Antivirus Is All I Need

The Misconception
The thinking goes something like this: I've got antivirus software installed on my computer, it scans my files and blocks viruses, and that's the security box firmly ticked off my list.
Honestly, that's a reasonable assumption to make at first glance, because for a long time, viruses were the main threat that businesses faced, and antivirus was the main defence against them. The name itself strongly implies that antivirus solves the whole problem completely, which is where the misunderstanding starts.
The Reality
Traditional antivirus works by matching files against a database of known-bad signatures. If a file matches a known virus signature it is blocked before it can execute; if it matches nothing, it is allowed to run. That model breaks down against modern attacks, which are built precisely so that nothing in them resembles an entry on the known-bad list: a freshly recompiled or packed sample has no signature yet, and an attack with no malicious file at all has nothing to scan.
Here's the scale problem: in 2024, the AV-TEST Institute registered over 450,000 new malware samples and potentially unwanted applications every single day. Signature-based detection simply can't keep up with that volume, and modern attacks increasingly avoid traditional malware entirely to sidestep the whole problem. The UK Cyber Security Breaches Survey 2025 found that phishing was the most common attack type, reported by 85% of businesses that identified a breach, and credential phishing doesn't need to drop anything on your machine. It tricks you into typing your password into a fake login page, and antivirus never sees what's happening because there is no malicious file to scan in the first place.
Fileless attacks are another significant gap in what antivirus can catch. These attacks use tools already installed on your computer (PowerShell, Windows Management Instrumentation, other signed system binaries) to run malicious commands directly in memory, typically pulling the next stage straight from a web server into the running process. Nothing gets written to disk, so nothing triggers a file scan from your antivirus engine; the only record of what ran is whatever telemetry the endpoint was configured to collect.
Antivirus is one defensive layer that catches known threats reliably, and that's genuinely valuable. But it doesn't stop someone tricking you into entering your password on a fake Microsoft login page, and it doesn't prevent an attacker from exploiting an unpatched vulnerability in your VPN appliance. It doesn't detect someone using stolen credentials to log into your email from halfway around the world, and those are the dominant attack types in 2026.
The Analogy
A seatbelt protects you in a crash, but it doesn't prevent crashes from happening in the first place. You still need working brakes, functional mirrors, a responsive steering wheel, and the ability to recognise a hazard before you hit it. If you only rely on the seatbelt and ignore everything else, you'll eventually end up in a crash that no seatbelt can save you from, no matter how well it's fitted.
Antivirus is your seatbelt, and it helps when something impacts your machine directly. It isn't the brakes (patching), it isn't the mirrors (monitoring), and it isn't defensive driving (training your staff to spot phishing attempts). You need all of those working together, not just the last line of defence.
What to Actually Do
- Keep your antivirus turned on and updated. On Windows 10 and 11, Microsoft Defender Antivirus (still widely called Windows Defender) is installed and running by default. On Windows 11, go to Settings, then Privacy & security, then Windows Security, then Virus & threat protection (on Windows 10 it sits under Settings, then Update & Security, then Windows Security). Check that Real-time protection is on and that definitions are current, because this is still your baseline layer of defence.
- Move from antivirus to endpoint detection and response (EDR) for anything beyond a single-user laptop. Modern EDR adds three things antivirus does not: behavioural detection of fileless attacks running through PowerShell or WMI, telemetry that records what an attacker did so you can scope the breach afterwards, and analyst-driven response to alerts rather than a silent block-or-allow decision. NCSC's endpoint guidance treats EDR as the baseline for any organisation handling sensitive data, not as an upgrade. Net Sec Group's Managed Detection and Response service runs the EDR layer plus the analyst response inside the ICO Article 33 72-hour disclosure clock. See Managed Detection and Response.
- Turn on multi-factor authentication for your email. If your email is Microsoft 365 or Google Workspace, enable MFA for every account today, starting with administrators, and prefer an authenticator app, security key or passkey over SMS codes. This stops a stolen password from being enough on its own to get in, which is exactly the case antivirus cannot cover. One caveat: a fake login page that relays your one-time code to the real site in real time can still get through app or SMS codes, so for admin and finance accounts use a phishing-resistant method (security key or passkey) that is bound to the genuine site.
- Install software updates within a week of release. Go to Settings, then Windows Update, and check for updates, then do the same for your browser and any VPN or remote-access software. Attackers exploit known vulnerabilities in software that hasn't been patched yet, and antivirus can't block an attacker walking through a hole that shouldn't be there. Cyber Essentials sets the outer limit: patches for critical and high-severity vulnerabilities must be applied within 14 days of release, so a one-week target leaves you margin.
- Ask your team one question: "What happens if someone enters their password on a fake login page?" If the answer is "antivirus will catch it," then you have a gap worth closing this week. If the answer involves MFA blocking the attacker, EDR or your sign-in monitoring flagging the unusual login, and the IT team being alerted within minutes, you're in considerably better shape.
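The checks in the list above (real-time protection and definition age, visibility into in-memory PowerShell activity of the kind the fileless section describes, and overdue patches) can be run from one script. The following is an added example written for this article, not code from Net Sec Group, Microsoft or NCSC. It assumes a Windows 10/11 host with Microsoft Defender Antivirus and the built-in Defender PowerShell module; the function name `Test-EndpointBaseline`, the thresholds, and the "Pass/Fail" wording are this example's own choices. Script block logging is used here as a stand-in for the telemetry an EDR would collect; it is not a substitute for EDR.

```powershell
# Added example: baseline posture check for a Windows 10/11 endpoint.
# Assumes: Microsoft Defender Antivirus is the installed AV, the Defender
# PowerShell module is present, and the Windows Update Agent COM API is
# available (all true on supported Windows builds). Run from an elevated
# PowerShell session. Function and threshold names are illustrative.

function Test-EndpointBaseline {
    [CmdletBinding()]
    param(
        # Definitions older than one day are treated as stale.
        [int]$MaxSignatureAgeDays = 1,
        # The article recommends patching within a week; Cyber Essentials
        # allows 14 days for critical/high vulnerabilities.
        [int]$MaxPatchAgeDays = 7
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. The antivirus layer itself: real-time scanning, behaviour monitoring
    #    and signature freshness, all read from Get-MpComputerStatus.
    $mp = Get-MpComputerStatus
    Add-Finding 'Real-time protection enabled' $mp.RealTimeProtectionEnabled `
        "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Behaviour monitoring enabled' $mp.BehaviorMonitorEnabled `
        "BehaviorMonitorEnabled=$($mp.BehaviorMonitorEnabled)"
    Add-Finding "Signatures no older than $MaxSignatureAgeDays day(s)" `
        ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "AntivirusSignatureAge=$($mp.AntivirusSignatureAge) day(s), last updated $($mp.AntivirusSignatureLastUpdated)"

    # 2. Telemetry for the fileless gap: with script block logging on, every
    #    script block PowerShell runs is written to the
    #    Microsoft-Windows-PowerShell/Operational log as Event ID 4104, even if
    #    it was never saved to disk. A file scan has no equivalent view.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $sblOn = ($null -ne $sbl) -and ($sbl.EnableScriptBlockLogging -eq 1)
    Add-Finding 'PowerShell script block logging enabled' $sblOn `
        $(if ($sblOn) { 'Event ID 4104 records in-memory script content' } else { "Policy value missing or 0 under $sblKey" })

    # 3. Patching: ask the Windows Update Agent for updates that are applicable,
    #    not installed and not hidden, then flag any published longer ago than
    #    the patch window. The search can take a minute on a cold cache.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending = @($searcher.Search('IsInstalled=0 and IsHidden=0').Updates)
    $cutoff = (Get-Date).AddDays(-$MaxPatchAgeDays)
    $overdue = @($pending | Where-Object { $_.LastDeploymentChangeTime -lt $cutoff })
    Add-Finding "No updates pending longer than $MaxPatchAgeDays day(s)" ($overdue.Count -eq 0) `
        "$($pending.Count) pending, $($overdue.Count) overdue$(if ($overdue.Count -gt 0) { ': ' + (($overdue | ForEach-Object { $_.Title }) -join '; ') })"

    return $findings
}

# Usage: print a Pass/Fail table, then exit non-zero if anything failed so the
# script can be dropped into a scheduled task or RMM check.
$results = Test-EndpointBaseline
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Each finding carries the raw value it was judged on, so a failed check tells you what to fix rather than just that something is wrong. Note that MFA cannot be verified from the endpoint at all; that check lives in the Microsoft 365 or Google Workspace admin console, which is itself a reminder of how far the problem has moved away from the machine your antivirus is watching.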
The One-Liner
Antivirus catches known threats. EDR catches the rest, and most attacks today fall in the rest.