How Ad Networks Track You Across the Entire Web

Antivirus software has been a mainstay of computer security advice for thirty years. It still has a role. But what that role is — and what it definitively doesn’t cover — has changed significantly, and most people’s understanding hasn’t caught up.

What antivirus software actually does

Antivirus software uses two main approaches to detect malware. Signature-based detection matches files against a database of known malware signatures — if a file matches, it’s flagged. Behavior-based detection watches for suspicious activity patterns (a program trying to access the registry in an unusual way, or attempting to encrypt files rapidly) and flags those regardless of whether the specific malware is known.

This works reasonably well for known malware, the kind that’s been circulating long enough to be added to signature databases. It works less well for new malware, for sophisticated malware designed to evade detection, and for software that technically isn’t malware but still extracts your data (many apps are intrusive without being clearly malicious).
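To make the two approaches concrete, here is an added sketch (not from the original article and not any antivirus product’s code): a hash-lookup signature check that only recognizes a catalogued file, next to a behavior check that flags a process rapidly rewriting many files with high-entropy data. The sample byte strings, process names, paths and thresholds are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

# Constructed stand-ins for files; these byte strings are not real malware.
KNOWN_SAMPLE = b"constructed sample A, already catalogued"
NEW_SAMPLE = b"constructed sample B, never seen before"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Constructed.Family.A"}

def signature_scan(data):
    """Signature check: exact hash lookup, so only catalogued files match."""
    return SIGNATURE_DB.get(hashlib.sha256(data).hexdigest())

def entropy(data):
    """Shannon entropy in bits per byte; encrypted output sits close to 8."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def pseudo_random(seed, n=4096):
    """Deterministic high-entropy bytes standing in for encrypted content."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def behavior_scan(events, window=10.0, max_files=5, min_entropy=7.0):
    """Flag processes that rewrite more than max_files distinct files with
    high-entropy data inside `window` seconds (assumed thresholds)."""
    recent = defaultdict(deque)  # process -> (time, path) of suspicious writes
    flagged = set()
    for t, proc, path, written in sorted(events, key=lambda e: e[0]):
        if entropy(written) < min_entropy:
            continue  # ordinary low-entropy write, e.g. plain text
        q = recent[proc]
        q.append((t, path))
        while q and t - q[0][0] > window:
            q.popleft()  # forget writes that fell out of the time window
        if len({p for _, p in q}) > max_files:
            flagged.add(proc)
    return flagged

# Constructed telemetry: (seconds, process, path, bytes written).
EVENTS = [(i * 0.5, "unknown.exe", f"C:/docs/file{i}.docx", pseudo_random(i)) for i in range(8)]
EVENTS += [(i * 30.0, "editor.exe", f"C:/docs/note{i}.txt", b"plain text notes " * 200) for i in range(8)]
EVENTS += [(i * 40.0, "backup.exe", f"D:/bk/part{i}.zip", pseudo_random(100 + i)) for i in range(8)]

if __name__ == "__main__":
    print(signature_scan(KNOWN_SAMPLE), signature_scan(NEW_SAMPLE))
    print(behavior_scan(EVENTS))
```

The uncatalogued sample passes the signature check untouched, while the behavior check flags only the process that rewrites many files within seconds; the slow backup job and the text editor stay below the thresholds.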

What it doesn’t protect against

Phishing. Antivirus doesn’t protect you from clicking a link in an email and entering your password on a fake login page. As far as a scanner is concerned, the attacker’s page is an ordinary website with no malware involved. Your credentials are gone before any security software has anything to scan.

Social engineering. If an attacker convinces you to install something yourself, most antivirus software will not intervene — you’ve granted the installation. This is why tech support scams are so effective even on computers with antivirus running.

Zero-day exploits. A zero-day is a vulnerability that’s been discovered but not yet patched or added to security databases. By definition, no antivirus database has a signature for it. Sophisticated attackers targeting specific individuals or organizations use zero-days specifically because signature-based detection won’t catch them.

Account compromise. If your email password is in a breach database and someone logs into your account, antivirus software on your computer does nothing — the attacker is using your legitimate credentials on a web server you don’t control.

What’s built into your OS and whether it’s enough

Windows Defender (now called Microsoft Defender Antivirus) comes built into Windows and has improved substantially over the past decade. In independent AV testing, it consistently scores in the top tier alongside paid options. For most users, it’s sufficient — it’s updated continuously, integrates tightly with the OS, and doesn’t require a subscription.

Mac users: macOS has built-in malware detection (XProtect) and a system integrity protection layer that makes Mac malware significantly harder to execute. Macs have a smaller attack surface partly by design. This doesn’t mean Macs can’t get malware — they can and do — but the risk is lower and built-in protections cover most common threats. A third-party antivirus on Mac is optional for most users.

If you want third-party antivirus

Malwarebytes is the most widely respected option for both Windows and Mac. The free version does manual scans; the paid version ($40/year) adds real-time protection. It’s particularly good at detecting adware and potentially unwanted programs that traditional antivirus sometimes misses. Running Malwarebytes alongside Windows Defender is a reasonable setup that covers more ground than either alone.

Avoid the big-brand security suites — Norton, McAfee, Kaspersky. They’re bloated, expensive, and don’t consistently outperform free alternatives in independent testing. Kaspersky has additional concerns: it’s Russian software with documented ties to Russian intelligence services, and the US government has banned its use on federal systems.

What matters more than antivirus

Keep your operating system and applications updated. Most successful malware exploits known vulnerabilities in software that users haven’t patched. Updates close those holes. Use a password manager and unique passwords — credential stuffing attacks are more common than malware infections for account takeovers. Enable 2FA on important accounts. Don’t install software from untrusted sources. Be skeptical of email attachments and unsolicited downloads.

These practices prevent the attacks that antivirus doesn’t cover. Antivirus adds a layer on top — useful, but not a substitute for the fundamentals.

The bottom line

On Windows: Microsoft Defender is enough for most people. Add Malwarebytes Free for occasional manual scans. On Mac: built-in protections cover most threats; add Malwarebytes if you want a second opinion. Don’t pay for a bloated security suite. And recognize what antivirus doesn’t cover — phishing, account compromise, zero-days — so you’re not relying on it for threats it can’t address.