Granted antivirus is a filtering service. If you can avoid the download, browsing is downloading, then you have nothing to filter. Try keeping to known safe sites. Unfortunately, even safe sites can at times get infected. I supposed it's possible to use hardware appliances, in addition to software services, to filter internet traffic well enough to avoid infection. Although I've never enacted such a web or series of filters, each one finer than the last. Each tasked to filter out certain traffic and allowing the rest to proceed, all starting with DNS filtering. The idea is that not too much is filtered at any one junction and load-leveling the process so as to maintain both adequate protection and speed. So through this process you, in theory, you could run virtually any OS you want, patched or un-patched. An idea that has been lingering in my mind's eye for a while now. This doesn't necessarily prevent trojan horses that can face filtering algorithms undetected.