Ok, I'll admit it. I've been living dangerously for the last several years.

To be blunt: I refuse to install any kind of antivirus or personal firewall software on most of my computers. This includes a Windows XP Home system that was used by my children as a web surfing / email / game system. I've suffered zero infections during this time. (The only time I ever suffered a malware infection was before, when I did rely on Norton Antivirus to protect the kids' computer.)

Why do I refuse to use these massively popular products? Simple. I am convinced that they cause more harm than good, and that they foster a false sense of security - leading users to engage in riskier behavior. Further, antivirus software is almost always behind the curve - by definition, the antivirus people are playing catch-up with the malware writers. It's a good living for them, but I choose not to contribute to it.

As a software developer, I cannot afford any downtime due to buggy software, and yes - antivirus software has bugs. Not long ago, one major antivirus package ran amok, causing widespread damage by deleting harmless user data and programs.

Think about it: antivirus software has to intercept many system functions, monitor, detect and deter malicious activity - even if the software is flawless, which it isn't, it will slow your computer, and consume memory and other system resources. And let's not forget that you must now pay a recurring fee in order to feel safe - it all adds up to one big steaming pile of bullshit. I have little patience for it.

How can you live without antivirus software?

Here are the things I've learned over the years:

• Learn how to tell if your computer is running unnecessary software: this means you must learn how to tell what belongs on your computer, what should be running: download and learn to use the holy trinity: Autoruns, Process Explorer, and RootKit Revealer, all available free from Sysinternals (now owned by Microsoft). They're extremely high quality, and they are absolutely essential tools.
• While I'm on the subject of learning about your computer: Your computer isn't a toaster. If you want to pretend your computer is a toaster, I expect that you will have a lot of trouble with it. If you own and use a computer, you really ought to learn this stuff. It's not that difficult. If you don't want to be bothered, find someone who really knows about Windows, and pay him or her to help you. In the long run, it's cheaper and more satisfying than paying Symantec or some other company a subscription fee in exchange for half-assed 'protection'.
• Install a quality hardware firewall between your internet connection and the rest of your network. Ensure that all incoming ports are blocked. This is one exception to my "no personal firewalls" rule - if I traveled a lot, or used public WiFi hotspots, I'd probably install the simplest, most robust software firewall I could get my hands on - but it would not be something bloated like Norton Internet Security. Try Kerio Personal Firewall (I've not used it in a while, so I don't know if it's still lean and mean.) See this page for recommendations.
• Run as a non-admin user most of the time. This is known as Least User Access, or LUA. Windows users typically log in with full administrative privileges (at least, in versions up to XP and Server 2003) - exposing those users to severe security risks.

  I log in as an administrator only when necessary to change system configuration or install trusted software. The added hassle actually reminds me that I need to think before I make a change to my system, or install some junk I just downloaded from the 'web.

• Use good judgment in deciding to install software, visit a web site, or open an email.
• Periodically run a free, online virus scanner - check your system every once in a while to see if you have an infection
• Download and use Ad-Aware or Spybot S&D (or better yet, use both) from time to time - like just after installing a new bit of software on your machine, or just after your kids have visited the latest MySpace or ringtone site.

Web Browser or Email specific guidelines

• Think before you open that email! Your email software should be able to tell you, before you open the email, if the email is bogus. I look at the following bits:
• Size, attachment, recipient (TO) address, subject, sender (FROM) address
• If the sender or recipient looks strange, I don't open the message in my email client - I take steps to view the message's raw source (the technique varies depending on the email software) and look for telltale signs of malware. (This is worthy of its own discussion.)
• Not sure about a web site? Check before visiting - go to www.stopbadware.org and see if the site is a reported malware site. Or, you can visit SiteAdvisor.com and see what it has to say about the site.
• Configure Internet Explorer to use the highest level of security for normal internet browsing (set the 'Internet Zone' is to maximum security) - this will break many web sites that rely on advanced features of Internet Explorer, but this is the price you have to pay - I get around that by manually adding selected, trusted sites (the few critical sites that I really need to visit using Internet Explorer) to the "Trusted Sites Zone"
• Keep Internet Explorer and Outlook or Outlook Express (or whatever email client you use) up-to-date with the latest patches.
• Configure Outlook / Outlook Express to read all emails in plain text by default
• Disable the "preview panel" if you must read email in HTML (rich text) format - the preview panel is one of the most dangerous features of Outlook or Outlook Express, and if you receive a malicious email, it can infect your computer just by appearing in the preview panel.
• Configure Outlook / Outlook Express to use the 'Restricted Sites' zone
• Use the latest FireFox or Mozilla browser as the default browser (thus avoiding Internet Explorer most of the time)

Aaron Margosis of Microsoft agrees that it's critical to run as a non-administrative user. And my experience proves that it is possible to live, and live comfortably, without the aid of antivirus software.

Related

On our web site

• SysTrayScan Utility - what are those icons in your system tray?

Aaron Margosis:

• The easiest way to run as non-admin
• Non Admin Table of Contents
• Non Admin for home users
• Non Admin

Other

• Non Admin Wiki