Securing a new Win7 laptop

Last month, I lost my XP SP3 primary laptop---that I rarely used for surfing---to a stunning attack from a rogue, rootkit, malware, keylogger, and who knows what else. Now, I've gained an education beyond "simple" antiviruses. I also have a brand new Win7 Pro SP1 system that needs protection.

I had Panda IS and SAS Pro on the old system. PIS rarely found anything while SAS always did its job. The same is true for my secondary laptop. Though paid up, I have removed Panda IS from it as it's firewall was often not working yet it did not even notify about this.

My main concern has been finding the right anti-virus for the brand new system as I am new to Win7. I am not even sure this post is in the correct thread because I also need anti-malware. Unlike years ago, it seems to me that more than one product is needed to safeguard a system.

Whatever security I choose, it should be compatible with the Win7 Firewall as it appears to have improved over XP.

Researching my options, I am faced with many choices but am not sure what's best for the new OS. Reading many illuminating threads on this site, I have concluded to include Sandboxie in my arsenal. But what else?

Also, is the Win7 image backup useful or do others use another product?

 

My choice would be either Avast! or KingSoft AV. Both good AV's, plus light on system resources. As for imaging, I don't use it. I just keep certain files on a separate drive or online storage.

 

Sandboxie and maybe WOT

 

Standard user account.
UAC on recommended or higher.
windows firewall minimum.
Disable remote access if you do not need it.
Disable some windows services like remote registry.
Keep all program applications and OS updated.


Third party security applications I recommend.
Sandboxie.
Malwarebytes on demand or real time.
Hitman Pro.
Antivirus maybe Avast or Avg or Kingsoft.

 

I would also recommend you to add Sandboxie. For anti malware I would go with Avast (if you want free) or with Nod32 or Nav, if you don't mind paying.
You can also add EMET mitigations to all "dangerous" applications. Also consider using Standard User Account instead of Administrator one.

Try to learn more about computer security and always practise safe computing. This alone can make other security software unnecessary.

 

Before deciding what AV you should use, I'd highly recommend implementing "Software restriction policy" via Group Policy (if you have at least W7 Professional) or Parenteral Controls if you're on W7 Premium. The latter will give you a crude Software Restriction Policy settings, where executables are only allowed in your Program Files and Windows directory.
If you're running W7 Pro, take a look at this one:

-http://www.mechbgon.com/srp/

This gives you a good protection against drive-by-downloads or family members wanting to download and execute or install unsolicited software without your permission.

Dark Shadow has already recommended the security basics such as regular user account, UAC on max etc.

 

First use your Pro version to the max by hardening your system through the group policy editor. See picture for Computer settings (which also apply system wide, including the admin).

 

Same for user settings, which apply for standard user or programs running medium level integrity, see pic

 

Next install Chrome as your browser. Go for the altenate installer for all user acounts which installs in normal Program Files directory for easy use of Software Restriction Policies. Link http://support.google.com/installer/bin/answer.py?hl=en&answer=126299

Chrome has the advantage of having internal sandboxes: LOW intergrity level shared processes (which can't touch medium level processes) and Untrusted integrity level renderer (for browsing webpages) which can't intrude LOW level integrity processes and higher, see pic. Also PPAPI flash and PDF are contained in sandboxes (so it is very unlikely flash or pdf exploits can break out).

see pic

 

Set UAC to max, install EMET and set it ro protect your internet facing software

See pic

 

Yes, it'very useful and recommened to backup your system when you have it setup satifactorily with latest updates on O/S and installed software.

I like Kees' recommendations in addition to those who recommeneded Standard user account, EMET and UAC at maximum. One day you might want to try SRP: -http://www.mechbgon.com/srp/

 

Next apply software restriction policies, the easy way, meaning newly downloaded programs will be denied execution (when started normally through Windows Explorer).

When you want to install a program, just choose right click "run as admin" option

See pictures

 

Download a reg file from symantec which enables you to also run MSI installers as admin from anywhere, link: http://www.symantec.com/connect/downloads/msi-run-administrator-context-menu-vista

Download the AV of your liking and you are done maybe install Sandboxie free and use it for dodgy browsing only.

Also Windows Firewall Notifier adds outbound pop-up's to the default Windows Firewall (and makes it a 2-way firewall), link http://wokhan.online.fr/progs.php?sec=WFN

 

Off course running standard user is better/safe, but this setup give you the freedom to install programs in the same profile as administrator.

It is my lazy Admin setup

 

Great that you include sandboxie,thats would have been the first software i would have recommended as well.

as far as IS goes you can chose any IS if you have got sandboxie.

if you are looking for a lightweight suite i would recommend Eset Smart security.

Or you can use MBAM Pro realtime as well.

and yes using standard user account does mitigate a lot of threats.

