Re: Antivirus programs:
http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.VirusYearlyStats
This is a table with the percentage of malware infections detected during the last 12 months by various AV programs on day zero, before anyone had distributed copies of those particular samples. Even the best program missed one malware program in twenty, and some well known and well respected programs did miserably. (I don’t know about anyone else, but I’ve seen a lot more than twenty emails with links to malware in my inbox lately, almost every one of them on an innocent site that has been hacked.) If you check the short term stats elsewhere on the site, you will also see that individual AV programs move up and down the list as variants of malware come out that they are not good at detecting – no one program is consistently the best.
I regularly download samples of the malware I find through links in spam and submit them to www.virustotal.com, virusscan.jotti.org and until recently, Castlecops.com’s Unknown Files forum. The results are quite discouraging. A sample is considered pretty well detected if no more than 50% of programs miss it.
In short, I would never assume a download is safe based solely on a lack of complaint from my fully-updated, high quality AV program. You have to look at the provenance of the download. Before I download something that appears to be legitimate, I want to know who wrote the software, who else recommends it, and whether anyone is posting on forums asking how to remove it. You really can get some very high quality free programs on the internet, so the fact that it is free isn’t necessarily a red flag. But people don’t know they should research a program before downloading, and they don’t know which sites’ recommendations are reliable if they do. If you google the name of a scam antispyware program, your top hits will include a lot of scam product review websites recommending it.
Similarly, if I come across a download via suspicious means, I don’t need anyone to tell me it’s probably malware. For instance, I don’t subscribe to CNN updates, so any link in an email that claims to come from CNN is certain to be malware – if my AV program doesn’t think so, I submit the sample to them to add to their definitions.
Of course, with so many otherwise harmless sites being hacked, and now with cache poisoning, even following a bookmark to a site a user knows and trusts is not 100% safe. I use NoScript to block JavaScript on all but the most trusted sites. Whether I know what I’m doing is beside the point; I don’t get to see the source code before the site loads in my browser.
As far as non-administrative accounts for users: It’s a great idea. We do it for our employees’ computers, since our business requires us to interact with companies that insist we use Internet Explorer. Unfortunately, it also seems to prevent Windows Updates from installing in XP unless an administrator logs into each computer every week (and then sits there during the download while logged in with our own passwords). It may be blocking some AV program updates as well. It’s insane.