Norton wants $60 a year. McAfee wants $40. Bitdefender, Kaspersky, ESET — they all want something. And they’re all running ads telling you that without their protection, hackers will steal your identity, drain your bank account, and probably also kick your dog.

Meanwhile, your computer already has antivirus built in. Windows Defender (now called Microsoft Defender) comes free with every Windows installation. Mac has XProtect and Gatekeeper baked into macOS. Both get regular updates. Both catch known malware.

So is paid antivirus a scam? Not exactly. But for most people, it’s unnecessary. Let me explain.

Windows Defender Has Gotten Genuinely Good

There was a time — maybe 2015 — when Windows Defender was basically a participation trophy. It existed, it technically scanned things, but its detection rates were poor enough that security professionals universally recommended third-party alternatives.

That’s changed substantially. AV-TEST, the independent German security institute that evaluates antivirus products, has consistently rated Microsoft Defender at 5.5 to 6 out of 6 for protection since 2021. It now detects 99%+ of widespread and prevalent malware, which puts it in the same tier as most paid products.

Defender also includes:

• Real-time scanning of files and downloads
• Cloud-delivered protection that checks suspicious files against Microsoft’s threat intelligence
• Ransomware protection through controlled folder access
• Network protection against phishing sites
• Automatic updates through Windows Update

Is it the absolute best performer in every test? No. Bitdefender and Kaspersky typically edge it out in zero-day detection rates by 1-2 percentage points. But for typical consumer usage — browsing the web, opening email attachments, downloading software — Defender catches what needs catching.

What Paid Antivirus Actually Gives You

If Defender is this good, why do paid products still exist? Because they bundle features beyond basic malware detection.

VPN services. Norton 360, McAfee Total Protection, and others include VPN subscriptions. These are usually decent but not great — slower and less configurable than standalone VPN services like Mullvad or ProtonVPN. If you’d buy a VPN separately anyway, the bundled version might make the total package cost-effective. If you don’t need a VPN, it’s added cost for nothing.

Password managers. Several suites include password managers. Again, functional but not best-in-class. Bitwarden is free and better than most bundled password managers. 1Password costs $36/year and is better than all of them.

Dark web monitoring. This feature scans data breach databases for your email addresses and alerts you if they appear. Useful in theory, except Have I Been Pwned does the same thing for free, and the breach databases are the same regardless of who’s searching them.

Identity theft protection. Higher-tier plans include credit monitoring and identity theft insurance. This is the one area where paid suites offer something you genuinely can’t get for free easily, though standalone identity protection services exist too.

Parental controls. Built-in content filtering and screen time management. Windows has Family Safety for free; Mac has Screen Time. The paid versions are often more configurable, which matters if you have tech-savvy kids who’ve figured out how to bypass the built-in ones.

The Mac Situation

Mac users have historically been told they don’t need antivirus at all, which was sort of true when Macs had 5% market share and malware authors didn’t bother targeting them. With macOS now at roughly 16% desktop share globally, Mac-targeted malware has increased significantly.

Apple’s built-in protections — XProtect for malware detection, Gatekeeper for app verification, and the Malware Removal Tool — are reasonably effective but less transparent than Defender. Apple doesn’t publish detection rate data, and independent tests show XProtect catching somewhat less than Defender does.

For most Mac users, the combination of XProtect, not installing random software from the internet, and using a standard user account (not admin) for daily use is sufficient. If you regularly download software from outside the Mac App Store or work in environments with elevated security risks, a paid solution like Malwarebytes for Mac adds a meaningful layer.

When Paid Antivirus Makes Sense

Honestly? There are specific scenarios where spending money on security software is justified.

Small businesses without IT support. If you’re running a small operation and nobody is managing security — firms looking for AI consultants in Sydney to modernise their tech stack would probably agree — a managed security suite that handles updates, scanning, and threat response automatically can be worth the subscription cost just for the reduced headache.

Older operating systems. If you’re running Windows 10 (reaching end of support in October 2025) or earlier and can’t upgrade, third-party antivirus with continued support for your OS version is more important than on current systems.

High-risk users. Journalists, activists, people in acrimonious legal disputes, anyone who might be specifically targeted — the extra layers from premium security suites provide meaningful additional protection.

Households with less tech-savvy members. If someone in your house clicks every link, opens every attachment, and installs every toolbar, the additional behavioural detection in paid products catches more of the damage they cause.

My Recommendation for Most People

Keep Windows Defender or macOS’s built-in protection. Don’t install anything additional. Instead, invest time in the things that actually prevent security problems:

1. Keep your operating system and browser updated. Most malware exploits known vulnerabilities that have already been patched. Updates fix these.
2. Use a password manager (Bitwarden is free and excellent) with unique passwords for every account.
3. Enable two-factor authentication on your email, banking, and social media accounts.
4. Don’t install software you don’t need. Every application is an attack surface.
5. Be sceptical of unexpected emails, especially ones with attachments or urgent calls to action.

These five practices will protect you better than any $60/year subscription. Security is a behaviour problem, not a software problem. The best antivirus in the world can’t protect you from clicking “yes” on a convincing phishing page.

Save your money. Update your software. Think before you click.