Replacing Windows 7 security updates with anti-virus?


After Microsoft discontinues security updates for a version of Windows there is not a safe way to run that version of Windows.

Some people will promote Virtual Patching, where you have an external firewall scan all your traffic looking for patterns of traffic that look malicious. I would not trust that, and it requires a separate non-vulnerable computer.

A number of vulnerabilities patched by Microsoft are not the sort that anti-virus is good at catching. In the most recent example Google announced a Chrome bug plus a Windows 7 bug that caused visiting a site to remotely execute arbitrary code; this was being used in the wild. After end-of-life Microsoft will not patch this type of bug.

No, anti-malware is not a replacement for security updates.

Neil Matz summarized Fortinet's Q2 2017 Global Threat Landscape report, noting:

WannaCry and NotPetya targeted a vulnerability that had been patched by Microsoft a few months earlier.

But it’s not just these high-profile attacks that target recent vulnerabilities that are the problem. During Q2, 90% of organizations recorded exploits against vulnerabilities that were three or more years old. And 60% of firms experienced successful attacks targeting devices for which a patch had been available for ten or more years!

You hate Windows 10's forced updates and telemetry, but there are methods to change their operation. For example, using gpedit.msc on Professional editions you can:

  • Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates. It's still possible to choose 2 = Notify before downloading and installing any updates.

  • It's possible to get the feature updates only after they are actually ready (i.e. tested and complained about by end users). ... > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received:

    When selecting Semi-Annual Channel (Targeted) or Semi-Annual Channel:

    • You can defer receiving Feature Updates for up to 365 days.

  • Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry. 0 (Security) sends only a minimal amount of data to Microsoft. Too much? You can disable the DiagTrack (Connected User Experiences and Telemetry) service.

Windows 10 was the first Windows with cumulative updates, which actually means fewer updates. Since October 2016 there has been no difference, as Microsoft stopped individual updates for every supported Windows and currently all updates are in the rollup model. (You can read more about servicing differences.)
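The three policies this answer walks through in gpedit.msc can also be applied from a script. The following is an added example, not part of the original answer: it writes the policy-backed registry values that the Local Group Policy Editor itself writes (assumed paths and value names: the documented Windows Update, Windows Update for Business and Data Collection policy values; check them against gpedit.msc on your own build), then reads them back. It assumes Windows 10 Pro or Enterprise and an elevated PowerShell session.

```powershell
# Added example (not the original answer's code): set the same policies as
# gpedit.msc by writing the policy-backed registry keys it uses.
# Assumptions: Windows 10 Pro/Enterprise, elevated session, value names as
# documented for the Windows Update / WUfB / Data Collection policies.
$ErrorActionPreference = 'Stop'

$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

foreach ($key in $au, $wu, $dc) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# 1. Configure Automatic Updates: 2 = Notify before downloading and installing.
#    NoAutoUpdate must be 0, otherwise automatic updates are off entirely.
New-ItemProperty -Path $au -Name NoAutoUpdate -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $au -Name AUOptions    -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Windows Update for Business: Semi-Annual Channel, defer feature updates
#    for the maximum 365 days. BranchReadinessLevel 16 = Semi-Annual Channel
#    (Targeted), 32 = Semi-Annual Channel. Quality (security) updates are
#    not deferred here, which is the point of the thread.
New-ItemProperty -Path $wu -Name BranchReadinessLevel            -PropertyType DWord -Value 32  -Force | Out-Null
New-ItemProperty -Path $wu -Name DeferFeatureUpdates             -PropertyType DWord -Value 1   -Force | Out-Null
New-ItemProperty -Path $wu -Name DeferFeatureUpdatesPeriodInDays -PropertyType DWord -Value 365 -Force | Out-Null

# 3. Allow Telemetry = 0 (Security). Caveat: only Enterprise/Education honour
#    0; on Pro the effective level is 1 (Basic).
New-ItemProperty -Path $dc -Name AllowTelemetry -PropertyType DWord -Value 0 -Force | Out-Null

# Still too much? Stop and disable the DiagTrack service as the answer suggests.
Stop-Service -Name DiagTrack -Force
Set-Service  -Name DiagTrack -StartupType Disabled

# Read back what was actually applied.
Get-ItemProperty -Path $au | Select-Object NoAutoUpdate, AUOptions
Get-ItemProperty -Path $wu | Select-Object BranchReadinessLevel, DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays
Get-ItemProperty -Path $dc | Select-Object AllowTelemetry
Get-Service -Name DiagTrack | Select-Object Status, StartType
```

Run `gpupdate /force` afterwards (or reboot) so the Windows Update client picks the new policy up, and confirm in Settings > Update & Security that updates now wait for approval rather than being disabled: the goal is to control when patches land, not to stop receiving them.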

There is no realistic substitute for software patches.

There are additional security measures one can take, but all of them have their limitations.

  • Antiviruses will not do a thing against attacks that do not write to disk. If an attacker hijacks a legitimate process in memory, it's open-season on your data. These kinds of attacks are becoming more and more common.

  • Firewalls and IDSes (of either the software or hardware variety) can catch malicious traffic that matches a signature. The slightest bit of customisation will defeat this.

  • All software measures rely on your core operating system being trustworthy. A core OS with security holes like Swiss cheese cannot be trusted.

  • Hardware measures rely on you having a spare machine with software that has a supported OS anyway.