Do You Really Need to Buy an Antivirus App or a VPN Anymore?
Isn’t the built-in security on today’s PCs, phones, and tablets good enough? The answer depends on the OS you’re running.
When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.
(Illustration: Shutterstock/mentalmind)
If you don’t have a third-party antivirus installed on your Windows PC, you’ve probably noticed the occasional message from Microsoft Defender. And hey, Macs don’t catch viruses, right? Maybe you can just rely on the security that’s built in, rather than laying out your hard-earned cash for security protection. And maybe not. In most cases, you really should pay for security, or use a third-party free solution. Depending on the operating system, adding security beyond what’s built in ranges from a good idea to an absolute necessity.
Windows, macOS, Android, and iOS all include protection against malware, in one way or another. For some, protection takes the form of a full-on antivirus. For others, security is baked into the OS thoroughly enough that malware has a really hard time doing anything. Either way, you can improve your protection by installing a third-party antivirus.
Do I Need Antivirus Software If I Have Windows Defender?
Microsoft has offered built-in antivirus protection of one kind or another since the release of Microsoft Anti-Virus for DOS in 1993. The core of that product was purchased by Symantec and became the OG Norton Antivirus. And wow, was it ever simple-minded. At release, it could detect around 1,200 specific viruses, and users had to install any updates manually.
Fast-forward to today, and you get Microsoft Defender, a rather more impressive product. Oh, it went through some rough stages developmentally. When the independent testing labs started including Microsoft Defender, it managed to score below zero in some tests. But that was years ago, and this tool has been steadily improving its scores.
After going through various names, it’s now called Microsoft Defender Antivirus. In addition to providing antivirus protection, it also manages other security features such as Windows Firewall. In our testing, however, we discovered some significant limitations. For example, it scored poorly in our hands-on phishing protection test, which uses real-world fraudulent sites scraped from the web. In any case, its phishing protection and its defense against malware-hosting sites both only work in Microsoft browsers. Do you prefer Chrome? Firefox? Sorry, you get no protection.
Microsoft Defender includes a kind of ransomware protection, in the form of a component that prevents unauthorized changes to files in important folders. Early on, Desktop was included, which proved annoying, as protection kicked in every time an installer wanted to place an icon on the desktop. At present, in Windows 10 and Windows 11, this feature protects the Documents, Pictures, Videos, Music, and Favorites folders. It’s still turned off by default.
Here’s the thing. Microsoft Defender’s own developers seem to consider it a Plan B, rather than a main solution. If you install a third-party antivirus, Microsoft Defender goes dormant, so as not to interfere. If you remove third-party protection, Defender revives and takes up the job of defense again. The best antivirus programs, even free antivirus tools, perform significantly better in testing and offer more features.
Do I Need Antivirus on My Android Phone?
Google immediately removes any malware that it finds in the Google Play Store, but the key word here is removes. First, the malware shows up in the store, second, however long this takes, Google removes it. The Play Store doesn’t have the same stringent vetting process that comes with Apple’s App Store. Malware does get into the store, and you may well download it before Google cleans up. In addition, it’s easy enough to set your Android to allow sideloading programs independently of the Play Store.
Google Play Protect, the antivirus built into Android, aims to protect your devices from malware. As far as the independent testing labs have found, it does a terrible job.
Our Top Antivirus Picks
Bitdefender Antivirus Plus Review
McAfee AntiVirus Plus Review
Webroot SecureAnywhere AntiVirus Review
Avast One Essential Review
Bitdefender Antivirus for Mac Review
Norton 360 Deluxe for Mac Review
Experts at AV-Comparatives (Opens in a new window) tested Google Play Protect along with 10 third-party android antivirus tools. They collected thousands of unique Android malware samples and tested each antivirus against that collection. They first let the antivirus scan and eliminate samples it recognized, and then launched any that remained, to give behavior-based detection a chance. They also installed 500 popular (and legitimate) apps to check that the antivirus doesn’t wrongly tag them as malicious.
Avast, AVG, Bitdefender, G Data, Kaspersky, and Trend Micro Maximum Security caught 100 percent of the samples. Several others managed better than 98%. Play Protect came in last with 87.9% protection. Google’s entry also exhibited the most false positive results, a total of 11, where more than half showed no none at all. All the tested antivirus products received the lab’s seal of approval. All, that is, except Play Protect.
In their reports on Windows, macOS, and Android antivirus products, researchers at AV-Test Institute (Opens in a new window) assign a product up to six points each for Protection, Performance, and Usability. That last one means the product doesn’t freak out the user by falsely accusing valid apps. All but two of the products tested earned a perfect 18 points. As for Google, it took just three of six possible points for protection. That’s actually an improvement—in most previous tests, Google scored two points for protection.
The verdict is clear: Play Protect won’t protect you. You need a third-party antivirus on your Android devices. We’ve rounded up some favorite Android antivirus tools, looking specifically at solutions that support multiple platforms.
