Antivirus Expired? What Actually Happens, and Your 3 Options

Your antivirus subscription ends today. What happens to real-time protection at midnight, what's gone within 24 hours, and what Microsoft's own research says about machines running expired antivirus — answered below, with a practical decision tree for the three options that work in 2026.

The First 24 Hours After Expiration: What Changes

The change is not gradual. The moment your subscription clock crosses the expiration timestamp, three specific capabilities turn off: real-time file scanning, signature updates, and most cloud lookups. The user-interface change is equally specific. Your tray icon usually goes grey. A nag dialog opens. The protection-status panel inside the product shifts from green to red. And every paid suite we tested begins surfacing renewal prompts daily.

What does not change in the first 24 hours: the engine itself is still installed, file-system drivers are still loaded, and the product still occupies its slot in Windows Security Center. From the operating system's point of view, "antivirus is registered." This is the trap that traps most users — Windows 11 will not auto-enable Defender while a third-party AV is registered, even if that AV is no longer doing anything.

The 4x Risk: Why Expired AV Is Effectively No AV

Microsoft published the canonical study on this question in November 2014, in Security Intelligence Report Volume 17. The team analysed roughly 7 million non-domain Windows 8 and 8.1 systems and segmented them by antivirus state: current, expired, and none. The result, almost identical across every quarter sampled: machines running expired antivirus were four times more likely to be infected than machines with current protection. The same dataset put the gap between "expired antivirus" and "no antivirus at all" at 0.2 percentage points. The takeaway has held up across the decade since: expired protection is statistically indistinguishable from no protection.

The mechanism is simple. Modern threat detection rests on three layers — signature matching against known-bad files, heuristic and behavioural analysis, and cloud-reputation lookups. Expiration severs the first and third layers. Heuristics keep working but heuristics alone catch a fraction of what the full stack catches. The product feels like it is still running because the UI is still up, but the part that actually stops malware is gone.

What Each Vendor Does on Expiration Day

Vendor behaviour varies more than the marketing pages suggest. Here is the verified pattern across our Top 10 as of May 2026, sourced from each vendor's published support documentation and confirmed against Reddit r/antivirus reports inside the last 90 days.

Two patterns are worth flagging. First, every vendor in the table sends a pre-expiration warning at least two weeks before the renewal date — none of them genuinely surprise the user. Second, the only vendor that publicly documents an explicit grace period is Kaspersky, and even Kaspersky declines to publish the exact length. If you are relying on a grace window to keep you protected past your renewal date, you are betting on undocumented behaviour. Renew, switch, or uninstall before the date.

The Defender Auto-Takeover Trap

The most common practical mistake on Reddit r/techsupport in 2025 and early 2026: the expired paid product stays installed for weeks, and the user assumes Microsoft Defender quietly took back over because "Windows always has Defender." Windows does always have Defender. Windows does not always run Defender. The two are not the same.

Here is the specific behaviour. When you install any third-party antivirus that registers with the Windows Security Center (every product in our top 10 does), Defender drops into Periodic Scanning mode. This is a passive on-demand state that runs a single weekly scan and otherwise sits quiet. The third-party product becomes the active real-time engine. So far, normal.

What changes at expiration: nothing inside Windows. The expired product is still registered. Defender is still in Periodic Scanning. The expired product has stopped doing real-time work, but Windows has no way to know that — vendors do not de-register themselves on expiration. The result is a Windows machine that runs neither real-time engine.

The fix is simple but specific. Uninstall the expired product completely, ideally with the vendor's official removal tool. Most vendors publish dedicated removers because their products leave kernel drivers and registry keys behind that a normal "Apps and Features" uninstall does not catch. Norton's is the Norton Remove and Reinstall tool. Bitdefender's is the Bitdefender Uninstall Tool. Avast and AVG share the Avast Uninstall Utility (`avastclear.exe`). After a clean uninstall and reboot, Defender re-enables real-time protection automatically within minutes.

Your Three Options That Work in 2026

Once expiration arrives, you have three editorially defensible paths. The decision is mostly about budget and what the original product actually gave you.

Option 1: Renew with a discount. Vendors price renewal at MSRP, not at the loss-leader first-year price. The fastest way to dodge that gap is to call vendor retention ("I am thinking of cancelling") and ask for a renewal discount. Norton, Bitdefender, and McAfee retention teams routinely offer 25 to 50 percent off MSRP to keep a churning customer. The script that works: cite the first-year price you originally paid, mention you have seen better promos, and pause. Do this 3 to 5 days before expiration, not after — once the subscription has lapsed your leverage drops.

Option 2: Switch vendors and ride the first-year promo. Run the current vendor's official removal tool, reboot, then install a different paid suite at its first-year price. Bitdefender Total Security's $19.99 first-year offer, AVG Internet Security's $29.88 introductory tier for 3 devices, and Avast Premium Security's seasonal $29 promos are all live as of May 2026. The catch: you commit to repeating this exercise next year. Some users find that calendar overhead worse than the renewal premium; others enjoy hopping. Whichever camp you sit in, run the uninstaller before the new install, every time. Two AV products at once is its own problem — the safe pairing rules are covered separately.

