
Migrating from legacy AV to modern EDR (CrowdStrike or SentinelOne): UK playbook

Servnet Editorial · Cyber Security Practice · 7 min read

Legacy signature-based antivirus (Symantec, McAfee, Trend Micro, ESET) is end-of-life for ransomware defence. Modern EDR — CrowdStrike Falcon, SentinelOne Singularity, Sophos Intercept X, or Microsoft Defender XDR — is the upgrade path. This is the realistic 6-8 week UK rollout playbook.

Legacy AV → EDR — 8-week migration

Timeline (from the original figure): Pilot ring (5%): 2 weeks; Co-existence: 3 weeks; Mass rollout: 2 weeks; AV uninstall: 1 week. Total: 8 weeks end-to-end.

Week 1 — EDR selection + commercial

Run vendor selection — see our 7-question framework or head-to-head comparison.

Commercial negotiation — net UK pricing is typically 25-40% off vendor list. Servnet handles this.

Sign master services agreement + EDR licensing.

Weeks 2-3 — Pilot deployment

Deploy to 50-100 pilot endpoints covering: typical user laptops, power-user workstations, terminal servers, file servers, domain controllers, dev / test workloads.

Configure exclusions + tuning — every environment has false-positive sources (custom software, dev tools, vendor management agents).

Validate against legacy AV — run both during the pilot (the new EDR on the pilot endpoints, legacy AV on the rest of the fleet) to confirm there is no protection gap.

Weeks 4-6 — Mass deployment

Phased rollout via SCCM, Microsoft Intune, Jamf Pro (Mac), or Ansible (Linux).

Typical pace: 200-500 endpoints per day for a competent IT team.

Per-OS phases: Windows first (largest fleet, lowest risk), then macOS, then Linux servers last.

Weeks 7-8 — Legacy AV decommission

Once the new EDR is confirmed deployed and reporting healthy, uninstall legacy AV via its existing management console.

CRITICAL: never uninstall legacy AV before new EDR is fully deployed + tuned + reporting. Sequence matters.

Keep legacy AV management console accessible for 90 days for audit + historic incident review.
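The sequencing rule above (EDR deployed, tuned and reporting before legacy AV comes off) and the "never two EDRs on one endpoint" gotcha can be enforced as a gate in the uninstall job. The script below is an added example, not Servnet's tooling: it assumes you export an endpoint inventory joined from the EDR console and the legacy AV console, and the CSV rows embedded here are constructed stand-ins for that export.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: hostname, EDR sensor state, last EDR check-in (UTC),
# whether legacy AV is still installed, whether a second EDR agent is present.
INVENTORY = """hostname,edr_state,edr_last_seen,legacy_av,second_edr
LAP-001,healthy,2024-05-20T09:10:00Z,yes,no
LAP-002,healthy,2024-05-10T08:00:00Z,yes,no
SRV-DC1,not_installed,,yes,no
WS-DEV7,healthy,2024-05-20T07:45:00Z,yes,yes
LAP-003,healthy,2024-05-19T22:00:00Z,no,no
"""

NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
MAX_SILENCE = timedelta(hours=24)  # a sensor silent longer than this is not "reporting healthy"


def gate(inventory_csv: str, now: datetime = NOW) -> dict:
    """Classify each endpoint: ready for legacy AV uninstall, blocked (with reasons), or already done."""
    result = {"ready": [], "blocked": {}, "done": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"]
        if row["legacy_av"] == "no":
            result["done"].append(host)  # legacy AV already removed, nothing to gate
            continue
        reasons = []
        if row["edr_state"] != "healthy":
            reasons.append("EDR sensor not installed or unhealthy")
        else:
            seen = datetime.fromisoformat(row["edr_last_seen"].replace("Z", "+00:00"))
            if now - seen > MAX_SILENCE:
                reasons.append(f"EDR sensor silent for {(now - seen).days}d")
        if row["second_edr"] == "yes":
            reasons.append("two EDR agents on one endpoint")  # kernel-driver conflict, fix before touching AV
        if reasons:
            result["blocked"][host] = reasons
        else:
            result["ready"].append(host)
    return result


if __name__ == "__main__":
    report = gate(INVENTORY)
    print("ready for legacy AV uninstall:", report["ready"])
    print("already decommissioned:", report["done"])
    for host, why in report["blocked"].items():
        print(f"BLOCKED {host}: {'; '.join(why)}")
```

Feed only the "ready" list to the SCCM / Intune / Jamf uninstall task; anything in "blocked" stays on legacy AV until the reason is cleared.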

EDR detection stack — what you gain

Layers of the stack (from the original figure, bottom to top):
  • Layer 1, Response actions: isolate, kill, rollback
  • Layer 2, Endpoint telemetry: persistent forensic data lake
  • Layer 3, Threat intel: cloud-fed IOCs + reputation
  • Layer 4, Behavioural detection: process tree + MITRE ATT&CK mapping

Common gotchas

Conflicting kernel-level drivers — never run two EDRs on the same endpoint; their kernel drivers conflict.

McAfee / Trend Micro embedded in network appliances (firewall AV, email gateway AV) — a separate decision from endpoint AV. EDR doesn't replace network AV.

Exclusion list — legacy AV exclusions don't translate directly. Rebuild from current vendor's recommendations + your specific custom software list.

Server protection — some environments run a different AV on servers than on endpoints. Check before assuming a single-platform replacement.

What Servnet does

Servnet runs AV → EDR migrations as a defined practice across CrowdStrike, SentinelOne, Sophos, and Microsoft Defender. Typical UK engagement: 6-8 weeks end-to-end for 500-2,000 endpoints.

Key takeaways
  • 6-8 weeks end-to-end is realistic for 500-2,000 endpoint UK environments.
  • Run side-by-side during the pilot (on different endpoints, not the same one) — never two EDRs per endpoint.
  • Mass deployment via SCCM / Intune / Jamf typically 200-500 endpoints/day.
  • Critical sequence: new EDR fully deployed + tuned + reporting BEFORE legacy AV uninstall.
  • Exclusion list rebuild is the most-skipped step + biggest false-positive source.
FAQs — Migrating from legacy AV to modern EDR (CrowdStrike or SentinelOne)

Sequencing

Can we run two EDRs side-by-side on the same machine?

No — they conflict at kernel level. You CAN run different EDRs on different machines during the transition (e.g. CrowdStrike on new laptops as they are deployed, legacy AV on the existing fleet until the SCCM rollout reaches it). Most migrations complete in 4-8 weeks of phased cutover.

Performance

Will modern EDR slow our endpoints?

Modern EDR (CrowdStrike, SentinelOne, Defender for Endpoint, Sophos) typically uses 2-5% CPU + 100-300 MB RAM at idle — comparable to or lighter than legacy AV. Users rarely notice. Spec servers and power-user workstations accordingly.
