Is antivirus enough for my small business? Why ransomware walks past it

Antivirus is not enough for a small business anymore. It still helps, but modern ransomware crews usually do not charge straight into a machine like 2008 malware. They phish a user, steal credentials, abuse remote access, disable protections, and move through the environment before encryption ever starts.

That is why the right comparison is not "antivirus versus nothing." It is "antivirus plus what?"

The FBI's IC3 reporting logs thousands of ransomware complaints a year, with reported dollar losses the Bureau itself flags as artificially low — many victims never report the full business-interruption and remediation cost. Microsoft's ransomware guidance makes the same broader point: human-operated ransomware uses phishing, credential theft, lateral movement, and defense evasion, not just a single malicious file tripping a signature.

Sources: FBI IC3 2025 report, Microsoft guidance on human-operated ransomware

The direct answer

If you run a small business, keep antivirus. Just stop expecting it to be the whole answer.

Antivirus is one layer that helps block known malware, suspicious files, and obvious commodity activity. Ransomware operators now spend more time on the steps around the malware: logging in, staging access, abusing admin tools, changing exclusions, and finding the systems that will hurt you most.

That is why the live site already separates tool categories in EDR vs MDR vs XDR: a 2026 buyer's guide for small businesses. Antivirus is part of the stack. It is not the stack.

What antivirus still does well

This part is worth saying clearly because some security marketers overcorrect.

Antivirus still matters because it can:

• block known malware
• catch obviously malicious downloads
• scan files and processes in real time
• stop some commodity ransomware early
• give you a baseline prevention layer on every device

Microsoft's own support guidance still tells users to run anti-malware, keep it updated, and leave tamper protection on. The FBI's ransomware guidance also still includes anti-virus and anti-malware among the basic controls businesses should maintain.

Sources: Microsoft virus protection guidance, FBI ransomware guidance

So this is not an anti-antivirus article.

It is an anti-false-confidence article.

Why ransomware walks past antivirus

1. The attack often starts with identity, not malware

Microsoft's ransomware detection playbook lists phishing email, RDP brute force, vulnerable internet-facing systems, credential theft, abuse of service accounts, and password-spray activity as common early-stage tactics.

That means the first meaningful sign of trouble may be:

• a mailbox compromise
• a stolen session token
• a risky sign-in
• a new forwarding rule
• a privileged login from the wrong place

Antivirus on a laptop does not see most of that.

This is exactly why businesses that already have decent endpoint hygiene still need Managed ITDR or another identity-monitoring function around Microsoft 365 or Google Workspace.

2. Human-operated ransomware uses legitimate tools

Microsoft explicitly documents common ransomware tradecraft such as WMI, PsExec, GPO changes, new accounts, log clearing, and abuse of management tools. Those are not always "drop a virus, get caught by AV" behaviors.

They often look like real administration until someone with context reviews the chain.

That is the operational gap between antivirus and managed detection and response. One is a control. The other is a control plus people watching how attackers behave.

3. Attackers try to weaken security before the ransom stage

Microsoft's tamper-resiliency guidance says attackers use tampering techniques to disable Defender protections and that a common technique is making unauthorized changes to antivirus exclusions.

That matters because ransomware operators are not politely accepting your default settings. If they get enough access, they try to blind the control before the final stage.

Source: Microsoft tamper resiliency guidance

4. The real business damage comes after the malware lands

Even when antivirus catches part of an event, the business problem usually sits somewhere else:

• Can you isolate the host fast?
• Do you know which account was abused?
• Are backups clean and restorable?
• Did the attacker reach shared drives or servers?
• Who is making decisions after hours?

That is why the FBI still tells organizations to keep systems patched, back up data regularly, secure backups so they are not reachable from the same environment, and create a continuity plan. Antivirus is in that list. It is not the whole list.

Source: FBI ransomware guidance

The small-business mistake I see most

The most common bad assumption is:

"We have antivirus, so ransomware is handled."

What that usually means in practice is:

• nobody is reviewing risky sign-ins
• nobody has tested restore time
• nobody knows whether every important endpoint is actually covered
• servers and laptops are treated as if they have the same risk
• alerts go to an inbox nobody owns after 5 p.m.

That is why the more useful next read after this article is not another antivirus product roundup. Today, it is the live ransomware response piece on what to do in the first 24 hours after a small-business ransomware scare and the buyer-side context in EDR vs MDR vs XDR: a 2026 buyer's guide for small businesses.

What a better baseline looks like

If you want the plain-English answer, the minimum serious stack for a small business usually looks like this:

1. Antivirus or next-gen endpoint protection on every device that matters.
2. MFA on email, admin, banking, payroll, backups, and security tools.
3. Tested backups that are not trivially reachable from the same compromise path.
4. Patch management and basic device hygiene.
5. Admin-account separation and cleanup of stale access.
6. Identity monitoring for Microsoft 365 or Google Workspace.
7. A managed detection-and-response function if nobody internal is actually watching.

The moment your answer to "who sees the first bad sign?" becomes vague, you are already past the point where antivirus alone is enough.

Where EDR changes the picture

EDR is not magic, but it is a different class of control.

Antivirus mostly tries to prevent or flag bad things.

EDR adds:

• deeper endpoint telemetry
• incident context
• isolation and response actions
• better visibility into suspicious behavior, not just known malware

That is why the next internal link in this cluster is the live Huntress vs SentinelOne for SMBs: what actually changes operationally. The real question is not which logo looks strongest. It is who will operate the tool when something ugly happens.

My practitioner take

For most SMBs, antivirus is necessary but no longer decision-grade by itself.

If the business depends on Microsoft 365, shared files, line-of-business systems, or any staff who move money, you need a broader answer than "we installed AV."

That broader answer does not have to be complicated. It just has to be honest.

For some teams, that means strengthening the current baseline with MFA, backups, and admin cleanup. For others, it means moving from antivirus into a real managed detection and response program with identity coverage layered on top.

FAQ

Is antivirus enough for a small business in 2026?

No. It is still useful, but it does not cover many of the ways modern ransomware operators actually get in and move around.

Why does ransomware get past antivirus?

Because many attacks are human-operated. The attacker may use phishing, stolen credentials, remote access abuse, security tampering, and legitimate admin tools before the encryptor ever appears.

Should I keep antivirus if I also buy EDR or MDR?

Usually, yes. Antivirus remains a prevention layer. EDR and MDR add visibility, investigation, and response around it.

What should I add first after antivirus?

MFA, tested backups, patching, admin-account cleanup, and identity protection for your email and cloud accounts. If nobody watches alerts after hours, add managed detection too.

Is EDR the same thing as antivirus?

No. Antivirus is mainly prevention-focused. EDR adds deeper detection, investigation, and response on the endpoint.

What is the clearest sign antivirus is not enough in my business?

If no one can answer who notices a real intrusion first, how a device gets isolated, or how you would restore after encryption, you do not have enough coverage yet.

Sources and references

• FBI IC3 2025 report
• FBI ransomware guidance
• Microsoft guidance on human-operated ransomware
• Microsoft tamper resiliency guidance
• Microsoft virus protection guidance