In a world with Windows defender and more and more system and hardware checks on malware, I'd say so. I've also been doing some looking into Norton's parent company which was formerly Symantec and now Gen Digital for the consumer side. The company has an extremely toxic anti consumer "profit at any cost" culture.
Norton Parent Co. Symantec Had to Shut Down Certificates Business: Symantec bought Verisign back in 2004. Over the years and many acquisitions they built up their identity federation cert business. Due to the security of the internet being underpinned by these certificates, they must be audited and trusted to run things tiptop. However, several times Gen Digital (nee Symantec) was caught letting its partners create certificates for domains that already existed, with no audit checks. This was major news when it happened in 2014 and even worse when discovered again in 2016-7. The second time was so bad, they were forced to sell their business to Digicert rather than go through the audits that Google and Mozilla demanded.
Gen Digital Subsidiary Avast and AVG using Antivirus to sell users personally identifiable browsing history and click history to marketers, sued by FTC: Going back to antivirus, in 2014-2020, Symantic/Gen Digital subsidiary Avast bought AVG and another antivirus maker called Jumpshot. Most news articles say Jumpshot was an analytics company, but when Avast bought it, it was an antivirus maker. They switched its "focus" to marketing post-takeover. They used Jumpshot technology to monitor and keep their customers' every single search, click, use, etc. Despite selling software that scared people into installing it so that wouldn't happen! They just settled with the FTC for a paltry $16 million settlement this month. This extremely private data was sold to data brokers and more. This included not only users of the Free product, but AVG/Avast toolbars and the *paid* versions, as well. (FTC.gov details: https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-Avast.pdf )
Self Even today, the antivirus apps desperately want you to install self-signed certificates as part of the install. This allows them to intercept otherwise private connections between you and and your bank, or Facebook, Discord, Apple, etc. The apps will nag you incessantly if you don't install their certificates. Why wouldn't you? Because they effectively break encryption, and allow Symantec (whose subsidiaries have been caught selling personally identifiable info on the public market), erm now Gen Digital to do the same thing. You effectively give them permission to perform a MiTM (man-in-the-middle) attack on your private data, and you have to trust that a) they won't have bugs that make you even more vulnerable on top of the MiTM, b) That their methods of verifying certificate trust is actually functional and secure and c) That you trust that now that they have access to an internet connected system with admin privileges and the ability to intercept all HTTPS traffic that they won't go ahead and do the same things again. After all, it only cost them $16 million vs all the profit they made selling user data.
Basically Gen Digital (nee Symantec, nee Norton LifeLock) seem to do anything possible for more profit, even if it's conceptually risky and puts the customer at a security disadvantage.
I highly recommend staying away from *any* product offering from Gen Digital, which includes the Symantec, Norton/LifeLock, Avast and AVG brands, among others. They've proven repeatedly they cannot be trusted, and have morphed the role of antivirus into the worst malware on your system itself.
I personally would avoid Norton in general due to their company having a shady history of pushing profit over users. Microsoft hasn't exactly been great in that domain lately, either. However, you do get many, many more tools by default in a current, updated version of Windows 10 or 11 than you ever did before (Note: Windows 10 support will end 14 October 2025; users must upgrade before then to remain secure). macOS similarly has quietly added a whole arsenal of tools that carefully guard which apps have which permissions to run on your system and the OS is malware-aware, quietly getting updates all the time. My opinion is that users that are reasonably computer literate, and aren't undertaking risky behavior shouldn't need more than what comes with their OS. Just keep updated, and to keep good online habits, and know what you're getting into.
Is Windows enough?
If you open the Windows Security dashboard, you'll see that Windows includes a full suite of tools that already run by default. For example, Windows Defender is antivirus protection included with windows 11. You get protection against ransomware, macro viruses, etc. Every file that's downloaded is checked against DBs to make sure it doesn't match known malware. Disks, including internal and external drives by default are all scanned while being accessed. You get a built-in firewall since Windows XP and you can add fairly sophisticated rules to if needed. Even when an app is run, app signatures and certificates are again checked against known bad apps, and sandboxing and virtualization technology protects your OS kernel in an isolated instance. Secure boot lessens the chance of boot loader malware that would be otherwise undetectable. Bitlocker adds an extra layer of encryption at rest to your drives (Pro and corporate editions). If kids share a system and they are not computer literate, giving them their own non-admin accounts can prevent them from messing up your secured system but requiring escalated privileges. Pretty much everything I mentioned for Windows is delivered by macOS as well, but they call them different things.
