Antivirus software — who needs it?

In the newsgroups a few weeks ago, someone asked which anti-virus software is best for experts. This is a really curious question. I've been involved in computer security -- as a practitioner, a consultant, and an instructor/speaker -- for several years. I feel fairly confident in calling myself an expert. I don't run anti-malware on any of my own computers. Why not? It's simple: I know what to click and what to skip, what to visit and what to avoid. I have control over what I choose to open, what I choose to load, and what I choose to run. And yes, before the question arises: every four months or so I run a scan, and I've never been infected with anything.

Now don't think that I run totally naked (the other residents of my house probably would object, and I shudder to imagine how hot the laptop would feel then, haha). Because there's no way to control what someone else might throw at my Ethernet port, I do run the Windows firewall. I also run with UAC enabled, because IE's protected mode only works when UAC is on, but I configure the policy to elevate without prompting.
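The configuration in the paragraph above (Windows firewall on, UAC on so that Protected Mode works, administrators elevated without a prompt) maps to a handful of policy values under one registry key, which is also what the question in the comments below is asking about. The following PowerShell script is an added example and not part of the original post: it reads the current values, reports whether they match that configuration, and shows the command that sets the elevation behavior. The registry path and value names are the documented UAC policy locations; the function names, the assumed defaults for absent values (Windows 7 and later), and the English-locale parsing of `netsh` output are my own assumptions.

```powershell
# Added example (not from the original post): inspect, and optionally set, the UAC
# elevation policy described in the post. Registry path and value names are the
# documented UAC policy locations; function names and defaults are assumptions.
# Requires PowerShell 3.0 or later; use -Apply/-Revert from an elevated prompt.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented ConsentPromptBehaviorAdmin values.
$Behaviors = @{
    0 = 'Elevate without prompting'                       # what the post describes
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'        # Vista default
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'     # Windows 7+ default
}

function Get-PolicyValue {
    # An absent value means "OS default"; the defaults assumed here are Windows 7+.
    param($Props, [string]$Name, [int]$Default)
    $prop = $Props.PSObject.Properties[$Name]
    if ($prop) { [int]$prop.Value } else { $Default }
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    $behavior = Get-PolicyValue $p 'ConsentPromptBehaviorAdmin' 5
    [pscustomobject]@{
        EnableLUA                  = Get-PolicyValue $p 'EnableLUA' 1   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $behavior
        PromptOnSecureDesktop      = Get-PolicyValue $p 'PromptOnSecureDesktop' 1
        Description                = $Behaviors[$behavior]
    }
}

function Get-FirewallState {
    # netsh advfirewall exists from Vista onward; assumes English output ("State ... ON").
    $lines = netsh advfirewall show allprofiles state
    $states = $lines | Where-Object { $_ -match '^\s*State\s+(ON|OFF)' } |
              ForEach-Object { $Matches[1] }
    [pscustomobject]@{
        ProfilesReported = $states.Count
        AllProfilesOn    = ($states.Count -gt 0) -and (($states | Where-Object { $_ -eq 'OFF' }).Count -eq 0)
    }
}

function Test-PostConfiguration {
    # True on every line when the machine matches the post: UAC on (so IE Protected
    # Mode and the integrity-level separation work), silent elevation, firewall on.
    $u  = Get-UacPolicy
    $fw = Get-FirewallState
    [pscustomobject]@{
        UacEnabled         = ($u.EnableLUA -eq 1)
        ProtectedModeUsable = ($u.EnableLUA -eq 1)
        SilentElevation    = ($u.ConsentPromptBehaviorAdmin -eq 0)
        FirewallAllProfiles = $fw.AllProfilesOn
    }
}

function Set-AdminElevationBehavior {
    # -Apply sets 0 (elevate without prompting); -Revert restores 5 (Windows 7+ default).
    # Caveat: with 0, any code running in an administrator's session gains full
    # privileges with no user interaction; only the UAC process/integrity boundary remains.
    param([switch]$Apply, [switch]$Revert)
    if ($Apply)  { Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord }
    if ($Revert) { Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord }
    Get-UacPolicy
}

Get-UacPolicy | Format-List
Test-PostConfiguration | Format-List
```

Two practical caveats. First, setting `ConsentPromptBehaviorAdmin` to 0 removes the consent step but not the rest of UAC: processes still start at medium integrity and Protected Mode still runs IE at low integrity, which is the part the post relies on; what you lose is the prompt that would otherwise surface an unexpected elevation. Second, on a domain-joined machine a Group Policy setting for the same value will overwrite whatever you set here at the next policy refresh, so check the effective value with `Get-UacPolicy` rather than trusting the last write.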

Am I saying that anti-malware is useless? Absolutely not. In many instances, and for many people, it's still necessary. But we can't ignore the fact that malware is getting more sophisticated. Nor can we ignore the fact that, as I have this conversation with other security experts and similarly-minded folk, I often ask this question: "When's the last time your antivirus or antispyware detected anything?" Invariably, the answer is, "Never."

Comments (22)

  1. Anonymous says:

    An interesting comment recently appeared on my older post about whether or not to use antimalware

  2. Anonymous says:

    By Steve Riley Senior Security Strategist Trustworthy Computing Group, Microsoft Corporation (originally

  3. Anonymous says:

    And even when AV might offer value, is it worth it to run it if the AV software requires that you run as admin? (Short answer: hell no! wrote this a bit over a year ago:

  4. Anonymous says:

    Have you ever tried feeding something you wrote into an online language translator, then doing it a second

  5. Anonymous says:

    Ah, "defense in depth." Eric, please don’t take this personally at all — however, I hate that phrase! It’s been so overused that it’s lost its meaning. I avoid it now completely…

    Anyway, back to the idea at hand. Anti-malware is just one of many many choices we all have when it comes to securing our systems. But before making any choices, we must first understand the risks each of us faces and also have a feel for our individual "risk tolerances."

    Not every security feature is good. And not every feature needs to be used by everyone. For example, I have long been recommending that folks not use account lockout, because it creates more risks than it alleviates, and you can satisfy the supposed threat by using long passphrases. Just because a security feature exists, does it have to be enabled or used?

    Nowhere have I said that avoiding anti-malware is good for everyone. I said that I don’t use it on my own computers because I am addressing the malware threats in other ways. And, as I wrote, it’s working for me: I’ve avoided infections in all my machines for as long as I’ve been in computing (hint: who remembers the S-100 bus? haha)

    Remember this important fact: for every threat, there are multiple mitigations. What works for one person might not work for someone else. It all comes back to building your own risk profile and understanding which threats you are vulnerable to (and which you can ignore).

  6. Anonymous says:

    A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number

  7. Justin Ho says:

    Don’t run as admin and surf the web. Antivirus won’t do anything for you, no matter how up-to-date it is, if you click on every single link and run every application you download.

  8. biD1 says:

    How can I configure UAC to elevate without prompting?

    Please help. Thank you.

  9. Peder Vendelbo Mikkelsen says:

    Remo, check out the documentation on technet2:

    Windows Vista User Account Control Step by Step Guide

  10. forest2 says:

    The point is well taken that malware’s capability has outstripped AV software, but nonetheless I think you should always run AV – even software from reputable sources has been known to ship, inadvertently, with malware.

  11. The Gort says:

    Windows comes with malware included, even if you don’t consider Windows to be malware. Install a fresh copy of Windows, then run Ad-Aware without connecting to the internet, and it will detect malware right away.

  12. Andy Dowling says:

    I find that running as a limited user offers plenty of protection when you know what to avoid, and software restriction policies give a little more peace of mind when sharing your system with others.

  13. cwoller says:

    > "When’s the last time your antivirus or

    > antispyware detected anything?" Invariably,

    > the answer is, "Never."

    Hey – you folks tell me from time to time, that the fact, that my antivirus won’t find anything does *not* mean that there isn’t anything…

    With this in my mind, I don’t understand the above question.

  14. Doug Woodall says:

    There are so many ifs, ands, or buts if you are online nowadays and want to ensure your online safety.

    I agree with steriley on the point that computer security products have created a huge market for themselves. Are they needed? Depends on your education I always say.

    I never used anything, till...

    I became a businessperson online. I quickly found, as I moved about the net promoting my biz, that I was coming into contact with lots of threats. It became necessary to get a little help if I wanted to get anything done.

    So I started using an antivirus, antispyware, and a good firewall, along with Firefox.

  15. Application Security Reviews at says:

    Steve – I found your post interesting, and while I don’t necessarily agree, I do understand your point. I agree that AV is not a "silver bullet" in protecting against malware or worms, etc., but I feel it is definitely a compensating control and should not be removed from workstations.

    It’s true that threats are increasing in sophistication – issues like botnets and data compromises are growing at an alarming rate – but I feel that a blend of defenses is necessary. Security awareness is core, but there is always a need to create that layered approach to security. Firewalls, IDS, AV, HIDS, etc. are all building blocks of those defenses. A well-architected solution shouldn’t be cumbersome but should complement the system you’re using.

    Application Security Reviews, Ethical Hacking, Compliance Gap Analysis, Network Security

  16. AdamV says:

    ‘ "When’s the last time your antivirus or antispyware detected anything?" Invariably, the answer is, "Never." ‘

    This is what I describe as using anti-virus to keep away the elephants:

  17. Eric Kumar says:

    Hi Steve, just stumbled upon your blog via google search. Interesting post… so I stopped by to comment. I think AV software (or anti-malware software) is an essential component and one of the many “defense in depth” strategies in order to protect computers, no matter how secure the OS “seems” to be. In the end, OS or other security products are still software – which means they are buggy, breakable and penetrable. Always better to have a layered defense, one of the components being an AV software.

    In spite of all protection, the average computer user is still fallible due to their own stupidity or intellectuality, widely because the average user does not take computer security seriously. I recently posted a blog entry about this on my blog. Please visit if you get a chance:

    Eric Kumar

  18. Nick Brown says:

    I’ve been saying for years that anti-virus software is unnecessary. Nice to hear it from a security professional. 🙂

  19. softwares says:

    I think every computer user needs it.

  20. Peter van Dam says:

    Antivirus and anti-malware tools these days use something like 80% of CPU, slow down your hard drive by at least 50%, and annoy you all the time with unnecessary popups.

    Why should I be asked if I want to allow an app like Internet Explorer 7, verified by Microsoft, signed and everything, to connect to the internet? Or the same for Messenger. Such a program should know better than me, not the other way around.

    And what about the BSODs they are causing from time to time (looking at Trend Micro) or a total system failure (looking at AVG)? Those issues are happening too many times, and those companies just see it as an "Oops", and can’t be sued for anything.

    A virus was something that slows down your system, annoys you frequently, makes your system unstable, and is hard to remove 100%. Well, most anti-virus software completely meets those requirements.

    I’ve been running Windows Vista for about 3 years now. I ran OneCare in the first few months, but removed it. Never had any virus in these three years. Also, like you, I checked a few times to be sure I didn’t have anything.

    I recently visited a store to upgrade my PC. 5 people that visited during that time had no internet, or other kinds of issues, simply because firewalls or antivirus software blocked it. Including IE. It’s just stupid how they work these days.

    And why those scheduled scans all the time? When I’m about to use the file, you’re going to scan it anyway, so why use my hard drive and CPU resources every week for absolutely no reason?

    All those things make me believe that when you just keep UAC enabled, you can simply remove any antivirus that runs in real time, and install scanners that can simply run on demand, or prevent it, like SpywareBlaster.

  21. reza says:

    Damage to a PC takes only a second. I have experience of this: one of my friends turned off his anti-malware, and in that time he inserted a flash memory stick and the PC got infected. Damage to a PC is possible for everyone; you may leave your PC for a second, and in that time your friend inserts a removable device carrying malware.

    Anti-malware will help Microsoft to build their next operating system. How? Anti-malware companies are members of the Microsoft Security Alliance, and they discuss new malware and how to protect against it. Let’s say you have new malware on your PC and it is not detected by your anti-malware; it will probably still be sent to your anti-malware vendor as suspect behavior (if you chose to join the program to improve the product), and they analyze it and try to find an anti-malware patch for this malware and other malware similar to it. What will happen next? Microsoft will review malware by type and how it does damage, and then when they plan to build the next product, such as Windows, they make it more secure so that this malware cannot damage it easily.

    In Windows Vista, what I say is that you are in guest mode and admin mode. If you are doing your normal job, such as watching a movie, opening Internet Explorer, etc., you are in guest mode, meaning that if you visit a malware website and it tries to damage your PC, it will only do damage at a low level unless you accept it through UAC. Whenever UAC asks whether you want to continue, you are doing an admin job; otherwise you are doing a guest job. So if your friend sends you a picture by email, and when you click on it it shows "do you want to continue", then... it is not a picture, because a picture will not do something in admin mode. If you are like Steve and you know how, when, and what to download and install, then that’s fine without antivirus. But if you are downloading several movies from BitTorrent, or always click on "Free...", open all the attachments, and always visit malware websites, then you must have anti-malware.

    Please note that if you are using non-genuine Windows then you should never think about protection at all, because there is no solution for protecting non-genuine Windows from malware. If you are using non-genuine anti-malware then there is no solution to protect your PC against malware. Remember to always look at the license terms and always try to download from the main website of the software vendor.

  22. sunkumarspace says:

    I think antivirus is a must; otherwise it will damage your PC. Maybe, as some say, with Sandboxie and other virtualisation tools you may be safe, but even Returnil sometimes hacks; then I think, if no antivirus, Windows SteadyState turned on is a good option.