I recommend just common sense.
I don't deny malware is a serious threat that must be regarded with the utmost caution, but as many examples of malware just aren't detected, and how I regularly audit my computer, the cost/benefit just isn't there for me.
Yes, I run it at work because of the greater risks involved, but at home I disable any kind of background AV and only run manual scans when I deem it necessary.
The worst is when background AV decides to intercept every single disk access, it massively slows down large C++ project compilation (a 10,000-file project we have takes about twice as long to build when AV is enabled).
As for anti-spam, I use Office 365 for my personal email which has been stellar. I've also been happy with Outlook (nee Hotmail)'s anti-spam, ditto GMail. Desktop anti-spam is only needed if you're still using a POP3 service or have a sub-standard email provider that doesn't do their own filtering.
The vast, vast majority of spam is blocked by the receiving mailserver through source blacklisting rather than message content analysis, which is why I decided to pay-up for a hosted email service (Office 365/Gmail/etc) instead of doing it myself, I've seen my spam messages drop from 20/day to 1-2/month).