Yep, same. Sometimes I’ll spin up a VM if I’m visiting a site that I’m suspect of or installing something random (even if it’s open source because I didn’t build these binaries and I haven’t audited the code), but as I used to say when I was doing desktop support “you don’t get malware by visiting CNN”.
I have to barge in here and mention that doing totally reasonable things can result in getting malware installed on your systems.
The most glaring case was the early Windows XP era, when it was enough to plug in the Ethernet cable during installation to get malware. I had to download the service pack and install it offline before plugging in the network.
Today, I'd point out that ad networks' code is barely scrutinized, and they can hit unpatched vulnerabilities all right (sorry for not providing examples).
Sounds simple, and it actually is, and this served me well for the past 20 years or so. I think. Did take me some 'practice' though, i.e. got bitten once only then knew better than to trust random executables. (Now if I really want that I just fire up a VM.) And back then there wasn't even Defender and now I still turn it off usually, sometimes it wrecks performance. On the other hand: for all I know my machines are all infected..
I only use Windows in a VM now, but for years I ran Windows with no AV outside of whatever Windows set up on it's own. I only got two viruses in my life, and both times I was asking for it (downloading sketchy looking things off of Kazaa when that was a thing).
Simple. I assume that my PC is compromised and do not do any financial transactions on it. Still run dubious software in a VM but have a separate cheap netbook for banking/online purchases.
I mostly stick to open source or well known commercial software, run Windows Defender, and I run uBlock Origin. I'm of the opinion the biggest risk of malware comes from rogue ads.
I've only been hit with malware twice in the 25 years I've been using Windows. Once was me running a sketchy exe from a torrent site (that's on me) and once when I wasn't running an ad blocker.
This exactly my list (except with different software for 4)). Have been running Windows since Win3.1, and haven't 'caught' anything bad yet; worst was adware that somehow escaped detection inside installer for an old version of Delphi.
Despite the fear-mongering, a lot of it comes down to common sense; don't click on links in dodgy emails, use adblockers for torrent sites etc. Most people get trapped by fairly basic stuff that more experienced computer / Windows users sidestep effortlessly, IMO and IME.
I've been using Windows boxes as my primary work / personal machine for over 20 years and I've only gotten a handful of viruses or malware and in the times I got them, I was going to very questionable sites back in the day.
I disable Windows defender and all built in firewalls (my router has a firewall). I also don't run any anti-virus software. This is something I've done from the beginning.
But I do run uBlock Origin in any browser I use.
I also make sure to Win key + L (lock) my machine when I leave it unattended.
From time to time I check the startup tab in task manager to make sure nothing looks suspicious and occasionally look at things like CPU / memory usage to look for anything out of place.
So far it's been working out great. My current computer runs just as fast as it did 5 years ago when I built it and I haven't had to format a machine due to a virus in over a decade.
I find most things like Windows defender and A / V tools to be more destructive than most malicious software. Often times these tools will crush I/O performance and make things run slower 100% of the time in the off chance you get a virus. I'd rather have things run super fast all of the time and take my chances. If I get even a hint of my machine being compromised I would format anyways.
If it has no noticeable effect - my life is completely identical - it's hard for me to see it as something negative. If something has absolutely zero effect on my life whatsoever - not even a single advert on my screen - calling it a virus or malware seems unwarranted.
I suppose if my personal data was somehow used to damage someone else, that would warrant calling it malware.
Your stolen personal data could be used to empty your bank account or to commit a crime in your name which could cause permanent damage to your reputation, even if you were exonerated.
Most viruses back in the day just slammed you with a billion popups and added suspicious files to certain areas of your file system. You could easily see if you were infected or not.
Also, in the past, I've on occasion scanned my machine using malware bytes and other tools and they always came up clean.
Of course that doesn't mean I'm in the clear but if an A / V tool doesn't detect it, then what point is there to run that A / V tool? Truthfully, it's really really easy to write a malicious tool and not have it be detected by any type of software. That's why you should be careful with downloading and running unknown software (which I am very careful of).
I'm with you. The overhead of AV scanning is something you have to put up with 100% of the time for the off chance that you get infected with something, and they aren't very reliable detectors of malware anyway. It's much better to turn that crap off and use other, more effective, mitigation strategies.
