adds a forensic and response layer — capturing detailed telemetry about all endpoint activity, enabling investigation of incidents, and providing response capabilities like device isolation and process termination.

Modern enterprise endpoint security products combine NGAV and EDR in a single agent. Microsoft Defender for Business, for example, provides both NGAV (machine learning detection, behavioural analysis, cloud threat intelligence) and EDR (detailed telemetry, device isolation, automated investigation). These are not separate products — they are layers of a single managed endpoint security solution.

Microsoft Defender for Business as NGAV

Microsoft Defender for Business — included in Microsoft 365 Business Premium — is AMVIA's primary NGAV platform for UK SMEs. It provides machine learning-based threat detection drawing on Microsoft's cloud threat intelligence (built from telemetry across hundreds of millions of endpoints globally), behavioural detection for fileless and living-off-the-land attacks, attack surface reduction rules that block common attack techniques at the source, and automated investigation capability.

The antivirus engine in Defender for Business is the same Microsoft Defender Antivirus built into Windows 10/11, and the built-in engine already supports cloud-delivered protection. What Defender for Business adds is the management layer: centralised policy and reporting through the Defender portal, EDR telemetry with device isolation and automated investigation, and the configuration depth needed to enforce settings such as attack surface reduction rules consistently across the estate. AMVIA configures Defender for Business beyond default settings to take full advantage of its protective capabilities.

Key Considerations for UK SMEs

  • If you are on Microsoft 365 Business Premium, you already have an NGAV product — the question is whether it is correctly configured and monitored
  • NGAV still requires configuration: attack surface reduction rules and controlled folder access are off by default and need to be deliberately enabled, ideally in audit mode first so that legitimate business workflows they would block are identified before enforcement, with tamper protection turned on so the settings cannot be quietly reverted
  • No NGAV tool is 100% effective — a managed monitoring and response layer is needed to catch what automated detection misses
  • Ensure NGAV covers all endpoints — every unmanaged device is a potential entry point for attackers
  • Regular reporting on NGAV detections provides visibility of the threats your business is facing and whether protections are working
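The settings the list above says must be deliberately enabled, applied with the Defender cmdlets that ship with Windows, as an added example that is not AMVIA's or Microsoft's own deployment script. It assumes an elevated PowerShell session on an endpoint where Microsoft Defender Antivirus is the active engine; in a Defender for Business estate these settings are normally pushed from the Defender portal or Intune, and tamper protection can reject local changes, so treat this as a lab or verification script. The ASR rule GUIDs are Microsoft's published rule IDs (confirm them against the current reference before deploying), and the protected folder path is a hypothetical example.

```powershell
#Requires -RunAsAdministrator
<#
  Added example: enable cloud-delivered protection, behavioural blocking,
  attack surface reduction (ASR) rules and controlled folder access locally.
  Default is an audit-only rollout; pass -Enforce to switch to block mode once
  the 1122/1124 audit events have been reviewed for false positives.
#>
param([switch]$Enforce)

# ASR rule IDs from Microsoft's published ASR rule reference.
$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
$Mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }

# 1. Cloud-delivered protection: do not rely solely on local detection.
#    Advanced MAPS reporting, safe-sample submission, a stricter cloud block
#    level, and extra seconds to wait for a cloud verdict on a suspicious file.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples `
                 -CloudBlockLevel High -CloudExtendedTimeout 50

# 2. Behavioural blocking depends on real-time, behaviour and script monitoring.
Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false `
                 -DisableScriptScanning $false -DisableIOAVProtection $false

# 3. ASR rules: AuditMode logs event 1122 for what would have been blocked;
#    Enabled blocks and logs event 1121.
foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key `
                     -AttackSurfaceReductionRules_Actions $Mode
    Write-Host ('{0,-9} {1}' -f $Mode, $rule.Value)
}

# 4. Controlled folder access: only trusted apps may write to protected folders.
#    User library folders are protected by default; the share path is hypothetical.
Set-MpPreference -EnableControlledFolderAccess $Mode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shared\Finance'

# 5. Print the resulting state so the change can be checked against policy.
Get-MpPreference | Select-Object MAPSReporting, CloudBlockLevel, EnableControlledFolderAccess,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions | Format-List
```

Run it once without -Enforce, let the endpoints operate for a period, review the audit events, add exclusions or allowed applications only where a real business process was hit, then run it again with -Enforce. Skipping the audit phase is the usual reason ASR and controlled folder access get switched off again after user complaints.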

How AMVIA Can Help

AMVIA deploys and manages Microsoft Defender for Business as a fully managed NGAV service for UK SMEs. We configure the product to Microsoft's recommended security baseline, enable attack surface reduction rules and controlled folder access, and monitor endpoint security alerts through AmviaIQ. Monthly reports provide visibility of protection status and any detections across your managed device estate. Contact AMVIA on 0333 733 8050 to discuss NGAV protection for your business.

Key Points

What UK businesses need to know about next-generation antivirus.

Why Traditional AV Is Insufficient

Attackers routinely modify malware to evade signature detection. Even small changes produce a different hash — no signature match, no detection.

Behavioural Detection

NGAV monitors process activity, memory usage, and system calls — detecting malicious behaviour regardless of the specific malware variant involved.

Fileless Attack Protection

Fileless malware runs in memory using legitimate tools like PowerShell. Signature scanning cannot detect it — behavioural analysis can.

Cloud Threat Intelligence

NGAV tools connect to cloud threat intelligence platforms: when a new threat is identified anywhere, detection updates reach all connected endpoints within minutes, without waiting for a signature release.

NGAV Implementation Checklist

NGAV deployed on all managed endpoints — laptops, desktops, and servers

Cloud-delivered protection enabled — not relying solely on local detection

Behavioural blocking and containment enabled

Attack surface reduction rules configured — blocking common delivery techniques

Controlled folder access enabled to protect against ransomware

NGAV detections monitored and investigated — not just logged
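A way to check one endpoint against the checklist above and to pull the recent ASR, controlled folder access and malware events so they are reviewed rather than just logged, as an added example that is not AMVIA's AmviaIQ tooling. It assumes the local Defender cmdlets, the Microsoft-Windows-Windows Defender/Operational log with Microsoft's documented event IDs, and the numeric enum values Get-MpPreference returns (MAPSReporting 2 = Advanced; ASR action 1 = Block, 2 = Audit; EnableControlledFolderAccess 1 = Enabled, 2 = Audit).

```powershell
<#
  Added example: per-endpoint NGAV configuration audit plus a 7-day pull of
  Defender detection, ASR and controlled folder access (CFA) events.
#>
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$asrActions = @($pref.AttackSurfaceReductionRules_Actions)

# One entry per checklist item; a FAIL is a configuration gap, not a detection.
$checks = [ordered]@{
    'AV engine in normal (not passive) mode'     = ($status.AMRunningMode -eq 'Normal')
    'Real-time protection enabled'               = [bool]$status.RealTimeProtectionEnabled
    'Behaviour monitoring enabled'               = [bool]$status.BehaviorMonitorEnabled
    'Cloud-delivered protection (MAPS) advanced' = ($pref.MAPSReporting -eq 2)
    'Tamper protection enabled'                  = [bool]$status.IsTamperProtected
    'Signatures updated within 24h'              = ($status.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-1))
    'At least one ASR rule in block mode'        = (@($asrActions | Where-Object { $_ -eq 1 }).Count -gt 0)
    'No ASR rule still in audit mode'            = (@($asrActions | Where-Object { $_ -eq 2 }).Count -eq 0)
    'Controlled folder access enforced'          = ($pref.EnableControlledFolderAccess -eq 1)
}
'--- Configuration checks for {0} ---' -f $env:COMPUTERNAME
foreach ($c in $checks.GetEnumerator()) {
    '{0} {1}' -f $(if ($c.Value) { '[PASS]' } else { '[FAIL]' }), $c.Key
}

# Event IDs in the Defender operational log:
#   1116 malware detected, 1117 action taken,
#   1121 ASR rule blocked, 1122 ASR rule audited (would have blocked),
#   1123 CFA blocked a write, 1124 CFA audited a write.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
'--- Defender events, last 7 days: {0} ---' -f @($events).Count
$events | Group-Object Id | Select-Object @{n='EventId';e={$_.Name}}, Count | Format-Table -AutoSize

# Most recent 20 events with the first line of the message as a summary.
$events | Sort-Object TimeCreated -Descending | Select-Object -First 20 TimeCreated, Id,
    @{n='Summary';e={ ($_.Message -split "`r?`n")[0] }} | Format-Table -AutoSize -Wrap
```

A steady stream of 1122 or 1124 events on an endpoint means a rule is still in audit mode and nobody has closed the loop: either the activity is legitimate and needs an exclusion, or it is an attack that was allowed to proceed. Either way the event was logged but not monitored, which is the gap the last checklist item is about.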


Upgrade to Next-Generation Endpoint Protection

AMVIA deploys and manages NGAV for UK businesses — providing behavioural threat detection, attack surface reduction, and managed alert response across your entire endpoint estate.