Lukas Pelser, Sophos
Antivirus software is the thing everybody loves to hate. For many, it’s bloatware. From the moment you turn on your computer, it nags you about updates, scans and pop-ups that feel more like interruptions than protection. For others, it’s forever tied to John McAfee, the software pioneer turned fugitive whose personal life became as notorious as the product that still bears his name. And then there are those who believe that safety comes down to common sense. If you stop, think and don’t click on suspicious links, you’ll be fine. This might work when it comes to personal protection; after all, you’re in charge of your digital footprint. But in the office, where employees still write passwords on sticky notes or rush through outdated security training modules, self-restraint isn’t an adequate guardrail.
Antivirus software, the first versions of which appeared in the 1970s, has evolved. Traditional antivirus tools were built to spot malicious code or known signatures. They uncovered malware, stopped spyware and squashed worms. But when attackers started using legitimate tools like Power- Shell, admin privileges or even trusted applications, there was nothing for the antivirus to flag.
Ransomware groups often use tools that aren’t inherently
malicious, making them invisible to legacy signature based
antivirus.Lukas Pelser, Sophos
“Ransomware groups often use tools that aren’t inherently malicious, making them invisible to legacy signature-based antivirus,” says Lukas Pelser, solutions engineer at Sophos. This gave rise to fileless attacks. Instead of just installing new malware, attackers ran their code directly in memory or through built-in tools. The Code Red worm in 2001 is often cited as the first major zero footprint attack. It infected more than 350 000 Microsoft IIS servers by exploiting a buffer overflow vulnerability, all without leaving traces on the hard drive for antivirus to pick up.
Endpoint protection (EPP) is the next step in the antivirus story. In the early days, the goal was to catch viruses hidden in files, but once every device connected to the internet and became a possible entry point, the focus shifted – protection had to expand to the device itself. “In the market, most vendors or organisations talk about endpoint protection rather than antivirus,” says Robert Swanepoel, technology expert and consultant for Sub-Saharan Africa at Kaspersky. “It’s more than just detecting or blocking viruses, because at the end of the day, the endpoint is going to be a target.”
Source: The Business Research Company
An endpoint is any device that can connect to a network, he says. It’s where data is stored, accessed and transmitted. In a business, that could mean anything from an employee’s laptop to a cloud-hosted server. Each one represents a potential opening for attackers. So, while some vendors may even refer to “next generation” antivirus, what they’re actually talking about, says Swanepoel, is endpoint protection. “The labels matter less so than the functionality we want to provide.”
However, that doesn’t make antivirus irrelevant. “It simply covers a specific slice of the cybersecurity pie,” says Brandon Muller, technical expert for the MEA region at Kaspersky. In EPP, it still provides the first line of defence, scanning files and processes against known threats and stopping malicious code before it has a chance to execute. “It never stops being useful. It’s always required,” says Swanepoel. What has changed is how antivirus works in combination with other controls. Antivirus still uses signature-based detection to catch known malware families, but it also contributes telemetry that feeds into behavioural analytics and machine learning models, helping to flag suspicious activity early. “A lot of the detections we’re picking up now are from a behaviour point of view – an unauthorised attempt at encryption, or unusual network activity coming into the device,” says Swanepoel.
Things have changed but we, as human beings, are not
adapting as quickly as the technology.Robert Swanepoel, Kaspersky
That distinction is important, because ransomware or credential theft often looks like legitimate activity until behaviour crosses a certain threshold. Antivirus, therefore, plays its part not only by blocking obviously malicious code, but also by giving context to higher-level defences. In other words, the antivirus layer takes care of the basics while the rest of the endpoint suite monitors behaviour in real-time, applies security governance and, where necessary, contains or isolates a compromised device before the threat can spread. “Antivirus remains essential at the edge but it is only one control among several,” says Muller. “Organisations that combine prevention, detection, containment and recovery outperform those that rely on a single tool, regardless of how strong that tool is.”