 

I just setup a new laptop for a non-techie person with:

Sandboxie (anything can run or use internet)
Malwarebytes Pro
Kingsoft Cloud AV

Quite a lot of layers in that, and both security programs work acceptably with Sandboxie. Not ideal to use Sandboxie without default deny - but at worst it'll give the AV and AM time to get a definition while Sandboxie contains it in the sandbox.

My first choice would have been Panda Cloud AV since I still have a pro key spare, but it's not clear whether or not they've fixed up the performance issues yet.

 

Kees or anyone:

IE9 shows low integrity in Process Explorer, while Chrome is medium. Are you saying Chrome is medium and all extensions are low and that is why it is more secure? I understand it has a sandbox, my focus here is on the actual tokens or privileged of the browser.

Regardless, Chrome is still considered #1 for browser security right? Then IE then FF?

I have Windows Firewall w/ Advanced Security, anyway to get notifications of blocked outbound connections w/o using 3rd party software? I guess I could read firewall logs but that seems like a hassle.

For OP:

http://www.mechbgon.com/build/security2.html

+ SANDBOXIE

 

Thanks so much for viewing my post and for the many wise recommendations.

Glad to read so many confirmations about Sandboxie. Too bad choosing an AV/AM inn't as clear-cut, no?

Dark Shadow,
Very sound advice that I will apply. Definitely will go with Malwarebytes. Do you think this with SAS Pro is overkill? Not sure what Win firewall 'minimum' means, though.

To new2security, thanks for pointing out Group policy settings as I've not come across this aspect of the OS yet. VIP to know for this OS, I think.

Kees1958, many helpful posts that will make sense to me in time, but I think WF Notifier is what I've been looking for...will check this out. Other firewalls may be better but this can help me stay in a MS environment for the time being.

RJK3, I'm hearing that KAV is growing resource heavy with time. Are you noticing this? And Panda was also my first choice, the AV I've wanted to like but it just doesn't want to play nice.

There is much to digest here...no doubt leading to the right combo in time. Still not sure about AV/AM, though. Seems I've tried them all!

With respect...

 

MBAM Pro and a good performing AV will be better than most setups. I wouldn't waste time with SAS Pro, just see the MRG tests for proof of that. MBAM Pro is the best of the realtime AMs.

Then slowly learn Sandboxie - and don't feel bad if it takes weeks to get the most out of it.

I've not noticed any greater resource usages with KAV - but if it's just memory, then no biggie. The only thing that matters is if it slows things down and affects performance - but any new Windows 7 laptop is bound to have more than enough RAM.

 

IE9 also has one medium and a number of Low instances running. Difference between Chrome and IE9:
- Chrome also sandboxes flash and pdf (PPAPI)
- Besides LOW Chrome has Untrusted renderer processes (is lower than LOW
- Chrome also applies job token and alternate desktop to further contain the renderer processes.

 

Interesting thanks Kees. I'm actually using Comodo Dragon built on Chrome and works well with about 6 various security/privacy add ons I have. Its a keeper

 

What I meant is at least a windows firewall should suffice,include a router firewall even better.

 

Folks may disagree with me but in my opinion, real-time AV and antimalware software not only need access to the sensitive OS's kernel that alone will introduce a weakness, but one also has to decide what to do with all the pop-up messages /warnings. In my experience, that can be a pain and time-consuming.

Also, antimalwares and AV's will never be able to keep up with the new threats that are constantly released into the wild.
That's why many AV/antimalware suites also come with a behavioral scanning and detection feature. The warning messages that this feature produce are even more cryptic than AV warnings IMO.

I prefer a system-wide protection using the built-in features that can be set once and (almost) forgotten.

By using a Standard Account, UAC max, implementing Software Restriction Policy, hardened group policy, a secure browser (Chrome), updating your software, using a router or firewall - will give you a very good protection. Not to mention, you'll notice your system is still very snappy.

As for AV /antimalware, you may look into on-demand scanning only, say once a week or so. I know about the feeling: "Man, I'm missing something important (read=realtime protection)", it's a feeling that I still struggle with, but I haven't had any virus/malware infection for the past couple of years since I've used a similar setup that is in my signature (this setup is used in a small office environment too).

Also, minimizing the attack surface is important; install only the software that you really need. Avoid any "I-might-need-it-in-future" software.

 

image backup is a must these days. i recommend using EaseUS Todo Backup or Macrium Reflect, both are free and much better than the image tool included in Windows.
as for the AV/AM, if you have Sandboxie, you can use any AV that has a decent detection ratio (see av-comparatives.org for that). you can also keep PandaIS (have you upgraded to the 2013 version?), as no AV is bulletproof and you can get in trouble regardless of the AV you use.

 

Sandboxie is a must.