Javascript is not enabled.

Javascript must be enabled to use this site. Please enable Javascript in your browser and try again.

Skip to content
Content starts here


Leaving Website

You are now leaving and going to a website that is not operated by AARP. A different privacy policy and terms of service will apply.

Should You Pay for Antivirus Software? These Experts Say No

A device’s built-in security is often enough, but stay on top of updates, passwords

spinner image a laptop with anti virus protection

The $20-plus annual antivirus subscription can seem like a cost of digital living as unavoidable as a broadband connection’s monthly fee.

But several security experts and computing veterans say otherwise: No, you don’t have to pay for “AV” software if you follow basic security practices.

spinner image Image Alt Attribute

AARP Membership— $12 for your first year when you sign up for Automatic Renewal

Get instant access to members-only products and hundreds of discounts, a free second membership, and a subscription to AARP the Magazine.

Join Now

Device and app makers have become a lot more vigilant. In some respects, malware outbreaks affect their own reputations. 

• Rich Mogull: “I just use the AV built into the platforms now,” says the chief executive of the Phoenix security-research firm Securosis.

• Jeremy Epstein: “I don't use any antivirus,” the chair of the New York-based Association of Computing Machinery’s U.S. technology policy committee and a longtime voting-machine security researcher says about his own computers. “And I don’t recommend to family members that they use antivirus.”

• Kyle Tobener: “Should people pay for antivirus software? No,” says the head of security at Copado Solutions. The software development support firm is based in Chicago. “For most users, paying for antivirus does not increase their safety by enough to justify the additional effort and expense.”

• Adam Engst: “I have never paid for commercial anti-malware software for my Mac, and it’s not something I recommend to most people,” says the publisher and CEO of TidBITS in Ithaca, New York. The Apple newsletter has been online since 1990.

Device manufacturers step up to the plate

These people aren’t saying commercial antivirus software adds no protection. They are saying that in practice its cost, added complexity and risk of leaving you unprotected if a subscription lapses outweigh its benefit.

“We want people to have to do as little as possible to stay safe,” Tobener says.

An internet survey of more than 1,000 people, released Feb. 22 from product-review site, showed 85 percent of respondents using antivirus software, including three-quarters of those ages 45 to 54 and 86 percent of those 55 and older. But more than 3 in 5 rely on free programs, such as Microsoft Defender, which comes already installed on Windows 10 and 11 machines. And slightly fewer users of free programs, 8 percent vs. 10 percent, had problems with a device becoming infected with a virus.

spinner image a red key on a white keyboard marked with a white bug
Getty Images

The security industry has often scolded customers to try harder while working to keep them nervous, Tobener says. He decried that approach in a talk at the 2022 Black Hat security conference in Las Vegas, saying, “Fear is a common tactic in cybersecurity.”

Technology & Wireless

Consumer Cellular

5% off monthly fees and 30% off accessories

See more Technology & Wireless offers >

Laptops and desktopssmartphones and tablets already include good-enough free protection. It’s not like the bad old days when you had to buy basic security software because a PC came with none.

Microsoft Defender in Windows and Gatekeeper in Apple’s macOS look out for malware in software downloads, either from the web or from the safer app stores in Windows and macOS.

Phones, tablets, browsers add safeguards

Security is tighter on mobile devices. Out of the box, Google’s Android and Apple’s iOS and iPadOS allow app installs only from the stores each company controls.

Android will let you get an app from elsewhere if you must, but its Google Play Protect checks those downloads, too. And both mobile platforms police apps’ access to your data.

That’s why good security advice now starts with “Install security patches.” Engst calls it essential to stay up to date with operating system and app updates because they plug security holes.

That, too, is easier now. The apps most likely to get exposed to sketchy stuff online — web browsers like Apple’s Safari, Google’s Chrome, Microsoft’s Edge and Mozilla Firefox — automatically update themselves. And on the last three browsers, those patches take only a minute or so to install.

Apple, Google and Microsoft’s app stores update software installed through them without your intervention.

spinner image membership-card-w-shadow-192x134

Join AARP today for $16 per year. Get instant access to members-only products and hundreds of discounts, a free second membership, and a subscription to AARP The Magazine.

And the iOS, iPadOS, macOS, Android and Windows operating systems check automatically for updates. But since major patches on those generally require restarts, which on an iPhone, iPad, Mac and Windows PC can leave the device unavailable for several minutes, they let you wait to install them, often until the late night when you’re likely not using the machines. Just don’t wait too long.

Check your (duplicated) passwords

The trickiest part of security nowadays is also one that antivirus apps can’t help on much: the passwords used to sign into apps, sites and services. Phishing scams try to fool us into volunteering them at fake sites while the widespread but ill-advised practice of password reuse enables a scammer to take one guessed or leaked password and see how many accounts it unlocks.

You can thwart phishing attacks with multifactor authentication, where a site has you confirm a login with a one-time code or notification sent to your phone. The strongest forms, such as the passkeys now coming online, ignore phishing sites even if they ask for these codes.

Rachel Tobac, CEO of the San Francisco-based Social Proof Security, offers this counsel about requests for sensitive data or actions: “Be politely paranoid.” For example, before responding to a friend’s request that you wire money, verify their identity with two forms of communication.

It’s also a good idea to be a little paranoid about installing software, even from an app store. If it comes from a company you don’t know and somebody you trust isn’t recommending it, don’t do it.

The usual fix for password reuse is to use a password manager to create and save different logins.

“Use a password manager with unique passwords for each site,” Epstein says.

But Mogull supports lower-tech methods if they help you stop recycling passwords. Even as basic as writing them down: “A password book is totally fine if they don’t want to mess with a password manager.”

Discover AARP Members Only Access

Join AARP to Continue

Already a Member?