I am still on Windows XP and I am perfectly happy with it and think it's better then Windows 10. Now that XP is unsupported, no new security updates will be made available to home users.
Are security updates really necessary? Can I just run Malwarebytes and stay secure that way? And if security updates are necessary, what then is the point of an antivirus?
Yes, you should do both. Security updates and antivirus software do two similar yet different things.
Security updates fix exploits that are leveraged by specially crafting network communication or resources. In some cases, those shenanigans operate on a lower level than antivirus programs can deal with. Installing updates stops any such bad code from running on your machine. They're important for any computer accessible to any network and any computers that handle untrusted resources.
Antivirus programs stop bad things from running and search for bad files on the computer. They may or may not be able to see/block system-level exploits, but they can definitely look for and torch stuff like sketchy programs downloaded from the Internet. That's important for any home user that gets files from outside sources.
Even if they were more similar, defense in depth says that you should have multiple layers of security.
Security updates and antivirus are not the same.
Having the latest updates to Windows is extremely important. Some updates are minor, however some are major security updates that protect you from malicious users and programs. Even if your Windows XP is completely up to date, that doesnt mean new exploits cannot be found and exploited. And since Windows XP is no longer supported, there will be no more patches to fix any new security holes.
Running Windows XP, now that it is no longer supported, is playing with fire. Sooner or later, someone will find a security flaw that can be used maliciously.
Having up to date anti-malware/virus is also important, however those programs will only protect you from known viruses/malware. An undetected program can use an unpatched security exploit and wreak havoc. That coupled with the fact these anti-malware programs are far from perfect at detecting even known malware, you are taking a risk.
IMO, I would recommend getting off of Windows XP. Windows 7,8, and 10 are far more stable and secure. Another option would be to move to Linux, but that has its own downsides.
Yes, you can stay on Windows XP and you might not ever have a problem, but is that a risk you are willing to take?
There are many exploits that AntiVirus programs do not protect you against. In fact there are exploits that will bypass AntiVirus packages if you do not patch the Operating System.
Of all the things you do to protect yourself, keeping the Operating System up to date so it isn't exploitable is the most important. It stops the patched exploit in its tracks once and for all...
Instead of playing Russian Roulette with an automatic pistol as the AntiVirus developer tries to keep up stopping multiple polymorphic viruses released that try to exploit anew the same vulnerability over and over til they get through.
Introduce yourself to the concept of Defense in Depth. There are multiple pathways to taking a computer over. Antivirus can plug one way, Malwarebytes can catch things that the AV isn't tracking and keeping your OS from becoming a sieve by patching stops all the old exploits from being valid.
The previous answers are all good advice. However, if you're wedded to XP, the Windows updates/patches side of the equation is missing and can't be replaced. So there is a gaping security hole that your A/V software can't address.
The ability to recover from exploits becomes much more important. There are several things you can do to help protect yourself. The primary protection is frequent backups, and keeping multiple generations of backups.
The other thing you can do is to add a layer of protection against changes to your system. Load a program like WinPatrol. I used it when I was on Windows. It was free at that time, but it's changed hands and I'm not sure whether there's still a free version. It blocks a wide variety of changes to your system of the kind done by malware. It will alert you to attempted changes, which you can accept or deny (IIRC, it includes the option for one time vs. always, and whitelists and blacklists). My experience with it was a number of versions ago, but I found it really valuable, even with Win 7. Then I switched to Linux.
Your security risk is largely down to your behaviour. If the computer does not need to be connected to the web, or you use only a restricted set of websites and have the discipline to carefully check before downloading and installing files from the web, then there is really no need to run either an AV or update the OS.
However, if you plan on doing some serious web-surfing or occasionally feel the urge to try out some new funky app, then having Operating System patches and an up-to-date AV are advisable.
A number of people report successfully using Windows XP with limited or no web access (using packages such as Office 2000 with the Office 2007 compatibility pack installed). In this configuration, there is no reason to believe you won't be able to use XP for many years to come...
It seems likely, though, that eventually increasing numbers of websites will prevent access to older versions of browsers and then you might get a snowball effect of not being able to upgrade the browser, because the browser won't update on XP (or some variant of this).
Finally, it is possible (as I do) to run Windows XP as a Virtual Machine (VM) inside a 3rd party tool such as VirtualBox. The host OS can be something like uBuntu or even Windows 10. You could potentially run Windows XP for decades to come, even moving it from computer to computer if the host PC dies.
Both OS security updates and antivirus are important. You can think them as : Windows OS = a building or buildings that belong to same company / organization. Security updates = Security systems that are installed around and inside the building. It can be fences, CCTVs, biometric door locks, data encryption and any other things that can stop intruders from entering the building in illegal ways and doing bad things. Antivirus = security guards that checks everyone and everything in and out of the building so that only good people can enter the building and fights with bad people.
If you depend on antivirus alone without security updates, it is similar to having security guards, but the building (OS) itself unsecured / lacks of security features. Intruders (malwares) can enter the building easily (using other ways) without knowledge of the security guards.
So, both security updates and antivirus are important to protect from malwares and threats.