Do I Need Antivirus on My Mac?
Sideloading—installing apps from outside the operating system’s store—is common in Android. We’ve even seen security tools that must be installed this way (though we don’t approve). Apple is much more insistent that only App Store apps can be trusted. By default, if it’s not from the App Store you just can’t install it. Yes, you can override that setting, but you really shouldn’t.
For another level of protection, a component called Gatekeeper checks every app you install for malware. Starting in macOS Catalina, Gatekeeper checks apps on every launch, not just at install time, and examines non-malicious apps for security issues. Catalina also makes apps get permission before they can access critical areas. And with Catalina, the operating system resides on a read-only drive partition, separate from all other programs.
To infect another program, a virus needs to modify that program, something that’s not allowed in macOS. To steal private data, a banking Trojan must read memory belonging to your browser, which is likewise not allowed. In the macOS environment, apps are isolated, limited to accessing their own resources. And even if an app managed to break through this barrier and access another program’s memory, features like ASLR (Address Space Layout Randomization) would keep it from finding any treasures stored in memory.
Many manufacturers make PCs, but only Apple makes Macs. The company has full control over the hardware, including the T2 chip present in newer Macs. This chip creates what’s called a Secure Enclave, https://jiji.ng/ an area of memory that’s completely unavailable to any process not part of macOS. It also manages Touch ID, encrypted storage, and more.
Despite all these safeguards, macOS malware most definitely exists, with several significant attacks in the last few years. A sophisticated example dubbed Gimmick (Opens in a new window) (or Storm Cloud) wreaked havoc in Asia. The Crescent Core (Opens in a new window) attack inveigled its way past Gatekeeper by co-opting a certificate that Apple assigned to another developer. More recently. the Silver Sparrow malware downloader made its way onto 30,000 Macs before it was caught.
While Macs aren’t as vulnerable as Windows boxes or Android devices, the old saw that Macs don’t get malware is demonstrably untrue. And unlike Windows, macOS doesn’t include an antivirus utility as such. If you don’t have antivirus protection on your Macs, get it now.
Recommended by Our Editors
Do I Need Antivirus on My iPhone?
“Only a fool learns from his own mistakes. The wise man learns from the mistakes of others”, said Prussian statesman Otto von Bismarck. Apple has had teams developing operating systems since the 80s, plenty of time to make a lot of mistakes. When the iOS team came along, mistakes from previous groups provided plenty of input about what makes for a secure operating system. Release after release, iOS gets still more secure.
So secure, in fact, that it’s not really possible to create an antivirus to run on iOS. A Malwarebytes report from a couple of years ago reports a strong rise in macOS malware, but notes, “On the iOS side, malware exists, but there’s no way to scan for it.” It goes on to point out that this iOS malware consists mostly of nation-state efforts, not the kind of thing your average user needs to worry about.
Even when malware coders (or researchers) do manage to create iOS malware, it tends to have serious limitations. For example, the checkm8 technique allows a partial jailbreak of many older iPhones, from the iPhone 4s to the iPhone X. However, putting checkm8 in place requires that you have physical access to the phone, which must be connected to a desktop computer. A newer technique dubbed NoReboot (Opens in a new window) lets malware persist through an iPhone reboot, but it works by fooling the user into thinking the phone rebooted when it didn’t.
Don’t look for a roundup of iOS antivirus products—we don’t have one. If all you ever use are iOS (and iPadOS) devices, you really don’t need antivirus. You’ll still want to use an iPhone VPN in some situations, however. Speaking of VPNs.
What About My Phone’s Built-In VPN?
We’ve had readers ask why they can’t just use the free VPN built into their iPhones. Indeed, there’s a VPN configuration page in Settings, but you can’t use it without going through the complex process of manually setting up a VPN profile. The most important element of that profile is the VPN server you want to connect with. And to gain access to that server, you’ll need to pay for a subscription. Which comes with an app. So just use ProtonVPN, or whatever app suits you best! The same is true on Android devices.
If you dig into Settings, you’ll find a spot to control your VPN, but it’s a dead end. On an iPhone, digging VPN & Device Management setting just takes you to the dead-end of "Add VPN Configuration.". On Android (at least on the Android device I use for testing) the VPN settings slot simply reports “None.” Sorry, your phone just doesn’t have a VPN client built in.
You Tossed Your Cookies But They’re Still Tracking You; Here’s How to Hide Your Browser Fingerprint
Browser fingerprinting is a sneaky way advertisers and others track you online. We explain how this surveillance technique works and what you can do to protect your privacy.
When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.
(Photo: ra2studio/Getty Images)
Except for your internet provider’s bill, surfing the web is free, but as with most things you get for free, there’s a hidden price. Advertisers and data brokers can monetize their knowledge about your online habits and activities. They know where you go, how you behave, and what you buy. How? By using data that your browser freely supplies to create a fingerprint that uniquely identifies you. Unlike other tracking techniques, browser fingerprinting leaves no traces. How can you protect your privacy and avoid being fingerprinted?
