For the first two decades of the internet age, from the early 1990s to the 2010s, high-quality antivirus software that blocked the most malware came at a premium. After all, the endpoint was—and still is—one of the primary attack vectors for cyber threats, so it stood to reason that antivirus vendors could charge a premium to secure your endpoint.
Spending on endpoint security software thus increased as additional capabilities were added to protect against advanced threats. It wasn’t long before attackers changed their techniques to bypass traditional signature-based antivirus through fileless attacks, in-memory exploits, and unknown malware.
This resulted in the rise of next-generation antivirus platforms, or NGAV, which add various mechanisms to detect and—theoretically—block these new and evasive attack techniques. Nearly all of today’s third-party endpoint security products go well beyond signature-based technology to include machine learning, behavioral monitoring, heuristics, and a host of other modules that have become table-stakes functionality.
The ability to block known file-based attacks is the bread and butter of antivirus platforms. Even with “next-gen” features like machine learning, additional coverage of unknown attacks is limited to close variants of the known. Because most endpoint protection platforms leverage the same or similar technology for prevention, the same set of attacks is prevented. More importantly, they are all missing the same types of attacks as well.
Major testing agencies like AV-Comparatives, AV-Test, and SE Labs regularly benchmark the major endpoint security platforms, and most of the platforms are within a few percentage points of each other in terms of efficacy every single time. The recent Business Security Test from AV-Comparatives is indicative of this trend; each of the top 10 vendors in that testing pool blocked between 98.4 percent and 99.9 percent of the 801 attacks in the Real World Protection Test.
While, yes, a difference of 1.5 percent can be the difference between a breach and a close call, that additional security can often be found by doing basic cyber hygiene tasks such as limiting admin privileges and making sure that all critical systems are patched regularly. Anti-malware is only one component of endpoint security; there are other critical controls that reduce the attack surface, preventing many adversarial techniques without having to detect them in the first place.
Ultimately, with how little differentiation there is in terms of attacks blocked, there’s little reason to pay for antivirus protection when Windows’ free Defender Antivirus is among the products participating in these tests. You still need antivirus—that will never go away, at least from a compliance perspective—but the question of “should you pay for antivirus?” has never been easier to answer with a resounding “no.”
Probably the biggest reason you shouldn’t pay for antivirus is how good the free options are, especially for Windows systems in the form of Defender AV. Microsoft unveiled their Defender AV product as a component of Windows 8 and consistently improved it through the most recent updates of Windows 10.
In fact, Microsoft has poured more than $1 billion a year into improving its cybersecurity offerings since 2017. This largely took the form of improving the capabilities of Defender AV and improving the tools such as Personal Firewall, Device Control, and Drive Encryption that ship with every Windows system.
Defender AV, incidentally, is one of the top-rated antivirus platforms on the market today. AV-Comparatives and AV-Test both show that Defender AV is virtually equal to or better than every third-party antivirus they test.
Additionally, in 2019, Gartner named Microsoft a leader in the endpoint protection platform market, adding yet more validation that the company has done a lot to improve its cybersecurity portfolio. While this did include its paid Defender for Endpoint product, most of the prevention capabilities are included in the free Defender Antivirus. These continual positive test results, as well as the fact that Defender AV is integrated with the operating system, make it a solid choice for Windows systems. That’s even ignoring the consistent improvements that get added to Defender AV, including many of the capabilities that third-party NGAVs also use.
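As an added example that is not part of the original article, the following PowerShell script checks the three things the argument above rests on: that Defender AV is the active engine with current signatures, that the local Administrators group is kept small, and that Windows updates are not piling up. It assumes a Windows 10 host with the built-in Defender PowerShell module and an elevated prompt; the 7-day signature age and the one-member admin threshold are assumed values, not anything the article specifies.

```powershell
# Added example (not from the article): a read-only posture check for the
# "free Defender AV plus basic hygiene" position argued above. Assumes a
# Windows 10 host with the built-in Defender PowerShell module and that the
# script is run from an elevated (administrator) prompt.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is Defender AV actually the active engine, with real-time protection on
#    and signatures no more than 7 days old? (Installing a third-party AV
#    typically puts Defender AV into passive or disabled mode.)
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender AV is disabled') }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 7) {
    $findings.Add("Signatures are $([int]$sigAge.TotalDays) days old")
}

# 2. Limiting admin privileges: flag every member of the local Administrators
#    group beyond the built-in account (threshold of 1 is an assumption; tune it).
$admins = Get-LocalGroupMember -Group 'Administrators'
if ($admins.Count -gt 1) {
    $names = ($admins | ForEach-Object Name) -join ', '
    $findings.Add("Local Administrators has $($admins.Count) members: $names")
}

# 3. Patching: count applicable updates not yet installed, via the Windows
#    Update Agent COM API (this queries the update source, so it needs network access).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
if ($pending.Count -gt 0) {
    $findings.Add("$($pending.Count) Windows updates are pending installation")
}

# Report: an empty list means the host matches the posture the article describes.
if ($findings.Count -eq 0) {
    'OK: Defender AV active, signatures current, admin group minimal, no pending updates'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it on a representative sample of endpoints before deciding whether the hygiene controls the article recommends are actually in place; a clean Defender status with a bloated Administrators group or months of pending updates undercuts the whole argument.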
Antivirus software has become a commodity product in the past few years, with product differentiation between vendors largely based on management as opposed to security efficacy. Whether signature-based AV or machine learning-based NGAV, ultimately both are best against known and file-based attacks that directly match the data in their signature database or within the training dataset used for the algorithm.
This continuing lack of differentiation between products makes it clear that spending your hard-earned budget on antivirus is increasingly not the best use of that money. Better instead to use a free AV built into the operating system—especially Defender AV for Windows machines—that provides the same or better protection than an expensive third-party product, and to put the money you would have spent on AV toward exploit prevention and memory protection that can block the advanced attacks that regularly bypass endpoint security stacks.