Computer security is best approached as defense in depth. Basically, what is the chain of events needed to damage your data or system? Lockheed Martin describes this as the cyber kill chain:
1. Recon: gathering info about the system or target
2. Weaponization: determining how to exploit vulnerabilities to gain access.
3. Delivery: Getting the weaponized exploit to the system
4. Exploitation: executing that code
5. installation: creating those initial permanent changes on the system to secure continued access
6. Command and Control: Utilizing that access
7. Action on objectives: Doing bad things
Now, antivirus is mostly concerned with step 3 and maybe step 4. Windows 10 has some features that work on preventing step 5. What else can you do?
1. Make sure you aren't putting unnecessary data about yourself and your system out there.
2. Close vulnerabilities. Disable services and ports you don't need. make sure your router is properly set up (not just default settings)
3. Be aware of the relative safety/danger of any programs or files based on source or delivery method (don't download the bad thing. Don't plug that unknown USB in.)
4. Don't launch those bad files or open those bad documents above.
5. Don't allow those files you shouldn't have launched to make changes to your system
6. Keep an eye open for signs of compromise. Are weird things popping up in logs? are expected things missing from logs? Is your system behaving oddly?
7. Have backups to recover from.