It's pretty simple.
Since there is no virus (which we need to have to create the antivirus) all that is left is our own good sense. Let's say you install an app. And that app is a Trojan. I know this can be tough for newer computer owners but what is the difference between a good app and a bad app? A Trojan is nothing more than a bad app and we chose to install it (or not.)
Good idea on the firewall but there are no known exploits there yet. Almost every exploit depends on us installing something bad.