Elastic Endpoint is an EDR product; the malicious binary payload should be detected upon execution. This is similar to the “scan files upon modification” option, where you can opt out of it to improve performance but you still have a guarantee that a malicious executable at rest won’t be allowed to execute.