Is paying for antivirus a waste of money?

Commentary: It's been a long time since anti-malware suites have found anything on my computers. Maybe the Windows Defender that comes with Windows 10 is good enough?

I always run an anti-malware security suite on my PC. Over the years I've made a point of running a variety of products.

At least for many years, perhaps more than ten, they've found no malware on my computers. None.

Perhaps I'm a more sophisticated user and I'm less likely to be taken off guard, but that can't be the whole answer. By the same token of expertise I take certain risks with dangerous files and sites that I would urge others to avoid like the plague.

But now comes news that could change the calculus: Independent test lab AV-Test's December tests of Business security suites on Windows 10 showed marked improvement for Microsoft's anti-malware engine, the one that comes free for Windows 10 users as Windows Defender. This program used to be limited to "antispyware," a strange and purposeless distinction from malware generally.

Microsoft has long had a free anti-malware product, Microsoft Security Essentials, for users to run on earlier versions of Windows, and it has always been used as a baseline in AV-Test rankings because it was so reliably at the bottom of the pack. Microsoft is also working to improve its protection by adding a cloud-based retrospective analysis service to detect breaches that have slipped through.

The results are for System Center Endpoint Protection which is its managed solution. The user experience is different, but the engine is the same and the AV-Test results should be closely comparable to tests on Microsoft's consumer product at the same time (November and December).

It's definitely not at the top and it's definitely not "industry-leading," but is it good enough? What do you really get from paying for the full AV subscription? The answer is complicated.

Because AV-Test has always shown BitDefender to have very high quality products, I decided to ask them for a response. I spoke with Bogdan Botezatu, senior e-threat analyst at BitDefender.

While trying hard not to bad-mouth a competitor, he pointed out that for all its improvement, Microsoft's engine and updates are still behind the leaders of the pack.

Until the recent results they were bad, but better than nothing and Botezatu is right about their place in the market. It's not an official position, but I've always assumed that Microsoft was intentionally trying not to use its free anti-malware to compete with the commercial products because its position with Windows would make that an unfair fight, something for which it has gotten in just a little bit of trouble in the past.

So Botezatu is right that if you want the best protection, Microsoft doesn't give it to you. It's reasonable to believe that it's still not trying to, but by improving its product it prods the rest of the industry to do so, although it's already a highly competitive industry, one of the most for non-free client-based software.

A better point is that the better commercial products like BitDefender's include a Host Intrusion Prevention Service (HIPS) which scans system behavior, including all traffic going to and from the Internet, for threats. If a threat gets through the file scanning it may still be detected by suspicious behavior. I haven't seen any of these detections either, but this is where I can reasonably say that while I might be willing to download malicious files for analysis, I'm not going to execute them (except maybe in a test VM).

Many of the good commercial products also maintain reputation systems for Internet sites and files and block or warn the user when a suspicious one is encountered, and I have seen these warnings, most recently from Norton. Most of the time I've considered the warnings false positives and skipped around them, but for the average user perhaps it wasn't too paranoid.

I should note that my anti-malware products all do find and remove tracking cookies, a "threat" I personally don't find all that threatening. I suspect they are aggressive with these cookies so they can be seen to be protecting the user.

Another factor is the advances in recent years in Windows and the major browsers. Windows and IE have their own reputation service called SmartScreen for sites and files, the latter on Windows 8 and later. Google has a Safe Browsing API that checks links against a blacklist. Google Chrome, Microsoft IE and Edge and Mozilla's Firefox all spend a lot of time scrutinizing web code looking for common attacks and use techniques like ASLR which, while imperfect, make the job of the attacker much harder.

Ransom malware costs $18 million in losses, says FBI

The FBI says the file-encrypting malware can cost individuals anywhere between $200 and $10,000 each time.

Read More

Ironically, this technological approach is becoming less relevant in recent years, as the initial vector for attacks is increasingly one of pure social engineering. Botezatu says that at their own offices they have been receiving a barrage of malicious Office documents posing as invoices in emails to back office staff. I suspect that this sort of attack is the main way ransomware, such as that which recently held a California hospital hostage, gets into systems. Security products can try to eliminate the human factor, but those pesky humans keep finding new ways to let the barbarians past the gates.

Botezatu also argued for the other security features that come with modern suites, like anti-spam and even password managers. There is something to this. BitDefender's Wallet password manager is a Windows-only product but others, like Norton Identity Safe, are available on Windows, Mac, iOS and Android. I can't say how it compares to standalone password managers but, as they say about Windows Defender, it's certainly better than nothing. As for antispam, it's not a topic I've thought of for a while. I assume most people are using a mail service like Gmail that does a pretty good job of blocking spam.

So are the paid suites worth the money? Looking at all these facts, I'm unclear. If I'm only concerned about the scanning engine then I might go with a free product from the likes of AVG or Avira or BitDefender. If you really have a problem with the money then this is definitely your best option. But the full suites usually work out to less than $20 per year per device. That's just not that much. If I'm not sure then I'm not comfortable switching to a solution that everyone agrees is inferior.

It's like a motorcycle helmet. Lots of people don't wear them and never have a problem. Some people wear them and still get in fatal accidents. But it can make a big difference. If a real threat comes my way and the anti-malware stops it then it has definitely paid for itself.