I leave the firewall and Windows Defender etc on constantly, I haven't experienced any of the issues with speed/IO etc you seem to have.
How old is your machine? On a modern computer with a decent processor, a decent amount of RAM and an SSD you really shouldn't notice Windows Defender. Maybe you have more viruses than you think?
> How old is your machine? On a modern computer with a decent processor, a decent amount of RAM and an SSD you really shouldn't notice Windows Defender. Maybe you have more viruses than you think?
It's an i5 3.2ghz quad core with 16GB of RAM and an SSD. Windows defender cripples WSL performance. It's a known issue.
Right now most things open nearly instantly and I have no complaints with performance, even when doing very demanding tasks like running a few virtual machines while running test suites and simultaneously recording 1080p video while having 15 tmux sessions running in the background, etc..
> Windows defender cripples WSL performance. It's a known issue.
Hmph. I have a similar setup at home. I haven't noticed anything odd about WSL, but I just use it for development (editing and compiling), but not any heavy-duty processing.
My main set up is to run Docker for Windows, connect to it through WSL and volume mount code from a drive into Docker to do active development (Rails, Flask, Phoenix apps mostly).
While I never ran Windows defender personally, a bunch of my students (I run a Docker course) who had Windows defender enabled said volume performance was disappointing on Windows. After they disabled defender, things were really good. If you Google around there's a lot of people who mention that. Improvements are being made, but I still don't want a tool actively scanning files while I'm trying to use my machine.
I keep the silly Windows in a virtual machine or a few.
Also standard hygiene applies such as opening files and attaching unknown media in a burner VM, not mixing banking, documents and entertainment, disabling autoplay and media icons if the previous options are inapplicable.
Staying away from dodgy sites helps too.
I generally do not have to keep the firewall or defender active as the routing (or lack thereof) is more effective.
Also skip the automatic that pins everyone, such as remote device detection.
Install updates when asked. Delaying updates is perhaps the worst thing for security.
Scan files you download, submit them to virustotal if unsure.
Sync data (e.g. [0] or whatever drive/dropbox/nextcloud) and keep snapshots [1]. Only way to ensure you don't lose anything
Lying DNS server can also help for privacy and security, as well as a sinkhole for known-bad IPs [2,3,4] (should be deployed network-wide though) (I could use some help to test if my scripts run on WSL, as they're mostly POSIX).
I found this[1] a while back and have followed it on my Windows PC. I don't go so far as to install GlassWire, but the other suggestions it makes are reasonable for me.
On the anecdotal side - keeping software up to date and being highly suspicious of all software seems to have kept me safe from issues for over a decade.
Leave the Defender/Firewall untouched, don't install any additional "security" software and increase the UAC level to the highest one [0] that even prompts for changing important Windows settings.
Obtain all 3rd party tools from the Microsoft Store or scoop [1] or chocolatey [2] (in that order) and not by downloading `foo.msi` from the first search result. This way you can update all your apps in a single step and don't have to rely on built-in updaters.
Windows has some additional Local Group Policy rules that are pretty killer in newer versions
1. Attack Surface Reduction Rules - Blocks some commonly seen dodgy techniques
2. Credential Guard - Moves LSASS to an isolated VM (break's VMWare etc though, see 5 if this is a dealbreaker)
3. Application Guard (Enterprise Mode) - Transparently virtualises and isolates Microsoft Edge (same caveat as above)
4. Microsoft Defender MAPS and Block at First Site
5. Run LSASS as a protected process
6. Process creation auditing with commandline
7. Powershell script block logging
Most of this is backed into an windows image I run, but maybe I'm a bit paranoid ;)
Most malware is targeted at Windows machines. First step would be to switch OS to Linux or BSD. Then you could sandbox your browser, taking it a notch further.
It is also bad practice to let browsers save your passwords, for Firefox at least, as these can be decrypted afaik.
Like others write: also avoid dodgy sites as these may execute malicuous javascript (disable javascript if you need to visit such site, at the least).
Be sure to aleays keep your software updated (this is a big one!).
I was really disappointed with MalwareBytes. It seemed great, so I paid for it, and every other week it would de-activate itself without warning. I would only notice this when explicitly checking the control panel, to find it had been turned off, and I needed to re-enter the license key.
