Anti-virus Best Practices: What are your 3 tips for preventing virus attacks?
Please list, in detail, 3 best practices that you would like to share with the Focus community on protecting your business data from viruses and malware. High quality contributions will be included in an upcoming report on IT security and will receive significant promotion on the Focus network.
11 Answers
This could be a long response, but I'll make this first attempt concise:
1) Pick a legitimate anti-virus/anti-malware product and install it, and then keep the definition files current. The anti-virus software is like a bouncer at the door, and the definitions are like a mug shot book that the bouncer uses to identify criminals and deny them access. If you do not have a current mug shot book, it doesn't matter how good your bouncer is; he'll not know about the newest criminals to block.
2) Patch. For Windows, if not using Automatic Update, use some other method to check for and install patches for the operating system, and don't forget to install patches for your applications. Patches and hotfixes will reduce or eliminate vulnerabilities that exploits hit to compromise your system. Not all exploits are considered to be a virus or malware, and they are not addressed by all anti-virus software.
3) EDUCATE the end user on appropriate use, what to look out for and what to avoid. Social engineering is still a major vector for exploitation.
'Security is a process, not an event!'
I have become so frustrated with the constant plethora of viruses, worms, Trojans, and rootkits that I have followed Fred's advice above and switched to Linux.
That said, not everyone can choose the easy path. So, in addition to the excellent answers posted by Vee and Erik, I would add this:
Realize that you will not stop all virus attacks. One AV vendor told me two weeks ago that they have to sort through 300,000 new variants of malware a DAY! And from personal experience I know that a targeted variant that never makes it into the wild may never be caught by AV products. So, assume you will get infected and take measures to minimize the damage. Use network defenses to block access to command and control (CnC) servers and prevent exfiltration of data. Use your PC's firewall to prevent connections to outside servers. And finally, develop an effective methodology for re-imaging PCs. You will need it.
As a security vendor I can tell you there is no perfect AV solution. The best protection against attack is an age old practice.
BACKUP! BACKUP! BACKUP!
I'd add: be aware of the limitations of today's AV tools. Don't take them for granted like we used to in the 1990s. The tools are fairly likely to miss a modern threat; even though the exact stats on this differ wildly, people often expect a 30-70% failure rate for modern malware.
Michael,
I think everyone has provided you with excellent advice, and I hope mine builds upon that.
1. The first item I would like to suggest is ingress and egress filters on Internet routers or firewalls. Most organizations will filter ingress, or inbound, traffic; however, many do not filter egress, or outbound, traffic. This may not prevent your organization from being infected; however, it may prevent your organization from infecting others.
RFC 2827
Network Ingress Filtering
http://www.ietf.org/rfc/rfc2827.txt
NSA's Router Security Configuration Guide
http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
2. Using a Web Content Filter may prevent infection by blocking resolution of known malicious domains. For example OpenDNS.com which has free as well as paid service can block web content on a variety of topics including adware and Pornography.
3. Make sure you send your firewall logs to a syslog server and review them periodically. A simple plot of number of log entries a day may indicate a problem and prompt you to dig deeper. You can also choose to help the Internet community by sending your logs to http://www.dshield.org/howto.html.
4. Maintain support and software assurance contracts on your anti-virus/malware software and, if possible, opt for the centrally managed enterprise versions. This should allow you to push updates and verify updated signatures. It also simplifies management by utilizing the same anti-virus throughout your organization.
5. OK, this is going to sound contradictory to item 4, but hear me out. If possible, implement network-level virus protection that is different from the client/server product. As mentioned by other experts, we are dependent on signatures, and one vendor may beat another to the punch. Anyone who has uploaded malicious software to VirusTotal.com can see this first hand. So, without having to support multiple vendors at the system level, we can implement multiple vendors in the environment.
I know I went above the requested three items but I hope this helps. If you have any other questions or need any clarification please let me know.
Thanks,
Fred Stuck
http://XeeSM.com/FredStuck
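Two of the points above lend themselves to a concrete check: the earlier answer's advice to use network defenses to spot traffic toward CnC servers, and Fred's items 1 (RFC 2827 egress filtering) and 3 (ship firewall logs to syslog and watch the daily counts). The script below is an added example written for this page, not code from any answer's author; it parses iptables-style firewall lines as they appear in syslog, flags outbound packets whose source address is not one of the site's own prefixes (the RFC 2827 condition applied on the way out), plots-by-number the outbound drops per day and flags spike days, and lists the destinations behind a spike. The log lines, the internal prefixes (10.0.0.0/8 and 192.168.0.0/16) and the external interface name (eth0) are all constructed assumptions for the example.

```python
"""Review firewall syslog exports: RFC 2827 egress check, daily drop counts, spike days."""
import re
import statistics
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions for this example: the site's own address space and the Internet-facing interface.
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXTERNAL_IF = "eth0"

# iptables LOG target lines as syslog writes them (fields after "kernel:" are the firewall's).
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>[\d:]{8}) (?P<host>\S+) kernel: "
    r"(?P<action>ACCEPT|DROP) IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

# Constructed sample log: four quiet days, then a host beaconing to an IRC port and one
# packet leaving with a forged (non-internal) source address.
SAMPLE_LOG = """\
May 20 09:12:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=23
May 20 11:40:17 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51200 DPT=6667
May 20 16:02:45 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=192.0.2.77 PROTO=UDP SPT=5060 DPT=5060
May 21 08:30:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51201 DPT=6667
May 21 13:15:22 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.9.4 DST=192.0.2.88 PROTO=TCP SPT=40000 DPT=25
May 22 07:45:10 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=192.0.2.77 PROTO=UDP SPT=5060 DPT=5060
May 22 18:05:33 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51202 DPT=6667
May 23 10:00:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.9.4 DST=192.0.2.88 PROTO=TCP SPT=40001 DPT=25
May 23 14:22:09 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=192.0.2.77 PROTO=UDP SPT=5060 DPT=5060
May 24 02:00:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51203 DPT=6667
May 24 02:05:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51204 DPT=6667
May 24 02:10:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51205 DPT=6667
May 24 02:15:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51206 DPT=6667
May 24 02:20:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51207 DPT=6667
May 24 02:25:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51208 DPT=6667
May 24 02:30:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51209 DPT=6667
May 24 02:35:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51210 DPT=6667
May 24 03:00:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.0.2.99 PROTO=UDP SPT=53 DPT=53
"""


def parse(text):
    """Return one dict per recognisable firewall line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["date"] = f"{ev['month']} {int(ev['day']):02d}"  # year-less syslog stamp
            events.append(ev)
    return events


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_PREFIXES)


def spoofed_egress(events):
    """RFC 2827 applied outbound: a packet leaving on the external interface must carry
    one of our own source addresses. Anything else is misconfiguration or a host forging
    its source, which is what egress filtering exists to stop."""
    return [e for e in events if e["out"] == EXTERNAL_IF and not is_internal(e["src"])]


def outbound_drops_by_day(events):
    """The 'number of log entries a day' plot, restricted to blocked outbound traffic."""
    return dict(Counter(e["date"] for e in events
                        if e["action"] == "DROP" and e["out"] == EXTERNAL_IF))


def spike_days(counts, factor=3.0):
    """Flag a day whose count exceeds factor x the median of the other days."""
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if len(others) < 2:
            continue  # not enough history to call anything a spike
        if n > factor * max(statistics.median(others), 1):
            flagged.append(day)
    return flagged


def top_destinations(events, day, n=3):
    """Where the blocked outbound traffic on a given day was going: CnC candidates."""
    return Counter(e["dst"] for e in events
                   if e["date"] == day and e["action"] == "DROP" and e["out"] == EXTERNAL_IF
                   ).most_common(n)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in spoofed_egress(evs):
        print(f"spoofed source leaving {EXTERNAL_IF}: {e['src']} -> {e['dst']} on {e['date']}")
    counts = outbound_drops_by_day(evs)
    for day in sorted(counts):
        print(f"{day}: {counts[day]:3d} {'#' * counts[day]}")
    for day in spike_days(counts):
        print(f"spike on {day}; top destinations: {top_destinations(evs, day)}")
```

Run against a real export, the interesting output is the spike day and its top destination: the 6667/tcp beacon from 10.0.5.23 stands out long before any signature names the malware, and the forged-source packet shows the egress rule earning its keep. Tune `factor` to your own baseline; three times the median of quiet days is a starting point, not a standard.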
It's relatively simple - that is if you can get past the mentality that simple anti-virus software combined with a strategy of "we hope nothing happens" is good enough. Here's what you've got to do:
1) know what you've got (systems, sensitive data, etc. - and yes Windows is more susceptible to attack but others are not impervious)
2) understand where the risks are (hint: they're in more places than you can imagine, including your smartphones)
3) do something about it and do it well (not just leave your security up to a network firewall and the anti-virus software that came preloaded on your computers - periodic and consistent system maintenance is key)
If you focus on the basics of security and you're smart with your approach like I talk about in this blog thread (http://bit.ly/gG7U9b) you'll eliminate the majority of your IT risks. Ignore the obvious and the odds are against you.
1. Update OS, AV, firewall and browser with up-to-date patches. Firewall configured to BLOCK SN sites.
2. Strict mail control, with NO attachments that could be even remotely executable. This can be part of the e-mail admin rules.
3. User education on what to look for and how to handle suspicious-looking packages and spam. DO NOT, DO NOT open spam.
Embracing cloud-based security allows you to save time by blocking threats before they reach you / your endpoint PC or device. Signature file updates take a lot of time and users dislike application disruptions during business hours.
Most viruses enter the network via careless users. While modern and up-to-date automated protections are important, user education and re-education and reminders are essential. This includes terminating users' rights (and maybe their employment) if they are found to be careless.
1. Least privilege. The less access the users have (including you), the less trouble they can get themselves into. Admin rights should be assigned sparingly. Get used to using sudo and runas.
2. Scan less, but scan more often. Scanning everything on all local drives makes end users reject the AV protection. Use targeted scans that finish in 10-15 minutes instead of 2-4 hours and you can scan what matters more often.
3. Keep it real current. Update your protections, OSes and your apps regularly. Use cloud based AV technologies for the most current threat detections.
Switch to Linux.