Securing a new Win7 laptop

Discussion in 'other anti-malware software' started by The GLoW, Sep 9, 2012.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    HitManPro is a must also;)
     
  2. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Totally. :thumb:
     
  3. The GLoW

    The GLoW Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    22
    Location:
    USA
    The feedback from everyone on this thread has been so helpful. I have applied many of the suggestions...UAC, standard account, updates, disabled remote, etc.

    SRP was actually a breeze! Especially with help of Kees' images and from mechbgon.com...invaluable.

    Before I add Sandboxie, SAS Pro and MBAM Pro, I will back it all up and image it (waiting for an external drive to ship). Seems like HitMan Pro would be redundant here.

    EMET will be next though not positive yet that I need it. I'd like to heed those who advised to not add any unnecessary software.

    Though I have Win Firewall w/ Advanced Security, I am adding WFNotifier as well.

    Interesting discussion with Kees and Adrenaline. Should I really avoid IE9? I am not yet sold on Chrome but would like to avoid it.

    Anybody have any thoughts to share on Comodo Dragon, IceDragon, or Iron?

    As for Kees' images of computer and user settings, even after applying SRP, my settings all say "not enabled." And my present learning curve is not sufficiently straight enough to know what to do with over 1600 settings.

    Likewise, I am not sure about which Win services/processes to disable.

    Also not sure if it's a good practice to let MS regularly download Malicious Software Remover and/or Defender?

    I suppose all that's left then is the AV. With respect to these boards, I don't want to start an A vs. B fest. Intuitively, I subscribe to what new2security says (not sure how to show quote!). But I just lack the guts to implement this with a brand new system. (Like waiting for that first scratch on a brand new car?).

    So I remain unconvinced and undecided about an AV.

    Thanks all for the feedback received.
     
    Last edited: Sep 11, 2012
  4. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Why two realtime anti-malware programs?

    Just pick a browser you like, then consider how to secure after. Chrome's plugin sandbox is pretty good, but not needed if you use Sandboxie and set it so that only whitelisted programs can run. Even if an exploit works on a browser, it won't be able to execute.

    Using sandboxie with default-deny for new programs is very powerful. With Sandboxie, I couldn't infect an AV-less machine no matter how hard I tried - granted it was behind a modem router which blocked all incoming traffic and only allowed outbound connections.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Chrome for the sandbox and decent screening.

    EMET for DEP Always On/ASLR Always On (if you can).

    Maybe MSE if you feel you need an antivirus. And then disable any services you don't need.
     
  6. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    On demand:

    Emsisoft Emergency Kit is my personal choice:

    Pros:
    - Free
    - No installation required. Fully portable.
    - Downloads virus/malware definitions
    - Good detection rates

    Cons:
    - Downloading definitions takes a long time
    - Can only run with Admin privileges


    Kaspersky Virus Removal Tool:

    Pros:
    - Free
    - Portable
    - Good scanning engine

    Cons:
    - No automatic updates of signature files.
    - Must download a new scan engine (~130 MB) about once a week to get updated signatures
    - Must run as Admin
     
  7. The GLoW

    The GLoW Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    22
    Location:
    USA
    RJ...right...I will just use one AM and save the other for on-demand scanning.
    Reassuring to read your comment on Sandboxie.

    Hungry Man...any reason I would not have the EMET settings you mention set to 'always on'?

    New2security...Your signature is informative. The more I read here about LUA/SRP set-ups, the more inclined I am to move beyond my paranoid stance of doing away with AV.

    Are you running EEK on USB?

    Anyone...Would appreciate any thoughts on including DropMyRights to this mix?
     
  8. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    My reasoning for not running a real-time AV:

    1) I download & install only reputable software. Before installation, the software is scanned with virustotal.com

    2) Untrusted sources where files are downloaded behind my back, e.g. via the Internet, are covered by using a security-conscious browser such as Chrome (runs as an untrusted process / is sandboxed), plus nothing can execute in its cache folder or Downloads folder (SRP) even if malware was dropped in these folders. An AV would stop the download itself (if the signature file detects it, that is), but if my folder settings and SRP deny execution then there's nothing really that I gain by running a real-time AV.

    3) CD/DVD/USB - Autorun is disabled

    There are no other risk factors I am aware of that a real-time AV would remedy.

    EEK - Well I always keep EEK on a usb stick but on my computer I have it on the hard drive.

    Regarding Group Policy settings & system hardening, you may wanna have a look at this one:

    -http://www.wilderssecurity.com/showpost.php?p=2056033&postcount=5
     
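    The post above describes a layered set-up (UAC plus a standard account, SRP default-deny so nothing executes from the browser cache or Downloads folder, autorun disabled, DEP/ASLR via EMET, and the Windows Firewall) rather than a real-time AV. The following read-only audit script is an added example and is not from this thread or any of the tools mentioned in it; it checks whether those settings are actually in effect on a Windows 7 machine. The registry paths are the standard Windows policy locations; the values treated as "pass" (EnableLUA = 1, NoDriveTypeAutoRun = 0xFF, SRP DefaultLevel = 0 for Disallowed, bcdedit nx = AlwaysOn, firewall ON on all three profiles) are this example's own assumptions about what the thread's advice amounts to, so adjust them if your policy differs.

```powershell
# Added example, not from the thread: read-only audit of the Windows 7
# hardening settings discussed above. Run from an elevated PowerShell
# (bcdedit needs admin); the script changes nothing on the system.
# Written for PowerShell 2.0, which is what Windows 7 ships with.

function Get-RegValue {
    # Returns the named registry value, or $null if the key/value is absent.
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

function New-Check {
    # Small helper so every result has the same shape for the final table.
    param([string]$Check, $Value, [bool]$Pass)
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass }
}

$checks = @()

# 1) UAC on (EnableLUA = 1): the "UAC + standard account" advice in the thread.
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$checks += New-Check 'UAC enabled (EnableLUA = 1)' $lua ($lua -eq 1)

# 2) Autorun disabled for all drive types (NoDriveTypeAutoRun = 0xFF).
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$checks += New-Check 'Autorun disabled (NoDriveTypeAutoRun = 0xFF)' $autorun ($autorun -eq 0xFF)

# 3) SRP default level: 0 = Disallowed (default-deny), 0x40000 = Unrestricted.
#    Default-deny is what makes a dropped file in Downloads or the cache inert.
$srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
$checks += New-Check 'SRP default rule = Disallowed (DefaultLevel = 0)' $srp ($srp -eq 0)

# 4) DEP policy from the boot configuration store. "DEP Always On" in EMET
#    corresponds to nx = AlwaysOn; OptIn only protects Windows binaries.
$nxLine = bcdedit /enum '{current}' | Select-String '^\s*nx\s+(\S+)'
$nx = $null
if ($nxLine) { $nx = $nxLine.Matches[0].Groups[1].Value }
$checks += New-Check 'DEP policy = AlwaysOn (bcdedit nx)' $nx ($nx -eq 'AlwaysOn')

# 5) Windows Firewall state for Domain, Private and Public profiles.
$fwOut = netsh advfirewall show allprofiles state
$stateLines = @($fwOut | Select-String 'State' | ForEach-Object { $_.Line.Trim() })
$fwOn = (@($fwOut | Select-String 'State\s+ON').Count -eq 3)
$checks += New-Check 'Firewall ON on all 3 profiles' ($stateLines -join '; ') $fwOn

# Print the audit; a False in the Pass column is the item to go back and fix.
$checks | Format-Table Check, Value, Pass -AutoSize
```

    Nothing here replaces reading the effective SRP rules themselves (the path rules under the same Safer key), but a quick table like this is a cheap way to confirm that "not enabled" in a policy viewer really does mean the setting is off before relying on the layer.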
  9. mattbiernat

    mattbiernat Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    179
    Location:
    U.S.
    I did the changes that were recommended in the group policy settings. Now Lenovo System update wouldn't start and Lenovo Power manager wouldn't start....
     
  10. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    What error messages are you getting?
    Are these programs allowed in your firewall settings?
     
  11. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    :doubt:
    I'm a relatively new Windows user. Just a question about EMET: what exactly does it do, and is it worth an average home user installing and using, please?
    :doubt: :ninja:
     
  12. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    Just out of curiosity, what is the reason to do this, as opposed to allowing the installer to request elevation and dealing with UAC then? I know that MalwareBytes AM won't allow you to update its database unless you actually start it as an admin, but most installers will ask for elevation when necessary. Then again, I'm not using any SRP as I don't have the Pro version of Win7, so I don't know how that changes things.

    The only thing I have to add is a suggestion to switch your DNS server to Norton or something similar like Comodo.
     
  13. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Hmm, I would tend to disagree with you on your view of the Windows built-in imaging program. I've used it half a dozen times and it has worked perfectly. Did it not restore an image for you? :eek:
    Also, I was going to use Macrium Reflect until I was informed that the Linux recovery environment is not very reliable, and the other option, the WinPE one, required a 1.7 GB download. :eek: :eek: That's not very forthcoming for the end user, is it? :ninja: :ninja:
     
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    While I am a little late for the 'party', I would suggest not relying on antivirus/antimalware software to avoid infection.

    At best they are an extra layer. In case of doubt I always restore a known clean image. Just try imaging software to decide what works for you.

    That SAS frequently found stuff (not tracking cookies?) means you were doing something 'wrong'. Realtime signature scanners can never fully protect you, on-access scanners even less.
    I don't know how or why, but I virtually never get infected.
    It helps not to click on links that seem somehow fishy, not to click on ads and to pay attention to what I do and what I download. A HOSTS file (MVPS) can help to block some ads, trackers and malware, there are other options as well.
    If necessary I do research before I proceed.

    If I really need to do dangerous stuff I'm always prepared to restore a known clean image, without having any valuable information exposed.

    For me an AV is just a second opinion. I do like to use a firewall to control and monitor applications for outbound access, no HIPS stuff.

    Sandboxie can be good if you know how to use it. I guess that applies to everything.

    Some of the suggestions in previous posts are rather technical and I have never implemented those. That doesn't mean they are wrong, just that I have never tried those.

    Keeping important stuff like the OS, browser and Flash up to date is generally a good idea. I have no problem with Adobe's Acrobat Reader, but I disable its access to the browser and several other options as well.
    Minimizing the attack surface is good.
    Also, remove applications you don't need (JAVA?/not javascript).

    You could consider altering the settings of some services (Blackviper) if you know what you are doing and what you need.

    A long but good read: https://www.wilderssecurity.com/showthread.php?t=252253
     
    Last edited: Sep 12, 2012
  15. mattbiernat

    mattbiernat Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    179
    Location:
    U.S.
    Lenovo System Update just wouldn't launch. Power Manager disappeared and was complaining of some DLL problem. Sorry I didn't write down the messages exactly.
     

  16. EMET is a good defense against hackers/malware.


    Install EMET 3.5 tech preview, set protection to maximum and you're basically done. You can add programs, but they should be listed as protected applications by default, and it takes up about 12 MB of RAM.
     