no security solution is a guarantee
That is the correct conclusion. Technical defenses can fail. And as I said, I fully expect my red team to be able to bypass Xcitium in the coming months.
There exists a security strategy to deal with this problem, and that is to deploy 'layers' of security. Once a layer is broken thru, there should exist yet another layer and thus the battle is not lost. As you have correctly learned, you cannot rely on a one layer complete protection. You additionally have SpyShelter currently that implements this strategy. If your cpu can handle it, add one more layer.
You mentioned the potential problem of encountering customization problems and too many security prompts. Sorry to say this, but it is best to maintain a 'steady state' configuration. When your list of applications don't change much, it is much easier to spot 'problems'. Attacks will stand out and you will be able to easily spot irregularities and know when to go on full alert. If you don't employ an EDR that gives alerts and choose the consumer Comodo, inspect the logs every day and you get the same visibility. Home users who are install happy are just taking on risks. You need to maintain a steady state or you will be wasting time, getting frustrated and making mistakes allowing things where you shouldn't. Separate your important private data from your work environment. Use a separate work machine which will never hold non work related programs and data. This is a procedural manual security control. Thus malware would not get onto the work machine. Your private machine can hold games, personal accounting things and whatever your risk appetite allows. Then you can adjust what security measures you need for each machine.
Another solution is to do regular penetration testing. Try to break thru things and bring out remediation in advance of the 'real big battle'. That's why we have red team hackers on staff. Small companies can do this too, as there are free lance pen testers for hire for as low as $40/hr (hacking expertise can vary) and you can state your budget hours. So you estimate how much time effort a real attacker will likely spend trying to attack you and your valuable data before giving up and going for easier prey and you set the budget hours for the pen test. Visa and Mastercard regulations actually mandate this. We do it more regularly than required. There is no reason why families can't do this too, set a small budget like 5 hrs and do it once a year. You will get a report showing where you ought to improve from an attacker's perspective.
I have a slightly different take on your avoidance of 'complete protection'. I avoid signature driven detection, and prefer solutions that apply the default deny principle. The idea is simple, whatever is not explicitly allowed is denied. This can be a in-use software vendors list, a 'white list' in any sort of rule set. It makes life simpler, you simply give it a small list of allowed things, and things that don't match up are blocked. Kaspersky, the anti-malware solution can be configured to behave this way. CyberLock, keeps a white list of the files currently on your drive. Xcitium auto-contains things not currently on your drive. These are all examples of security solutions that apply the default deny principle. Look into it.
If you suspect a RAT problem, then take steps to address the risk. Did BitDefender confirm that it was able to remove the Barbar malware? Brief google search reveals it is a RAT. Security is not complete until you at least Try to address it the best you can. To get to the root of the problem, you would have to consider the possibility that your hacker has returned. A RAT has to be deployed by someone. And as long as you don't remove his persistence mechanism, the hacker stays. I am not familiar enough with the many persistence mechanisms: registry hiding places where he can lodge himself and relaunch automatically whenever Windows reboots. You can research the Mitre Att&ck web site, look under Persistence, and it lists many techniques. If I knew those techniques by heart, there is a chance we can surgically remove him. So I'll just deal with the problem broadly. This maybe that your re-installation of Windows did not thoroughly get rid of him, so we can deal with problem the 'traditional' way - a thorough re-install of Windows. This should be done only after the forensics folks obtain their necessary disk images and ram images, or we lose valuable information, like the whole path of his attack, and how we can prevent a reoccurrence. But we don't have a forensics team handy. So we can't follow 'proper' incident response procedures. Constraints constraints. Or this maybe a new infection brought about by some new trojaned software install. Or this may simply be some hardware glitch. Take one possibility at a time and address it. Once you have got it covered, then move to the next. Until you eliminate the last possibility. I am a programmer by training, and this is the way problems are solved - you break down a problem into pieces and solve them one followed by the next. If one piece seems too big, break it down into sub tasks. It turns out like an organizational chart, main problem written at the top, then divided into pieces, and then further sub divided when necessary to break down complexity. Draw out the chart. Then it's just a matter of methodically doing the things required by each bottom most box. It takes whatever effort it takes; the risk Must be addressed. Big seemingly difficult problems can be solved with this method. Huge projects that span years are planned out this way.
Hacker returning: You say BitDefender scans the boot sector. That's all good, but do they have the right signature to match up to This hacker's tweaked tool and quarantine it. That's the key question. AV's are a technical defense, and they can fail. So switch to an administrative procedural defense. Before you start this step, do backup of all your data, browser bookmarks and passwords, plus all your program installers. Then download, burn and run Parted Magic's erase disk, before you re-install Windows. Just takes 15 mins longer than a regular Windows re-install and then you are assured. Hacker returning possibility eliminated. Sort of. We are missing data of his attack path, and he may be able to just repeat it. Then we might be going thru this again repeatedly.
Then you look at the second possibility which is that it might be a new infection brought about by some new trojaned software install. You just wiped the hdd and re-installed Windows, now check each of your installers' Properties > Signatures for OK signature and verify correct company name. If the complete signature checks out, then it guarantees that the installer is official and has not been tampered with. If it doesn't check out, delete it. Proceed to install all your software. 2nd possibility addressed.
Then you look at the last possibility which is a hardware screen problem. Things to do: run hardware diagnostics of the laptop, If an error is reported then send it to be repaired. Download latest display driver from hardware manufacturer web site; verifying signature; install them. Screen glitch possibility addressed with best effort. Nothing else left to do.
Big problem stated on the top of chart solved.
You should take this opportunity
Anyways, I am being long winded. For all I know, you may be a programmer. But your problem is not just deciding whether to purchase Windows or not. You have a security breach that is still on going.
