Poll Paid vs Free Antivirus in 2026: What are you using, and is it worth paying for?

In 2026, what’s your main antivirus setup: paid or free?

  • Paid security suite (AV + web protection + ransomware layers + firewall, etc.)

  • Paid antivirus only (light AV, minimal extras)

  • Free third-party antivirus (Avast Free, etc.)

  • Microsoft Defender only (built-in, no third-party AV)

  • macOS/Linux/Android built-in protections only (no third-party AV)

  • Other (comment what you use)


I did not; I use MD with WHHL of @Andy Ful
Oh, so you do use Microsoft Defender and layered hardening? That is a massive backpedal from your earlier flex about 'real power users' only needing official websites and statistical analysis.

You just proved my entire point. You are using MD as your last line of defense because you inherently know that your 'official website' logic is flawed. You use Andy Ful's hardening because you know you need Defense in Depth. If simply downloading 'powerfully' was enough, you wouldn't need MD or WHHL. Thanks for finally agreeing with the rest of us: layered security and AV are mandatory, regardless of how smart you think you are.

P.S. Why is it that whenever you back yourself into a corner, your first instinct is to tag @Andy Ful ?
 
Oh, so you do use Microsoft Defender and layered hardening? That is a massive backpedal from your earlier flex about 'real power users' only needing official websites and statistical analysis.
Because you could not get what I mean; I was referring to paid AVs with extra tools not necessary for me.
 
Because you could not get what I mean; I was referring to paid AVs with extra tools not necessary for me.
You can move the goalposts as much as you want, but the facts remain, you rely on an AV (Defender) because you know perfectly well that your 'official website' strategy is flawed. You need that behavioral safety net just like everyone else. It's okay to admit that defense in depth is necessary.
 
Suppose an advanced user has no AV but plugged in one of his friend’s flash drives which contains a legitimate software installer but infected with Sality. The advanced user will have to disable any anti-exe or allow the notifications from HIPS to install that application from the flash drive. What happens then? Without an AV, the worm infects your PC. Sure, a worm is not as advanced as the stealth malware of today but an infection is an infection. IMHO, an AV should always be there as the last line of defence. This question is for everyone and not only directed to Roboman.
I agree with your point of view. I always recommend an antivirus, even though I respect if a so-called power-user believes he doesn't need it, replacing it with other software. Nevertheless, in this specific scenario, I would think that even if he's dumb enough to disable the anti-executable (is he really a professional?), the Windows Hardening policies would stop the script from running. A true advanced user that decided to not use an antivirus would have (I believe) several layers of other type of protection. Would I recommend this? Not at all, hence my first post defending antivirus use whatever the case. I truly believe that infection is possible even with the most advanced users. "Good surfing habits" aren't always reliable. I made a post on this thread discussing how, even though I consider myself an advanced user in terms of safe surfing, I committed a stupid mistake on a bad day and got infected, even with an antivirus: How I got infected last time thread

All in all, I'll always recommend the use of one whatever the case. As I always say, the first line of defense should be an anti-executable or Application Control (since the safest way to make sure a file isn't gonna infect you is not letting it run). After that, static detection and behavioural analysis are always a good and efficient should-have.
 
Suppose an advanced user has no AV but plugged in one of his friend’s flash drives which contains a legitimate software installer but infected with Sality. The advanced user will have to disable any anti-exe or allow the notifications from HIPS to install that application from the flash drive. What happens then? Without an AV, the worm infects your PC. Sure, a worm is not as advanced as the stealth malware of today but an infection is an infection. IMHO, an AV should always be there as the last line of defence. This question is for everyone and not only directed to Roboman.

Hi,
The user you call an expert, whom I would call cautious, should treat a pen drive that does not belong to them as potentially dangerous.

Even without real-time AV, nothing will happen if they insert the pen drive because autoplay is disabled, and obviously they should not interact with the contents of the pen drive without first performing at least two anti-malware scans to verify it.

To be extra cautious, you could also insert the USB stick into your PC after booting a Linux live distro and run your scans from that environment.

Or you could boot directly from a rescue disk, such as Kaspersky.

So even without real-time AV installed, as I have used for a long time, there are various ways to be cautious without resorting to a virtual environment.
 
Hi,
The user you call an expert, whom I would call cautious, should treat a pen drive that does not belong to them as potentially dangerous.

Even without real-time AV, nothing will happen if they insert the pen drive because autoplay is disabled, and obviously they should not interact with the contents of the pen drive without first performing at least two anti-malware scans to verify it.

To be extra cautious, you could also insert the USB stick into your PC after booting a Linux live distro and run your scans from that environment.

Or you could boot directly from a rescue disk, such as Kaspersky.

So even without real-time AV installed, as I have used for a long time, there are various ways to be cautious without resorting to a virtual environment.
And here comes the fun part. You can’t perform a scan on a flash drive unless you have an AV (be it resident or passive)
 
And here comes the fun part. You can’t perform a scan on a flash drive unless you have an AV (be it resident or passive)
Every single tool or layer of protection added has its cost on performance and usability.
Every single tool or layer of protection removed from the default Windows setup has its cost on vulnerability and security.

Choose your priority, and accept the consequences.
 
Hi,
The user you call an expert, whom I would call cautious, should treat a pen drive that does not belong to them as potentially dangerous.

Even without real-time AV, nothing will happen if they insert the pen drive because autoplay is disabled, and obviously they should not interact with the contents of the pen drive without first performing at least two anti-malware scans to verify it.

To be extra cautious, you could also insert the USB stick into your PC after booting a Linux live distro and run your scans from that environment.

Or you could boot directly from a rescue disk, such as Kaspersky.

So even without real-time AV installed, as I have used for a long time, there are various ways to be cautious without resorting to a virtual environment.
You completely dodged the premise of the scenario. What happens if your two manual, on-demand scans don't catch the Sality infection because it's a new variant or the signature is heavily obfuscated?

Static, on-demand scans miss things. If those scans come back clean, the 'cautious' user will inevitably execute the installer. At that exact moment, without a real-time behavioral engine monitoring the execution in memory, Sality hooks the system and you are owned. You are relying entirely on the assumption that your manual scans are 100% infallible. That arrogance is a single point of failure, which is exactly why an AV should be there dynamically monitoring behavior as the last line of defense.

Every single tool or layer of protection added has its cost on performance and usability.
Every single tool or layer of protection removed from the default Windows setup has its cost on vulnerability and security.

Choose your priority, and accept the consequences.

You say 'accept the consequences.' I don't think you understand what that actually means in a modern threat landscape.

The 'cost' of running a quiet, behavioral AV is virtually zero on modern hardware. The 'consequence' of removing it is a single drive-by download or supply chain attack encrypting your entire drive or stealing your identity.

Trading total system safety for a theoretical 0.5% performance gain isn't 'choosing a priority', it's failing at basic risk management. You are essentially driving without a seatbelt to save weight. Sure, the car is lighter, but the 'consequence' of a crash is fatal. That’s not a smart trade; it’s just negligence disguised as a choice.
 
Like Bitdefender? 🙂
Ah, the classic strawman. 🙂

Pointing to one of the heaviest consumer suites on the market doesn't prove your point, it just proves you're out of actual arguments. No one is forcing a 'power user' to install Bitdefender. ESET, Kaspersky, and the Microsoft Defender you already use run perfectly quiet in the background of any modern rig.

Cherry-picking the most resource-intensive example to justify having a broken security philosophy is a weak excuse. If you don't like heavy AVs, pick a light one.
 
Yes, I run MD; it is light and efficient.
I’ve got PCAPs to analyze from my IDS bypass testing earlier, I’d rather spend my time on actual fragmentation and timing data than arguing security with someone who thinks an 'official website' is a firewall.

P.S. Stop tagging Andy to save you. It’s getting embarrassing.
 
Is it forbidden to install scan on demand?
You aren’t getting my point. All I’m saying is that you’ll eventually need an anti-malware scanner to catch the virus, be it real-time or an on-demand scanner. To advocate that you’ll stay safe without an AV in today’s world is misleading the common people and the users who are reading through this forum. 1 out of 1000 users are power users and the average Joe shouldn’t follow in their footsteps.
 
Since you dismiss AV and rely purely on 'official websites,' I have a genuine question for you: are you personally performing in-depth static analysis on every single installer and update you download?

Because if a vendor gets compromised (like SolarWinds or CCleaner), the malicious code is baked into the official, digitally signed binary. If you don't have an AV monitoring the dynamic execution of that file in memory, the only way to know it's safe is to drop it into a disassembler like IDA Pro or Ghidra and reverse-engineer it yourself before running it. Are you doing that? If not, you aren't an 'advanced' user securing your machine, you are just blindly trusting a vendor and praying.
If the vendor is compromised then there’s very little the end user can do. Remember when the MS Updates were compromised? Sadly, no AV has the capability to protect in these types of situations.
 
No AV has the capability to protect in these types of situations.
or even user knowledge or caution; it is fate

 
WD and WF configured correctly with Andy’s tools are all you’ll need to keep your PC secure. No need for third-party AVs. I use them because I’m a little bit scared that if an unknown malware disables WF and WD, I’ll be left to fend on my own. 😭
combined with suitable knowledge and caution, no extra needed.
I have a habit of checking MD exclusions every morning to check if any was added.
 
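The daily check of Microsoft Defender exclusions mentioned in the post above can be scripted. The following is an added example, not part of the original thread or of any tool named in it: it saves a baseline of the exclusion lists reported by `Get-MpPreference` and warns about any entry added or removed since. The baseline file location is an assumed placeholder, and the script assumes an elevated session.

```powershell
# Added example: diff current Microsoft Defender exclusions against a saved baseline.
# Assumptions: $BaselinePath is a placeholder location; run elevated, because a
# non-admin session may get a masked "N/A..." value instead of the real entries.
$BaselinePath = Join-Path $env:ProgramData 'DefenderExclusionBaseline.json'
$Kinds = 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess', 'ExclusionIpAddress'

function Get-ExclusionSnapshot {
    $pref = Get-MpPreference
    $snapshot = [ordered]@{}
    foreach ($kind in $Kinds) {
        # The property is $null when nothing is excluded; normalise to a string array.
        $values = @($pref.$kind | Where-Object { $_ } | ForEach-Object { "$_" } | Sort-Object -Unique)
        if ($values -match '^N/A') {
            throw "Exclusions ($kind) are hidden from this session; re-run elevated."
        }
        $snapshot[$kind] = $values
    }
    $snapshot
}

$current = Get-ExclusionSnapshot

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: store the present state. Review the file by eye before trusting it.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
}
else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $changes = 0
    foreach ($kind in $Kinds) {
        $old = @($baseline.$kind | Where-Object { $_ })
        $new = @($current[$kind])
        # -notcontains is case-insensitive, which matches how Windows treats paths.
        foreach ($item in @($new | Where-Object { $old -notcontains $_ })) {
            Write-Warning "ADDED   $kind : $item"
            $changes++
        }
        foreach ($item in @($old | Where-Object { $new -notcontains $_ })) {
            Write-Warning "REMOVED $kind : $item"
            $changes++
        }
    }
    if ($changes -eq 0) { Write-Output 'No change in Defender exclusions since the baseline.' }
}
```

After an exclusion is changed on purpose, delete the baseline file and run the script again to record the new state.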
If the vendor is compromised then there’s very little the end user can do. Remember when the MS Updates were compromised? Sadly, no AV has the capability to protect in these types of situations.
That is a massive misconception. You are assuming that because a file is 'trusted' or digitally signed, an AV is blind to it. That couldn't be further from the truth.

While a static signature scan might miss a compromised MS update because the file looks 'legitimate,' modern AVs and EDRs use Behavioral Analysis. If that 'trusted' update suddenly starts injecting code into lsass.exe, spawning an unauthorized remote shell, or initiating mass file encryption, the AV doesn't care who signed the certificate, it kills the process based on its actions.

This is exactly why we use Defense in Depth. The 'official' source gets it past your first layer, but the behavioral engine is the safety net that catches the actual malice in real-time. Saying 'no AV can protect' against supply chain attacks ignores the last decade of EDR evolution.