We set out to do a standard Wirecutter guide to the best antivirus app, so we spent months researching software, reading reports from independent testing labs and institutions, and consulting experts on safe computing. And after all that, we learned that most people should neither pay for a traditional antivirus suite, such as McAfee, Norton, or Kaspersky, nor use free programs like Avira, Avast, or AVG. The “best antivirus” for most people to buy, it turns out, is nothing. Windows Defender, Microsoft’s built-in tool, is good enough for most people.

We spent dozens of hours reading results from independent labs like AV-Test and AV-Comparatives, feature articles from many publications such as Ars Technica and PCMag, and white papers and releases from institutions and groups like Usenix and Google’s Project Zero. We also read up on the viruses, ransomware, spyware, and other malware of recent years to learn what threats try to get onto most people’s computers today.

Over the years, we’ve also spoken with security experts, IT professionals, and the information security team of The New York Times (Wirecutter’s parent company) to filter out the noise of the typical antivirus table-tennis headlines: Antivirus is increasingly useless, no, actually it’s still pretty handy, no, antivirus is unnecessary, wait, no, it isn’t, and so on.

Although in any category we usually test all the products we’re considering, we can’t test the performance of antivirus suites any better than the experts at independent test labs already do, so we relied on their expertise.

But ultimately, relying on any one app to protect your system, data, and privacy is a bad bet, especially when almost every antivirus app has proven vulnerable on occasion. No antivirus tool, paid or free, can catch every malicious bit of software that arrives on your computer. You also need secure passwords, two-factor logins, data encryption, systemwide backups, automatic software updates, and smart privacy tools added to your browser. You need to be mindful of what you download and to download software only from official sources, such as the Microsoft App Store and Apple Mac App Store, whenever possible. You should avoid downloading and opening email attachments unless you know what they are. For guidance, check out our full guide to setting up all these security layers.

Why we don’t recommend a traditional antivirus suite

It's insufficient for a security app to just protect against a single set of known “viruses.” There is a potentially infinite number of malware variations that have been crypted—encoded to look like regular, trusted programs—and that deliver their system-breaking goods once opened. Although antivirus firms constantly update their detection systems to outwit crypting services, they’ll never be able to keep up with malware makers intent on getting through.

A quick terminology primer: The word malware just means “bad software” and encompasses anything that runs on your computer with unintended and usually harmful consequences. In contrast, antivirus is an out-of-date term that software makers still use because viruses, Trojan horses, and worms were huge, attention-getting threats in the 1990s and early 2000s. Technically, all viruses are a kind of malware, but not all pieces of malware are viruses.

So why shouldn’t you install a full antivirus suite from a known brand, just to be on the safe side? For many good reasons:

For these reasons, we don’t recommend that most people spend the time or the money to add traditional antivirus software to their personal computer.

Two caveats to our recommendation:

If you have a laptop provided by your work, school, or another organization, and it has antivirus or other security tools installed, do not uninstall them. Organizations have systemwide security needs and threat models that differ from those of personal computers, and they have to account for varying levels of technical aptitude and safe habits among their staff. Do not make your IT department’s hard job even more difficult.

People with sensitive data to protect (medical, financial, or otherwise), or with browsing habits that take them into riskier parts of the Internet, have unique threats to consider. Our security and habit recommendations are still a good starting point, but such situations may call for more intense measures than we cover here.

Windows Defender is mostly good enough

If you use Windows 10, you already have a robust antivirus and anti-malware app—Windows Defender—installed and enabled by default. The AV-Test Institute’s independent testing gave Windows Defender a recommendation in December 2019, and a nearly perfect rating in performance.

Because Windows Defender is a default app for Windows 10, by the same company that makes the operating system, it doesn’t have to upsell you or nag you about subscriptions, and it doesn’t need the same kind of certificate trickery to provide deeply rooted protection for your system. It doesn’t install browser extensions or plug-ins for other apps without asking. Windows Defender does have the problem of being the default detection app that malware makers first attempt to work around. But having layers of security and good habits—especially sticking to official app stores and not downloading questionable free versions of things you should pay for, as we cover in another blog post—should keep you safe from the worst kind of Defender-defeating malware.

AV-Test dinged Windows Defender in protection back in September 2019 due to its failure to catch some zero-day malware attacks. Windows Defender rebounded in AV-Test’s December tests, fixing those real-world testing issues and catching 100 percent of the attacks. In any case, Windows Defender routinely performs as well in lab tests as any paid third-party antivirus software, and when a major vulnerability was discovered in Windows Defender in May 2017, Microsoft was remarkably fast with the fix—from a Friday-night disclosure to a Monday-evening patch.

No antivirus software consistently receives perfect scores from every test lab, every month, in every test, but Windows Defender typically does as well as (or better than) the competition, it’s free, and it’s enabled by default.

Why Macs don’t need traditional antivirus

Due to a combination of demographics, historical precedent, and tighter controls, Macs have historically been less vulnerable to infection than Windows computers:

People have far fewer Macs than Windows computers: Over the past year, 17 percent of Web-browsing desktop computers ran macOS, compared with about 78 percent for all Windows versions combined, so macOS is a less lucrative target for parties making malware.

Macs include a wider variety of useful first-party apps by default, and both macOS and downloaded apps receive updates through Apple’s own App Store. Windows PC owners are more accustomed to downloading both software and hardware drivers from the Internet, as well as providing permissions to third-party apps, which are more likely to be malicious.

Newer versions of Windows must make concessions to allow apps made for older versions of Windows to run, creating a complicated set of legacy systems to secure. In contrast, macOS has seen less change since the introduction of OS X, and Apple has been less hesitant to render apps made for older versions obsolete. In fact, with the introduction of macOS Catalina in 2019, the company rendered older 32-bit apps useless.

Catalina also adds security features that make running malicious software difficult, including requiring apps to request a variety of permissions, such as access to files, microphones, cameras, and other services, as you install them. This makes it pretty difficult to install something you don’t mean to.

This is not to say Macs lack any vulnerabilities. Mac owners who install a bad browser extension are just as vulnerable as Windows or Linux users. The Flashback malware exploited a Java vulnerability and tricked more than 500,000 Mac users in 2012, affecting about 2 percent of all Macs. We’ve also seen some reports that Mac malware is growing, but the built-in security protections of macOS mean it’s typically more of a nuisance, like annoying adware, than a real problem.

You should still practice safe computing on a Mac and install applications only from the official Mac App Store. Browser extensions can also be problematic, so install only thoroughly vetted extensions that you really need.

Most people don’t need added protection

If you spend a lot of time in sketchier corners of the Internet, or if you think you may have already downloaded malicious software that Windows Defender didn’t catch, we’ve found that Malwarebytes is mostly unintrusive and can identify malware that Windows Defender may have missed, or malware that has made its way onto a Mac. But the paid version is not necessary for most people.

Malwarebytes can detect certain kinds of zero-day exploits that Windows Defender may miss, which means the two programs running in tandem can work well together (provided that you set it up correctly). The premium version adds live scanning of downloads, which is useful if you download a lot of software or email attachments, but at $40 per year it’s an expensive proposition for protection against something most people don’t do often. For most everyone else, you can run the free version of Malwarebytes and use it to manually scan your system when you think you’ve possibly downloaded malware.

The best protection is layers and good habits

The idea that any one app could be universally aware of and protect against all threats is ludicrous. As security journalist Brian Krebs writes, antivirus “is probably the most overstated tool in any security toolbox.” Antivirus can certainly catch unwanted programs and protect your system, but it’s not enough on its own. We’ve written a guide to the best layers of security and good habits for anyone who uses a computer.