Basic protection in four steps.

I get these questions constantly. There’s a fair amount of churn and drama in the security industry; things change over time.
It’s time once again for my periodic update. Not a lot has changed in the last year, but there are some new things to consider.
My security software recommendations
- Windows’ built-in Windows Security remains my recommended security solution for most systems.
- Your router can serve as your primary firewall at home or work.
- Leave the Windows Firewall enabled unless it causes problems.
- Let Windows Update keep your computer as up-to-date as possible.
That’s it. Good basic protection in four steps.
Basic security software: Windows Security
Windows Security — previously known as Windows Defender — comes pre-installed with Windows, and Microsoft seems to improve it with every release.
Windows Security does a fine job of detecting malware without adversely affecting system performance or nagging you for renewals, upgrades, or upsells. It just does its job quietly in the background — exactly what you want from your anti-malware tool.
Help make it permanent by becoming a Patron.
The ratings game
Every so often, Windows Security comes under fire for rating lower in tests than other security packages. I get push-back — often angry push-back — that it remains my primary recommendation.
There are several reasons I stick to that position.
- No anti-malware tool will stop all malware. Malware can slip through even the highest-rated packages.
- The “Highest-rated” security software changes depending on the date, the test, and who’s doing the testing. There is no single clear, consistent winner.
- Regardless of how the data is presented, the differences among detection rates across most current anti-malware tools are relatively small compared to other factors.
There are also practical reasons I continue to prefer Windows Security.
- It’s free.
- It’s already installed; there’s nothing you need to do.
- It rarely affects system performance.
- It automatically keeps itself up-to-date using Windows Update.
- It has no hidden agenda; it won’t pester you with renewals, upgrades, or upsells to tools you don’t need.
It’s not perfect, but no security tool is.
My recommendation stands. Windows Security remains a solid, free security package with minimal system impact. It should be appropriate for almost everyone.
Alternative security software and additions
I also recognize that Windows Security might not be right for everyone. No single product is.
This is where I run into difficulty making specific recommendations. The landscape keeps changing. More than one tool that was once free has promoted its paid product so heavily that the free version virtually disappeared. People download and install programs thinking they are free, only to discover it’s a “free trial” or “free download”, meaning if you want to keep it past a certain length of time, you’re required to purchase it.
Some programs have become as much self-promotion tools as they are security tools, bombarding you with sales pitches and upgrade offers to the point of impeding your computer use.
Things keep changing, so in terms of the tools I mention below, caveat emptor: “Let the buyer beware.” I can’t honestly predict that these tools will remain recommendation-worthy.
A short list of top recommendations from around the internet include:
- Avast
- BitDefender
- ESET
- Malwarebytes
- Webroot
Note that these aren’t necessarily free.
There are plenty of others as well. I’ve selected these because they have shown up fairly consistently in the ratings game over the years. Don’t take offense if I’ve overlooked your favorite.
Caveats with all
I need to reiterate some important points.
- Beware of the word free. In most cases, a free trial is just that: a trial of a full-featured product that eventually requires payment. In some cases, the “free trial” becomes a truly free version after the trial ends. In other cases, they are separate downloads. And in other cases, there is no truly free version at all. Be sure you know what you are getting.
- Regardless of what you download, you are likely to face upgrade and upsell offers or even an ongoing subscription. Unless or until you know you want this, decline.
- Speaking of declining: when installing any of these, always choose custom installation, never the default. The default may include unrelated software you don’t need or want.
What else besides security software?
Besides having security software, I recommend three other essential actions to stay safe: enable a firewall, back up, and stay up-to-date.
A firewall
For home and business use, I recommend using a NAT router as a firewall. You almost certainly already have one. They don’t have to be expensive and are one of the simplest approaches to keeping your computer safe from network-based threats. If you can trust all the computers on your local side of the router, there’s no need for an additional software firewall besides the one already present in Windows.
Back up
I strongly recommend that you back up regularly.
In fact, I can’t stress this enough. Up-to-date backups completely avoid 99% of the disasters I hear about.
Macrium Reflect and EaseUS Todo are the backup tools I currently use and recommend.
Stay up to date
Keep your computer, Windows, and all the applications you run as up to date as possible.
This happens automatically as long as you don’t take steps to disable it. Needless to say, I strongly recommend you not disable those functions. Let Windows Update keep your system up to date.
Many of the security issues we hear about are because individuals (and, sadly, corporations) have not kept their operating systems or applications current with the latest available patches.
And finally, Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet has even more tips for keeping your computer safe.
A note about Windows 10
As I update this article, we’re a couple of months away from the Windows 10 end-of-support date.
I want to make two specific points.
- You can continue to use Windows 10 safely after the end of support date. See What Happens at Windows 10 End of Support? for more.
- Windows Security will continue to receive security database updates into 2028. See Why I Don’t Expect a Windows 10 Apocalypse for details.
And you may be able to sign up for the ESU — Extended Security Updates — program for additional peace of mind.
If you’re using a third-party security package, check with that provider’s plans, but in general, most will continue to work on Windows 10 for a long time after Microsoft’s official end-of-support date.
Do this
I regularly cover topics like this to help keep you safe and secure.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
HI Leo do you recommend anything for Mac Os as i recently switch over to mac.
I don’t have a recommendation, since Mac’s aren’t my strength (though I do use them). In general, though, my understanding is that it’s the same: you don’t need additional security tools.
“Good basic protection in four steps.” Actually, in a way, it’s more like “Good basic protection in no steps.” All of these are active in Windows by default except for the NAT router, which most people have to control the local network.
The one thing I’ve done with my NAT router is to ensure that it ignores all incoming TCP/UDP requests. This effectively makes my home network invisible on the Internet, because when my ports get scanned, they make no response to the scan.