It’s Not a Cookie
It’s important to explain what cookies are right from the outset, if only to help people what browser fingerprinting isn’t. Cookies have been around almost as long as web browsers have existed. The purpose of a cookie is to let a website remember things about you without having to maintain a monster database of everyone who ever visited. Each cookie is a simple text file that lives on your computer, not on the site. The site can put information into the cookie, such as your preferred address, things you’ve bought, or which page you were reading in an online novel. When you revisit that site, it can pull out its own cookie (but nobody else’s) and read back that info.
However, modern websites aren’t simply monolithic entities. They contain links and content from advertisers and other third-party sites. These third parties can save their own cookies to your PC, containing whatever data they have available, including the site that’s hosting the ad. If an advertiser has a presence on multiple sites, its cookie data now lets it link your presence on each of those sites you visit. Suddenly cookies don’t seem so tasty.
Internet experts proposed reining in this abuse by letting browsers add a Do Not Track header to page requests. This effort fizzled because sites were free to ignore the header. Security companies responded by devising Do Not Track technology that actively prevented tracking. Trackers responded with new technologies such as supercookies, evercookies, Flash cookies, and more.
All these tracking technologies involve placing something (a text file, a script, a file) on the victim’s computer. And all of them have been foiled in various ways.
Fingerprinting is different. It doesn’t change anything on your computer; it just takes advantage of normal browser functions.
Hello, I Know You
When you’re surfing the web, it really feels like you have a direct, continuous connection with the site you’re perusing. In truth, your experience is made up of many small interactions between your browser and the website’s server. The browser sends a request, and the server sends a response. That request necessarily includes your IP address—without it, the server wouldn’t know where to send the response. But over time, browsers have come to send more and more information.
Compatibility isn’t much of an issue these days, but if you go back far enough, you’ll find a time when websites had to tune their responses to the requesting browser, perhaps sending a different page to Netscape Navigator than they did to Internet Explorer. Requests to a server identify the browser making the request, right down to the precise version and build number. That’s a simple enough need, but it’s the start of a slippery slope.
To render a design-rich page from a website, your browser needs access to the right fonts. Just what fonts are available depends on the operating system. Your browser queries the OS for a list of fonts and passes that list along to the website. If a needed font is missing, the site might choose to display a simplified page. Yes, we all have the same basic set of fonts that come with Windows, but installation of other programs often adds new fonts, and uninstallation doesn’t remove them. After a while, our font collections start to diverge.
Too Much Information
Modern browsers reveal a huge amount of information not just about themselves, but also about the operating system in which they reside. Sites can run simple scripts to learn even more: things like the screen resolution in use, and which plugins are installed. A crazy string of text called User Agent reveals a lot about your browser. Here’s a User Agent string from Chrome: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36”. And here’s one from Edge: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.67”.
Websites can query and receive tons of other information about your system’s settings and configuration. This massive dump of available information can be boiled down to a single, simple value called a fingerprint. The chance of any two PCs having the same fingerprint is low, and the consequences for a tracker who did encounter such a duplication are likewise low. Yes, your fingerprint might change based on changes to your system, but that doesn’t happen often. When it does, it’s not all that important to the tracker, either. Trackers don’t care about losing track of you temporarily. As long as they can track plenty of others, no problem! And they don’t need cookies.
Put Your Fingerprint Under the Microscope
For a quick look at the many arcane bits and bobs that make up your browser fingerprint, pay a visit to the Electronic Frontier Foundation’s Cover Your Tracks (Opens in a new window) page (formerly called Panopticlick). With your permission, this page gathers the information used to generate a fingerprint, along with some useful stats. I learned, for example, that my fingerprint is unique among more than 250,000 fingerprints tested by the site in the last 45 days.
Taking a more long-term view, security and privacy researchers at Friedrich-Alexander University Erlangen-Nürnberg, Germany have been running a study on browser fingerprinting (Opens in a new window) since 2016. I’ve participated since the beginning. Participation is simple; once a week you get an email with a link to check your fingerprint. You can review the stats of your own participation at any time. For example, I know that I had the same unique and trackable fingerprint for 263 days in 2017. You don’t have to register if you just want to view the aggregate statistics.
There are plenty of other pages that can show you the components of your browser fingerprint, with varying degrees of detail. Reporting from the open-source AmIUnique (Opens in a new window) site helpfully color-codes the components that are the farthest from the norm, the ones that contribute the most to making your fingerprint different from the rest. Device Info (Opens in a new window) lists a near-overwhelming collection of information revealed to any website through your browser.
Hide Your Fingerprint
After a lifetime of working with clay, potters may find their fingerprints have simply abraded away. What can you do to wear away your browser fingerprint and keep it from giving away your identity?