Robert Swanepoel, Kaspersky
Antivirus may be an outdated term, but it remains part of the security vocabulary. And people will still ask for it, even though the technology has moved on. Swanepoel compares it to dialling a phone. We no longer use a manual dial, but the terminology has stuck around. “Things have changed but we, as human beings, are not adapting as quickly as the technology,” he laughs. The biggest problem for Swanepoel is not the word itself, but that too often, antivirus is seen as a product rather than part of an overall strategy. The entire environment needs protection, and the challenge is finding the most effective way to get there. No matter what security strategy a company chooses or which vendors it uses, it’s important to check how all the security products work together. If products overlap, resources are wasted. If there are gaps, such as areas where no product can offer protection, a company can be left open to attack. That, says Swanepoel, is where many go wrong. Security is not a collection of licences, but a framework that has to work as a whole. Antivirus may have been the first layer, but it’s no longer the only one.
PROTECTION MONEY
Antivirus is one of technology’s most enduring products, a multibillion-dollar industry built on a simple message: you are not safe without us. It is an industry that runs on fear. Pop-ups flashing “urgent action required” or statistics about hundreds of thousands of new threats each day are not just technical updates, they are smartly designed to keep users aware, and anxious, about the risks. The more frequent the warnings, the more natural it feels to keep paying for protection. It’s a psychological loop that convinces people their built-in protection is inadequate.
According to Mordor Intelligence, the global endpoint security market, which includes antivirus, firewalls and detection tools, is forecast to reach $21.02bn in 2025 and rise to $35.75bn by 2030. Few vendors sell “just” antivirus anymore. Subscriptions now come with VPNs, password managers and parental controls. Avast, for example, alone counts hundreds of millions of active users and earns the majority of its revenue from recurring subscriptions. The business model has shifted from single-use software to ongoing reassurance.
What complicates this picture is the capability already sitting inside most devices. Windows Security, which includes Defender Antivirus, is the most awkward evidence for antivirus vendors. Independent labs, like AV-TEST and AV Comparatives, show it blocks ransomware and malware at rates only a few percentage points below the top paid products. In other words, 97% detection compared with 99%. Microsoft itself has a Digital Crimes Unit (DCU), and the tech giant employs over 34 000 full-time security engineers in its organisation. “We track 84tn signals daily,” says Steven Masada, the DCU’s assistant general counsel and director. “It’s hard to say that Microsoft itself is not a cybersecurity company.” That intelligence is used to harden Microsoft’s own platforms, from Windows Security to Azure. Apple’s macOS has Gatekeeper, XProtect and System Integrity Protection, while Android deploys Google Play Protect and strong sandboxing (which means apps runs in their own isolated environment, limiting cross-app access). And on iOS, every app is vetted under Apple’s walled garden, which, in theory, makes third-party antivirus largely irrelevant. A lot of what antivirus software once promised is now delivered by default. Is the protection gap less about capability and more about psychology, the perception that without an extra layer of security, users will forever be one step away from disaster?
Source: Enterprise Apps Today
FIT FOR PURPOSE
It is no longer enough to simply have antivirus in place. The real question is whether it’s still pulling its weight. “Operational fit matters as much as detection,” says Kaspersky’s Brandon Muller. Here are his four checks to help organisations decide if their solution is delivering real protection and value.
1. Test outcomes first
Focus on results, not claims. Is the tool stopping everyday attacks, containing outbreaks quickly and giving your team enough signal to act without overwhelming them with noise? The only way to know is through real-world trials that mimic attacker behaviour using frameworks like MITRE ATT&CK rather than basic test files.
2. Scrutinise capabilities and hygiene
Good antivirus should layer reputation, heuristics and behaviour based protection with exploit and ransomware defences. It should provide web and mail filtering, support for all major operating systems and fast update pipelines. Look closely at how it handles false positives, whether rollback and host isolation are built in and if it helps reduce the attack surface through patching, vulnerability management, device control and application control.
3. Check operational fit
Even the most advanced tool is useless if it does not fit how your team works. Policies should be simple to manage at scale, investigations should have clear timelines, and telemetry should be rich enough to tell the full story. Automation needs to be practical, and the platform should connect easily with EDR, MDR, SIEM and ticketing systems.
4. Demand transparency
Vendors that have nothing to hide will share independent test results, architectural detail and data handling practices. They should also be clear about where the product is going, with a roadmap that shows how prevention, detection and response will keep evolving.
