First off, let me say that for anyone doing banking or financial transactions that there is NO WAY the Win platform can be fully trusted. Simply reboot into a Linux Live CD (Or USB version). And that should also be used for visiting 'risky' sites.
Second, Win security is a matter of personal choice, expertise, experience, and even downright *attitude*. Your choice of who you consider the OWNER of your desktop.
Here I run an XP network, along with Linux, a Win7 machine, and a Win10 dual tablet/mini-notebook.
Traditionally the first thing I do is disable *everything* remotely related to Remote Desktop functions. Nothing should ever see a login prompt, and that applies to Linux also where even sshd is physically removed.
No messenger, no netmeeting, and certainly no remote 'help' functions.
I use the Blackviper site as a guide to disable as many Win *services* as possible. And then some.
I avoid the 'cloud' and do not use any 'sharing' or sync services.
I use ERUNT/ERDNT to back up the registry daily. This is a lot better than relying on System Restore.
I have a *huge* HOSTS file as well as Peerblocker installed with all the major filter lists.
I use Firefox, with all the NoScript security suite, and then some.
I have IE sandboxed, and usually run any new app in a sandbox first to see what it does. Some junk is PUP infested, so I just extract the main program folder from the sandbox, move it into my own version of 'Program Files' , though I often zip it up first and send it to VirusTotal to see what they say - first.
Since Win is by definition a VIRUS (software programmable firewall, you say??) the first thing I do is disable the Security Center, Updates, UAC, Firewall - the whole shebang. This step is NOT recommended for those without sufficient experience who cannot sight and remove boogers with simple tools like Hijackthis, and malware eradication from a dual boot Linux. The network here is mostly behind TWO hardware firewalls, except for the Win10 tablet - and I am working on securing that. So far stripping out half of the services, including updates and firewall, has created no problems here, though technically it is a Honeypot. I have KIS on it temporarily, though typically turned off.
The tablet, btw is not allowed access to the local network.
I have a development system here. Many of the tools I use here are for patching, packet sniffing, including RATS and encryptors I experiment with to determine better ways of protecting the system here. AV 'protection' would do more damage here than the boogers themselves. I just removed KIS on my main system when it decided to turn on (against instructions) and attack a USB drive. It killed a program (despite being expressly forbidden from deletion) - so I killed it.
Personally I am only looking for an ON DEMAND scanner. KIS had a nice one, but I could not separate it from the parent program. Emsisoft seems to have a decent (if SLOW) one in its Emergency Kit and its scanning of downloads of a collection of vintage games seems reasonable, though with a bunch of false positives. Trojan.Generic? Toss it into sandbox and see what it does.
I would find all AV software pretty much useless against *NEW* software. If you visit a good hacker forum the first thing learned is that there are folks there who claim that their *encryptors* have lasted for YEARS without detection, even by sites like Virustotal - which they test against. Even the free malware offered to kiddies can create encryptors undetectable for months on end. They do not consider anything M$ to have *any* real protection at all, and even claim infection of media files and JPGs.
I rarely do email on my main machine, and use a text only client (Forte Agent).
I remove or disable as much M$ crapware as possible, and sandbox the rest.
The result is that I catch about one booger a year. It usually takes me about 20 minutes to kill it.
I accidentally click on at least one booger a month, and have always been able to kill it in a minute or two. The new ones can't even run in XP!
I always run as Admin.
This, of course, would be suicidal for 'typical' users, just as much as typical 'AV Suites' would be suicidal for me. And cause me a lot more time and grief than a booger infection.
The point being in all this is that one's protection *needs* are directly dictated by one's user practices. And technical expertise.
The more you know, and are willing to learn - the more power you will have over your desktop.
That said, the average person will regard their system, particularly if mobile as a consumption device. And will have neither the time nor the inclination to learn the innards of the system like identifying strange DLLs and services. Best advice is to back up valuable data regularly, and just rely on standard software, and free AV like Avast. And adwcleaner for the standard garbage.
Try to avoid anything *new*, and fer chrissake never download a *NEW* torrent! Wait for reviews - some sites will delete bad ones.
One of the major attack vectors these days is *updates* - be forewarned. Important software should be *manually* updated.
Think about it. If Roger McAfee can send you an update whenever he wants, why can't Yigor, from Minsk!