What about any special features Norton has that Windows doesn't? Many of the tools that Norton 365 et. al, might have that Windows doesn't already have often includes very invasive tools that are running on top of your emails, your web browser including intercepting and tracking your usage, decrypting your private data by installing self-signed certificates to do this while you browse. This is not recommended as secure by any means, but it still happens. Many Antivirus apps, especially free ones will keep on insisting that the user grant their apps lots of permissions and install helpers everywhere. This is not only irritating but it makes your system less safe, and there are other existing ways to accomplish the same thing. It suggests that they simply want to access your browsing data to sell to advertisers (or else why wouldn't you be able to tell those messages to go away for good?).
All major browsers today have some kind of site-checking to make sure your pages aren't malware infested. Chrome's optional enhanced protection setting sends your URLs and "a small sample of page content, downloads, extension activity, and system info." to the Google Safe Browsing service, which is linked to your Google account. Edge has numerous settings that promise to enhance your safety if you give up your browsing information, many of which default to on. These all claim to run a check on a site sometimes even before you load it against known malware and will warn you and make it hard to visit problematic sites. If you don't trust Microsoft or Google, there's Firefox, who has their own site validation service as well.
In addition to browser safe browsing, you can get additional security from ad blockers, specifically "uBlock Origin" on Chrome and Firefox, or AdGuard on Safari. These have large curated lists of ad and malware provider domains and simply block content from them (you also get the benefit of faster loading in some cases, and can easily whitelist individual sites you want to get ad revenue). You could also use AdGuard DNS to provide another level of malware checks to every site you visit (they prevent known hosts that sponsor malware to be blocked, and can also block intrusive ads on all devices). With regard to email guards/protection, if there's a high chance someone who doesn't know what phishing or ransomware is and might fall prey, then you might benefit from an advanced email client on their PC, like Thunderbird by Mozilla (Firefox). Thunderbird has built-in privacy and phishing attack protection. I would not recommend any Outlook client for email unless it's being used for work, or Microsoft email like Hotmail/Outlook.com, or a microsoft365 account. Microsoft Outlook (desktop app) siphons your Gmail and other content on to Microsoft servers unnecessarily, and prevents you from using Outlook simply as a client. BIG AVOID. Otherwise, if you know what's phishing and what's junk, you don't really need anything more than a basic antivirus.
Basically, if you're not too risky (avoid pirated stuff, know what is and isn't phishing, don't sign up for everything under the sun) and know what you're doing, you don't need anything more than what comes with today's OSes. Just make sure you back up your computer and important stuff, stay up to date, and stay vigilant that the OS vendor doesn't start turning the OS into malware itself.
Norton Parent Co. Symantec Had to Shut Down Certificates Business: Symantec bought Verisign back in 2004. Over the years and many acquisitions they built up their identity federation cert business. Due to the security of the internet being underpinned by these certificates, they must be audited and trusted to run things tiptop. However, several times Gen Digital (nee Symantec) was caught letting its partners create certificates for domains that already existed, with no audit checks. This was major news when it happened in 2014 and even worse when discovered again in 2016-7. The second time was so bad, they were forced to sell their business to Digicert rather than go through the audits that Google and Mozilla demanded.
Gen Digital Subsidiary Avast and AVG using Antivirus to sell users personally identifiable browsing history and click history to marketers, sued by FTC: Going back to antivirus, in 2014-2020, Symantic/Gen Digital subsidiary Avast bought AVG and another antivirus maker called Jumpshot. Most news articles say Jumpshot was an analytics company, but when Avast bought it, it was an antivirus maker. They switched its "focus" to marketing post-takeover. They used Jumpshot technology to monitor and keep their customers' every single search, click, use, etc. Despite selling software that scared people into installing it so that wouldn't happen! They just settled with the FTC for a paltry $16 million settlement this month. This extremely private data was sold to data brokers and more. This included not only users of the Free product, but AVG/Avast toolbars and the *paid* versions, as well. (FTC.gov details: https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-Avast.pdf )
Self Even today, the antivirus apps desperately want you to install self-signed certificates as part of the install. This allows them to intercept otherwise private connections between you and and your bank, or Facebook, Discord, Apple, etc. The apps will nag you incessantly if you don't install their certificates. Why wouldn't you? Because they effectively break encryption, and allow Symantec (whose subsidiaries have been caught selling personally identifiable info on the public market), erm now Gen Digital to do the same thing. You effectively give them permission to perform a MiTM (man-in-the-middle) attack on your private data, and you have to trust that a) they won't have bugs that make you even more vulnerable on top of the MiTM, b) That their methods of verifying certificate trust is actually functional and secure and c) That you trust that now that they have access to an internet connected system with admin privileges and the ability to intercept all HTTPS traffic that they won't go ahead and do the same things again. After all, it only cost them $16 million vs all the profit they made selling user data.
