When you first turn on your Windows 11 or macOS PC or laptop you should feel reassured: both operating systems integrate their own antivirus and other options to protect the security and privacy of your data.

But does it also make sense to buy an external antivirus for these systems? To answer this question, we contacted several cybersecurity experts, who gave us good reasons not to settle for what Microsoft and Apple provide out of the box.

Both companies have offered integrated security solutions in their operating systems for years, and in both cases the native platforms aim to stop cyberattacks of all kinds. However, are they good enough?

Román Ramírez (@patowc), organizer of the RootedCON event and cybersecurity expert, explained to us how “almost all operating systems have incorporated different protection mechanisms. Some with a more technical focus and others more user-oriented, but equally positive and, in general, with very good results”.

Even so, he explained, “adversaries will always train their tools or their infection processes assuming the protection measures that we have by default. If we add additional layers, we make the attack process more expensive: we make it more costly for the adversary to be able to overcome our defenses”.

Ramírez’s advice is consistent and can be extrapolated to many other areas: you protect your house with an alarm or put extra locks on the door to deter possible thieves, and the same goes for cars: protecting them with some kind of steering-wheel anti-theft lock means that thieves will probably think twice before trying to steal them, since there may be less protected targets nearby.

In fact, this expert highlighted how many of these external tools “have additional capabilities such as VPN services, browsing and mail filtering and others. That’s why it’s always a good idea to incorporate additional tools, even if we have the ones from the operating system.”

Chema Alonso (@chemaalonso) is another of our country’s leading cybersecurity experts, and, as he pointed out, you can contact him through his public MyPublicInbox mailbox. In his opinion, the Microsoft and Apple solutions are fundamental, and using them “is like wearing a helmet to ride a motorcycle.”

However, he warns, “malware has a life cycle that can be very short if it is very widespread, or longer if it is less widespread, and for this the cybersecurity industry has advanced with innovation to apply other heuristic measures and other types of protection per channel”.

Specifically, Alonso explains that advanced end-point security solutions —the end point being the system used by professionals in the workplace or by end users at home— are called EDR (Endpoint Detection and Response) and “combine all those improvements that the anti-malware industry has been developing in recent years, and that range from centralized cloud intelligence systems to artificial intelligence models that help detect malware by how it starts behaving on the system.”

This expert recommends that business and professional users use EDR platforms that can be centrally managed. For end users who “want to avoid scares”, the ideal is to buy an advanced EDR solution for personal use. Alonso does not like free antivirus very much —and there are a few, both installed and online—, “but it’s because I prefer to have support to turn to in case of an incident”.

For Carlos Manchado, Head of Cybersecurity at Microsoft Ibérica, this company’s platform —called Windows Security, the name Windows Defender was left behind— “is an umbrella concept that includes different aspects aimed at protecting devices and your data, and includes the Microsoft Defender antivirus.”

This expert explains that whether to acquire an external antivirus, even a free one, depends on the case, because “each scenario requires an adequate solution”. Microsoft also offers solutions adapted to companies and even more complete solutions for end users, like Microsoft Defender for Individuals in Microsoft 365.

We asked our experts if, in addition to the native solutions from Microsoft or Apple, they had any relevant proposals. Román Ramírez indicated that “I personally really like Malwarebytes, which works on multiple operating systems in a fairly homogeneous way. On Linux I use a combination of ClamAV with other tools, for example.”

Manchado did not mention any, while Chema Alonso valued those that have a security center where security experts can help us solve a potential problem. Still, he explained, “I would not dare to recommend any”.

Considering that some, even paid ones, have taken the opportunity to mine cryptocurrencies, that is not surprising. For those looking for a solution, the comparisons published by AV-Test and AV-Comparatives can serve as a reference: they make clear that Microsoft Defender does not do badly, although it is somewhat inferior to several commercial products.

What about ransomware?

Ransomware threats have become a sad and dangerous reality, and Carlos Manchado reminded us that these types of attacks “grew 105% over the past year.” Here we wondered to what extent we can feel protected with native solutions from Microsoft or Apple.

For Román Ramírez, the problem with ransomware in the case of end users is that “in various scenarios, some protection tools are able to detect ransomware activity and cut it, for example. Others “plant” sentinel files in the operating system to monitor whether they are encrypted.”
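The “sentinel file” approach Ramírez mentions can be illustrated with a small monitor, added here as an example and not taken from any product named in the article. It assumes the canaries live in a directory we control and that a ransomware pass rewrites them with high-entropy (encrypted) content; file names and contents are constructed.

```python
"""Sentinel (canary) file monitor: an added illustration of the technique
Ramírez describes, not code from any product named in the article. Assumes
canaries live in a directory we control and encryption raises byte entropy."""
import hashlib
import math
import os
from collections import Counter

# Constructed canary names; real tools pick names a scan is likely to hit early.
CANARY_NAMES = ["_0000_canary.docx", "_zzzz_canary.xlsx"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext is usually 4-5, encrypted data is close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def plant_canaries(directory: str) -> dict:
    """Write low-entropy canary files and return a name -> sha256 baseline."""
    os.makedirs(directory, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        content = (f"canary {name} " * 64).encode()  # constructed plaintext
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline


def check_canaries(directory: str, baseline: dict) -> list:
    """Return alerts for canaries that are missing, modified or now high-entropy."""
    alerts = []
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            alerts.append(f"{name}: missing (possible deletion or rename)")
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != expected:
            ent = shannon_entropy(data)
            verdict = "likely encryption" if ent > 7.0 else "modified"
            alerts.append(f"{name}: {verdict} (entropy {ent:.2f})")
    return alerts
```

Run `plant_canaries` once and schedule `check_canaries`; any alert is the cue to isolate the machine and restore from the offline backup Ramírez recommends, since detection alone does not undo encryption already done.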

However, he explains, “let’s not forget that adversaries improve their offensive tools, so having protection tools is not a guarantee of coming out unscathed.” For Ramírez there is an obvious defense against this type of situation: “a well done, tested, offline backup”.

Chema Alonso has the same opinion, and as he explains there will be cases in which they do protect us and others in which they do not: “in the end it is malware, which if you are lucky enough to catch it when it has already been analyzed, signed and detected, then great, any antivirus will help you defend against it. But if you are unlucky enough that it is something unknown to the industry (only a few days old) and it comes to visit you, it is better to have the system hardened and with the best EDR possible.”

Here Alonso recommends two different books for those who want to delve into this type of threat. On the one hand, ‘Maximum Security in Windows’, by Sergio de los Santos. On the other, ‘macOS Hacking’, by Daniel Herrero.

Mobile antivirus is another matter

Ramírez explained that both Microsoft and Apple are making significant efforts in this area, but the problem is that their operating systems have a huge user base. “What’s the problem with these systems? That any vulnerability, no matter how small, has a huge impact on users.”

The view is also positive for Chema Alonso, who believes that both are doing a good job. “Like everything, there is always room for improvement, but I think end-point security has improved a lot. However, there is a lot to do on the part of users and administrators to be sure that we use all the protection measures available and that we have safe rather than risky habits”. Here Alonso joked with the already famous “Don’t click that link!”, which should become a maxim for many users.

We have talked about the theoretical need for an antivirus on your PC or laptop, but what about mobiles? For Ramírez, mobiles are a major concern “because none of the manufacturers allow external products to be installed in the kernel space of the operating system (kernel). All protection solutions are dependent on what the terminal manufacturer lets you do or doesn’t let you do.”

Preventing access to the kernel is a notable security measure —that is why rooting a mobile phone involves significant security risks—, but as this expert explains, it also has its disadvantages: “any attacker who is capable of leaving the user level and entering the kernel privilege environment can evade any defensive tool without difficulty, as with the vulnerabilities exploited by Pegasus, for example”. Here Ramírez’s recommendation is to use solutions that minimize risks even though they cannot block all of them, and he mentions “the aforementioned Malwarebytes or Kaspersky”.

It is precisely this blocking of the superuser space that leads Chema Alonso to believe that on Android and iOS we can be calmer, since “they are much more closed and controlled platforms. Unless you break the security of the app stores and do side-loading, it is unlikely that an app will be installed through them. Don’t get me wrong, it happens, but it is more complex. I’ve talked about it a lot in my Gremlin Apps and Gremlin Botnets talks, but still the risk is lower than on a desktop system.”

For the same reason, Alonso reminds us, “the fundamental recommendation for Android and iOS is to constantly update the operating system and not jailbreak or root the phone.” With that, he explains, “you will have a more or less peaceful life with malware on your mobile terminal. If you want to extend security, you can install narrower EDR solutions that also help to do a more holistic analysis of your device security, and my recommendation, again, is to go for a professional service with support.”

Manchado recalled that Microsoft Defender is also on Android and iOS —although, yes, it is paid— and insisted on the same thing as Alonso, recalling that “of course, we should not root our mobile device and we should always use common sense in the daily use of our smartphone”.