What is next-generation antivirus (NGAV)?

Published: 20 December 2021
Contributors: Gregg Lindemulder, Amber Forrest

What is NGAV?

Next-generation antivirus, or NGAV, is a cloud-based technology that uses artificial intelligence, machine learning and behavioral analysis to protect endpoints against malware and other types of cyberthreats.

Unlike traditional antivirus software, which uses signature-based detection to identify previously known threats, NGAV can detect unknown malware and malicious behavior as they occur, in near real-time. In this way, it offers a more effective method for addressing modern threats such as ransomware, scripting attacks, fileless malware and zero-day vulnerabilities.

How NGAV works

Legacy AV solutions use a database of malware signatures and heuristics to detect viruses in endpoint devices such as desktop computers, laptops, tablets and smartphones. These signatures are strings of characters within a file that indicate a virus could be present.

This approach leaves endpoints vulnerable to potential threats that have yet to be identified and catalogued in the signature database. Even with frequent signature updates, a new or unknown malicious file could go undetected.

In contrast, NGAV solutions use behavioral detection to identify the tactics, techniques and procedures (TTPs) associated with cyberattacks. Machine learning algorithms continually monitor events, processes, files and applications for malicious behavior.

If an unknown vulnerability is targeted for the first time in a zero-day attack, NGAV can detect and block the attempt. NGAV can also prevent fileless attacks such as those that exploit Windows PowerShell and document macros, or phishing emails that persuade users to click on links that execute fileless malware.

As a cloud-based technology, NGAV is also faster, easier and more cost-effective to deploy and manage than its traditional counterparts. With its ability to monitor endpoint activity and provide immediate incident response, it can block many of the attack vectors that hackers use to penetrate systems.
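The two detection models described above, side by side, as an added example that is not part of the original article and not IBM's or any vendor's code. The signature scanner matches catalogued byte patterns in a file; the behavioral detector evaluates a stream of process-creation events against rules that describe tactics and techniques (a document application spawning a script host, an encoded or hidden PowerShell command line), so it can fire on a sample it has never seen. Every signature, event, host name and rule name here is constructed for illustration.

```python
"""
Added example (not from the article or any vendor): contrasts signature-based
detection with behavior-based detection on constructed data.
"""
from dataclasses import dataclass

# --- Signature-based detection (legacy AV model) ------------------------
# Constructed signature database: name -> byte pattern that marks a known
# sample. A real database holds far more entries plus heuristics, but the
# matching step is the same: the pattern must already be catalogued.
SIGNATURES = {
    "Demo.Dropper.A": b"DEMO-DROPPER-MARKER",
    "Demo.Macro.B": b"AutoOpen-DEMO-PAYLOAD",
}


def scan_file_signatures(data: bytes) -> list[str]:
    """Return the names of every catalogued signature present in the bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


# --- Behavior-based detection (NGAV model) ------------------------------
@dataclass
class ProcessEvent:
    """One process-creation event as an endpoint sensor might report it."""
    host: str
    parent: str     # image name of the parent process
    image: str      # image name of the newly created process
    cmdline: str


@dataclass
class Detection:
    rule: str
    event: ProcessEvent


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def rule_office_spawns_script_host(ev: ProcessEvent) -> bool:
    # A document application launching a script interpreter is the classic
    # macro-to-fileless chain; ordinary document editing never does this.
    return ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS


def rule_encoded_powershell(ev: ProcessEvent) -> bool:
    # An encoded or hidden-window PowerShell invocation is a technique that
    # shows up in fileless attacks regardless of what the payload contains,
    # which is why a behavior rule catches it without any file signature.
    cmd = ev.cmdline.lower()
    return ev.image.lower() in {"powershell.exe", "pwsh.exe"} and (
        "-enc" in cmd or "hidden" in cmd)


RULES = {
    "Office application spawned a script host": rule_office_spawns_script_host,
    "Encoded or hidden PowerShell command line": rule_encoded_powershell,
}


def detect_behavior(events: list[ProcessEvent]) -> list[Detection]:
    """Evaluate every event against every rule and return all matches."""
    return [Detection(name, ev)
            for ev in events for name, rule in RULES.items() if rule(ev)]


# --- Constructed samples ------------------------------------------------
# A file that carries a catalogued marker, and a document-like file that
# carries nothing the signature database knows about.
KNOWN_SAMPLE = b"MZ...header...DEMO-DROPPER-MARKER...rest of file"
UNKNOWN_SAMPLE = b"PK\x03\x04 ordinary-looking document with no catalogued pattern"

# A process chain as a sensor would see the same unknown document being
# opened: the macro launches PowerShell with a hidden window and an encoded
# command (base64 replaced by a placeholder).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "winword.exe", "winword.exe /n invoice.docx"),
    ProcessEvent("ws01", "winword.exe", "powershell.exe",
                 "powershell.exe -w hidden -enc <base64-placeholder>"),
    ProcessEvent("ws01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    print("signature hits, known sample:  ", scan_file_signatures(KNOWN_SAMPLE))
    print("signature hits, unknown sample:", scan_file_signatures(UNKNOWN_SAMPLE))
    for d in detect_behavior(SAMPLE_EVENTS):
        print(f"behavior hit on {d.event.host}: {d.rule} ({d.event.parent} -> {d.event.image})")
```

Run stand-alone, the signature scanner flags only the sample whose marker it already holds and sees nothing in the document, while both behavior rules fire on the document's process chain. The same property cuts the other way: a legitimate automation job that drives PowerShell from Excel would trip the first rule too, which is the false-positive trade-off the article returns to under limitations.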

NGAV benefits

Rapid deployment

Cloud-based NGAV can be deployed, updated and managed much faster, more easily and with fewer resources than traditional AV. There is no extra hardware or software to install and configure, no signature updates to continually administer, and it has little to no impact on endpoint performance.

Speedy threat detection

Legacy antivirus can detect only known malware signatures that have been previously identified and entered into a database. NGAV monitors and analyzes endpoint behaviors in near real-time to detect and block both known and unknown threats, including zero-day attacks.

Proactive protection

NGAV gives security teams the capability to proactively defend against rapidly evolving and advanced threats. Over time, machine learning algorithms become more effective in distinguishing normal endpoint behaviors from those that raise the risk of a cyberattack.

NGAV capabilities and limitations

While capabilities differ across vendors, most NGAV solutions offer the following:

  • Machine learning algorithms: NGAV can examine thousands of file characteristics and endpoint activities in near real-time and identify anomalies and unexpected actions that can help stave off known and unknown threats.

  • Behavioral analysis: NGAV establishes baseline behaviors and identifies suspicious behaviors that indicate malicious activity or a cyberattack through analysis of users, devices, applications and systems.

  • Threat intelligence: Many NGAV solutions can integrate the latest threat intelligence on the sources, tactics and impacts of specific malware attacks to help detect and block them faster and more effectively.

  • Predictive analytics: NGAV can feed the massive amount of data it collects into predictive models that can detect the presence of malware or a potential cyberattack before it occurs, and then take action to prevent or minimize damage.

Although NGAV is more effective than traditional antivirus software, it is not foolproof. Occasionally, it may return a false positive or fail to detect a virus. Cybercriminals and hackers are still creating and testing new methods of evading the latest antivirus protection technologies.

In the event that NGAV defenses are breached on an endpoint device, organizations often rely on other technologies, such as endpoint detection and response (EDR), unified endpoint management (UEM) or security information and event management (SIEM). These security solutions offer a broader, system-wide approach to the prevention and mitigation of cyberthreats across many different endpoints.