Option 3: Fall back to Microsoft Defender plus an on-demand scanner. If the original product was a basic AV without bundled extras you actually use (no VPN, no password manager, no parental controls in active use), the editorially honest answer in 2026 is "you do not need to renew." Microsoft Defender holds 6/6/6 at AV-TEST February 2026. Pair it with Malwarebytes Free for occasional second-opinion scans and you have a no-cost stack that the r/antivirus community has consensus around. The full Defender-is-enough decision tree covers when this works and when it does not. The only meaningful loss versus a paid suite is whatever was bundled — VPN, password manager, identity-theft monitoring. If those are valuable to you, renew or switch. If they were never used, fall back to Defender.

The Two-Week Signature Staleness Window

Common question on r/techsupport: "I cannot renew today; how long can I limp along?" The short answer is do not, but if you must, the upper bound is roughly two weeks. Here is the math. Major-vendor signature databases receive 8 to 12 update batches per day. Each batch carries roughly 50 to 200 new signature hashes plus heuristic updates. After 7 days without updates, an engine has missed somewhere between 2,800 and 16,800 new individual indicators of compromise. After 14 days, that number doubles. Two weeks past expiration, your engine recognises everything it knew at the renewal date and almost nothing released since. Cached cloud-reputation responses age out faster — most major engines treat them as stale within 24 to 72 hours.

The practical implication: if you are renewing a few days late because your card is reissued or you are travelling, the gap is real but small. If you are stretching expiration "just for a month" to save a renewal cycle, you are running the engine in roughly the same state as having no engine at all, per the Microsoft 4x finding. Uninstall and let Defender take over for that month instead.

When to Renew, When to Switch, When to Quit Paying

A short decision tree that mirrors what r/antivirus suggests in 2026 threads on this question:

• You used the bundled VPN, password manager, or cloud backup at least monthly. Renew. The bundle math beats buying those services standalone.
• You only ever ran the antivirus, not the bundle. Try Option 3 (Defender + Malwarebytes Free). If it bothers you to lose the brand reassurance, fall back to Option 2 (switch on first-year promo).
• You have multiple Windows 11 machines and want central management. Renew, or switch to Sophos Home Premium ($45/year for 10 devices with a web console).
• You have non-Windows devices in the household (Mac, iPhone, Android). Renew or switch — Defender does not run on those. Intego is the cleanest cross-platform answer for Mac-heavy households; Bitdefender Mobile Security for Android.
• The original product was Norton LifeLock and you actually use the identity monitoring. Renew. The identity layer is hard to replicate at the same price point.

Frequently Asked Questions

Does my antivirus stop working the moment it expires?

Real-time protection stops at the renewal date for every paid suite we tested. Some products keep running with cached signatures for 7 to 14 days as an unofficial grace window. None will defend against zero-day threats discovered after the expiration date because signature updates stop too.

Will Windows Defender automatically take over when my paid antivirus expires?

Not while the expired product is still installed. Windows 11 considers Defender disabled as long as a third-party AV is registered with the Security Center, even after that AV stops protecting you. Uninstall the expired product completely and Defender re-enables on its own within minutes.

How long do cached virus signatures stay useful after expiration?

Signature databases age fast. The major vendors push 8 to 12 updates per day. After 7 days without updates, your engine is missing roughly 60 to 80 new signature variants per family. After 14 days, the same engine is essentially blind to anything that emerged in those two weeks.

Is it safe to keep using expired antivirus until I can renew?

Microsoft's Security Intelligence Report measured systems running expired antivirus and found they were 4 times more likely to be infected than systems with current protection. The same data showed only a 0.2 percent infection-rate difference between machines running expired AV and machines running no AV at all. Treat expired as effectively unprotected.

Can I just keep renewing for the cheapest first-year deal each year?

Yes, and many cost-conscious users do exactly that. Set a calendar reminder 7 days before expiration, cancel auto-renewal, then shop a fresh first-year promo from a different vendor. Run the vendor's official uninstall tool before installing the new product to avoid driver conflicts.

What if my license came preinstalled with my new laptop?

OEM trial licenses (typically 30 days for McAfee on HP and Dell, 60 days for Norton on Lenovo) end the same way as paid subscriptions. Real-time stops, the product nags daily, and Defender stays disabled until you uninstall. Use the vendor's official removal tool before falling back to Defender.

Verdict

Treat the expiration date as a hard cutover, not a soft warning. Real-time stops, signatures stale fast, and Microsoft Defender will not quietly resume duty until the expired product is fully uninstalled. The three options that work in 2026 — renew with a retention discount, switch on a first-year promo, or fall back to Defender plus an on-demand scanner — all start with the same first step: uninstall the expired product cleanly with the vendor's official remover. Skip that step and you have a Windows machine running neither engine and statistically indistinguishable, per Microsoft's own data, from a machine with no antivirus at all.