Maybe they've improved it? I should give it another shot!
What exactly is meant here by secure? Windows in its default state contains spyware that you cannot disable or remove, or at the very least you cannot expect laymen to do. It is essentially covered in their terms of service and privacy statement. Then there is Intel ME, AMD PSP, etc.
Short answer is that you simply do not secure your Windows PC. You may eliminate some of the spyware, but it does not make it secure. Can you make anything fully secure? Perhaps only secure enough, but then you need to specify what is meant by enough.
I'd be careful running any tools to clean up Windows 10. While I haven't used this one before, I've used others that do basically the same thing. The telemetry features are so baked in to Windows 10 that running these tools can break Windows if you're not careful. And since every major update of Windows 10 changes so much with no regard to user preferences, even if your clean-up works today, it might break in the future.
Abandoned project due to malware suspicious and other drama. Possibly a fork somewhere. But as you say why break your OS when you can switch over to something else?
My educated guess is that Windows will never be secure, because as I see it it is an un-designed un-principled heap of low-quality software. Therefore I keep Windows enclosed and strictly locked down in a virtual machine. If I need to do anything I feel is dubious I branch to a new timeline in a snapshot and roll back when I’m done.
This also eliminates the hazard of Windows being unavailable for work due to the slow and uncontrollable update process; Just hop back to the last working snapshot. Update later.
—
Edit: To downvoters: Please note that this is a factual and sincere answer to the question “how do you secure your Windows PC?”. This is literally how I do that.
In the comment, my opinion is clearly framed as my opinion, and the rest is a description of a technical workflow, its premise, and its implications. Therefore this is a better candidate for discussion than for downvoting if you disagree. In my opinion. I’m not attached to the fate of my comment, but I prefer the society we are building here to work that way. And that is, I believe, the premise.
I think this is an outdated view of things. AFAIK, Windows is commonly regarded as more secure than Linux out of the box.
Having used Windows for over 20 years and never gotten bit by any malware, I think the quality of Windows security has always been a bit overrated. Being the biggest target for malware has its advantages I guess.
I'd love to see a source for windows being more secure? An out-of-the box install of windows is generally years out of date, Linux installs are usually only 6 months old.
I personally haven’t got the feeling that Windows is now considered more secure than Linux. I see a consensus that Windows is more secure than it was, but my perspective is that the design foundations are the same as before, and that they are hard to reason about and that the interactions are complex, so I personally will not be placing faith in Windows being as secure, as securable, and as known to be securable as an OS could be.
I base the opinion on decades of extensive Windows, Linux, and macOS use as well as software development on all platforms. I have a BSc in computer science. My humble and earnest opinion is that Windows is poorly designed. The thought model behind it appears to me as inconsistent, and this also manifests in how we use it. We can do better and deserve better.
If it is your opinion that this is misinformed, where would you recommend that people with opinions on Windows similar to mine could go and could inform themselves better?
Here’s another perspective: Is it more secure, less secure, or the same, if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want? I’d think that it was hard to argue anything other than it being more secure. And that reveals my point: In a better designed system it wouldn’t matter.
Can you describe to me which elements of the thought model you find are inconsistent?
As far as where you could go to learn more, I think this book has much of the information you would be interested in, although I'm not entirely sure yet which specific elements of the operating system you're focused on. https://docs.microsoft.com/en-us/sysinternals/learn/windows-...
> if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want
I see this as a separate argument for using VMs. The stated use applies to any operating system and I agree it's more secure and a good idea. Can you do the equivalent in other operating systems with a simpler procedure? This is a genuine question, I'm ignorant to that
- Don't disable Secure Boot, Windows Defender and Windows Firewall
- If you really think updates are annoying shift the monthly updates by one month BUT always confirm the security updates
- If you have a PRO license give a try to VBS [0] and Controlled Folder access [1] (spoiler: this will be a little annoying at the beginning but will became almost perfect with a well configured whitelist)
- Also from the next (major) patch you should use Windows Sandbox [2] to run untrusted software(still a PRO feature)
For the most part default Windows 10 is fairly hard to break into if updated. Leave everything on and don't open new holes in it and its probably fine. I went to a demonstration on hacking into machines with Kali Linux and Metasploit and my Surface was on the Wi-Fi. I told him to go right ahead and let me know what he could do.
