# Endpoint Detection & Response (EDR) Overview

> Learn how Iru Endpoint Detection and Response (EDR) works on macOS and Windows, including platform capabilities, detection coverage, and posture modes.

<Callout icon="list-check" color="#71118C" iconType="regular">This guide applies to Mac computers and Windows devices</Callout>

<Warning>
  The Endpoint Detection and Response add-on is required to use the EDR Library Item.
</Warning>

### About Iru Endpoint EDR

Iru Endpoint EDR is a security tool that monitors enrolled devices for malware and potentially unwanted programs (PUPs). It is integrated into the Iru Endpoint platform and managed through the same web app you use for device management.

EDR is deployed as a Library Item called **EDR** in Iru Endpoint Blueprints. Once you enable it in a Blueprint, it deploys and activates automatically on enrolled devices. On macOS, EDR can terminate processes and quarantine files when Protect posture is enabled. It also supports response actions such as device isolation from the Detections page, and custom allow and block lists based on file hashes or paths.

Admins can view detected threats, quarantine actions, and security events on the **Detections** page in the Iru Endpoint Web App. See [Understanding the Detections Page](/en/endpoint/endpoint-detection-response-edr/understanding-the-detections-page) for dashboard widgets, filters, and device record views.

### Platform Capabilities

<Tabs>
  <Tab title="macOS" icon="apple" iconType="brands">
    Iru Endpoint EDR monitors Mac computers using **file-based and behavioral detection**. It runs on enrolled Macs through Apple's Endpoint Security framework and analyzes files and processes against threat intelligence and detection models. EDR uses Apple's native frameworks for monitoring without significant performance impact.

    **Core capabilities:**

    * **File-based detection** — Categorizes files as malware, PUPs, benign, or unknown
    * **Behavioral detection** — Identifies malicious or suspicious process activity
    * **Automated threat response** — Terminates processes and quarantines files in Protect mode
    * **Custom allow and block lists** — Override default threat intelligence using file hashes or paths
    * **Posture modes** — Configure independent Detect or Protect modes for malware, PUPs, and malicious behavior
    * **Device isolation** — Quarantine compromised devices from the network during active incidents

    For behavioral detection tuning, see [Behavioral Detection Rule Groups](/en/endpoint/endpoint-detection-response-edr/behavioral-detection-rule-groups).

    The Endpoint Detection and Response add-on is also required for the [Accessory & Storage Access Library Item](/en/endpoint/endpoint-detection-response-edr/configure-the-accessory-and-storage-access-library-item). You do not need to assign the EDR Library Item to the Blueprint to deploy the Accessory & Storage Access Library Item.
  </Tab>

  <Tab title="Windows" icon="microsoft" iconType="brands">
    Iru Endpoint EDR for Windows monitors Windows computers using **file-based detection**. It analyzes files against threat intelligence and detection models and categorizes them as malware, PUPs, benign, or unknown.

    Iru Endpoint supports **Windows 11 24H2 or 25H2** on Pro, Pro Education, Enterprise, or Education editions. See [Windows Setup](/en/endpoint/getting-started/platform-setup/windows-setup) for platform prerequisites.

    **Core capabilities:**

    * **File-based detection** — Analyzes files against threat intelligence and detection models
    * **Detect mode** — Scans and reports malware and PUPs without automatic quarantine
  </Tab>
</Tabs>

### Posture Modes

<Tabs>
  <Tab title="macOS" icon="apple" iconType="brands">
    The EDR agent supports **Detect** and **Protect** posture modes, configured independently for **Malware**, **PUPs**, and **Malicious behavior**.

    | Mode        | Behavior                                                                 |
    | ----------- | ------------------------------------------------------------------------ |
    | **Detect**  | Scans and reports known malicious items. No automatic quarantine.        |
    | **Protect** | Scans, reports, **and automatically quarantines** known malicious items. |
  </Tab>

  <Tab title="Windows" icon="microsoft" iconType="brands">
    The EDR agent uses **Detect** mode for **Malware** and **PUPs**. Detections are reported in the Iru Endpoint Web App without automatic quarantine.
  </Tab>
</Tabs>

For configuration steps, see [Configure the EDR Library Item](/en/endpoint/endpoint-detection-response-edr/configure-the-edr-library-item).

### Considerations

<Tabs>
  <Tab title="macOS" icon="apple" iconType="brands">
    * **Platform scope**: File-based and behavioral detection with malicious behavior posture
    * **Posture configuration**: Configure Malware, PUP, and malicious behavior posture modes independently
    * **Response actions**: Configure process termination, file quarantine, custom allow and block lists, and [device isolation](/en/endpoint/endpoint-detection-response-edr/device-isolation) from the threat detail view
    * **EDR deployment**: EDR is deployed as the **EDR** Library Item in Blueprints and activates automatically on enrolled devices
    * **Testing**: Validate your deployment using the EICAR test file; see [Testing EDR Malware Detection](/en/endpoint/endpoint-detection-response-edr/endpoint-detection-response-testing-malware-detection)
  </Tab>

  <Tab title="Windows" icon="microsoft" iconType="brands">
    * **Platform scope**: File-based malware and PUP detection in Detect mode
    * **Posture configuration**: Malware and PUP detections are reported without automatic quarantine
    * **EDR deployment**: EDR is deployed as the **EDR** Library Item in Blueprints and activates automatically on enrolled devices
    * **Testing**: Validate your deployment using the EICAR test file; see [Testing EDR Malware Detection](/en/endpoint/endpoint-detection-response-edr/endpoint-detection-response-testing-malware-detection)
  </Tab>
</Tabs>

### Next Steps

* [Understanding the Detections Page](/en/endpoint/endpoint-detection-response-edr/understanding-the-detections-page)
* [Configure the EDR Library Item](/en/endpoint/endpoint-detection-response-edr/configure-the-edr-library-item)
* [Testing EDR Malware Detection](/en/endpoint/endpoint-detection-response-edr/endpoint-detection-response-testing-malware-detection)
* [Understanding Threat Events](/en/endpoint/endpoint-detection-response-edr/understanding-threat-events)
