Free antivirus started life nearly two decades ago as security's poor relation, little more than a way of ensnaring users with limited features that would give them an excuse to upgrade to paid-for software later on. A number of software vendors built their marketing on such products, even if the bigger brands were sometimes too sniffy to dare offering something as lowly as a ‘free' product.

Then the Internet happened, the browser became the dominant application, and websites emerged as a major means of distributing what became known more generically as ‘malware'. Malware included old-fashioned viruses, but also mass-distribution worms, Trojans (a major new class of program), and a cluster of applications designated as ‘spyware'.

Suddenly, the threat wasn't just good coding it was bad coding too, with the industrialisation of malware that could exploit software vulnerabilities in the OS, in apps, and especially in browsers and browser plug-ins.

Paid-for AV products found themselves doing a lot more work at a lot more layers of the software stack, and diversified into today's suites that do everything imaginable, including encryption, firewalling, backup, spam filtering, browser trace deletion, parental control, IM and P2P control, web, file and app monitoring, and all before old-style hard disk scanning is even mentioned.

The problem for security companies is that many pieces of this security jigsaw are at least partially done by free programs, starting with browsers, now secured using layers of settings and URL checking. A reasonable two-way firewall comes with Windows 7 (XP's is one-way, Vista's two-way but requires management and interaction), and of course the basic AV is handled by free utilities that many users swear by.

The fascinating thing about ‘free' is how much users get without having to reach for the credit card. But how much is really enough security and which features does the average user need and perhaps not need?

The firewall

Firewalling is a complex issue, and in principle will de done by a gateway device such as a wireless router. In truth these are often complex to configure and understand, leaving most users relying on a desktop firewall that monitors traffic in and out of a PC. Windows 7 (and to a lesser extent Vista) ships with a perfectly serviceable one included and the numerous free choices are also excellent to the extent that it's hard to see why anyone would pay for one.

Frankly, we wouldn't see a huge point in using a third-party firewall-only product unless you're still using Windows XP, in which case look to ZoneAlarm or Comodo (which includes optional antivirus), both of which are easy to use, and do what they say on the tin. Whichever product, watch out that is doesn't hit CPU. And that the Windows version is turned off before installation.

ZoneAlarm recently upgraded its free firewall to allow the outbound portion to take its settings from applications profiles held in the cloud. Although two-way firewalling is available in Windows (bar pre-SP2 versions), it can be complex to set up and 'noisy' to use, givng non-expert users baffling alerts. We can't vouch for the effectiveness of this new design but it does point the way to a new way of configuring firewalls and could be interesting.

Patching

This tends to be an ignored aspect of security. Windows performs its own update once a month at least, as will individual programs, but out-of-date software, unpatched against known security issues is still a major problem, especially on systems that are not used every day.

A number of free programs exist to examine applications for out-of-date versions, perhaps the best of which is Secunia's Personal Software Inspector (PSI).

Browser plug-ins

Browser security is much improved but still far from infallible, which is why plug-ins have appeared to address specific problems. There are hundreds of these, nay thousands, and each one s specific to a different browser.

Noscript (Firefox)

Noscript is a Firefox extension that stops Javascript (a major target for security flaws) from running without permission, blocking exploits such as clickjacking and XSS; whitelisting feature lets the user select named sites that can run scripts. Can be a bit intrusive but worth it for the security-conscious.

Trusteer Rapport

Installs in all major browsers and verifies using a small green icon that a website is genuine using built-in lists or those added by the user. For partners sites - banks say - it can also encrypt the keyboard to website communication for secure login, though only small number of sites are covered for this. Even when not using this feature, is a useful and non-intrusive shield against website spoofing.

LastPass

An absolute must and by far the best browser-based secure password store out there. As well as acting as a database of web-based passwords (and a replacement to having them stored insecurely by browsers), it automates logins, stores form data, and has plenty of control over how to treat different sites in a more or less automated way. Can be access from anywhere by any PC using a single master password.