> What do you use?
Correct security configuration, a basic hardware firewall, plus a server-side email scanner. I use scanner-type anti-virus programs (various) to identify suspect executables.
I have never had a successful attack on any of the dozens of systems that I have been responsible for. Unapproved executables are simply not permitted and are not allowed to run, wherever they come from, from a flash drive or as downloads or whatever.