I still don't use anti-virus software. Am I nuts?

It's been years since I first revealed my shocking secret. Have I paid the price for ignoring all the security experts?

Rick Broida Senior Editor
Rick Broida is the author of numerous books and thousands of reviews, features and blog posts. He writes CNET's popular Cheapskate blog and co-hosts Protocol 1: A Travelers Podcast (about the TV show Travelers). He lives in Michigan, where he previously owned two escape rooms (chronicled in the ebook "I Was a Middle-Aged Zombie").
Rick Broida
5 min read

This is an update of a post I first wrote in 2014, then updated in 2015. Let me clarify right up front that I'm specifically referring to third-party anti-virus software, not the protections built into Windows. And as you'll read below, there are security tools I do embrace -- just not what you'd expect.

For years I've been the on-call tech guy for family members, and most of my "repair" jobs involve clearing out malware infestations. You probably know the kind: hijacked browsers, rampant pop-ups, seriously impaired computer performance. Just the other day I removed a browser hijacker from my dad's laptop.

The irony is that there's usually some kind of security software running on their machines, be it McAfee, Norton or the like. (Dad was running the Norton freebie offered to Comcast customers.) But after hearing me mutter under my breath about PEBKAC errors (though less so nowadays -- see "A rude awakening" below), I get the inevitable question: "Well, what security software do you use?"


Flirting with disaster?

Call me crazy. But this has been my modus operandi for years, and I swear on a stack of Wikipedias I've never had a single issue. No viruses, no spyware, no rootkits, no browser hijacking. No identity theft, no keylogging, no trojans.

Have I had to reset passwords following database breaches like this one? Of course. But that's beyond my control. What I can control is my own PC and how I interact with the internet. After almost a decade of running virtually no third-party security tools, here's the score: Broida, 1; Hackers, 0.

I realize this flies in the face of conventional wisdom, which insists you don't even boot your PC unless it's shielded by a comprehensive security suite. Meh. I'm fine with it in principle, and some users definitely need it, but I balk at both the cost and the performance impact (though both have decreased in recent years).

My security secret

How do I get away with this browser blasphemy, this online affront? There's no trick to it; it's just a simple trick.

My computer runs Windows 10, as secure an operating system as Microsoft has ever released. In addition to its built-in firewall, the OS offers anti-virus protection in the form of Defender, plus SmartScreen for protection from dangerous programs and web sites. The Edge browser also provides plenty of safeguards against hijacking and the like, though I'm a Google Chrome user.

Speaking of which, all modern browsers -- Edge, Chrome, Firefox -- employ robust security features of their own, and let's face it: Your browser is the gateway to many, if not most, infections. Chrome, for example, will warn you about suspicious sites before letting you through to them, and its sandboxing helps prevent malware from "escaping" one tab and infecting all the others.


Web of Trust helps alert you to potentially unsafe sites.

Screenshot by Rick Broida/CNET

And that's it. Seriously. Between Windows, my browser, and my router (which has its own firewall, natch), I'm good. But there's one small tool I do use, if only to buffer myself against momentary lapses of caution, and that's Web of Trust. Available as a plug-in for all major browsers, it vets the search results displayed by Google and other engines, the idea being to prevent you from clicking through to a site that might be unsafe. Speaking of which...

Where others fail

Very often I find myself scratching my head, wondering how my friends and family end up with such nasty incursions when I'm sailing along unscathed. The most likely answer: They're allowing it to happen, albeit unknowingly.

The two main culprits, in my opinion, are unsafe links (like the kind found in phishing emails) and spyware-infested downloads. One click of the former can steer you to a site that, just by viewing it, installs malware on your PC. As for the latter, many software sites are rife with ads masquerading as download buttons. You innocently click one, thinking you're downloading a particular program, but when you go to install it, bam: malware city.


Did someone send you a SendSpace link? Better be careful which download button you click.

Screenshot by Rick Broida/CNET

The moral of the story, of course, is "look before you click." Whenever possible, mouse over a link to see where it's actually going to take you, and if the URL differs from what you'd expect, don't click. Likewise, steer clear of splashy "Download" buttons; very often the program you're after is accessible via a small, understated link, not a button.

Another tip: Use an ad-blocker. The SendSpace page shown above looks dramatically different once you strip away all those confusing boxes.

Perhaps most important of all, learn to recognize spam when you see it. Mail services like Gmail do a great job filtering out most of it, but sometimes an errant bit of junk gets through -- and very often it's a phishing message that can lead you to trouble.

While you're at it, stop trying to download pirated music and movies. It's not only illegal, but also a surefire way to end up with malware. Oh, and for heaven's sake, make backups! Keep your critical data archived locally and in the cloud.

A rude awakening

A while back, two family members fell victim to a growing security scourge: ransomware. As I noted above, I'm usually the go-to guy when virus issues crop up, but this threw me for a loop. Not only had I not encountered ransomware before, I found myself helpless to undo the damage it had done.

And what damage: All their data files (Word, Excel and so on) had been irrevocably encrypted, meaning they produced only gibberish when opened in their respective programs. Well, not exactly irrevocably. The hijackers gleefully offered to decrypt the files for a mere $500-700.

Gulp. Despite my best efforts, I could find no special trick, no rescue utility to thwart the thieves and reclaim the data. This is scary stuff, and although it definitely made me think a little harder about my approach to desktop security. Indeed, during the WannaCry scare a few months back, I was sufficiently freaked out that I installed freeware utility Cybereason Ransomfree.

Has it detected any incursions? Thankfully, no -- and while it may be naive to pat myself on the back, I think that's because I don't fall prey to the phishing methods and duplicitous downloads that open the door to ransomware.

What's right for you?

Let me be clear: I'm not recommending that everyone ditch their security software and do like I do. I'm merely telling you what has worked for me. The simple combination of built-in security tools and some common-sense caution has kept my computers secure for years -- and for free. How do I know for sure? Every so often I run Malwarebytes (which, incidentally, is what I used to clear my dad's laptop a few days ago). Never so much as a blip.


So far, so good.

Screenshot by Rick Broida/CNET

My questions for you are the same as they were last time out: What security software do you use (if any), and has it been effective at keeping malware at bay? When was the last time it caught an incursion, and under what circumstances? Do you think I'm being an unsafe netizen, or are you intrigued by my approach?

Update, Aug. 30 at 11:36 a.m.: Originally published on June 25, 2014. Added new screenshots and updated the story.