"User training + Properly setup PC + External to PC Firewall and Zero AV software."
Has worked for 20+ years for me and the users.
No remote content or vulnerable email.
No clicking on attachments.
There has been Zero infections. I'd actually have expected one or two.
ALL AV fails.
ALL AV hurts the system with false positives.
AV gives a false sense of confidence.
Many AV damage productivity and make the PC slow.
AV is NOT a substitute for best practices of PC, email and Network set up.
All the most successful attacks con the Mark into a deliberate install (This content needs codec, click to install).
If you are insecure in your abilities or the users, fine, install AV and have EXTRA trouble that can outweigh the risks. But PLEASE research how to set up PC, Networks, Applications properly. The defaults on most things are wrong.
Yes PROPERLY setup PC, Network and Training of users is NOT perfect. But lower TCO and less damage (none from AV products). We have a WSUS running, but that's just to save WAN bandwidth. We may junk it as Linux use rises.
The way AV works is inherently going to fail, especially if it's a substitute (which it usually is) for proper setup and training. Our mail server blocks all executable attachments, not just exe, com, cmd and bat but all the less well-known ones. The users are trained how to spot camouflaged filenames such as mypartypics.jpg_____________________________________.exe where ___ is loads of spaces.
I've removed viruses from MANY PCs over the last 12 years. All had AV products. Some up to date (How up to date is up to date? Daily? Hourly?)
I check our systems periodically with the script from silentrunners.org and various rootkit detectors such as gmer and others. Any unusual traffic on the Router is investigated (usually a teenager watching video at 3am and never has been a zombie bot or mailer). Even if you have AV you absolutely should do this.
The real reason fewer Linux servers than PCs with cable modems and no firewall are compromised is the training and expertise of the setup. Not just size of target.
ALL the setup, training etc is not optional. It should be done even if you do have faith in AV.
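
An added example, not part of the original comment: a sketch of the attachment check described above (block executable extensions at the mail server, and flag names such as mypartypics.jpg followed by a run of spaces and .exe). The extension lists, the padding threshold and all function names are assumptions made for illustration, and the sample message is constructed.

```python
import re
from email.message import EmailMessage

# Illustrative blocklist (assumption); a production policy list is longer.
BLOCKED_EXT = {"exe", "com", "cmd", "bat", "scr", "pif", "vbs", "vbe", "js",
               "jse", "wsf", "wsh", "hta", "cpl", "msi", "lnk", "jar", "ps1"}
# Extensions users read as harmless; only used to flag decoy names.
DECOY_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt", "mp3"}
PADDING = re.compile(r"[\s_\u00a0]{8,}")  # long run that pushes text off-screen

def check_filename(name):
    """Return the reasons to reject an attachment name (empty list = pass)."""
    # Windows drops trailing dots and spaces, so "a.exe. " still runs as a.exe.
    effective = name.rstrip(". \t\u00a0")
    parts = effective.split(".")
    final_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    reasons = []
    if final_ext in BLOCKED_EXT:
        reasons.append("blocked extension: ." + final_ext)
        # An earlier, harmless-looking extension: pics.jpg<padding>.exe
        earlier = {p.strip(" \t_\u00a0").lower() for p in parts[1:-1]}
        if earlier & DECOY_EXT:
            reasons.append("decoy extension before the real one")
    if PADDING.search(effective):
        reasons.append("padding run hides the end of the name")
    return reasons

def scan_message(msg):
    """Return [(filename, reasons)] for every attachment that should be blocked."""
    hits = []
    for part in msg.iter_attachments():
        reasons = check_filename(part.get_filename() or "")
        if reasons:
            hits.append((part.get_filename(), reasons))
    return hits

def build_sample():
    """Constructed test message: one padded .exe and one ordinary PDF."""
    msg = EmailMessage()
    msg["Subject"] = "party pics"
    msg.set_content("see attached")
    for name in ("mypartypics.jpg" + " " * 40 + ".exe", "minutes.pdf"):
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()):
        print(repr(name), "->", "; ".join(reasons))
```

The check looks only at the declared filename; it does not inspect the attachment's content.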