He admitted defeat quickly. ;)
For the most part, problems with computers are ones we create ourselves by shutting off security protections or adding services that open up holes in the security of a system. Sometimes its necessary of course, but you need to understand the risks you take when you do and mitigate them.
Most things already mentioned in the comments here, plus:
- Disabling Windows Script Host
- Enabling 'Memory integrity' feature under Core Isolation. This however uses Hyper-V so it is enabled on my laptop but not on my workstation as Hyper-V only supports enhanced sessions with Ubuntu.
- Set UAC to lowest level (Too annoying to leave on high)
I think it's just better to leave it in default position.
- Use Umatrix and Ublock Origin
Firefox already has tracking blocking and I've done tests to check: Firefox is way faster and stable without any extensions. Ublock Origin removes ad page blocks, but actually adds more resources to the program + slows page loads. Just try to turn it off and recheck.
Being facetious but I gave up on Windows on my computers just over a decade ago due to this very reason. I was sick up constantly needing to upgrade every 2-4 years and having serious security issues. I went full Linux and I don't consider myself a free software zealot.
76 comments
[ 4.5 ms ] story [ 138 ms ] threadSometimes you do: https://www.symantec.com/connect/blogs/malvertising-campaign...
Run an adblocker and up to date Windows 10.
For anyone doing tech support over the Easter long weekend: https://decentsecurity.com/#/holiday-tasks/
I have to barge in here and mention that doing totally reasonable things can result in getting malware installed on your systems.
The most glaring case was the early Windows XP era, when it was enough to plug in the Ethernet cable during installation to get malware. I had to download the service pack and install it offline before plugging in the network.
Today, I'd point out that ad networks' code is barely scrutinized, and they can hit unpatched vulnerabilities all right (sorry for not providing examples).
That's why it's so important to discuss & combat conceptually, not specifically.
Vipre has a nice offline scanner you can download. They used to update it daily, but I haven't used it in awhile since I mostly manage Linux now. https://www.vipreantivirus.com/vipre-rescue-virus-removal-to...
I only use Windows in a VM now, but for years I ran Windows with no AV outside of whatever Windows set up on it's own. I only got two viruses in my life, and both times I was asking for it (downloading sketchy looking things off of Kazaa when that was a thing).
I've only been hit with malware twice in the 25 years I've been using Windows. Once was me running a sketchy exe from a torrent site (that's on me) and once when I wasn't running an ad blocker.
2) ublock origin + privacy badger
3) using brain before i click on stuff
4) keepass for logins and veracrypt for private stuff
Despite the fear-mongering, a lot of it comes down to common sense; don't click on links in dodgy emails, use adblockers for torrent sites etc. Most people get trapped by fairly basic stuff that more experienced computer / Windows users sidestep effortlessly, IMO and IME.
I disable Windows defender and all built in firewalls (my router has a firewall). I also don't run any anti-virus software. This is something I've done from the beginning.
But I do run uBlock Origin in any browser I use.
I also make sure to Win key + L (lock) my machine when I leave it unattended.
From time to time I check the startup tab in task manager to make sure nothing looks suspicious and occasionally look at things like CPU / memory usage to look for anything out of place.
So far it's been working out great. My current computer runs just as fast as it did 5 years ago when I built it and I haven't had to format a machine due to a virus in over a decade.
I find most things like Windows defender and A / V tools to be more destructive than most malicious software. Often times these tools will crush I/O performance and make things run slower 100% of the time in the off chance you get a virus. I'd rather have things run super fast all of the time and take my chances. If I get even a hint of my machine being compromised I would format anyways.
This is a variation of the bad toupee fallacy. You won't notice viruses and malware, almost by definition.
I suppose if my personal data was somehow used to damage someone else, that would warrant calling it malware.
Also, in the past, I've on occasion scanned my machine using malware bytes and other tools and they always came up clean.
Of course that doesn't mean I'm in the clear but if an A / V tool doesn't detect it, then what point is there to run that A / V tool? Truthfully, it's really really easy to write a malicious tool and not have it be detected by any type of software. That's why you should be careful with downloading and running unknown software (which I am very careful of).
