@Matze78
Good suggestion. Security landscape has changed in last ten years that an AV engine alone will not be of help. Anti-malware and even ransomware protection will also be needed.
@Fae , Tplink can consider supporting Pi-hole project developer and even few pennies per shipped device as royalty to the project and using Pi-hole DNS filtering as an option when you set a dhcp server on the gateway. Also even if someone is using external DHCP scope and using any publci DNS servers dircetly, the DNS traffic flowing thru gateway can be redirceted to the pi-hole resident DNS proxy, inside the gateway (this could be another button to select). Most malware including ransomware will result from some one visiting a bad site or clicking on a link inside the email that will then visit somewhere on the internet to download the infection that wll then be downlaoded into user device to start its action. There will be lot more to it, but I find using Pi-hole and windows defender alone has kept 6 laptops and 3 desktops I have at home, trouble free for past many years. And I do regular back up of the machines as well, just in case.