Free antivirus started life nearly two decades ago as security's poor relation, little more than a way of ensnaring users with limited features that would give them an excuse to upgrade to paid-for software later on. A number of software vendors built their marketing on such products, even if the bigger brands were sometimes too sniffy to dare offering something as lowly as a ‘free' product.

Then the Internet happened, the browser became the dominant application, and websites emerged as a major means of distributing what became known more generically as ‘malware'. Malware included old-fashioned viruses, but also mass-distribution worms, Trojans (a major new class of program), and a cluster of applications designated as ‘spyware'.

Suddenly, the threat wasn't just good coding it was bad coding too, with the industrialisation of malware that could exploit software vulnerabilities in the OS, in apps, and especially in browsers and browser plug-ins.

Paid-for AV products found themselves doing a lot more work at a lot more layers of the software stack, and diversified into today's suites that do everything imaginable, including encryption, firewalling, backup, spam filtering, browser trace deletion, parental control, IM and P2P control, web, file and app monitoring, and all before old-style hard disk scanning is even mentioned.

The problem for security companies is that many pieces of this security jigsaw are at least partially done by free programs, starting with browsers, now secured using layers of settings and URL checking. A reasonable two-way firewall comes with Windows 7 (XP's is one-way, Vista's two-way but requires management and interaction), and of course the basic AV is handled by free utilities that many users swear by.

The fascinating thing about ‘free' is how much users get without having to reach for the credit card. But how much is really enough security and which features does the average user need and perhaps not need?

The firewall

Firewalling is a complex issue, and in principle will de done by a gateway device such as a wireless router. In truth these are often complex to configure and understand, leaving most users relying on a desktop firewall that monitors traffic in and out of a PC. Windows 7 (and to a lesser extent Vista) ships with a perfectly serviceable one included and the numerous free choices are also excellent to the extent that it's hard to see why anyone would pay for one.

Frankly, we wouldn't see a huge point in using a third-party firewall-only product unless you're still using Windows XP, in which case look to ZoneAlarm or Comodo (which includes optional antivirus), both of which are easy to use, and do what they say on the tin. Whichever product, watch out that is doesn't hit CPU. And that the Windows version is turned off before installation.

ZoneAlarm recently upgraded its free firewall to allow the outbound portion to take its settings from applications profiles held in the cloud. Although two-way firewalling is available in Windows (bar pre-SP2 versions), it can be complex to set up and 'noisy' to use, givng non-expert users baffling alerts. We can't vouch for the effectiveness of this new design but it does point the way to a new way of configuring firewalls and could be interesting.

Patching

This tends to be an ignored aspect of security. Windows performs its own update once a month at least, as will individual programs, but out-of-date software, unpatched against known security issues is still a major problem, especially on systems that are not used every day.

A number of free programs exist to examine applications for out-of-date versions, perhaps the best of which is Secunia's Personal Software Inspector (PSI).

Browser plug-ins

Browser security is much improved but still far from infallible, which is why plug-ins have appeared to address specific problems. There are hundreds of these, nay thousands, and each one s specific to a different browser.

Noscript (Firefox)

Noscript is a Firefox extension that stops Javascript (a major target for security flaws) from running without permission, blocking exploits such as clickjacking and XSS; whitelisting feature lets the user select named sites that can run scripts. Can be a bit intrusive but worth it for the security-conscious.

Trusteer Rapport

Installs in all major browsers and verifies using a small green icon that a website is genuine using built-in lists or those added by the user. For partners sites - banks say - it can also encrypt the keyboard to website communication for secure login, though only small number of sites are covered for this. Even when not using this feature, is a useful and non-intrusive shield against website spoofing.

LastPass

An absolute must and by far the best browser-based secure password store out there. As well as acting as a database of web-based passwords (and a replacement to having them stored insecurely by browsers), it automates logins, stores form data, and has plenty of control over how to treat different sites in a more or less automated way. Can be access from anywhere by any PC using a single master password.

The free antivirus scanner

A basic malware scanner downloads signature files every day which it uses to perform retrospective scans of hard disks for bad files at defined intervals. It will also offer some level of realtime protection against the incursions of rogue software and spam attachments, often by complementing browser security settings. It will also usually monitor for dodgy URLs, though again this is done by browsers and, with lesser reliability, by search engines themselves.

Microsoft Security Essentials

Microsoft dabbled with paid-for security then threw in the towel and came up with this free gem only last year. It has garnered good scores in tests (that is about the same as paid-for products for basic antivirus scanning), uses little in the way of resources, and is extremely simple to configure and use. Basic, yes, but not cut-down in terms of the core features which are file scanning, realtime process monitoring. Will scan inside archives and removable drives, but use in conjunction with browser security add-ons because it does not monitor URLs or watch what's coming in via email. No frills. Download it here.

AVG Antivirus Free Edition

The granddad of free, AVG is probably the most popular unpaid antivirus program going. Very similar to the Microsoft product with the addition of an optional browser link-scanner and the ability to create a rescue disk. Not as light on resources as Security Essentials but still more than capable.

Panda Cloud Antivirus (PAV)

A bit of an untested option at present but a curious one. Panda runs in small footprint ideal perhaps for netbook users, thanks its makers claim to its part-signature, part cloud-based intelligence.

It has a lot of features free programs tend to lack. It scans email (inbound and outbound attachments), IM and web browsing, claims to block rogue scripts, and protects against vulnerabilities (although which ones will obviously depend on the remote database), all of which are launched in an on-demand way. It also has an optional firewall and can create a rescue disk.

If Panda Cloud has a problem it is lack of feedback and no scheduled scanning which might bother some. Apart from the occasional update request, it's barely noticeable, even when browsing websites other programs would take issue with. It did, however, prove its worth against one fairly common Trojan, while the beta version suffered a single false positive. Download here.

Avast Free Antivirus

It would be remiss not to mention Avast’s free antivirus software, which in common with AVG and Panda Security’s rival software is based on a ‘freemium’ model, i.e the basic version costs nothing but more advanced features require a subscription.

The free version offers basic single-PC AV scanning, while the paid versions add sandboxing, claimed online banking protection, spam filtering and multi-PC licensing. We haven’t yet assessed the product’s effectiveness but it does appear to have a reasonable rating with its large user base.

Conclusion

The best antivirus program from these for light use of resources is Microsoft Security Essentials, the best for features-at-no-cost undoubtedly Panda Cloud Antivirus. The cloud client-server model is an interesting direction others will surely follow in the near future. How does Panda offer a free product tied to an expensive datacentre? Presumably, the malware it detects through the consumer products help it improve the paid-for business version.

More widely, it is clear that stumping up £30-£50 ($47-$70) for a full suite is not necessarily the best option for users even if they are happy to throw money at the security problem. The suite will do everything - a good recent example is Kaspersky's Pure which includes encryption, backup and parental control - but not necessarily as well as separate programs. Suites tend to be more complex, more resource-heavy, and inevitably elements of each are mediocre.

Any one of these and other free antivirus programs (BitDefender, Avast!, ESET) will do a perfectly good job when complemented with a secure password database, judicious use of encryption, and browser controls.