Hi. Quoting from the FAQ:
Aren’t antivirus programs and firewalls enough?
Unfortunately, conventional security approaches like antivirus programs and (software and/or hardware) firewalls are no longer enough to keep out sophisticated attackers. For example, nowadays it’s common for malware creators to check to see if their malware is recognized by any signature-based antivirus programs. If it’s recognized, they scramble their code until it’s no longer recognizable by the antivirus programs, then send it out. The best of these programs will subsequently get updated once the antivirus programmers discover the new threat, but this usually occurs at least a few days after the new attacks start to appear in the wild. By then, it’s too late for those who have already been compromised. More advanced antivirus software may perform better in this regard, but it’s still limited to a detection-based approach. New zero-day vulnerabilities are constantly being discovered in the common software we all use, such as our web browsers, and no antivirus program or firewall can prevent all of these vulnerabilities from being exploited.
The security guarantee you have with Qubes is that compartments are well isolated. Unknown security flaws could still break that, but it is way less likely than on a typical system.
What Qubes doesn’t do is provide security within each compartment. That’s beyond the scope of the Qubes project. This is where you have space to add an extra layer of security. Antivirus software could contribute to this, but as the quote argues, AV software isn’t really well suited today. However, other security methods may be non-trivial for newcomers (not sure if that’s your case) and the security effects may not be too significant.
So my suggestion would be for you to start off doing effective compartmentalization. For example, using the idea of domains. Instead of just having a work qube, having a:
Whatever you feel comfortable with. This way you’re relying on Qubes’ mechanisms to make you safe.
You can also look into split-* implementations. These allow you to have sensitive information securely and persistently stored in one qube and then have another qube that manually requests this information. Examples include: