One thing that people missed: 3rd party AV software got worse over the years. Big players like Norton, McAfee, AVG, and others always had an issue of being overly bloated and intrusive. Between being a massive resource hog, and being preinstalled in most computers, people eventually grew a distaste for them.

Early on, one of the major push to use OSX (now MacOS) or Chromebooks was the relatively weak security Windows used to have. Microsoft has a very strong incentive to fix those security issues, as people used to think that Windows is very insecure, especially without an antivirus.

It was a gradual change, with Windows firewall and Windows Malicious Software Removal Tool in XP, Microsoft Security Essentials for Windows 7, Windows Defender in 8.0, etc. Between making Windows itself more secure, and the slow improvements with Windows Defender, it became the de facto standard in Windows security.

Microsoft has loads more $$$$ to throw at R&D to develop their antivirus than other companies. Also malware got way more complicated than just being viruses, and Microsoft had to move from signature based protection to more or less behavior based protection to protect against ransomware and zero day exploits. It’s just that Windows HAS to really be good at protecting itself from attacks, without relying solely on signatures.

The entire being of Windows Defender is more than just “antivirus”

The number one things was MS locking down privileges Basically you usually had to disable basic security to let most virus’s work. Automatic updates would disable most bad decisions users made without them knowing. There started to be personal criminal charges for some of the data breaches. Ironically it was discovered that antivirus programs were the biggest security risk many were basically viruses and were run by criminals. Locking down the privilege to install bad software did more than antivirus software but they got serious about both.

There were very few vulnerabilities inherent to programming languages at the time… meaning buffer overflow and you could own anything. The 90s was a wild west for the internet so it just took a long time to flush that bad programming out. 2000s had coordinated attacks, where basically the most professional programmers still knew tricks up their sleeves. Today, its state run hacking. Avast can’t compete and Microsoft is very much in cahoots with the govermnints.

In addition to what everyone is saying, I just wanted to add that the Anti-virus/Anti-malware market itself has also shifted drastically in the past 15 years as well, with the rapid onset of Cryptomalware and ransomeware. Malware suddenly got extremely destructive and costly for organizations and individuals, extending further than just data breaches and the occasional infected workstation.

Enterprise grade AV has shifted into “Endpoint Detection and Response(EDR)” , “Managed Detection and Response(MDR)”, and “Extended Detection and Response(XDR)” products which is essentially an AV that also actively scans processes, network traffic, file access, process behavior, ect in addition to typical periodic file scanning, with “Managed” adding a human and analytical element into the fold for faster detection and remediation. Extended is a bit newer, but expands upon EDR/MDR by integrating as much of the organizations infrastructure as possible with data gathering from other devices and networking equipment, then running analytics to further increase Detection and Response rates, an increasing amount of which is now being offloaded to AI.

Satya Nadella happened. When he shifted the focus from making profit from retail buyers to enterprise.

Back then, Windows was very vulnerable and Microsoft barely did little to nothing to secure their clients. So 3rd party anti-viruses were a must-have.

At some point, Microsoft realized that this wasn’t good for their image (GASP!), so they increased the security on Windows and also released their own anti-virus for free, which was vastly also superior to 3rd party software.

This very much killed the anti-virus market. Many companies like McAfee decided that in order to survive they had to turn their anti-viruses in literal malwares, which ruined the reputation of 3rd party anti-viruses.

I think the responses that give a clear answer are overconfident.

For home users, AV is useless. For home users that download and run “penis enlargement pills buy now.exe”, AV is still useless, because it’s reactive to novel threats, and malware developers aren’t inert, they know AV exists and plan accordingly. You aren’t going to click on spam from 12 years ago. For enterprise users, maybe it makes sense as ass-covering against frivolous lawsuits, but actual security depends on sysadmins. I maintain that it didn’t make sense then and it doesn’t make sense now to get an antivirus, and nothing really changed except companies’ marketing and people’s whims. It’s a scam, and it’s better analyzed as a scam, not as a good sold in a market. The Blaster worm was the only possible problem a sane Windows user could have encountered, and AV did nothing to stop it, and it was mildly annoying at best.