Ernie
I use PCMatic as my security. It’s an American company. Why don’t you recommend as a security software ?
Because I have limited time, and can’t stay on top of all possible security solutions. That being said PCMatic has a reasonable reputation these days (wasn’t always so). I tend to shy away from their approach to malware screening (only allowing known good things through), if they’re still doing that. I know some appreciate the approach.
I agree With Robert. I have been using PC Tools for more than 20 years and have never had a problem.
Hi Leo,
I have been following your recommendations for several years, and have enjoyed a peaceful run with my laptop and desktop. so, a very heartfelt thank you for all that you try to do.
All the best
Hugh
On Windows, I use Microsoft Security for malware protection. I have my NAT router configured to ignore incoming connection requests from the Internet. I do NOT CLOSE or BLOCK any of my ports, because they will then report their state when they receive an incoming connection request. The best security setting for a home router that doesn’t serve any Internet requests is IGNORE on all ports. My router allows me to configure all my Internet facing ports with one setting, so I chose IGNORE all incoming connection requests. GRC’s “Shields UP!” reports that my Internet connection is effectively invisible. This means that when crackers (black-hat hackers) attempt to scan my ports, their equipment ‘sees’ nothing.
In GNU/Linux, I keep my system up to date regularly, and run a monthly rook-kit check, just in case.
On the Internet, I employ what I identify as Cognitive Security. I NEVER click ANY hyperlink without checking the URL it will take me to, either on websites or in email messages. If the URL doesn’t correspond with the hyperlink’s label, I DON’T click! If I have any doubt whatsoever about the link, I DON’T CLICK! As an example, if the label reads “Best Buy”, the URL must begin with “https://bestbuy.com/”. There can be a path following the first part that will direct my browser to a specific page on the site, but there shouldn’t usually be anything before the first part. For me, if there is, or I can’t decipher what the URL is, that’s a BIG RED FLAG, so I DON’T CLICK!
Ernie
How come you’ve never mentioned ad-blocking as a security step? Not only does it make surfing the web a faster and more enjoyable and decluttered experience, but uBlock origin (widely recognised as the best ad-blocker) also often blocks websites that impersonate others or have been reported as badware. With ads also being used to trick users into downloading malware or entering personal data on a sketchy website when it comes to helping someone unfamiliar with the internet and the dangers that lie in trusting everything you see on your screen, ad-blocking can condidently prevent 90% of the most vicious attacks – the ones that prey on the weakest link in the chain – the user.
Ad-blocking is more of a privacy concern than a security one. Most browsers available today come with security features built into the browser. For example, Microsoft’s Edge browser works with Windows Defender SmartScreen to guard against PUPs and malware. Firefox has similar settings.
I use Firefox as my default browser and have the Privacy Badger and uBlock Origin extensions installed. But I rely on Windows Security to protect my computers.
I find that Windows Update is not always automatic. On many occasions I have manually run Windows Update and have found Updates that have not automatically downloaded.
One PC I have seen lacked over 50 updates and since it had missed critical updates, it could no longer be updated and was almost unusable.
Running it manually just causes it to install things now that it would have installed later. Not everything goes out immediately to everyone, and the check is one way to force things to arrive sooner.
I do not like that I am automatically taken to the bottom of this page instead of the top.
Not my doing. What are you clicking on that does that?
I am told the importance of backing up Windows all the time.
But I also understand the hard drive contains all information and needs
a military style clean to erase all data, so which is true?
Ihave used a PC for 30 years, and never backed up and never lost anything!
Thanks.
Two different things.
The fact is things can go wrong – hard drives fail, sectors go bad, software overwrites the wrong thing, malware shows up — none of those are things that can be recovered by some magical “military style” access to the hard drive. A backup protects you.
Leo I made a big mistake when I bought this computer. It was a Windows 10 but has been upgraded to Windows 11. When I bought my computor my daughter was sick but I could tell she wanted to be part of everything and I made a foolish mistake I let her sign on as Administrator . I had no Idea that anything would go wrong. My daughter got more ill and had to go into I C U in the hospital. She wound up at Harberview in Seattle where she passed away in 2021. Now I can’t update or have the games or music i had before. And I can’t get my computer rid of her as the Administrator. Is there any hope for me to get rid of my mistake?
In order for anything that follows to work, you must have administrative access to the computer. the following presumes that you have your own account on the computer, and that it is an administrative account.
If all the above applies to you, the solution is quite simple.
Open the Settings app
Select ‘Accounts’ in the left column
In the right column, scroll down to the ‘Other users’ item and click the right arrow at the right end of it.
In the new listing you’ll see your daughter’s account, expand it by clicking the down-arrow at the right end of the item.
After you expand your daughter’s account listing, you will see an option labeled ‘Account and data’. At the right end you will see a ‘Remove’ button. When you click it, her account and all her data will be removed from your computer.
If you don’t have an account on the computer, or your account doesn’t have administrative access, you can log in to your daughter account using her log-in information, then in the settings app, navigate to Settings – Accounts – Other users, and add an account for yourself (after creating the account change its account type to Administrative), or if you have an account, but you don’t have administrative access, expand your account and change the account type to administrative.
After making those changes, you can log out of your daughter’s account, log into your own account and then remove your daughter’s account as denoted at the top of this post.
To anyone who reads this, if I’ve missed any necessary details, please append any additions or corrections
Ernie
If it’s a local account and not tied to a Microsoft account You should be able to reset it with the
Offline NT Password and Registry Editor
If it’s a Microsoft account login, you can reset it if you can recover her MS account (outlook.com, hotmail, etc.) password. You’ll then be able to log in with that.
If you’ve lost access to your Outlook.com or Hotmail.com account, this is where to start.
How to Recover an Outlook.com Account Without the Recovery Phone or Email (Maybe)