Do you need anti-virus software?

If you’ve even heard about computers, you’ve heard about viruses. And if you’ve heard about viruses, you’ve heard about anti-virus software.

You might pay for some, you might use a free one, or you may not know if you have any at all.

Honestly, in 2023, you almost certainly don’t need to pay for anti-virus software, nor do you even need to use a free 3rd-party one. There’s not much harm in doing that, but you don’t need to.

Your computer has built-in security software, and that’s enough. Here’s why.

The clinical studies are optimistic

The best data we have about viruses comes from a few clinical studies done in 2015 and 2016 by a Montreal researcher and Microsoft. They’re a bit old, but these studies, done on real-world users behaving normally (one study uses telemetry from over 100 million Windows devices), demonstrate 2 important things:

  1. 3rd-party antivirus programs are more than 95% effective (even “99.45%” effective) at removing malware (Lévesque et al., 2016, pp. 12-15; Maimon, 2019; Levesque et al., 2015).

  2. So is Microsoft’s own anti-virus software, Microsoft Defender, built free into every Windows computer. That’s not explicitly studied in this research, but it’s notable that Defender detected things other programs missed; and that jibes with synthetic testing like AV-Test, which consistently rates all anti-virus software highly, including Microsoft’s (Test Antivirus Software for Windows 10 - December 2022, n.d.; Anderson, 2018).

Yeah, it’s happening

These studies also align with other research, new and old, about malware prevalence. And all the research seems to agree:

The only really bad choice is skipping anti-virus software altogether.

These same clinical trials found that 15% of computers—about 1 in 7—encountered malware in 4 months (Lévesque et al., 2016). Without anti-virus software to block the malware, all of those computers would have been infected.

All other sources find comparable rates, describing a steady decline over time. A 2013 study from the same author reports an encounter rate of nearly 40% in 3 months (Lalonde Levesque et al., 2013, p. 25), and a Kaspersky report from 2014 agrees at 38.4% annually (Garnaeva et al., 2014, p. 26). Further reports from Kaspersky, which are still published today, describe a loose decline (Kaspersky Security Bulletin: Overall Statistics for 2017, 2017, p. 4)—to 15.4% in 2021 and 2022 (Kaspersky Security Bulletin 2021 Statistics, 2021, p. 3; Kaspersky Security Bulletin 2022 Statistics, 2022, p. 16). Similarly, Microsoft reported 18% in 2015 and similar numbers in 2017 (Anthe et al., 2015, p. 80; Avena et al., 2017, p. 48), but only 5.1% monthly in 2018 (Agrawal et al., 2019, p. 25). It’s reasonable to estimate that 15-30% of computers—1-in-7 to 1-in-3—encounter malware annually.

And all studies show these numbers can be much higher in some places, beyond even 50% in countries like Pakistan and Indonesia (Anthe et al., 2015, p. 87).

Malware is out there, so it’s good that anti-virus software is effective.

So why don’t I need to buy something?

Specifically, it’s good that built-in anti-virus software is effective. With the data we have—directly from synthetic testing and indirectly from real-world analysis—it seems fair to say that paid, free, and built-in anti-virus software will all protect you equally well.

It’s good because you don’t have to pay for anything—you get good protection for free.

Hassle is a risk

Built-in antivirus might also be good because it’s less hassle.

Data from Microsoft indicates that, for computers with 3rd-party antivirus, more than 10% of computers had expired, out-of-date, snoozed, or no antivirus protection in 2013 and 2014 (Batchelder et al., 2014, pp. 22-25; Levesque et al., 2015, p. 104). It can be hard to keep 3rd-party software up-to-date, and outdated antivirus is almost as bad as none at all (Batchelder et al., 2014, pp. 25, 27).

3rd-party antivirus is just another subscription to remember to pay for, and, in my subjective experience, it can be more annoying to remove old anti-virus software than to remove actual viruses.
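To see whether a Windows machine is in one of the states described above (disabled, snoozed, or out of date), the following PowerShell check can be run locally. It is an added example, not part of the original article; the `$MaxSignatureAgeDays` threshold and the `productState` bit decoding are assumptions, as noted in the comments.

```powershell
# Added example, not from the article. $MaxSignatureAgeDays is an assumed threshold.
$MaxSignatureAgeDays = 3
$report = @()

# 1. Every antivirus product registered with Windows Security Center
#    (client editions of Windows only; the namespace is absent on Server).
#    The productState bit meanings are a widely used community convention,
#    not documented by Microsoft, so treat the decoded columns as best-effort.
try {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName AntiVirusProduct -ErrorAction Stop
    foreach ($p in $products) {
        $report += [pscustomobject]@{
            Product  = $p.displayName
            Enabled  = [bool]($p.productState -band 0x1000)
            UpToDate = -not [bool]($p.productState -band 0x0010)
            Detail   = 'productState=0x{0:X6}' -f $p.productState
        }
    }
} catch {
    Write-Warning "Security Center query failed: $($_.Exception.Message)"
}

# 2. Built-in Microsoft Defender, queried directly. This can fail or report
#    real-time protection off when a 3rd-party product has taken over.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report += [pscustomobject]@{
        Product  = 'Microsoft Defender (Get-MpComputerStatus)'
        Enabled  = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
        UpToDate = $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays
        Detail   = "signatures $($mp.AntivirusSignatureAge) day(s) old"
    }
} catch {
    Write-Warning "Defender query failed: $($_.Exception.Message)"
}

$report | Format-Table -AutoSize

# 3. The risky case from the Microsoft data: nothing is both on and current.
if (-not ($report | Where-Object { $_.Enabled -and $_.UpToDate })) {
    Write-Warning 'No antivirus product is both enabled and up to date.'
}
```

A machine with an expired 3rd-party subscription typically shows that product as registered but not up to date, while Defender reports real-time protection off.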

The scarier risks

Plus, there are the other more newsworthy risks to 3rd-party antivirus:

But, honestly, I’m not sure any of these risks are super impactful. Kaspersky might be controlled by the Russian government, but in practice you’ll get a virus because you forgot to pay them and your subscription expired—not because the FSB installed one.

They’re just further reasons to avoid the hassle and stick with the built-in stuff.

When did this change?

This conclusion is probably a bit jarring. You’ve probably gotten a virus before and remember dealing with it, so this new advice—that you don’t need to pay for anti-virus software—is probably odd. Why do you not need it? Did something change?

Yes. Anti-virus software came into a lawless world, where people desperately needed protection. In 2004, a new Windows XP computer would catch malware within 20 minutes of just connecting to the Internet (Granneman, 2004; Ullrich et al., 2003; Ullrich et al., 2003; OgdruJahad, 2018)—an encounter rate and infection rate of 100%.

And for a while, Microsoft was really slow to respond. Windows XP Service Pack 2 and Windows 7 fixed many of the glaring security vulnerabilities XP had (Fendley, 2005), but even then a new Windows computer wouldn’t be well-equipped to deal with new threats. By Microsoft’s own data, it took until late 2015 for Windows’ built-in tools to start matching third-party anti-virus software (Anderson, 2018).

But now the world is different. As described above, Microsoft did their job—Defender is a great defense against viruses. And we now know from experience how difficult it is to keep 3rd-party software up-to-date.

In other words, even if paying for 3rd-party anti-virus software was useful at one point, it’s not necessary today.

iOS, Android, Mac, and Linux

But let’s talk about Macs, Linux, smartphones, and IoT devices. Interestingly, we have very little data about them.

All of these devices can get viruses—there’s nothing inherent to them that would prevent it. So are they safe?

We don’t have much publicly available, holistic data about malware infections on Macs. Nor for Linux machines, iPhones, your new Google Pixel, or your smart lightbulb. Kaspersky found that about 5% of its American Mac users encountered malicious software of any kind in 2021, but noted that most of the top 10 attacks were adware, not malware (Kaspersky Security Bulletin 2021 Statistics, 2021, pp. 12-13). A similar report found a 2% encounter rate on Android devices, dominated by “RiskTools” (programs that can be used maliciously), adware, and trojans (Shishkova, 2021).

These numbers illustrate a few key points:

I don’t know for sure, but that might be what we discussed in “Will I even be hacked?”—hackers want money. And on these new platforms, it’s probably easier to make money by showing ads than by stealing bank information. Windows, with its non-adware viruses, might be just a vestige of the past.

But I imagine that in a few years Android will have a security push, just like Windows did in 2015. And you might want anti-virus software while you wait.

Conclusion

And so it all comes together: malware is almost entirely a Windows-specific problem, and Windows has a great built-in solution.

Computers across the globe still encounter malware, but Microsoft Defender does a great job protecting against it, without the hassle of a 3rd-party subscription.

It’s worth looking to the emerging markets, like Android (and maybe iOS), or paying extra attention if you live in a high-risk country (like Pakistan and Indonesia), but even so I would invest my money elsewhere, like using an automated backup service.

If you want to keep your device safe, I would recommend these steps instead:

Why? Well, in 2017, the huge WannaCry ransomware attack had 2 noteworthy features:

Both automatic updates and a good backup would have protected you completely. And they’re both cheaper than buying anti-virus software.