The built in one only supports .zip format AFAIK. 7zip supports basically everything you will come across including .rar and .gz. Also it’s nice to have the Explorer shortcuts (right click, unzip here).
Really? When it’s not you but a tech illiterate computer ‘newbie’, you don’t see any benefit to a popup warning them that “programs downloaded from the internet could be dangerous”?
Didn't we go through this with Vista? The average tech illiterate user only ends up trained to ignore and continue. You might as well drop a few hundred knives labeled "warning sharp" in the middle of a playground.
It's reasonable to have guessed that there'd be a benefit before it was implemented, but now that we actually have such a popup, it's clear that there's not, because the newbies all ignore its warning and run the malware anyway.
The entire list can be summarized into "Just use the latest versions of Microsoft everything, and uninstall all 3rd party software" (how convenient, I bet they also recommend using OneDrive). They even explicitly recommend against any 3rd party security software.
Yet however 7-zip gets the boot because it apparently is not compatible with a 3rd party "Anti-Exploit" software (Malwarebytes) ?
It’s actually not bad advice, and it feels crazy to say this considering the security of Windows was atrocious 15 years ago.
At least the bundled zip extractor receives auto-updates via Windows Update. If a zero day RCE drops in 7-zip, how many users will actually be patched 6 months later? 1 year later? I would imagine it would still be a viable exploit because not many people keep their third party software up to date.
Edge really does have security and isolation features that far exceed any other browser (WDAG), Windows Defender is surprisingly adequate and third-party AV software expose a substantial attack surface.
7-zip is infamous at this point for having security holes, and iirc it still is compiled without things like control flow integrity or stack checks. It at least has ASLR now.
For zips the windows built in support might be adequate, but I've yet to find a safe 7z unarchiver :(
I haven’t use it, but this fork of 7zip claims to have added some security features including Control Flow Guard and Control-flow Enforcement Technology (CET) Shadow Stack: https://github.com/M2Team/NanaZip
> create another Admin account and transform your current one to limited/ restricted/ standard user account to reduce the attack surface enormously. Don't use Admin account for your tasks!
It's crazy how Windows doesn't have a sane way for users to became administrators temporarily. LAPS is a weird hack and Azure PIM doesn't work for local admin.
There's a 'run as' mechanism built in and accessible via GUI inside of Task Manager (File -> Run New Task) and the command prompt ('runas'). You can also open an Administrator Command Prompt.
At work, we have an applied policy that shows an elevated prompt for most things that need admin permissions. It's apparently one of those hidden UAC settings that either needs GPO or regedit to enable. So it's there, just not really exposed to end users.
Keep in mind that it's restricted to Pro and up. Are you a home user who wants to disable all the crapware and telemetry Microsoft infected your machine with? You've got to pay Microsoft more money to be allowed to do that!
I don't argue with that... I think it should be default, but I am hopeful that people will still try it out. The steps to install Group Policy in Windows Home are pretty straightforward and similar to adding other Windows features.
The whole thing gives off a smell of cargo cult security.
E.g. "7-Zip doesn't have anti exploit support". Dug in to the source for that claim - it's a forum post of someone running Windows XP in 2020 (!) with an ancient version of Malwarebytes.
It's still true today; the current version of 7zip doesn't support Control Flow Guard (validated on Win11), and there's lots of security features that come _after_ supporting that.
I'm not a Windows developer, so this might be a stupid question: is simply a case of just building 7-Zip from source and enabling the Control Flow Guard flag in Visual Studio, or does it require more work?
This is similar to how I used to clean computers that data was needed from.
I would isolate it for a few days (no power on, disconnected from any network, etc). Then use a burned DVD or USB with MSFT's Offline Defender. The extra few days really seemed to help the definitions catch up with whatever had infected the system in the first place.
I do not believe Offline Defender can do this anymore, so this exact approach is probably no longer doable. I also do not do family IT anymore, so I have not had to do this since Win7's heyday.
by definition it does...
after 24 hours, that gives other people time to be the guinea pigs to run the program first, so that Defender will recognize it by the time you run it
https://www.trendmicro.com/vinfo/us/security/definition/zero... says that the definition of a zero-day vulnerability is "a vulnerability in a system or device that has been disclosed but is not yet patched." There's no magic patching fairy that comes after 24 hours, so it's still a zero-day after that for as long as it takes someone to patch it.
The best and simplest way to keep Windows 11 safe is to burn the disk it is installed on with gasoline; buying another and installing a Linux distribution such as Debian, OpenSuse and Fedora.
I don't like this guide at all. Some of its points are questionable, but the thing is, it doesn't know what it wants to be and aimed at whom. Starting from the most obvious red flag, falling for the baseless boycotting of 7zip like some equally questionable sites and threads have been pushing (and their motives, such as sourceforge bad, all Russian developers bad and the proposed alternatives.. let's not get started). [0] [1]
This suggests not to use privacy tools (most of which are FOSS and perfectly safe with proper usage), and to rely on official documentation only. I suppose there's some trouble in people for example disabling (extremely invasive) updates and forgetting about it, the average Joe that is. Some others are a compromise on privacy, I'd never accept cloud-based protection. Veracrypt is perfectly safe software, unlike the claims in this page that goes on to just mention how it breaks the boot trust chain, furthermore I'd trust it more than anything BitLocker does unless it's strictly a pre-boot authentication password with no TPM.