How old is your machine? On a modern computer with a decent processor, a decent amount of RAM and an SSD you really shouldn't notice Windows Defender. Maybe you have more viruses than you think?
It's an i5 3.2ghz quad core with 16GB of RAM and an SSD. Windows defender cripples WSL performance. It's a known issue.
Right now most things open nearly instantly and I have no complaints with performance, even when doing very demanding tasks like running a few virtual machines while running test suites and simultaneously recording 1080p video while having 15 tmux sessions running in the background, etc..
Hmph. I have a similar setup at home. I haven't noticed anything odd about WSL, but I just use it for development (editing and compiling), but not any heavy-duty processing.
While I never ran Windows defender personally, a bunch of my students (I run a Docker course) who had Windows defender enabled said volume performance was disappointing on Windows. After they disabled defender, things were really good. If you Google around there's a lot of people who mention that. Improvements are being made, but I still don't want a tool actively scanning files while I'm trying to use my machine.
Also standard hygiene applies such as opening files and attaching unknown media in a burner VM, not mixing banking, documents and entertainment, disabling autoplay and media icons if the previous options are inapplicable.
Staying away from dodgy sites helps too.
I generally do not have to keep the firewall or defender active as the routing (or lack thereof) is more effective.
Also skip the automatic that pins everyone, such as remote device detection.
Scan files you download, submit them to virustotal if unsure.
Sync data (e.g. [0] or whatever drive/dropbox/nextcloud) and keep snapshots [1]. Only way to ensure you don't lose anything
Lying DNS server can also help for privacy and security, as well as a sinkhole for known-bad IPs [2,3,4] (should be deployed network-wide though) (I could use some help to test if my scripts run on WSL, as they're mostly POSIX).
[0] https://syncthing.net
[1] https://try.popho.be/securing-home.html
[2] https://pi-hole.net
[3] https://try.popho.be/byeads.html
[4] https://gitlab.com/moviuro/moviuro.bin/blob/master/lie-to-me
By disconnecting it from the internet. Otherwise it is almost impossible to secure.
On the anecdotal side - keeping software up to date and being highly suspicious of all software seems to have kept me safe from issues for over a decade.
[1] https://decentsecurity.com/#/securing-your-computer/
Obtain all 3rd party tools from the Microsoft Store or scoop [1] or chocolatey [2] (in that order) and not by downloading `foo.msi` from the first search result. This way you can update all your apps in a single step and don't have to rely on built-in updaters.
[0] https://docs.microsoft.com/en-us/windows/security/identity-p...
[1] https://scoop.sh/ (enable its additional repositories for GUI tools or all possible JDK flavors: https://github.com/lukesampson/scoop/wiki/Buckets)
[2] https://chocolatey.org/
[1] https://docs.microsoft.com/en-us/windows/security/threat-pro...
[2] https://docs.microsoft.com/en-us/windows/security/identity-p...
[3] https://docs.microsoft.com/en-us/windows/security/threat-pro...
[4] https://docs.microsoft.com/en-us/windows/security/threat-pro...
[5] https://docs.microsoft.com/en-us/windows-server/security/cre...
[6] https://docs.microsoft.com/en-us/windows-server/identity/ad-...
[7] https://www.fireeye.com/blog/threat-research/2016/02/greater...
[1] https://www.cyber.gov.au/sites/default/files/2019-03/hardeni...
I stopped using 3rd party products a good few years ago and haven't looked back.
I've seen certain "enterprise" solutions absolutely cripple the performance of Windows PCs, and I'm not sold on that they do a better job either.
It is also bad practice to let browsers save your passwords, for Firefox at least, as these can be decrypted afaik.
Like others write: also avoid dodgy sites as these may execute malicuous javascript (disable javascript if you need to visit such site, at the least).
Be sure to aleays keep your software updated (this is a big one!).
Maybe they've improved it? I should give it another shot!
Short answer is that you simply do not secure your Windows PC. You may eliminate some of the spyware, but it does not make it secure. Can you make anything fully secure? Perhaps only secure enough, but then you need to specify what is meant by enough.
