Instead of relying on AV and definitions of what is already a known and detectable threat, he may have policies over what type of changes are made to the box. He could have a program similar to HijackThis and regprot, and have various methods of checking the integrity of files, other files that programs like HijackThis generally ignore. Rarely log in as admin or root unless serious changes are needed. Tweak around with things properly, turn off what is not needed.

He could also have a sniffer that is not only watching over things & logging them but also dropping traffic... as far as I've seen, FW software has never been as configurable... let alone open source as all these sniffers out there. He might also even have an almost subgenius method of handling the checksums and logs...

Look around you for a moment, it is all of the end-users out there that have AV and FW programs doing 80% of the work for them, yet time after time it is proven that sometimes that's just not enough... well, why is that? Well, most computers get owned because of vulnerabilities, which most often is poor design and configuration & lack of updating from a user, the fact that most home users log in as admin and have no policies over what goes on, people just plain don't know or care about the little changes here and there in their systems behind their back, oh and all this stems from sheer stupidity.

All you've provided about the situation is ("He doesn't have an AV or FW software therefore he is a ****in' dumb-ass"). You would be surprised how many important servers out there don't have anti-viral or firewall software installed on them for performance issues.