Basic protection in four steps.
I get these questions constantly. There’s a fair amount of churn and even drama in the security industry; things change over time.
Become a Patron of Ask Leo! and go ad-free!
My security software recommendations
- Windows built-in Windows Security is my recommended security solution for most systems.
- Your router can serve as your primary firewall at home or work.
- Leave the Windows Firewall enabled unless it causes problems.
- Let Windows Update keep your computer as up-to-date as possible.
That’s it. Good basic protection in four steps.
Basic security software: Windows Security
Windows Security — previously known as Windows Defender — comes pre-installed. Microsoft seems to improve it with every release.
Windows Security does a fine job of detecting malware without adversely affecting system performance or nagging you for renewals, upgrades, or upsells. It just does its job quietly in the background — exactly what you want from your anti-malware tool.
The ratings game
Every so often, Windows Security comes under fire for rating lower in tests than other security packages. I get push-back — often angry push-back — that it remains my primary recommendation.
There are several reasons I stick to that position.
- No anti-malware tool will stop all malware. Malware can slip by even the highest-rated packages.
- “Highest-rated” changes depending on the date, the test, and who’s doing the testing. There is no single clear, consistent winner.
- Regardless of how the data is presented, the differences among detection rates across most current anti-malware tools are relatively small compared to other factors.
There are also practical reasons I continue to prefer Windows Security.
- It’s free.
- It’s already installed; there’s nothing you need to do.
- It rarely affects system performance.
- It keeps itself up-to-date using Windows Update.
- It has no hidden agenda; it won’t pester you with renewals, upgrades, or upsells to tools you don’t need.
It’s not perfect, but no security tool is.
My recommendation stands. Windows Security remains a solid, free security package with minimal system impact. It should be appropriate for almost everyone.
Alternative security software and additions
I also recognize that Windows Security might not be right for everyone. No single product is.
This is where I run into difficulty making specific recommendations. The landscape keeps changing. More than one tool that was once free has promoted its paid product so heavily that the free version virtually disappeared. People download and install programs thinking they are free only to discover it’s a “free trial” or “free download”, meaning if you want to keep it past a certain length of time, you’re required to purchase it.
Some programs have become as much self-promotion tools as they are security tools, bombarding you with sales pitches and upgrade offers to the point of impeding your computer use.
Things keep changing. So if I mention specific tools below, caveat emptor: “Let the buyer beware.” I can’t honestly predict these tools will remain recommendation-worthy.
A short list of top recommendations from around the internet include:
- Avast
- BitDefender
- ESET
- Malwarebytes
- Webroot
Note that these aren’t necessarily free.
There are plenty of others as well. I’ve selected these because they show up fairly consistently in the ratings game over the years. Don’t take offense if you believe I’ve overlooked your favorite (as I know some will be).
Caveats with all
I need to reiterate some important points.
- Beware of the word free. In most cases, a free trial is just that: a trial of a full-featured product eventually requiring payment. In some cases, the “free trial” becomes a truly free version after the trial ends. In other cases, they are separate downloads. And in other cases, there is no truly free version at all. Be sure you know what you are getting.
- Regardless of what you download, you are still likely to face upgrade and upsell offers or even an ongoing subscription. Unless or until you know you want this, decline.
- Speaking of declining: when installing any of these, always choose custom installation, never the default. The default may include unrelated software you don’t need or want.
What else besides security software?
Besides having security software, I recommend three other essential actions to stay safe on the internet: enable a firewall, back up, and stay up-to-date.
A firewall
For home and business use, I recommend using an NAT router as a firewall. You almost certainly already have one. They don’t have to be expensive and are one of the simplest approaches to keeping your computer safe from network-based threats. If you can trust all the computers on the local side of the router, there’s no need for an additional software firewall besides that already present in Windows.
Back up
I strongly recommend you back up regularly.
In fact, I can’t stress this enough. Up-to-date backups completely avoid 99% of the disasters I hear about.
Macrium Reflect and EaseUS Todo are the backup tools I currently use and recommend.
Stay up to date
Keep your computer, Windows, and all the applications you run as up-to-date as possible.
This happens automatically as long as you don’t take steps to disable it. Needless to say, I strongly recommend you not disable those functions. Let Windows Update keep your system up to date.
Many of the security issues we hear about are because individuals (and, sadly, corporations) have not kept their operating systems or applications current with the latest available patches.
And finally, Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet has even more tips for keeping your computer safe.
Do this
I regularly cover topics like this to help keep you safe and secure.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
HI Leo do you recommend anything for Mac Os as i recently switch over to mac.
I don’t have a recommendation, since Mac’s aren’t my strength (though I do use them). In general, though, my understanding is that it’s the same: you don’t need additional security tools.
“Good basic protection in four steps.” Actually, in a way, it’s more like “Good basic protection in no steps.” All of these are active in Windows by default except for the NAT router, which most people have to control the local network.
The one thing I’ve done with my NAT router is to ensure that it ignores all incoming TCP/UDP requests. This effectively makes my home network invisible on the Internet, because when my ports get scanned, they make no response to the scan.
Ernie
I use PCMatic as my security. It’s an American company. Why don’t you recommend as a security software ?
Because I have limited time, and can’t stay on top of all possible security solutions. That being said PCMatic has a reasonable reputation these days (wasn’t always so). I tend to shy away from their approach to malware screening (only allowing known good things through), if they’re still doing that. I know some appreciate the approach.
I agree With Robert. I have been using PC Tools for more than 20 years and have never had a problem.
Hi Leo,
I have been following your recommendations for several years, and have enjoyed a peaceful run with my laptop and desktop. so, a very heartfelt thank you for all that you try to do.
All the best
Hugh
On Windows, I use Microsoft Security for malware protection. I have my NAT router configured to ignore incoming connection requests from the Internet. I do NOT CLOSE or BLOCK any of my ports, because they will then report their state when they receive an incoming connection request. The best security setting for a home router that doesn’t serve any Internet requests is IGNORE on all ports. My router allows me to configure all my Internet facing ports with one setting, so I chose IGNORE all incoming connection requests. GRC’s “Shields UP!” reports that my Internet connection is effectively invisible. This means that when crackers (black-hat hackers) attempt to scan my ports, their equipment ‘sees’ nothing.
In GNU/Linux, I keep my system up to date regularly, and run a monthly rook-kit check, just in case.
On the Internet, I employ what I identify as Cognitive Security. I NEVER click ANY hyperlink without checking the URL it will take me to, either on websites or in email messages. If the URL doesn’t correspond with the hyperlink’s label, I DON’T click! If I have any doubt whatsoever about the link, I DON’T CLICK! As an example, if the label reads “Best Buy”, the URL must begin with “https://bestbuy.com/”. There can be a path following the first part that will direct my browser to a specific page on the site, but there shouldn’t usually be anything before the first part. For me, if there is, or I can’t decipher what the URL is, that’s a BIG RED FLAG, so I DON’T CLICK!
Ernie