TGM-112 Active

Good Enough Is Great: Modern Antivirus Best Practices for Windows

Issued
April 15, 2026
Effective
April 15, 2026
Category
Security
Author
Rebecca Murphy

For most of the last twenty years, the standard advice for any new Windows computer was simple: the first thing you do is buy antivirus software. Norton, McAfee, Kaspersky, Trend Micro — pick one, pay your annual subscription, and sleep a little better at night. That advice is now out of date. The antivirus that ships with Windows, Microsoft Defender, has quietly become one of the best products on the market, and the case for paying a third party has weakened considerably. This memo explains what changed, why "more antivirus" is often worse than "less antivirus," and what a small business owner should actually do to protect a fleet of Windows computers in 2026.

The quiet rise of Microsoft Defender

It is easy to forget how bad Microsoft's first attempts at antivirus were. When Security Essentials launched in 2009 and was folded into Windows 8 as Defender in 2012, independent test labs routinely scored it at the bottom of the pack — sometimes catching only half the threats that paid competitors caught. Security professionals treated it as a placeholder, something to tolerate until you installed a "real" antivirus.

That changed gradually, then suddenly. Microsoft poured a decade of investment into the product: cloud-based threat intelligence, machine learning models trained on the telemetry of more than a billion Windows devices, and integration with the operating system at a depth no third party can match. By 2021, Gartner named Microsoft a Leader in its Endpoint Protection Platforms Magic Quadrant — the industry equivalent of being inducted into the hall of fame. Today, AV-TEST — the German lab that has been the industry's most respected independent reviewer for two decades — gives Defender a perfect 18 out of 18 score in nearly every monthly test, matching Norton, Bitdefender, and Kaspersky (AV-TEST, n.d.). AV-Comparatives, the Austrian lab, awards Defender its highest "Advanced+" rating and recently certified that it blocks 100% of attempts to tamper with or disable itself (AV-Comparatives, 2025). In MITRE's rigorous ATT&CK evaluations — which simulate the techniques of real nation-state attackers — Microsoft has achieved 100% technique-level detection for six consecutive years, with zero false positives (MITRE Engenuity, 2024).

The expert consensus has shifted accordingly. Wirecutter, which has reviewed antivirus software for The New York Times since 2017, now flatly recommends against buying third-party antivirus for most people: "Most people should neither pay for a traditional antivirus suite, such as McAfee, Norton, or Kaspersky, nor use free programs like Avira, Avast, or AVG" (Purdy, 2024). The bouncer at your front door used to be a bored teenager. Microsoft spent a decade replacing him with a trained professional, and you've already paid for him as part of your Windows license.

Why stacking antivirus programs makes things worse

A natural reaction to security advice is to want more of it. If one antivirus is good, two must be better, right? In practice, this is one of the most common and most damaging mistakes a small business can make. The federal government's authoritative guide on the topic, NIST Special Publication 800-83, warns explicitly that "running multiple antivirus products on a single host simultaneously is likely to cause conflicts between the products" and recommends against it (Souppaya & Scarfone, 2013).

The reasons are technical but the analogy is intuitive: antivirus software works by burrowing deep into the operating system, intercepting every file that opens, every program that runs, and every network connection that's made. Windows was designed with the assumption that one program would be doing this at a time. When two are doing it simultaneously, they collide. They scan each other's quarantine folders. They flag each other's behavior as suspicious. They compete for the same files at the same moment, causing your computer to slow to a crawl or freeze entirely. It's like hiring two security guards who don't know about each other — they spend all their time investigating each other instead of watching the door, and occasionally they tackle a legitimate employee in the crossfire.

The problem extends beyond performance. Every additional piece of security software you install becomes another door an attacker can pry open — which brings us to the most uncomfortable part of this conversation.

The dirty secret of third-party antivirus

For a product that exists to protect you from software vulnerabilities, antivirus has a remarkably bad track record of containing software vulnerabilities itself. Between 2014 and 2017, Tavis Ormandy, a researcher at Google's elite Project Zero security team, systematically audited the major commercial antivirus products. What he found was alarming. In Symantec/Norton, he discovered "wormable" flaws — bugs so severe that an attacker could compromise a computer just by emailing the user a file, without the user even opening it. "These vulnerabilities are as bad as it gets," Ormandy wrote. "An attacker could easily compromise an entire enterprise fleet using a vulnerability like this" (Ormandy, 2016). He found similar critical flaws in Kaspersky, Trend Micro, Avast, Sophos, ESET, and others.

The reason antivirus is uniquely dangerous when it has bugs is that antivirus runs at the highest privilege level the operating system offers. To do its job, it has to read every file, parse every format, and intercept every network packet — which means a flaw in the antivirus gives an attacker the same total access. The fox is not just guarding the henhouse; the fox has the master key to every henhouse on the property.

A 2017 study by researchers at the University of Michigan, UC Berkeley, Mozilla, Google, and Cloudflare examined how antivirus products handle encrypted web traffic, the HTTPS connections that protect your banking and email. They found that of twenty antivirus products tested, eighteen actually weakened the security of those connections, and half introduced severe new vulnerabilities (Durumeric et al., 2017). The Cybersecurity and Infrastructure Security Agency issued an alert the same year warning that "many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data," exposing users to man-in-the-middle attacks (CISA, 2017). The antivirus, in other words, was acting like a security guard who insisted on opening all your sealed mail before delivering it — and whose seals were weaker than the originals.

Privacy is the other shoe. In 2024, the Federal Trade Commission fined Avast $16.5 million and banned it from selling browsing data after finding that the company had spent years secretly harvesting and selling its customers' web browsing histories — every site visited, every search performed — to more than a hundred third parties through a subsidiary called Jumpshot. "Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite," the FTC director said (Federal Trade Commission, 2024). The same year, the U.S. Department of Commerce fully prohibited the sale of Kaspersky software in the United States, citing national security risks tied to the Russian government that "could not be addressed through mitigation measures short of a total prohibition" (Bureau of Industry and Security, 2024). None of this means every third-party antivirus is malicious. But it does mean that installing one is a decision with real costs — not a free upgrade.

Antivirus is not a strategy

Even if you have the best antivirus in the world running perfectly, you are not secure. This is the single most important shift in security thinking over the last decade, and it's the one most small business owners have not absorbed. Modern attackers increasingly don't need malware at all. According to CrowdStrike's 2025 Global Threat Report, 79% of detected attacks in 2024 involved no malware whatsoever — attackers used stolen passwords, legitimate system tools, and social engineering to walk in through the front door. Antivirus is designed to catch malicious files. It cannot catch a thief who has your house key.

The professional response to this reality is called defense in depth, a concept the National Security Agency borrowed from military strategy. The idea is that no single security control is sufficient, so you build overlapping layers — if one fails, others catch the threat. Think of your business like a building. Antivirus is the front-door lock. Important, but on its own it stops only the most casual threats. A serious security posture also includes well-lit entrances (visibility into what's happening on your systems), employee badges that only open the doors each person actually needs (least privilege), keeping the building in good repair (patching), an alarm system (monitoring), and insurance with a fireproof safe for your records (backups).

The single highest-leverage thing you can do, after enabling Defender, is keep your software updated. CISA's analysis of major breaches consistently finds that more than 80% of successful attacks exploit vulnerabilities for which a patch had been available for over a year (CISA, n.d.-c). Updates are tedious; they interrupt your day; they sometimes break things. They are also the closest thing to a free lunch in security. Turn on automatic updates for Windows, your browsers, and your business applications, and accept the occasional inconvenience as the price of admission.

The second highest-leverage practice is to stop running your computer as an administrator for daily work. Windows lets you create standard user accounts that can do everything you actually need — open email, browse the web, edit documents — but cannot install software or modify system files without explicit permission. Day-to-day use of an administrator account means that any malware you accidentally invite in inherits your god-mode privileges. CISA's small business guidance is unambiguous on this: "Remove administrator privileges from user laptops" (CISA, n.d.-b). NIST formalizes this as the principle of least privilege — the idea that every user and program should have only the access they actually need (Joint CISA, NSA, FBI, 2022). Running as administrator every day is like leaving the master key in every door of your office building. Standard accounts give each employee only the keys they need.
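As an added example (not part of the memo and not Microsoft's own tooling), the PowerShell below shows how to check whether the current session is elevated, list who holds local administrator rights, and demote a daily-use account to a standard user. It uses only the built-in LocalAccounts cmdlets on Windows 10/11 and must be run from an elevated window; the account name `jsmith` at the end is a placeholder, not a real account.

```powershell
# Added example (not from the memo): audit local administrator rights and
# demote a daily-use account to a standard user. Run elevated on Windows 10/11.

function Test-RunningAsAdmin {
    # True if this PowerShell session is running with administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdmins {
    # Every member of the local Administrators group. On a small-business PC this
    # should be the built-in Administrator plus one named break-glass account.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function ConvertTo-StandardUser {
    # Move an account from Administrators to Users. The account and its files are
    # kept; UAC will now ask for an admin password when it tries to install software.
    param([Parameter(Mandatory)][string]$UserName)

    $isAdmin = @(Get-LocalAdmins | Where-Object Name -like "*\$UserName").Count -gt 0
    if (-not $isAdmin) {
        Write-Host "$UserName is already a standard user"
        return
    }
    # Never remove the last local administrator: that locks you out of the machine.
    $userAdmins = @(Get-LocalAdmins | Where-Object ObjectClass -eq 'User')
    if ($userAdmins.Count -le 1) {
        throw "Refusing to remove the last local administrator ($UserName)"
    }
    Remove-LocalGroupMember -Group 'Administrators' -Member $UserName
    # Usually already a member of Users; ignore the error if so.
    Add-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue
    Write-Host "$UserName is now a standard user"
}

Write-Host "Current session is elevated: $(Test-RunningAsAdmin)"
Write-Host "Members of local Administrators:"
Get-LocalAdmins | Format-Table -AutoSize

# Placeholder account name: demote the daily-use account once a separate
# administrator account exists for installs and maintenance.
# ConvertTo-StandardUser -UserName 'jsmith'
```

The last-administrator guard is the part worth keeping: on a standalone machine, removing the only admin leaves no one able to approve the UAC prompt. Create the dedicated admin account first, confirm it can log in, and only then demote the everyday account.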

The third pillar is multi-factor authentication, often called MFA or 2FA. A password alone is a single house key — if someone copies it (and the IBM Cost of a Data Breach Report finds that compromised credentials are involved in roughly 80% of breaches), they walk right in. MFA adds a second check, like a doorbell camera that asks "is that really you?" before unlocking. Even when an attacker has your password, they can't get past the second factor without your phone confirming. CISA states bluntly that "users who enable MFA are significantly less likely to get hacked" (CISA, n.d.-d), and the agency's preferred order, from best to worst, is: hardware security keys (FIDO/WebAuthn), authenticator apps with number matching, SMS text codes, and finally — far behind — no MFA at all. Enable it everywhere it's offered, starting with email and banking.

The fourth pillar is backups, and the standard CISA endorses is the 3-2-1 rule: three copies of your important data, on two different types of storage, with one copy stored offsite (CISA, n.d.-e). Backups are your fire insurance. They don't prevent the fire; they mean you can rebuild after one. With ransomware now figuring into 44% of investigated breaches per the Verizon Data Breach Investigations Report, backups have moved from "nice to have" to "the difference between a bad week and a closed business."

Configuring Defender properly

Defender's defaults are good, but a few settings are worth verifying. Open Windows Security from the Start menu. Every section should show a green checkmark; if anything shows yellow or red, address it before doing anything else. Under Virus & threat protection → Manage settings, confirm that Real-time protection, Cloud-delivered protection, and Tamper Protection are all on. Cloud-delivered protection is particularly important — it allows Defender to check unfamiliar files against Microsoft's threat intelligence in milliseconds, often blocking brand-new malware that no traditional signature would catch. Tamper Protection prevents malware (or a confused user) from disabling Defender, even with administrator access. Leave it on permanently.

Under Firewall & network protection, confirm the firewall is enabled for all three network types (Domain, Private, and Public). Under App & browser control, confirm all SmartScreen settings are on — this is Defender's reputation-based protection that blocks known phishing sites and dangerous downloads, particularly effective in the Edge browser.

The one feature worth manually enabling is Controlled Folder Access, found under Virus & threat protection → Ransomware protection. This is Defender's purpose-built anti-ransomware feature, and it is off by default because it requires some setup. When enabled, only programs Microsoft trusts (or programs you specifically approve) can modify files in your protected folders — Documents, Pictures, and so on. Think of it as putting your most important file cabinets in a locked room: even if a burglar gets into your office, they can't get into that room. Expect to spend the first week or two approving legitimate applications that try to save files there, but the protection against ransomware is worth the friction.

Periodic scanning matters less than it used to. With real-time and cloud protection both active, Defender catches threats as they appear; the value of a weekly full scan is mostly peace of mind. A monthly full scan is reasonable. If you ever suspect something has slipped through — unusual computer behavior, unexpected pop-ups, sudden slowness — a useful "second opinion" is the free version of Malwarebytes, which is designed to coexist with another antivirus because it only runs when you launch it manually (no real-time protection in the free version). Microsoft's own free Safety Scanner and the ESET Online Scanner serve the same role. The rule to remember: never run two real-time antiviruses, but on-demand scanners are fine and occasionally useful.
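The checks the preceding section asks you to make by hand can be scripted. The following PowerShell is an added example, not code from the memo or from Microsoft; it uses the built-in Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`, `Set-MpPreference`, `Add-MpPreference`, `Start-MpScan`) and `Get-NetFirewallProfile`, and must be run from an elevated window on Windows 10/11. Two caveats it encodes: Tamper Protection cannot be switched on from PowerShell, so it is only reported, and Controlled Folder Access is first put into AuditMode (a step the memo does not mention) so you can see which legitimate applications would have been blocked before enforcing it. SmartScreen settings are not covered here; confirm those in the Windows Security app. The application path near the end is a placeholder.

```powershell
# Added example (not from the memo): audit the Defender settings the memo says to
# verify, then stage Controlled Folder Access. Run elevated on Windows 10/11.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# One row per setting: Name and whether it passes.
# MAPSReporting 2 = Advanced cloud-delivered protection.
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$checks = @(
    @{ Name = 'Antivirus engine running';   Pass = $status.AMServiceEnabled -and $status.AntivirusEnabled }
    @{ Name = 'Real-time protection on';    Pass = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring }
    @{ Name = 'Cloud-delivered protection'; Pass = $pref.MAPSReporting -eq 2 }
    @{ Name = 'Tamper Protection on';       Pass = $status.IsTamperProtected }
    @{ Name = 'Signatures under 3 days old'; Pass = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays -lt 3 }
    @{ Name = 'Controlled Folder Access enforced'; Pass = $pref.EnableControlledFolderAccess -eq 1 }
)

# The firewall must be on for all three profiles: Domain, Private, Public.
foreach ($fw in Get-NetFirewallProfile) {
    $checks += @{ Name = "Firewall enabled ($($fw.Name))"; Pass = ($fw.Enabled -eq 'True') }
}

foreach ($c in $checks) {
    $mark = if ($c.Pass) { 'OK  ' } else { 'FIX ' }
    Write-Host "$mark $($c.Name)"
}

# Stage Controlled Folder Access. In AuditMode nothing is blocked, but Defender
# writes event ID 1124 (Microsoft-Windows-Windows Defender/Operational log) for
# each write that Enabled mode would have stopped, so legitimate apps can be
# approved before enforcement.
if ($pref.EnableControlledFolderAccess -eq 0) {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Write-Host 'Controlled Folder Access set to AuditMode; review event ID 1124 for a week or two.'
}

# Approve a legitimate application seen in the audit events (placeholder path):
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\YourApp.exe'

# Once the audit period is clean, enforce it:
# Set-MpPreference -EnableControlledFolderAccess Enabled

# Monthly full scan, as the memo suggests (runs in the background):
# Start-MpScan -ScanType FullScan
```

Any line marked FIX that you cannot clear with `Set-MpPreference` (Tamper Protection, or a setting that keeps reverting) is worth treating as a symptom rather than a nuisance: the memo's point about tampering is that Defender being disabled on a machine that should have it on is itself a finding.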

The "scareware" problem

A growing share of malware now arrives disguised as antivirus. You're browsing a normal website when suddenly a full-screen pop-up appears: a Microsoft logo, a warning siren, "CRITICAL ERROR — YOUR COMPUTER IS INFECTED — CALL 1-800-XXX-XXXX IMMEDIATELY." This is scareware, and it works by panicking non-technical users into either downloading malicious software or calling a fake support line where scammers will ask for remote access to your computer and your credit card. The FBI's Internet Crime Complaint Center logged $16.6 billion in reported losses in 2024, with tech support scams alone accounting for $1.46 billion (Federal Bureau of Investigation, 2025). Adults over 60 lose money to these scams at five times the rate of younger adults.

Three rules will protect you and your employees from nearly all of these. First, real Defender notifications appear in the small notification area at the bottom-right of your screen, never in a web browser window. If a "virus warning" appears in a browser pop-up, it is not from your antivirus. Second, Microsoft will never call you about viruses, ever, under any circumstances. Anyone who claims to be calling from Microsoft Support is a scammer; hang up. Third, no legitimate antivirus product demands payment via pop-up. If you find yourself confronted with a screaming pop-up that won't close, don't click anything in it — close the browser entirely using Task Manager (Ctrl+Shift+Esc), and if that fails, restart the computer. Train your staff on these three rules; they will prevent more financial loss than any software you can buy.

When to consider stepping up: EDR and Defender for Business

For very small businesses — a few employees, no sensitive customer data, no regulatory obligations — the free Defender that comes with Windows is genuinely sufficient when paired with the practices above. As your business grows, two thresholds are worth knowing about.

The first is the limitation of traditional antivirus itself. Antivirus is a bouncer checking IDs against a list of known troublemakers; it doesn't notice when someone with a valid ID starts behaving strangely. Endpoint Detection and Response (EDR) is a newer category of security tool that watches behavior rather than just files: it notices when a user account suddenly logs in from another country, when a normally quiet program starts encrypting files, or when an attacker uses legitimate Windows tools (PowerShell, for example) to do illegitimate things. Given that 79% of modern attacks involve no malware files at all, EDR catches a class of threats that antivirus structurally cannot. Cyber insurance carriers increasingly require EDR — not just antivirus — as a condition of coverage; if you carry a policy, check what it actually requires.

For small businesses, the natural step up is Microsoft Defender for Business, which is built on the same enterprise-grade engine that powers Defender for Endpoint at large companies but priced and packaged for organizations under 300 users. It costs roughly $3 per user per month standalone and adds EDR capabilities, a centralized management dashboard, automated threat investigation, vulnerability management, and protection across Windows, Mac, iOS, and Android devices (Microsoft, n.d.-a). It's most cost-effective when bought as part of Microsoft 365 Business Premium at roughly $22 per user per month, which bundles it with Office, Microsoft Intune for device management, Entra ID P1 for stronger identity controls, and Defender for Office 365 to scan email attachments and links. For a business already paying for Office, Business Premium is often the most cost-effective security upgrade available.

A note on Windows 10

Microsoft ended mainstream support for Windows 10 on October 14, 2025. As of late 2025, Windows 10 still ran on roughly 44% of Windows desktops globally — an estimated 400 million machines (CISA, n.d.-c). If you are still using Windows 10 in 2026, no antivirus — Defender or otherwise — can compensate for the lack of operating system updates. Endpoint protection runs on top of the OS; when the OS itself develops new vulnerabilities and they are never patched, the protection underneath you erodes regardless of what's running on top. Running Windows 10 today is like driving a car after the manufacturer has stopped making replacement parts: it works today, but every new pothole becomes permanent, and eventually something critical breaks with no way to fix it. Microsoft offers paid Extended Security Updates ($61 per device for the first year, doubling annually), but this is best used as a transition runway, not a destination. Windows 11's much-criticized hardware requirements — TPM 2.0, Secure Boot, modern processors — exist for security reasons that genuinely matter: hardware-level encryption, protection against firmware-level malware, and isolation of sensitive credentials from the rest of the operating system. The path forward is Windows 11.

What to actually do

For most small businesses on Windows, the right answer in 2026 is shorter than the marketing material around antivirus would suggest. Use Microsoft Defender, which you already have. Verify its settings and turn on Controlled Folder Access. Stop paying for third-party antivirus suites unless you have a specific reason. Don't install two antiviruses at once; if you want a second opinion, use an on-demand scanner like Malwarebytes Free occasionally. Spend the money and attention you save on the things that actually move the needle: keeping every piece of software updated, removing administrator privileges from daily-use accounts, enabling multi-factor authentication on every account that offers it, maintaining backups under the 3-2-1 rule, and training yourself and your staff to recognize phishing and scareware. If your business has grown enough to need centralized management or carries cyber insurance, look at Microsoft 365 Business Premium for its EDR and identity features. If you're still on Windows 10, plan your move to Windows 11.

The headline is counterintuitive but freeing: the most important security upgrade you can make in 2026 is probably not buying anything at all. It's using the protection you already have, configured correctly, as one layer among several — and putting your time and attention into the layers antivirus was never designed to provide.


References

AV-Comparatives. (2025, February 24). AV-Comparatives awards 2024 for Microsoft. https://www.av-comparatives.org/av-comparatives-awards-2024-for-microsoft/

AV-TEST. (n.d.). Test antivirus software Microsoft — Windows Defender. AV-TEST Institute. https://www.av-test.org/en/antivirus/home-windows/manufacturer/microsoft/

Bureau of Industry and Security. (2024, June). Commerce Department prohibits Russian Kaspersky software for U.S. customers [Press release]. U.S. Department of Commerce. https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-u.s.-customers

Cybersecurity and Infrastructure Security Agency. (2017, March 16). HTTPS interception weakens TLS security (Alert TA17-075A). https://www.cisa.gov/news-events/alerts/2017/03/16/https-interception-weakens-tls-security

Cybersecurity and Infrastructure Security Agency. (n.d.-a). Secure your business. https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business

Cybersecurity and Infrastructure Security Agency. (n.d.-b). Cyber guidance for small businesses. https://www.cisa.gov/cyber-guidance-small-businesses

Cybersecurity and Infrastructure Security Agency. (n.d.-c). Update business software. https://www.cisa.gov/secure-our-world/update-business-software

Cybersecurity and Infrastructure Security Agency. (n.d.-d). More than a password. https://www.cisa.gov/MFA

Cybersecurity and Infrastructure Security Agency. (n.d.-e). Back up business data. https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/back-up-business-data

Durumeric, Z., Ma, Z., Springall, D., Barnes, R., Sullivan, N., Bursztein, E., Bailey, M., Halderman, J. A., & Paxson, V. (2017). The security impact of HTTPS interception. Proceedings of the Network and Distributed System Security Symposium (NDSS). https://jhalderm.com/pub/papers/interception-ndss17.pdf

Electronic Frontier Foundation. (n.d.). Surveillance Self-Defense. https://ssd.eff.org/

Federal Bureau of Investigation. (2025). Internet Crime Complaint Center 2024 annual report. https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

Federal Trade Commission. (2024, February 22). FTC order will ban Avast from selling browsing data for advertising purposes [Press release]. https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over

Joint CISA, NSA, FBI. (2022). Weak security controls and practices routinely exploited for initial access (Cybersecurity Advisory AA22-137A). https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-137a

Microsoft. (n.d.-a). What is Microsoft Defender for Business? Microsoft Learn. https://learn.microsoft.com/en-us/defender-business/mdb-overview

Microsoft. (n.d.-b). Virus and threat protection in the Windows Security app. https://support.microsoft.com/en-us/windows/virus-and-threat-protection-in-the-windows-security-app-1362f4cd-d71a-b52a-0b66-c2820032b65e

MITRE Engenuity. (2024). ATT&CK evaluations: Enterprise round 6. https://evals.mitre.org/enterprise/er6

National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (CSWP 29). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

Ormandy, T. (2016, June 28). How to compromise the enterprise endpoint. Google Project Zero. https://projectzero.google/2016/06/how-to-compromise-enterprise-endpoint.html

Purdy, K. (2024). The best antivirus software. Wirecutter / The New York Times. https://www.nytimes.com/wirecutter/blog/best-antivirus/

Souppaya, M., & Scarfone, K. (2013). Guide to malware incident prevention and handling for desktops and laptops (NIST SP 800-83, Rev. 1). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-83r1