I still don't use anti-virus software. Am I still nuts?

It's been a year since I first revealed my shocking secret. Have I paid the price for ignoring all the security experts?

Declan McCullagh/CNET

This is an update of a post I wrote exactly a year ago. Let me clarify right up front, because I got an earful last time, that I'm specifically referring to third-party anti-virus software. And as you'll read below, there is a security tool I do embrace, though it's hardly an AV utility.

For years I've been the on-call tech guy for family members, and most of my "repair" jobs involve clearing out malware infestations. You probably know the kind: hijacked browsers, rampant pop-ups, seriously impaired computer performance.

The irony is that there's usually some kind of security software running on their machines, be it McAfee, Norton or the like. But after hearing me mutter under my breath about PEBKAC errors (though less so nowadays -- see "A rude awakening" below), I get the inevitable question: "Well, what security software do you use?"

Nothing.

Crazy? Crazy like a fox, thank you. This has been my modus operandi for years, and I swear on a stack of Wikipedias I've never had a single issue. No viruses, no spyware, no rootkits, no browser hijacking. No identity theft, no keylogging, no trojans.

Have I had to reset passwords following database breaches like this one? Of course. But that's beyond my control. What I can control is my own PC and how I interact with the Internet. After nearly a decade of running virtually no third-party security tools, here's the score: Broida, 1; Hackers, 0. And a year after I shared this "shocking" revelation, the score remains the same.

I realize this flies in the face of conventional wisdom, which insists you don't even boot your PC unless it's shielded by a comprehensive security suite. Meh. I'm fine with it in principle, and some users definitely need it, but I balk at both the cost and the performance impact (though both have decreased admirably in recent years).

My security secret

How do I get away with this online offense, this browser blasphemy? There's no trick to it; it's just a simple trick.

My computer runs Windows 8.1, as secure an operating system as Microsoft has ever released. (All together, now: "That's not saying much!") In addition to its built-in firewall, the OS offers anti-virus protection in the form of Defender (formerly the standalone Security Essentials), plus SmartScreen for protection from malware and phishing scams. Internet Explorer also provides plenty of safeguards against hijacking and the like, though I'm a Google Chrome user.

Speaking of which, all modern browsers -- IE, Chrome, Firefox -- employ robust security features of their own, and let's face it: your browser is the gateway to many, if not most, infections. Chrome, for example, will warn you about suspicious sites before letting you through to them, and its sandboxing helps prevent malware from "escaping" one tab and infecting all the others.

web-of-trust-unsafe-site.png
Web of Trust helps alert you to potentially unsafe sites. Screenshot by Rick Broida/CNET

And that's it. Seriously. Between Windows, my browser, and my router (which has its own firewall, natch), I'm good. But there's one small tool I do use, if only to buffer myself against momentary lapses of caution, and that's Web of Trust. Available as a plug-in for all major browsers, it vets the search results displayed by Google and other engines, the idea being to prevent you from clicking through to a site that might be unsafe. Speaking of which...

Where others fail

Very often I find myself scratching my head, wondering how my peeps end up with such nasty incursions when I'm sailing along unscathed. The most likely answer: they're allowing it to happen, albeit unknowingly.

The two main culprits, in my opinion, are unsafe links (like the kind found in phishing emails) and spyware-infested downloads. One click of the former can steer you to a site that, just by viewing it, installs malware on your PC. As for the latter, many software sites are rife with ads masquerading as download buttons. You innocently click one, thinking you're downloading a particular program, but when you go to install it, bam: malware city.

sendspace-download-buttons.png
Did someone send you a SendSpace link? Better be careful which download button you click. Screenshot by Rick Broida/CNET

I feel especially guilty about this kind of thing, as I have occasionally steered users to freebie-software deals embedded on pages like these. Despite what I think are clear instructions, some folks invariably end up clicking in the wrong place.

The moral of the story, of course, is "look before you click." Whenever possible, mouse over a link to see where it's actually going to take you, and if the URL differs from what you'd expect, don't click. Likewise, steer clear of splashy "Download" buttons; very often the program you're after is accessible via a small, understated link, not a button.

Also, learn to recognize spam when you see it. Mail services like Gmail do a great job filtering out most of it, but sometimes an errant bit of junk gets through -- and very often it's a phishing message that can lead you to trouble.

While you're at it, stop trying to download pirated music and movies. It's not only illegal, but also a surefire way to end up with malware. Oh, and for heaven's sake, make backups! Keep your critical data archived locally and in the cloud.

A rude awakening

In just the last couple months, two beloved family members have fallen victim to a growing security scourge: ransomware. As I noted above, I'm usually the go-to guy when virus issues crop up, but this threw me for a loop. Not only had I not encountered ransomware before, I found myself helpless to undo the damage it had done.

And what damage: All their data files (Word, Excel and so on) had been irrevocably encrypted, meaning they produced only gibberish when opened in their respective programs. Well, not exactly irrevocably. The hijackers gleefully offered to decrypt the files for a mere $500-700.

Gulp. Despite my best efforts, I could find no special trick, no rescue utility to thwart the thieves and reclaim the data. This is scary stuff, and although it definitely made me think a little harder about my approach to desktop security, I haven't made any changes. That's because I don't fall prey to the phishing methods and duplicitous downloads that open the door to ransomware -- and I do make backups.

What's right for you?

Let me be clear: I'm not recommending that everyone ditch their security software and do like I do. I'm merely telling you what has worked for me. The simple combination of built-in security tools and some common-sense caution has kept my computers secure for years -- and for free. How do I know for sure? Every so often I run Malwarebytes Anti-Malware Free. Never so much as a blip.

malwarebytes-quarantine.png
So far, so good. Screenshot by Rick Broida/CNET

My questions for you are the same as they were last time out: What security software do you use (if any), and has it been effective at keeping malware at bay? When was the last time it caught an incursion, and under what circumstances? Do you think I'm being an unsafe netizen, or are you intrigued by my approach?

Featured Video
6
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

How to set up Xbox game streaming in Windows 10

CNET's Dan Graziano shows you how to play Xbox One games on your PC.

by Dan Graziano