Windows cannot be made perfectly safe, accept and move on, this self-flagellation seeking the most hardened possible setup with things such as avoiding Firefox is a waste of time. Microsoft itself distributes what some may define malware, autorunning at startup forever on with a rundll process with Windows Update (see: logitech download assistant if you plug in one of their mice).
53 comments
[ 3.4 ms ] story [ 110 ms ] thread> No "Tuning" tools (not even stuff like Ccleaner!)
Also what is a better alternative to 7zip
> avoid insecure software like 7-Zip (which e.g. lacks Anti-Exploit and MOTW support)
I'm pretty curious, too
> Also what is a better alternative to 7zip
is 7zip necessary nowadays? can the built in zip/unzip feature be enough?
Doesn't support the bz2 and other that are quite frequent in my environment.
I haven't tested it, but my perception is that it's slower when there are a lot of small files.
MOTW support has been introduced in v22.00 [1]:
>- New option "Propagate Zone.Id stream" in Tools/Options/7-Zip menu.
[1] https://www.7-zip.org/history.txt
Yet however 7-zip gets the boot because it apparently is not compatible with a 3rd party "Anti-Exploit" software (Malwarebytes) ?
At least the bundled zip extractor receives auto-updates via Windows Update. If a zero day RCE drops in 7-zip, how many users will actually be patched 6 months later? 1 year later? I would imagine it would still be a viable exploit because not many people keep their third party software up to date.
Edge really does have security and isolation features that far exceed any other browser (WDAG), Windows Defender is surprisingly adequate and third-party AV software expose a substantial attack surface.
For zips the windows built in support might be adequate, but I've yet to find a safe 7z unarchiver :(
It's crazy how Windows doesn't have a sane way for users to became administrators temporarily. LAPS is a weird hack and Azure PIM doesn't work for local admin.
[citation needed]
https://xkcd.com/1200/
What is the valuable thing for an attacker?
User data, credentials? Available as a user
Computer capacities for mining? Available as a user
Installing persistence? Available as a user
Installing remote management? Available as a user
You can use it to disable (blacklist) all the Windows crapware (xbox, etc). Or in the extreme case, whitelist only specific files.
I still prefer a text config file over the GUI, but this thing is insanely powerful.
`gpedit.msc`, `regedit.msc`, PowerShell, and Active Directory are pretty much the standard toolset for any Windows sysadmin.
This is such bad advice that I can't take the rest of this guide seriously.
Edit: The rest is even worse than I was expecting. E.g.:
> execute/ open new files with one-day-delay because after one day, the malware is not 0-day anymore
> use the only browser on Windows that natively supports hardware isolation: Edge
E.g. "7-Zip doesn't have anti exploit support". Dug in to the source for that claim - it's a forum post of someone running Windows XP in 2020 (!) with an ancient version of Malwarebytes.
https://landave.io/2018/01/7-zip-multiple-memory-corruptions...
that feels like a 200 IQ solution against 0days
"Just use your computer one day after the 0 day"
I would isolate it for a few days (no power on, disconnected from any network, etc). Then use a burned DVD or USB with MSFT's Offline Defender. The extra few days really seemed to help the definitions catch up with whatever had infected the system in the first place.
I do not believe Offline Defender can do this anymore, so this exact approach is probably no longer doable. I also do not do family IT anymore, so I have not had to do this since Win7's heyday.
I mean this has to be a joke, right?
https://www.trendmicro.com/vinfo/us/security/definition/zero... says that the definition of a zero-day vulnerability is "a vulnerability in a system or device that has been disclosed but is not yet patched." There's no magic patching fairy that comes after 24 hours, so it's still a zero-day after that for as long as it takes someone to patch it.
This suggests not to use privacy tools (most of which are FOSS and perfectly safe with proper usage), and to rely on official documentation only. I suppose there's some trouble in people for example disabling (extremely invasive) updates and forgetting about it, the average Joe that is. Some others are a compromise on privacy, I'd never accept cloud-based protection. Veracrypt is perfectly safe software, unlike the claims in this page that goes on to just mention how it breaks the boot trust chain, furthermore I'd trust it more than anything BitLocker does unless it's strictly a pre-boot authentication password with no TPM.
Windows cannot be made perfectly safe, accept and move on, this self-flagellation seeking the most hardened possible setup with things such as avoiding Firefox is a waste of time. Microsoft itself distributes what some may define malware, autorunning at startup forever on with a rundll process with Windows Update (see: logitech download assistant if you plug in one of their mice).
0. https://news.ycombinator.com/item?id=31876896
1. https://www.theregister.com/2022/06/27/7zip_compression_tool...