My malware protection is: Don't type my administrator password for stuff I'm not choosing to install
santaliqueur is certainly right. Unlike Windows, there are no drive-by infections on the Mac. In all cases the user must be fooled into infecting themselves by 1) overriding Gatekeeper, 2) then purposely entering their admin password.
The one unfortunate thing that I find very frustrating is that Google and other search engines do a horrible job of allowing untrusted and bogus download sites to rank above the software's source website. Therefore, for uninformed users it's like a minefield for them to find the safe place to actually download even very trusted software. Therefore you can't just tell a friend that they should download a particular application by name; you need to actually give them the URL to the source website or it's very likely that they will end up downloading a trojanized copy or one with a crapware wrapper added by one of the "download" sites.