Isn’t the built-in security on today’s PCs, phones, and tablets good enough? The answer depends on the OS you’re running.
By Neil J. Rubenking
An iPhone is virtually impregnable, security-wise. Macs are pretty good, though the old “Macs don’t catch viruses” jingle is out of date. Even Microsoft Defender is getting better. Is it reasonable to save money by eschewing third-party security protection and just relying on what’s built into the OS? Well, probably not. In most cases, you’ll be safer springing for third-party security or using a top-tier free solution. Depending on what operating system is involved, going beyond the basics is always a good idea, and sometimes a necessity.
Windows, macOS, Android, and iOS all include protection against malware, in one way or another. For some, protection takes the form of a full-on antivirus. For others, security is baked into the OS thoroughly enough that malware has a hard time doing anything. Either way, you can improve your protection by installing a third-party antivirus.
Microsoft has offered built-in antivirus protection of one kind or another since the release of Microsoft Anti-Virus for DOS in 1993. The core of that product was purchased by Symantec and became the OG Norton Antivirus. And wow, was it ever simple-minded. At release, it could detect around 1,200 specific viruses, and users had to install any updates manually.
Fast-forward to today, and you get Microsoft Defender, a rather more impressive product. Oh, it went through some rough stages developmentally. When the independent testing labs started including Microsoft Defender, it managed to score below zero in some tests. But that was years ago, and this tool has been steadily improving its scores.
After going through various names, it’s now called Microsoft Defender Antivirus. In addition to providing antivirus protection, it also manages other security features such as Windows Firewall. In our testing, however, we discovered some significant limitations. For example, it scored poorly in our hands-on phishing protection test, which uses real-world fraudulent sites scraped from the web. In any case, its phishing protection and its defense against malware-hosting sites both only work in Microsoft browsers. Do you prefer Chrome? Firefox? Sorry, you get no protection.
Microsoft Defender includes a kind of ransomware protection, in the form of a component that prevents unauthorized changes to files in important folders. Early on, the desktop was included, which proved annoying, as protection kicked in every time an installer wanted to place an icon on the desktop. At present, in Windows 10 and Windows 11, this feature protects the Documents, Pictures, Videos, Music, and Favorites folders. It’s still turned off by default.
Here’s the thing. Microsoft Defender’s developers seem to consider it a Plan B, rather than a main solution. If you install a third-party antivirus, Microsoft Defender goes dormant, so as not to interfere. If you remove third-party protection, Defender revives and takes up the job of defense again. The best antivirus programs, even free antivirus tools, perform significantly better in testing and offer more features.
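To see where a given PC stands on both points above (whether Defender is active or dormant, and whether the protected-folders feature is switched on), here is a PowerShell check, added as an example and not part of the original article. It relies on the Get-MpComputerStatus and Get-MpPreference cmdlets that ship with Windows 10 and 11; the function name Get-DefenderPosture and the sample objects are made up for illustration.

```powershell
# Added example, not from the original article.
function Get-DefenderPosture {
    param(
        # Parameters exist so saved or constructed objects can be checked too.
        $Status     = (Get-MpComputerStatus),
        $Preference = (Get-MpPreference)
    )

    # EnableControlledFolderAccess comes back as a number.
    $cfaNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $cfaValue = [int]$Preference.EnableControlledFolderAccess
    $cfaState = if ($cfaNames.ContainsKey($cfaValue)) { $cfaNames[$cfaValue] } else { "Other ($cfaValue)" }

    # AMRunningMode is 'Normal' when Defender is the active antivirus and a
    # passive mode when a third-party product has taken over.
    $mode = $Status.AMRunningMode
    if (-not $mode) { $mode = 'Unknown (property not reported on this build)' }

    $findings = @()
    if ($mode -ne 'Normal') {
        $findings += "Defender is not the active antivirus (mode: $mode)."
    } elseif (-not $Status.RealTimeProtectionEnabled) {
        $findings += 'Defender is active but real-time protection is off.'
    }
    if ($cfaState -ne 'Enabled') {
        $findings += "Controlled folder access is $cfaState; changes to protected folders are not being blocked."
    }

    [pscustomobject]@{
        RunningMode            = $mode
        RealTimeProtection     = [bool]$Status.RealTimeProtectionEnabled
        ControlledFolderAccess = $cfaState
        ExtraProtectedFolders  = $Preference.ControlledFolderAccessProtectedFolders
        Findings               = $findings
    }
}

# Constructed sample: third-party antivirus installed, feature left at its default.
$sampleStatus = [pscustomobject]@{ AMRunningMode = 'Passive Mode'; RealTimeProtectionEnabled = $false }
$samplePref   = [pscustomobject]@{ EnableControlledFolderAccess = 0; ControlledFolderAccessProtectedFolders = $null }
(Get-DefenderPosture -Status $sampleStatus -Preference $samplePref).Findings

# Live check on a Windows 10 or 11 machine:
Get-DefenderPosture | Format-List
```

If the feature shows as Disabled, running `Set-MpPreference -EnableControlledFolderAccess Enabled` from an elevated PowerShell prompt turns it on.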
Google immediately removes any malware that it finds in the Google Play Store, but the key word here is removes. First, the malware shows up in the store; second, however long this takes, Google removes it. The Play Store doesn’t have the same stringent vetting process that comes with Apple’s App Store. Malware does get into the store, and you may well download it before Google cleans up. In addition, it’s easy enough to set your Android to allow sideloading programs independently of the Play Store.
Google Play Protect, the antivirus built into Android, aims to protect your devices from malware. As far as the independent testing labs have found, it does a terrible job.
Experts at AV-Comparatives tested Google Play Protect along with 10 third-party Android antivirus tools. They collected thousands of unique Android malware samples and tested each antivirus against that collection. They first let the antivirus scan and eliminate samples it recognized, and then launched any that remained, to give behavior-based detection a chance. They also installed 500 popular (and legitimate) apps to check that the antivirus doesn’t wrongly tag them as malicious.
Avast, AVG, Bitdefender, G Data, Kaspersky, and Trend Micro Maximum Security caught 100 percent of the samples. Several others managed better than 98%. Play Protect came in last with 87.9% protection. Google’s entry also exhibited the most false positive results, a total of 11, where more than half showed none at all. All the tested antivirus products received the lab’s seal of approval. All, that is, except Play Protect.
In their reports on Windows, macOS, and Android antivirus products, researchers at AV-Test Institute assign a product up to six points each for Protection, Performance, and Usability. That last one means the product doesn’t freak out the user by falsely accusing valid apps. About two-thirds of the products tested earned a perfect 18 points. As for Google, it took just four of six possible points for protection. That’s actually an improvement—in the previous test, Google scored three points for protection. The verdict is clear: Play Protect won’t protect you. You need a third-party antivirus on your Android devices. We’ve rounded up some favorite Android antivirus tools, looking specifically at solutions that support multiple platforms.
Sideloading—installing apps from outside the operating system’s store—is common in Android. We’ve even seen security tools that must be installed this way (though we don’t approve). Apple is much more insistent that only App Store apps can be trusted. By default, if it’s not from the App Store you just can’t install it. Yes, you can override that setting, but you really shouldn’t.
For another level of protection, a component called Gatekeeper checks every app you install for malware. Starting in macOS Catalina, Gatekeeper checks apps on every launch, not just at install time, and examines non-malicious apps for security issues. Catalina also makes apps get permission before they can access critical areas. And with Catalina, the operating system resides on a read-only drive partition, separate from all other programs.
To infect another program, a virus needs to modify that program, something that’s not allowed in macOS. To steal private data, a banking Trojan must read memory belonging to your browser, which is likewise not allowed. In the macOS environment, apps are isolated and limited to accessing their own resources. And even if an app managed to break through this barrier and access another program’s memory, features like ASLR (Address Space Layout Randomization) would keep it from finding any treasures stored in memory.
Many manufacturers make PCs, but only Apple makes Macs. The company has full control over the hardware, including the T2 chip present in newer Macs. This chip creates what’s called a Secure Enclave, an area of memory that’s completely unavailable to any process not part of macOS. It also manages Touch ID, encrypted storage, and more.
Despite all these safeguards, macOS malware most definitely exists, with several significant attacks in the last few years. In 2021, the Silver Sparrow malware downloader made its way onto 30,000 Macs before it was caught. The infamous LockBit ransomware extended its reach to attack Apple Silicon Macs. A wannabe hacker with $1,000 to invest could pick up a copy of the Atomic macOS Stealer, designed to access keychain passwords and more. A wily Trojan-style PDF Viewer did its job normally until activated by a trigger PDF. The list goes on.
While Macs aren’t as vulnerable as Windows boxes or Android devices, the old saw that Macs don’t get malware is demonstrably untrue. And unlike Windows, macOS doesn’t include an antivirus utility as such. If you don’t have antivirus protection on your Macs, get it now.
“Only a fool learns from his own mistakes. The wise man learns from the mistakes of others”, said Prussian statesman Otto von Bismarck. Apple has had teams developing operating systems since the 80s, plenty of time to make a lot of mistakes. When the iOS team came along, mistakes from previous groups provided plenty of input about what makes for a secure operating system. Release after release, iOS gets still more secure.
So secure that it’s not really possible to create an antivirus to run on iOS. A Malwarebytes report from a couple of years ago describes a strong rise in macOS malware, but notes, “On the iOS side, malware exists, but there’s no way to scan for it.” It goes on to point out that this iOS malware consists mostly of nation-state efforts, not the kind of thing your average user needs to worry about.
Even when malware coders (or researchers) do manage to create iOS malware, it tends to have serious limitations. For example, the checkm8 technique allows a partial jailbreak of many older iPhones, from the iPhone 4s to the iPhone X. However, putting checkm8 in place requires physical access to the phone, which must be connected to a desktop computer. A newer technique dubbed NoReboot lets malware persist through an iPhone reboot, but it works by fooling the user into thinking the phone rebooted when it didn’t.
Don’t look for a roundup of iOS antivirus products—we don’t have one. If all you ever use are iOS (and iPadOS) devices, you don’t need antivirus. You’ll still want to use an iPhone VPN in some situations, however. Speaking of VPNs…
We’ve had readers ask why they can’t just use the free VPN built into their iPhones. Indeed, there’s a VPN configuration page in Settings, but you can’t use it without going through the complex process of manually setting up a VPN profile. The most important element of that profile is the VPN server you want to connect with. And to gain access to that server, you’ll need to pay for a subscription. Which comes with an app. So just use ProtonVPN, or whatever app suits you best! The same is true on Android devices.
If you dig into Settings, you’ll find a spot to control your VPN, but it’s a dead end. On an iPhone, digging into the VPN & Device Management setting just takes you to the dead end of “Add VPN Configuration.” On Android (at least on the Android device I use for testing) the VPN settings slot simply reports “None.” Sorry, your phone just doesn’t have a VPN client built in.
If you’re using a Windows computer or an Android device, you should most definitely install a third-party antivirus utility. Microsoft Defender is getting better, but it’s not up to the best competitors, even the best free ones. And Google Play Protect is ineffective.
Tight security aside, Mac users need protection too. One study showed Macs getting infected at a higher rate than PCs. That could well be due to Mac’s long-standing reputation for resisting malware. As for iOS, Apple got it right, right from the start. This platform has so much security built in that it’s nearly impossible for an attack to succeed (nearly, but not completely). That protection also means it’s nearly impossible to write an iOS antivirus. Use the time and money you saved not installing iOS protection to triple-check all your other devices.
For advice on getting started securing your devices, please read How to Check Your Security Software, Settings, and Status.