In any case, for Windows 10: https://github.com/Nummer/Destroy-Windows-10-Spying
Note: it may break your system as some services are deeply embedded into it, and may require them to remain intact to function properly.
I try to avoid Windows 10 whenever possible.
I think this definitely needs to be taken into consideration when running these sort of tools, I agree.
> I try to avoid Windows 10 whenever possible.
Good advice. I second it.
Your welcome.
If you still need windows, put it in a vm using Xen and snapshot it to keep a known good copy.
This also eliminates the hazard of Windows being unavailable for work due to the slow and uncontrollable update process; Just hop back to the last working snapshot. Update later.
—
Edit: To downvoters: Please note that this is a factual and sincere answer to the question “how do you secure your Windows PC?”. This is literally how I do that.
In the comment, my opinion is clearly framed as my opinion, and the rest is a description of a technical workflow, its premise, and its implications. Therefore this is a better candidate for discussion than for downvoting if you disagree. In my opinion. I’m not attached to the fate of my comment, but I prefer the society we are building here to work that way. And that is, I believe, the premise.
Having used Windows for over 20 years and never gotten bit by any malware, I think the quality of Windows security has always been a bit overrated. Being the biggest target for malware has its advantages I guess.
Looking at all the comments here - most people are saying that they don't do very much to secure Windows and that certainly mirrors my own experience.
why would anyone attempt to have a reasonable discussion with you when you lead with such a misinformed "opinion"
I base the opinion on decades of extensive Windows, Linux, and macOS use as well as software development on all platforms. I have a BSc in computer science. My humble and earnest opinion is that Windows is poorly designed. The thought model behind it appears to me as inconsistent, and this also manifests in how we use it. We can do better and deserve better.
If it is your opinion that this is misinformed, where would you recommend that people with opinions on Windows similar to mine could go and could inform themselves better?
Here’s another perspective: Is it more secure, less secure, or the same, if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want? I’d think that it was hard to argue anything other than it being more secure. And that reveals my point: In a better designed system it wouldn’t matter.
As far as where you could go to learn more, I think this book has much of the information you would be interested in, although I'm not entirely sure yet which specific elements of the operating system you're focused on. https://docs.microsoft.com/en-us/sysinternals/learn/windows-...
> if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want
I see this as a separate argument for using VMs. The stated use applies to any operating system and I agree it's more secure and a good idea. Can you do the equivalent in other operating systems with a simpler procedure? This is a genuine question, I'm ignorant to that
- If you really think updates are annoying shift the monthly updates by one month BUT always confirm the security updates
- If you have a PRO license give a try to VBS [0] and Controlled Folder access [1] (spoiler: this will be a little annoying at the beginning but will became almost perfect with a well configured whitelist)
- Also from the next (major) patch you should use Windows Sandbox [2] to run untrusted software(still a PRO feature)
[0] https://www.microsoft.com/security/blog/2018/06/05/virtualiz...
[1] https://docs.microsoft.com/en-us/windows/security/threat-pro...
[2] https://techcommunity.microsoft.com/t5/Windows-Kernel-Intern...
He admitted defeat quickly. ;)
For the most part, problems with computers are ones we create ourselves by shutting off security protections or adding services that open up holes in the security of a system. Sometimes its necessary of course, but you need to understand the risks you take when you do and mitigate them.
- Disabling Windows Script Host
- Enabling 'Memory integrity' feature under Core Isolation. This however uses Hyper-V so it is enabled on my laptop but not on my workstation as Hyper-V only supports enhanced sessions with Ubuntu.
- Leave Windows Defender alone (no hassle anymore)
- Set UAC to lowest level (Too annoying to leave on high)
- Use Firefox and always update
- Use Umatrix and Ublock Origin
- Use Bitlocker and Truecrypt/Veracrypt for especially sensitive stuff
- Use Keepass for passwords - Never run any file you don't know what is outside of a VM
I think it's just better to leave it in default position.
- Use Umatrix and Ublock Origin
Firefox already has tracking blocking and I've done tests to check: Firefox is way faster and stable without any extensions. Ublock Origin removes ad page blocks, but actually adds more resources to the program + slows page loads. Just try to turn it off and recheck.