People sometimes ask me, "what's the best strategy for avoiding viruses and malware?"
Here are the layers of protection *I* feel are important:
1. Smart computing involving a user philosophy that keeps malware out. This is primarily a matter of the user learning to be conscientious and just not do irresponsible things. Develop an awareness that the software world is a dangerous place and have a willingness to do without some glitz and without running whatever you feel like in the moment without serious consideration, involving testing and taking precautions.
2. Building an environment that will help not bring malware into the system. Strategies not typically used or known, designed to help protect against accidental deviation from the philosophy of item 1. This includes adopting a managed hosts file and/or DNS service for blocking access to parasite web servers that are apt to provide the worst of what's out there, choosing/configuring the browser not to be promiscuous, etc.
3. Active protection - i.e., an active antivirus package. Note that this is third because it is no more than a safety net, virtually never expected to be exercised - because of the effectiveness of items 1 and 2 above. This protection MUST be low-impact, i.e., it should not cause things you do on the computer to be noticeably slower to run, nor should it detect legitimate software and cause you problems.
4. Regular scanning with both the active protection in item 3 and also a different product to see if anything has managed to creep through layers 1 through 3 above. Again, if all is as expected, this should never find anything. A different product is warranted because not every anti-malware maker has the same database of malware; it's a good idea to partner with more than one.
5. Do regular backups to prepare for the eventuality of loss of data, just in case.
In particular, my choices for the above (and assuming Windows 10 is substantially as we see it in the preview releases) will be:
1. Always being vigilant and exercising common sense. Being willing to take the time to research and vet things before adopting their usage. I read code if choosing to use open source software, and I test things in throwaway VMware virtual machines.
2. Use of the MVPS hosts file, configuring my router to use OpenDNS, and using a reconfigured Internet Explorer set to avoid running ActiveX. IE still has the best security model of all of them if you set the features properly.
3. Windows Defender, as it seems quite efficient and also doesn't detect false positives. That items 1 and 2 are almost completely effective means that this layer can be somewhat minimized. Windows Defender is the only anti-malware software I'd suggest for active protection on the Win 10 pre-releases.
4. The default scans Windows Defender sets up automatically, plus a daily scan by the well-regarded MalwareBytes Antimalware package. I am also considering reducing the permissiveness of the Windows Firewall (another user here, and I'm sorry I forgot specifically whom, has recently posted a configuration that does this).
5. I schedule nightly wbadmin commands to take regular system image snapshots. I can restore such a backup to bare metal, or I can access the files within using a volume shadow copy access tool such as Z-VSSCopy. Windows 10 is even restoring the Previous Versions feature (yay!) to help with this.
I have been following the above philosophy for decades, with some differences in the specifics, and I have yet to get even a single infection. Going all the way back I have only ever had to install Windows once on each of my systems, have had virtually zero infections blocked by the safety net, and have never had a scan turn up anything (except for false positives, which was a problem when I used Avast antivirus). I have used each setup for years without degradation. In short, this works.
Edited by NoelC, 21 March 2015 - 11:52 AM.
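
An added example, not part of the post above: a small audit of a blocking hosts file of the kind described in layer 2. It separates sinkholed names from entries that point a name at some other address, which a maintained block list should not contain. The function names, the sinkhole address set and the sample input are assumptions made for this illustration.

```python
import ipaddress

# Assumption: blocking lists map unwanted names to one of these sinkhole addresses.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that legitimately map to loopback; not counted as block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample input (not taken from the MVPS list).
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.com  # ad server
0.0.0.0 tracker.example.net metrics.example.net
127.0.0.1 Popups.Example.org.
203.0.113.7 update.example.com
not-an-ip broken.example.com
0.0.0.0
"""

def parse_hosts(text):
    """Return (blocked names, {name: address} redirects, malformed line numbers)."""
    blocked, redirects, malformed = set(), {}, []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:  # address with no host name
            malformed.append(lineno)
            continue
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if name in LOCAL_NAMES:
                continue
            if addr in SINKHOLES:
                blocked.add(name)
            else:
                redirects[name] = addr  # not a sinkhole: review by hand
    return blocked, redirects, malformed

def is_blocked(host, blocked):
    """Hosts entries match exact names only; subdomains need their own line."""
    return host.lower().rstrip(".") in blocked

if __name__ == "__main__":
    blocked, redirects, malformed = parse_hosts(SAMPLE)
    print(f"{len(blocked)} blocked, {len(redirects)} redirects, malformed lines {malformed}")
    for name, addr in sorted(redirects.items()):
        print(f"REVIEW: {name} -> {addr}")
```

Running the same check on the live hosts file after each list update shows whether any entry other than a sinkhole has been added.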