Basically Gen Digital (nee Symantec, nee Norton LifeLock) seem to do anything possible for more profit, even if it's conceptually risky and puts the customer at a security disadvantage.
I highly recommend staying away from *any* product offering from Gen Digital, which includes the Symantec, Norton/LifeLock, Avast and AVG brands, among others. They've proven repeatedly they cannot be trusted, and have morphed the role of antivirus into the worst malware on your system itself.
I personally would avoid Norton in general due to their company having a shady history of pushing profit over users. Microsoft hasn't exactly been great in that domain lately, either. However, you do get many, many more tools by default in a current, updated version of Windows 10 or 11 than you ever did before (Note: Windows 10 support will end 14 October 2025; users must upgrade before then to remain secure). macOS similarly has quietly added a whole arsenal of tools that carefully guard which apps have which permissions to run on your system and the OS is malware-aware, quietly getting updates all the time. My opinion is that users that are reasonably computer literate, and aren't undertaking risky behavior shouldn't need more than what comes with their OS. Just keep updated, and to keep good online habits, and know what you're getting into.
Is Windows enough?
If you open the Windows Security dashboard, you'll see that Windows includes a full suite of tools that already run by default. For example, Windows Defender is antivirus protection included with windows 11. You get protection against ransomware, macro viruses, etc. Every file that's downloaded is checked against DBs to make sure it doesn't match known malware. Disks, including internal and external drives by default are all scanned while being accessed. You get a built-in firewall since Windows XP and you can add fairly sophisticated rules to if needed. Even when an app is run, app signatures and certificates are again checked against known bad apps, and sandboxing and virtualization technology protects your OS kernel in an isolated instance. Secure boot lessens the chance of boot loader malware that would be otherwise undetectable. Bitlocker adds an extra layer of encryption at rest to your drives (Pro and corporate editions). If kids share a system and they are not computer literate, giving them their own non-admin accounts can prevent them from messing up your secured system but requiring escalated privileges. Pretty much everything I mentioned for Windows is delivered by macOS as well, but they call them different things.
What about any special features Norton has that Windows doesn't? Many of the tools that Norton 365 et. al, might have that Windows doesn't already have often includes very invasive tools that are running on top of your emails, your web browser including intercepting and tracking your usage, decrypting your private data by installing self-signed certificates to do this while you browse. This is not recommended as secure by any means, but it still happens. Many Antivirus apps, especially free ones will keep on insisting that the user grant their apps lots of permissions and install helpers everywhere. This is not only irritating but it makes your system less safe, and there are other existing ways to accomplish the same thing. It suggests that they simply want to access your browsing data to sell to advertisers (or else why wouldn't you be able to tell those messages to go away for good?).
All major browsers today have some kind of site-checking to make sure your pages aren't malware infested. Chrome's optional enhanced protection setting sends your URLs and "a small sample of page content, downloads, extension activity, and system info." to the Google Safe Browsing service, which is linked to your Google account. Edge has numerous settings that promise to enhance your safety if you give up your browsing information, many of which default to on. These all claim to run a check on a site sometimes even before you load it against known malware and will warn you and make it hard to visit problematic sites. If you don't trust Microsoft or Google, there's Firefox, who has their own site validation service as well.
In addition to browser safe browsing, you can get additional security from ad blockers, specifically "uBlock Origin" on Chrome and Firefox, or AdGuard on Safari. These have large curated lists of ad and malware provider domains and simply block content from them (you also get the benefit of faster loading in some cases, and can easily whitelist individual sites you want to get ad revenue). You could also use AdGuard DNS to provide another level of malware checks to every site you visit (they prevent known hosts that sponsor malware to be blocked, and can also block intrusive ads on all devices). With regard to email guards/protection, if there's a high chance someone who doesn't know what phishing or ransomware is and might fall prey, then you might benefit from an advanced email client on their PC, like Thunderbird by Mozilla (Firefox). Thunderbird has built-in privacy and phishing attack protection. I would not recommend any Outlook client for email unless it's being used for work, or Microsoft email like Hotmail/Outlook.com, or a microsoft365 account. Microsoft Outlook (desktop app) siphons your Gmail and other content on to Microsoft servers unnecessarily, and prevents you from using Outlook simply as a client. BIG AVOID. Otherwise, if you know what's phishing and what's junk, you don't really need anything more than a basic antivirus.
Basically, if you're not too risky (avoid pirated stuff, know what is and isn't phishing, don't sign up for everything under the sun) and know what you're doing, you don't need anything more than what comes with today's OSes. Just make sure you back up your computer and important stuff, stay up to date, and stay vigilant that the OS vendor doesn't start turning the OS into malware itself.
). ESET, Kaspersky*, and BitDefender are usually well recommended here.
