What Is Next-Generation Antivirus (NGAV)?

Next-generation antivirus uses artificial intelligence, machine learning, and behavioural analysis to detect threats that evade traditional signature-based antivirus. NGAV is now the standard for business endpoint protection — replacing tools that only recognise known, catalogued malware.

Overview

Next-generation antivirus uses machine learning, behavioural analysis, and cloud threat intelligence to detect threats that traditional signature-based tools miss. Microsoft Defender for Business — included in M365 Business Premium — is an NGAV product that AMVIA deploys and manages for UK SMEs. NGAV requires configuration beyond defaults to deliver its full protective value.

What Is Next-Generation Antivirus?

Next-generation antivirus (NGAV) represents a fundamental shift in how cybersecurity tools protect business endpoints. Traditional antivirus software works by comparing files against a database of known malware signatures — a catalogue of identified threats. When a file matches a known signature, it is flagged as malicious. This approach is effective against catalogued threats but has a critical weakness: it can only detect threats that have been seen before. Attackers exploit this limitation by constantly modifying their malware — even minor changes produce a different file hash that no longer matches any existing signature in the database.

NGAV addresses this gap by using machine learning, behavioural analysis, and cloud-based threat intelligence to detect threats based on what they do, not just what they look like. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, and 85% of those breaches involved phishing (DSIT 2025). Many of the payloads delivered through phishing are specifically crafted to evade signature-based detection, making NGAV an essential upgrade from legacy antivirus for any UK business serious about its security posture.

How NGAV Differs from Traditional Antivirus

The differences between NGAV and traditional antivirus are not merely incremental — they represent fundamentally different approaches to threat detection. Understanding these differences helps businesses evaluate whether their current endpoint security is adequate for the modern threat landscape.

Signature-Based Detection: The Legacy Approach

Traditional antivirus maintains a database of known malware signatures — unique identifiers derived from the code of previously identified threats. When a file is scanned, its signature is compared against this database. If a match is found, the file is blocked. This approach relies entirely on the malware having been previously discovered, analysed, and catalogued. New malware variants, even those based on known threats with minor modifications, may evade detection entirely. The sheer volume of new malware — hundreds of thousands of new variants are identified daily — means that signature databases are perpetually incomplete.

Machine Learning Detection

NGAV uses machine learning models trained on vast datasets of both malicious and legitimate software behaviour. These models can classify a new, previously unseen file as likely malicious based on its characteristics — code structure, imported functions, entropy levels, packing techniques, and other features statistically associated with malware. This provides protection against novel malware before any signature is available, closing the detection gap that traditional antivirus leaves open.

Behavioural Analysis

Rather than analysing files statically, behavioural analysis monitors running processes in real time. If a process begins behaving in ways associated with malware — encrypting files rapidly across multiple directories (a ransomware indicator), accessing LSASS memory to harvest credentials, spawning unexpected child processes, or making unusual network connections — behavioural detection flags and can automatically terminate the process. This approach catches threats that look benign on disk but act maliciously when executed.

Cloud-Based Threat Intelligence

NGAV tools connect to cloud threat intelligence platforms that aggregate threat data from millions of endpoints worldwide. When a new threat is identified anywhere in this network, detection updates are distributed to all connected endpoints within minutes. This collective intelligence model means that a threat first detected in one organisation immediately becomes detectable across the entire user base — a significant advantage over standalone antivirus products that update on scheduled intervals.

Protection Against Fileless Attacks

Fileless malware presents a specific challenge that traditional antivirus cannot address. Fileless attacks operate entirely in memory using legitimate system tools — PowerShell, Windows Management Instrumentation (WMI), mshta.exe, and other built-in utilities. Because no malicious file is written to disk, there is nothing for signature-based scanning to detect. These living-off-the-land techniques are increasingly common because they evade traditional defences and are harder to investigate forensically.

NGAV detects fileless attacks through memory scanning and behavioural analysis of the system tools being abused. When PowerShell is used to download and execute a payload in memory, or when WMI is used to establish persistence, behavioural detection identifies the anomalous usage pattern and blocks the malicious activity. This capability is critical as fileless techniques are now used in a significant proportion of targeted attacks against UK businesses.
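The three behavioural indicators described in this section and the previous one (rapid file rewriting across directories, a handle opened to LSASS, and PowerShell launched from an Office application that then reaches out to the network) can be written down as detection rules. The block below is an added example, not code from AMVIA or from any NGAV product: it runs those rules over a small constructed stream of endpoint events. The event shape (Time, Process, Parent, Action, Target), the LSASS allowlist and the window and threshold values are assumptions made for the illustration.

```powershell
# Added example, not code from AMVIA or any vendor: the three behavioural
# indicators named above, expressed as detection rules over a constructed
# stream of endpoint events. The event shape (Time, Process, Parent, Action,
# Target) is an assumption made for this illustration, not a product schema.
# Assumes Windows PowerShell (Split-Path is used on Windows-style paths).

function Get-BehaviouralAlerts {
    param(
        [object[]]$Events,
        [int]$WindowSeconds = 10,   # window for the rapid-write rule
        [int]$DirThreshold  = 5     # distinct directories within that window
    )
    $alerts = @()
    $sorted = @($Events | Sort-Object Time)

    # Rule 1 (ransomware indicator): one process rewriting files across many
    # directories within a short window. The sliding window stops a backup job
    # that touches the same number of folders slowly from triggering the rule.
    foreach ($group in ($sorted | Where-Object { $_.Action -eq 'FileWrite' } | Group-Object Process)) {
        $writes = @($group.Group)
        for ($i = 0; $i -lt $writes.Count; $i++) {
            $end  = $writes[$i].Time.AddSeconds($WindowSeconds)
            $dirs = @($writes[$i..($writes.Count - 1)] | Where-Object { $_.Time -le $end } |
                      ForEach-Object { Split-Path -Parent $_.Target } | Sort-Object -Unique)
            if ($dirs.Count -ge $DirThreshold) {
                $alerts += "RansomwareLike: $($group.Name) wrote into $($dirs.Count) directories within ${WindowSeconds}s"
                break
            }
        }
    }

    # Rule 2 (credential theft indicator): a handle opened to lsass.exe by
    # anything outside a small allowlist. The allowlist here is an assumption.
    $lsassAllowed = @('MsMpEng.exe', 'csrss.exe', 'wininit.exe')
    foreach ($e in ($sorted | Where-Object { $_.Action -eq 'ProcessAccess' -and $_.Target -ieq 'lsass.exe' })) {
        if ($lsassAllowed -notcontains $e.Process) {
            $alerts += "CredentialAccess: $($e.Process) opened a handle to lsass.exe"
        }
    }

    # Rule 3 (fileless download indicator): PowerShell launched by an Office
    # application that then makes a network connection.
    $officeApps = @('winword.exe', 'excel.exe', 'outlook.exe')
    foreach ($e in ($sorted | Where-Object { $_.Process -ieq 'powershell.exe' -and $_.Action -eq 'NetworkConnect' -and $officeApps -contains $_.Parent })) {
        $alerts += "FilelessDownload: powershell.exe spawned by $($e.Parent) connected to $($e.Target)"
    }
    return $alerts
}

# Constructed sample events (not real telemetry)
$t0 = [datetime]'2025-01-10T09:00:00'
function New-SampleEvent($Offset, $Process, $Parent, $Action, $Target) {
    [pscustomobject]@{ Time = $t0.AddSeconds($Offset); Process = $Process; Parent = $Parent; Action = $Action; Target = $Target }
}
$events = @(
    # six directories rewritten in six seconds: meant to trip rule 1
    0..5 | ForEach-Object { New-SampleEvent $_ 'updater.exe' 'explorer.exe' 'FileWrite' "C:\Users\jo\Documents\proj$_\report.docx.locked" }
    # six directories at one every 30 seconds: a backup job, meant not to trip it
    0..5 | ForEach-Object { New-SampleEvent ($_ * 30) 'backup.exe' 'services.exe' 'FileWrite' "C:\Users\jo\Pictures\album$_\photo.jpg" }
    New-SampleEvent 7  'MsMpEng.exe'    'services.exe' 'ProcessAccess'  'lsass.exe'          # allowlisted
    New-SampleEvent 8  'notepad.exe'    'explorer.exe' 'ProcessAccess'  'lsass.exe'          # meant to trip rule 2
    New-SampleEvent 9  'powershell.exe' 'winword.exe'  'NetworkConnect' '203.0.113.10:443'   # meant to trip rule 3
    New-SampleEvent 10 'powershell.exe' 'explorer.exe' 'NetworkConnect' '198.51.100.5:443'   # user-launched, not flagged
)

Get-BehaviouralAlerts -Events $events | ForEach-Object { Write-Output "ALERT: $_" }
```

The point of the sample is the contrast built into it: the backup job and the ransomware-like process touch the same number of directories, and only the rate separates them; the two LSASS accesses differ only in which process made them; the two PowerShell connections differ only in their parent. Real products weigh many more signals than this, but each of the three rules is the same shape of decision the page describes: judge the process by what it does, not by a hash of a file on disk.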

NGAV and EDR: How They Relate

NGAV and Endpoint Detection and Response (EDR) are related but distinct capabilities. NGAV is focused on prevention — detecting and blocking threats before they execute or early in execution. EDR adds a forensic and response layer — capturing detailed telemetry about all endpoint activity, enabling investigation of incidents after they occur, and providing response capabilities such as device isolation, process termination, and file quarantine.

Modern enterprise endpoint security products combine NGAV and EDR in a single agent. Microsoft Defender for Business, for example, provides both NGAV capabilities (machine learning detection, behavioural analysis, cloud threat intelligence) and EDR capabilities (detailed telemetry, device isolation, automated investigation). AMVIA deploys Defender for Business as a unified endpoint security solution, and for businesses requiring additional depth, managed antivirus services layer human investigation and response on top of the automated detection.

Deployment and Configuration

NGAV requires deliberate configuration to deliver its full protective value. Default installations of NGAV products — including Defender for Business — do not activate all available protective features. Attack surface reduction rules need to be enabled in block mode rather than left in audit-only mode. Controlled folder access should be configured to protect critical directories against ransomware encryption. Cloud-delivered protection must be enabled to benefit from real-time threat intelligence updates.

Configuration also involves managing exclusions carefully. Overly broad exclusions — often added to resolve compatibility issues with specific applications — can create significant security gaps. Each exclusion effectively creates a blind spot in your detection capability. AMVIA reviews exclusions as part of the configuration process and works with application vendors to find alternatives to broad exclusions wherever possible.

Pricing and Licensing for UK SMEs

For UK SMEs on Microsoft 365 Business Premium, Defender for Business is included at no additional endpoint security cost — making it one of the most accessible enterprise-grade NGAV products available. Businesses on Microsoft 365 Business Basic or Standard do not receive Defender for Business and would need to upgrade or add standalone licensing. The average cost of a data breach for UK organisations was £3.4 million in 2024 (IBM 2024), making the investment in proper NGAV deployment and configuration a clear priority.

Third-party NGAV products such as SentinelOne, CrowdStrike Falcon, and Sophos Intercept X are also available, typically priced between £3 and £8 per endpoint per month depending on the tier and volume. For most UK SMEs already using Microsoft 365 Business Premium, Defender for Business provides comparable protection without additional licensing costs, but AMVIA assesses each client's specific requirements and recommends the most appropriate solution.

Why NGAV Alone Is Not Enough

No NGAV product provides 100% detection. Sophisticated attackers test their techniques against major security products before launching attacks, and novel attack methods will inevitably evade automated detection at some point. Only 14% of UK businesses have a formal incident response plan (DSIT 2025), which means the majority have no structured process for handling the threats that get past their automated defences.

This is why AMVIA combines NGAV deployment with managed monitoring and response. Security alerts generated by Defender for Business are monitored through AmviaIQ, investigated by AMVIA's security team, and responded to without waiting for you to raise a support ticket. Monthly reports provide visibility of all detections across your managed device estate, and regular configuration reviews ensure that protective capabilities keep pace with the evolving threat landscape. Contact AMVIA on 0333 733 8050 to discuss NGAV protection for your business.

Key Points

What UK businesses need to know about next-generation antivirus.

Why Traditional AV Is Insufficient

Attackers routinely modify malware to evade signature detection. Even small changes produce a different hash — no signature match, no detection.

Behavioural Detection

NGAV monitors process activity, memory usage, and system calls — detecting malicious behaviour regardless of the specific malware variant involved.

Fileless Attack Protection

Fileless malware runs in memory using legitimate tools like PowerShell. Signature scanning cannot detect it — behavioural analysis can.

Cloud Threat Intelligence

NGAV tools connect to cloud threat intelligence platforms — when a new threat is identified anywhere, detection updates reach all connected endpoints within minutes.

NGAV Implementation Checklist

NGAV deployed on all managed endpoints — laptops, desktops, and servers

Cloud-delivered protection enabled — not relying solely on local detection

Behavioural blocking and containment enabled

Attack surface reduction rules configured — blocking common delivery techniques

Controlled folder access enabled to protect against ransomware

NGAV detections monitored and investigated — not just logged
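The settings called out in the Deployment and Configuration section and in this checklist (cloud-delivered protection, controlled folder access in block mode, attack surface reduction rules in block rather than audit mode, and a reviewed list of exclusions) map onto the Defender Antivirus PowerShell cmdlets on each Windows endpoint. The block below is an added example, not AMVIA's or Microsoft's code: it applies those settings on a single device and then audits what is actually in force, including every exclusion. It assumes an elevated session on a device running Microsoft Defender Antivirus; the three ASR rule GUIDs are Microsoft's published identifiers for those rules and should be confirmed against the current ASR rule reference before any rollout, and on devices managed by Intune or Group Policy the policy value overrides local settings, so only the audit function is useful there.

```powershell
# Added example, not code from AMVIA or Microsoft: enforce the settings listed
# above on one Windows endpoint with the built-in Defender cmdlets, then
# report anything still at a weaker value, including every exclusion.
# Assumptions: elevated PowerShell on a device running Microsoft Defender
# Antivirus; on Intune/GPO-managed devices the policy value wins over these
# local settings, so run the audit function alone there.

# ASR rules to enforce in block mode. The GUIDs are Microsoft's published rule
# identifiers; check them against the current ASR rule reference before rollout.
$asrRules = @{
    'Block credential stealing from LSASS'            = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block Office apps from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executable content from email and webmail' = 'be9ba2d9-53ea-4cdd-84e5-9b1eeee46550'
}

function Set-NgavBaseline {
    # Cloud-delivered protection: MAPS membership plus sample submission
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    # Controlled folder access in block mode (Enabled), not AuditMode
    Set-MpPreference -EnableControlledFolderAccess Enabled
    # ASR rules in block mode; Add-MpPreference merges with rules already set
    foreach ($id in $asrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

function Test-NgavBaseline {
    $pref = Get-MpPreference
    $findings = @()
    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
    if ($pref.MAPSReporting -ne 2) { $findings += 'Cloud-delivered protection is not set to Advanced' }
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
    if ($pref.EnableControlledFolderAccess -ne 1) { $findings += 'Controlled folder access is not in block mode' }
    # ASR action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i]] = $actions[$i] }
    foreach ($rule in $asrRules.GetEnumerator()) {
        $action = $configured[$rule.Value]          # $null when the rule is not configured at all
        if ($action -ne 1) { $findings += "ASR rule '$($rule.Key)' is not in block mode (action: $action)" }
    }
    # Each exclusion is a blind spot: list them all so each one is justified or removed
    foreach ($p in $pref.ExclusionPath)      { $findings += "Path exclusion: $p" }
    foreach ($e in $pref.ExclusionExtension) { $findings += "Extension exclusion: $e" }
    foreach ($x in $pref.ExclusionProcess)   { $findings += "Process exclusion: $x" }
    return $findings
}

Set-NgavBaseline
Test-NgavBaseline | ForEach-Object { Write-Output "FINDING: $_" }
```

Running the audit function on its own is the useful part for an ongoing review: a device whose ASR rules were deployed in audit mode and never promoted, or whose exclusion list has grown through years of vendor support tickets, shows up as a list of findings rather than as a silent gap.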

Upgrade to Next-Generation Endpoint Protection

AMVIA deploys and manages NGAV for UK businesses — providing behavioural threat detection, attack surface reduction, and managed alert response across your entire endpoint estate.