As posted on How should I protect my Windows PC from malware and viruses?

I am using Avast to protect my computer: you recommended it quite some time ago. I am not entirely convinced it’s worth what I am paying, and it is constantly suggesting, in a variety of less than subtle ways, that I should upgrade. What protection would you now recommend? I am prepared to pay for something that works. Gwilym

It’s complicated. I’ve spent more than 20 years recommending various anti-virus programs as an essential part of any Windows setup. However, Windows has changed, and the threat landscape has changed. I am no longer sure that a third-party AV program is essential, and some of them may be detrimental.

Of course, needs vary. Some people are more accident-prone than others, and some are less sensitive to threats. Some venture into riskier parts of the internet. Some need to protect very valuable information. All these factors should be taken into account.

A risk-aware Windows user can probably survive without any anti-virus software at all. I ran Windows XP for a year to try to prove it. Less knowledgeable users can get their PCs infected no matter how much protection you give them. Software can’t protect people from themselves.

Malware threats

Most of the major AV products started out when many viruses were written by amateurs who were showing off. That’s no longer the case. Today’s malware is written by professionals who are in business to make money. They are less interested in viruses that replicate themselves – their delivery mechanisms are emails and websites. They don’t want to show off: they want their malware to stay hidden.

They are interested in collecting financial information and passwords etc, but there’s also a trend towards ransomware. They know they can blackmail people into paying for something they value – their personal files, financial information, family photos etc – and the arrival of Bitcoin has provided a secure way to collect the cash.

The best defence against ransomware is an offline backup of all your essential data.

Coding and screening

Most of the major AV products started out when Windows and its major browsers were insecure. That’s no longer the case. In 2002, Microsoft cofounder Bill Gates launched the Trustworthy Computing Initiative to make security the company’s highest priority. TCI training and methodologies changed the way Microsoft designed and developed software, and the result has been a dramatic reduction in Windows PC infection rates.

Windows 10 now includes a vast array of security and “threat mitigation” technologies, to the point where the main threats to Windows users come from third-party programs such as Oracle Java and some Adobe software.

There has also been a huge improvement in the security of web browsers, particularly Google’s Chrome and Microsoft’s Edge. Chrome is securely sandboxed, which helps protect the underlying operating system from web-based attacks. Google also runs a “bug bounty” program, which pays researchers up to $100,000 for each exploitable hole they find in Chrome or Android. It paid out more than $3 million last year, making Chrome even more secure.

Further security improvements have come from “safe browsing” systems, which blacklist websites that host malware. Google Safe Browsing is now part of Chrome, Firefox, Vivaldi and Apple’s Safari, while Windows 10 has its own built-in SafeScreen filter. If you are worried about a website, you can check it manually at Google’s website.

The result is that Windows 10 users are not sitting ducks, like Windows XP users, as long as they keep their software up to date. This includes updating browsers and other third-party software, using a free tool such as Flexera’s Personal Software Inspector (PSI), Patch My PC, or Kaspersky Software Updater.

The AV problem

Anti-virus companies started out protecting vulnerable operating system and browser code, but we may have reached the point where vulnerable anti-virus software is doing more harm than good.

Issues that have been debated in back rooms became very public last November when Google Chrome security expert Justin Schuh launched a tweetstorm against renowned Bulgarian AV expert, Vesselin Bontchev. Schuh tweeted: “You misunderstand your own ignorance. AV is my single biggest impediment to shipping a secure browser.”

The gist of Schuh’s many complaints was that AV programs messed up the security of other programs while being written insecurely themselves. He tweeted: “You ignore all security best practice, piling dodgy format parsing and other unsafe code into the kernel. I expect it’s possible to make an AV that isn’t more harm than good, but none of you are even trying.”

In January, former Firefox developer Robert O’Callahan chimed in with a confirmatory blog post, Disable Your Antivirus Software (Except Microsoft’s).

Normally, programmers won’t talk about these problems, because they need the AV supplier’s cooperation when AV cripples or crashes their software. And they can’t tell users to turn off their AV, because they’ll be blamed if something bad happens. That leaves one alternative. As Schuh tweeted a few days later: “Browser makers don’t complain about Microsoft Defender because we have tons of empirical data showing that it’s the only well behaved AV.”

Windows Defender may not do the most good, in protecting you from malware, but it does the least harm.

Security strategy

Stop thinking that malware protection means running an anti-virus program and adopt a layered approach.

First, run Windows 10 with Windows Defender, the SmartScreen filter, cloud-based heuristics and basic telemetry (which is largely security related) all turned on. Do that and you are probably safe enough. All our PCs at home, including my wife’s, are set up this way, and we’ve not had any malware problems after 20 months.

Second, run Windows as a standard user, not as an administrator. (MacOS and Linux users already do this.) Running as a standard user may eliminate 90% of threats.

Third, make sure Windows and all your PC’s software is updated. Most malware exploits security holes that have already been patched, sometimes several years earlier. For maximum security, run Google Chrome or a Chromium-based browser such as Vivaldi.

Fourth, make sure you have good backups of all your personal data. In addition to normal PC backups, I use FreeFileSync to copy my main data folders to an external hard drive every day, and this gets backed up later to a second EHD. Blu-rays are another good option, because they can’t be encrypted by ransomware.

Fifth, run periodic scans to make sure your chosen anti-virus program hasn’t missed anything. Microsoft does this with its MSRT (Malicious Software Removal Tool) before installing major updates, and Kaspersky offers a good alternative. I run spot checks with Malwarebytes Antimalware and Hitman Pro, among others. There are also free online scanners from many AV firms including Bitdefender, Trend Micro, ESET and F-Secure.

Sixth, remember that Windows 10 provides good refresh, reset and recovery options. If those don’t so what you want, be prepared to wipe your hard drive and reinstall Windows 10 from scratch, either from a DVD or a thumb drive. Microsoft provides instructions. Your authentication and preferences are stored online against your Microsoft account, and the Windows Store will reinstall any apps you’ve downloaded, so it’s relatively easy to get back to where you were.

AV Choice

If you are not on Windows 10, if you are accident-prone, or if you have other reasons for wanting better protection, there’s still a place for anti-virus programs. From the current free programs, I recommend Avira or Bitdefender, though both Avast and AVG (which is now owned by Avast) are still acceptable choices. Kaspersky is probably the best paid-for option, but Trend Micro is worth a look.

Try a couple of AV programs to see if you like any special features, the user interface, the impact on performance (eg on web page and file download times), whether it seems to interfere with any other software, the scanning speed and so on. There are at least a dozen decent alternatives, so you don’t have to use one you don’t like.

Have you got another question for Jack? Email it to Ask.Jack@theguardian.com